What is the most important factor that drives the success of risk management?

Once you understand the feelings that may be holding your customer back from making a purchasing decision, you'll be able to make him feel confident that he'll have no regrets once he signs on the dotted line.

As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.

With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at MetricStream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.

Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not-for-profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.

Recent press has once again shone a light on the consequences of poor risk culture and capabilities in the financial services industry. Risk culture remains inconsistently understood, applied, and monitored. With the pending increase in regulator supervision of this subject, and the associated oversight expectations of Directors and senior Executives, it is necessary that organisations effectively manage their risk culture.

This short article is designed to assist professionals seeking to understand the fundamentals of risk culture, and for those planning an assessment within their organisation. It suggests ten critical success factors.

What is Risk Culture?

An organisation’s culture is commonly defined as “the way that things are done around here”, representing the collective values, assumptions, and attitudes. The culture of the organisation influences the employees’ day-to-day behaviours and decisions. Risk culture, simply, is the attitude applied to taking and managing risk. When applied to risk management, an effective culture can provide significant benefits including:

  • More confidence in business strategy, decisions, and performance;
  • Greater long-term sustainability for the organisation and value for shareholders;
  • Reduced loss from risk incidents or compliance breaches;
  • Greater capacity to take on risk in the pursuit of opportunity; and
  • Appropriate alignment with societal, employee, customer, and political expectations.

Conversely, a poor risk culture can result in excessive risk taking, poor conduct, a loss in customer and shareholder trust, regulatory and legal non-compliance, and consequently – as we have seen in the financial services industry – a necessity for costly remediation programs, the replacement of Executives and Directors, material changes to strategy, and the retention of additional capital.

Critical Success Factors for an effective Risk Culture:

The critical success factors presented represent components of a system that is designed to plan, operate, and monitor a desired risk culture. The factors are broad in scope and sit at the heart of strategic, governance, performance, and investment management decisions. The nature and scale of each factor will necessarily be tailored to the organisation’s industry, size, and risk profile.

1. Clearly define risk appetite and organisational values at Board level:

Ensure that the Board establishes and regularly reviews the appropriate risk appetite in consideration of the organisation’s purpose, shareholder value, and the business context. Communication of risk appetite should be aligned with the organisation’s values and ‘ways of working’. The risk appetite should include a statement of intent for the target risk culture.

2. Specify the risk accountabilities in your organisation:

In simple terms, communicate the accountabilities within the business for managing risk, and where applicable, the specific responsibilities and boundaries of specialist risk management functions. This should include responsibilities for effective independent challenge and assurance. Accountabilities should be clear and easy to understand; team members should know what is expected of them daily.

3. Promote risk appetite within operational plans and incentive programs:

Design business unit performance objectives that incorporate desired risk outcomes. Align with position descriptions, employee incentives and remuneration, and consequence management processes.

4. Integrate risk management performance within governance processes:

Incorporate risk performance (both financial and non-financial risk) within Executive and Board governance processes. Design performance indicators that report on both risk outcomes, and the organisational capability for the desired risk culture.

5. Operate an effective risk management framework and systems:

Design a fit-for-purpose framework which facilitates the consistent measurement of material risks vs desired risk appetite, the regular identification of emerging risks, and the incorporation of risk analysis into critical decision processes. Underpin risk analysis with the effective use of quality data.

6. Invest in your risk management capabilities and skills:

Demonstrate the importance of risk management through visible investment in capacity, regular training, within induction programs, in specialist skills, and in broad education programs. Through doing so, signal that “risk is important to us”.

7. Leaders must role model the desired risk behaviours:

Leadership behaviours and communications should promote and demonstrate the expected risk culture through the visible use of risk appetite in decisions and in daily prioritisation. They should show respect and responsiveness to legal and regulatory obligations, and for internal risk management and governance processes. Audit items should be closed in a timely manner. Leaders should use opportunities to explain risk-based decisions and the benefits provided to customers and long-term organisational value.

8. Prioritise customer care and conduct:

Establish mechanisms that incorporate the ‘voice of the customer’ in strategic planning, in performance criteria, in operational decisions, and within incentive programs. Ensure that there is due focus on customer complaints and their resolution. Be open about examples of poor conduct, and how “we have both rectified the immediate issue and learnt long-term lessons from the experience”.

9. Support speaking up and protect those who do:

Foster an openness for constructive feedback and speaking up. Visibly prioritise investigation and response to concerns raised. Communicate the outcomes. Promote ‘integrity’ as a core organisational value. Establish effective protections for whistleblowers.

10. Regularly measure, report, and respond to risk culture performance:

Use a range of leading and lagging indicators inclusive of risk outcomes, staff surveys, audit results, compliance outcomes, and specialist reviews. Ensure that reporting and response processes are regular agenda items for the Board and key Executives. Continuously iterate communications and processes in response to the insights provided.

Summary

Achieving an effective risk culture is not a one-off exercise. It is necessarily an ongoing and iterative process. Organisations should continuously examine, reinforce, and reshape the risk culture in a proactive and reflective manner which recognises both its protections and value-generating opportunities. This activity should occur both at a ‘whole of organisation’ level and within individual business units or locations where different sub-cultures may emerge.

If you are looking to self-assess your organisation’s risk culture, all critical success factors will need to be considered. I suggest starting with the three foundational questions:

1. Is it clear what risk culture our organisation should be aspiring to?

2. Is our process for defining our risk appetite effective?

3. Are we committed to long-term and iterative measurement of our risk culture?

I welcome your feedback on this article and other success factors for operating an effective risk culture.

About the author: Chris has a 20-year career in financial services risk management advisory and assurance, and has led 1st and 2nd line operational risk & compliance teams. His specialisms include operational risk, technology and cyber risk, supplier risk, control assurance, and risk management transformation.

What is the most important aspect of risk management?

Risk Analysis: The Most Important Risk Management Stage.

What is the most critical factor in successful risk management programs?

Culture is vital to the success of risk management programs, as it is bound up with collaboration and the management of long-term goals. Organizational culture builds teamwork, risk-taking and open communication into all risk mitigation strategies.

What is one key factor in risk management?

Two factors to consider: risk and change. When evaluating risks and identifying all possible strategies, it's essential to factor in not just the types of risk but also whether your risk management is impacted heavily by change. These two factors shouldn't be taken lightly.