Rebecca Grogan on Governance, Risk Management & Audit

Views are my own

Risk Management and Culture

Risk management can reward companies with a stronger strategy, more positive outcomes and a resilient organisation. It just needs the right buy-in and culture to do so.

Following the 2008 financial crisis, new European regulatory frameworks (Basel III and Solvency II) were introduced that imposed higher standards of risk management and governance within insurers and credit institutions.

However, risk management should not be seen as simply a regulatory requirement that must be followed. Risk management provides strong benefits to companies in the pursuit of their strategy, providing the foresight to not only identify and manage risks to company strategy at the outset, but also to take early advantage of opportunities in an ever-changing business environment. You just need the right culture to reap these benefits.

What is risk management?

When we talk about Risk Management Frameworks and processes, it’s not simply about checklists and control registers. It is about putting a defined structure in place to assist companies in setting and meeting their objectives. It’s about taking the time to understand and define the company’s appetite for risk taking. It’s to help us understand what could go wrong in the pursuit of objectives and how we can manage this at the outset to avoid losses down the line. It’s also about accepting things will inevitably go wrong sometimes, and having the structures in place to identify and remedy problems in the most timely and effective manner.

Benefits of risk management

As outlined in COSO’s Enterprise Risk Management Integrating Strategy and Performance 2017, having a formal structure in place that everyone buys into can have many benefits, including:

  • Increasing opportunities: Risk management allows you to consider all possibilities, both positive and negative, which can identify new opportunities and unique challenges associated with current opportunities.
  • Increases positive outcomes: Thinking up front about what risks or problems you might encounter allows you to respond in a timely manner, reducing surprises and related costs or losses, while profiting from advantageous developments.
  • Enhances company resilience: Companies can anticipate and respond to change. The ability to anticipate and plan for business continuity events is also important here.

The right culture fosters the most effective risk management

To get the most out of risk management, it is important to have the buy-in and culture in place that accepts and integrates risk management into day-to-day activities. People company-wide need to understand the purpose and benefits of risk management, so that it’s not seen as an extra thing they have to do in their job, but rather it’s seen as integral to their jobs. The Institute of Risk Management (IRM) has a good model under which risk culture can be considered (see IRM’s Risk culture Resources for Practitioners). Some considerations include:

  • Tone at the Top: There should be buy-in from Board members and senior management. Leaders should ensure risk management efforts are focused on supporting the organisation in delivering its corporate objectives, and send a clear message and sense of direction which is actively reinforced.
  • Governance: The accountability for the management of key business risks should be clearly defined and aligned to the accountabilities for key business processes and corporate objectives. There should be appropriate structures in place to oversee this accountability, e.g. committees. Where appropriate risk taking is successful, this should be shared. Where it was less successful, learning should be extracted and shared from these events.
  • Competency: The Risk Function should have access to senior management and have the credibility and resources required to deliver its remit. Leaders should also invest time in building skills in managing risks across their teams through training and on the job learning.
  • Decision making: Decision making processes should incorporate risk analysis. Risks should be evaluated in the context of the nature of business opportunities being considered. The Performance Management process should reward appropriate risk taking and challenge inappropriate risk behaviours.

Culture can take some time to shape. Positively, thanks to regulatory frameworks such as Basel III and Solvency II, many of these elements of risk culture are likely already in place or may need some tweaking. The most important thing, as I see it, is to continue to reinforce the message throughout the organisation that risk management is a value-add activity so that there is a strong buy-in that ultimately benefits all involved.