The popular saying goes: “Culture eats strategy for breakfast.” And when it comes to risk, culture doesn’t just eat your strategy; it leaks your passwords, signs off bogus deals, and buries red flags under a carpet of silence. So how do you stop that?
How do you build a culture where every employee thinks like a risk manager? This isn’t a textbook answer. This is war-room advice. Because today, your biggest risk is not knowing what is walking out your door, or into your systems.
Start with this truth: Risk is not the job of Internal Audit or the Risk Manager. It’s the job of everyone, from the receptionist to the CEO. The boda guy who tailgates your CFO knows this. The fraudster calling while pretending to be URA knows it. But inside your company? People still say, “That is not my job.”
That mindset is the virus. Culture is the cure.
Step 1: Make risk personal.
People don’t care about frameworks. They care about stories. Tell the story of the accounts assistant who lost her job after unknowingly paying a fake supplier. Show the case of the NGO that lost UGX 2.4 billion because one USB stick infected their network. Explain how one weak password gave hackers access to payroll. When risk becomes real, people change.
Step 2: Use visible leadership.
Step 3: Define your “Risk Culture Anchors”.
Step 4: Integrate risk into daily rituals.
Step 5: Run “Red Team” Exercises.
Step 6: Flip the language.
Step 7: Measure what matters.
What else have I missed? Let me know if you would like a detailed explanation per step.
I remain, Mr Strategy.