How to Create a Culture For Risk Management

Within the business arena, it is well recognized that the higher the risk, the bigger the reward. One of the key roles of leadership within any organization is to define the levels of risks that can be taken and to draw a balance between the maximum risk and lowest return acceptable.

To create a culture that combines healthy risk taking with effective risk management, the leaders need to set in place a risk-management system in place, promote and reward the right practices and most importantly employ the right people. The organization culture needs to promote risk taking whilst at the same time maintain risks under control without impeding the growth of the organization.

Successful companies develop and adhere to an effective risk management system that enables them to ride through difficult and uncertain times and help minimizing risk exposure across the organization whilst maximizing the return in any of their business activities. As far as risks are concerned, the most critical gaps are not related to the risk management tools used to monitor risk exposure, but rather rated to people’s roles and the decision-making processes within an organization. Organizations need to realize and maximize short-term profits places and intense pressures on short-circuiting the risk management process to approve risky business dealing or transactions. Such behaviors undermine the core of the risk management discipline throughout the company.

Judging by the impact of the current credit crisis on companies across all sectors, it is evident that the severity level on businesses has varied significantly; companies possessing strong risk management culture have maintained strong positions and seem to weather the credit crisis fairly well. Such companies appear to be immune by building sharp and effective lines of defense against unnecessary risk taking, and support individuals who exhibit risk awareness and set an example for others to follow. Such organizations embrace risk management and view it as a competency that protect, if not create, value, as opposed to an obstacle to profits.

In order to understand, define, and actively manage risk appetite, organizations need to have a core of executive directors on the board with solid business and risk expertise. Such executives are expected to appreciate the risks being taken and understand the tradeoffs between risk and return during the decision making process. Furthermore, the board must be willing to take responsibility and accept the implications of major risk making decisions.

The risk management process is a collective responsibility and no single individual can solely be responsible for identifying and mitigating all possible causes of unacceptable losses. The goal is to ensure that no one assumes that risk is not his responsibility. One approach is to create a dedicated department for risk management and to consistently place risk management at the top of the executives’ agenda, where they can check compliances, offer opinions and recommendations. The risk management department has two distinct responsibilities for (a) developing sustainable strategies and tactics to keep the right balance between risk and return, and (b) providing senior management with an independent controlled mechanism should managers fail to adhere to the risk management systems. To earn respect from their managers, risk managers must be competent and able to challenge non-compliances, and help executives understand the risk scenarios.

The demise of many financial institutions is the result of poor business practices that have combined aggressive investments and a weak defense with little scrutiny, to decision making in the years leading up to the credit crunch, employed a strategy. Whilst a strong defense need not impede aggressive business growth, a robust risk management culture is what organizations need to embrace to avert similar future scenarios.

The leadership and managers dealing directly with customers (for example account and program managers) must demonstrate a clear understanding of trade-offs between risk and return. The management as a whole must have reliable and consistent information on the positions and risks they are taking. Discussions about new contracts, ventures, existing and new customers, and other issues must be broad in nature and not limited to quarterly routine meetings that discuss targets or other short-term goals.

The managers need to develop a deep understanding of their business activities and are able to determine what constitutes an early warning signal and what does not. If top risk management professionals do not have this authority and these tools, they will migrate elsewhere.

Reliance on the auditing function alone is inadequate, as it often fails to provide an independent and objective oversight. Instead, auditors see their assignment as a box-ticking exercise which ensures compliance, with limited critical review of potential weaknesses. A strong critical approach to each functional discipline must also be developed, involving far more insight and internal consultation. For instance, after reviewing the securitization process, the internal audit team could identify and bring to the board’s attention potential flaws such as over¬≠reliance on auditors.

To accomplish this, auditors must possess not only extensive knowledge of the business, but also a clear comprehension of the risk management discipline within the organization. In top performing companies, audit and finance teams blend a strong process and IT ‘know-how’ with an in-depth understanding of the business and risk. Audit findings need to be acted upon and closed in a timely fashion; Audit items cannot be allowed to remain open quarter after quarter, with no consequences for the executive who fails to act upon them. A more disciplined approach is required, with senior executives taking the leading role.

The ultimate goal is a culture that combines healthy risk taking with effective risk management. It takes a total, unambiguous and widely communicated commitment from the CEO to make this shift. Companies and banks that accomplish this will be much better equipped to weather the next set of economic storms.



Original Post