CFOs are well acquainted with risk management. But how many place people risks under that umbrella? People risks relate not only to the employees the company hires but to the actions those people take and the decisions they make once they are on board.

Let’s look at the first group of people-related risks—that is, the risks associated with evaluating, hiring and retaining individual workers. Those risks can include everything from financial losses associated with replacing employees who quit or are fired, the operational risk poor performing employees represent in terms of productivity, on-the-job safety and other metrics, and on and on.

Such risks are incurred by all companies in countries all across the globe. A recent CareerBuilder survey found that bad hires are costly no matter where you are. For example, 27% of U.S. employers have had a bad hire cost more than $50,000, while 29% of German employers had such hires that cost €50,000 or more, 27% of U.K. employers have had bad hires cost more than £50,000, and 48% of companies in China had bad hires that cost 300,000 CNY (US$48,734). The survey also found additional impacts of bad hires, including lost productivity, negative impact on employee morale and client relationships, and lower sales.

But what about once a good hire is on the job and taking actions and making decisions that impact the company? A recent McKinsey & Company study identifies the key people risks involved in the day-to-day decision making and operations of many companies, what the authors call the “risk culture” of that organization.It is unlikely that any program will completely safeguard a company against unforeseen events or bad actors,” note the study authors. “But we believe it is possible to create a culture that makes it harder for an outlier, be it an event or an offender, to put the company at risk.”

Of course, risks are an innate part of doing business. They cannot be avoided. They must be managed effectively. The first step toward having employees who can effectively manage risk is making sure that those individuals are able and allowed to acknowledge that the risks exist.

The McKinsey authors compare two financial institutions—one that is very open about identifying, sizing and managing risks, and one that is more risk-averse and compliance-oriented. In the former organization, people regularly discuss and proactively deal with the risks the organization faces. In the latter, people tend to ignore risks until they have no choice but to do something about them. You can guess which organization is better able to cope when situations require action.

To provide people with strong guidance on how to deal with risks, the authors suggest that companies build a consensus around what the company’s risk culture should be. “CEOs and CFOs who want to initiate the process must build a broad consensus among the company’s top 50 or 60 leaders about the current culture’s weaknesses,” note the authors. “Then they must agree on and clearly define the kind of culture they want to build.” Next, companies need to find ways to sustain and nurture the attitudes and behaviors necessary to support that risk culture.

All of this takes time and effort. However, CFOs are extremely well positioned to take a leading role in this effort.