Case Study: Governance, Risk & ComplianceImplementing a risk culture within an organization and the challenges
A company needs to implement an effective risk culture due to supervisory scrutiny.
Risk culture has significantly increased with a focus on training and awareness. In financial services and other industries, one of the first questions regulators ask is about describing the risk culture of the company.
There are some challenges to improve the effectiveness of the risk culture. The impact could be limited if there is no involvement and all levels. This sometimes requires a change in behaviours for the controls to mitigate risk incidents:
- Risk culture responsibility starts at the top management/board level as they need to clearly understand what risks should be accepted and what risks should be minimied or avoided. They should support both culture and conduct risk through robust governance and training programs.
- One of the key tools could be the consideration of a senior manager regime similar to the UK’s senior manager and certification regime (SM&CR)
- It is important to note that a strong risk culture does not imply taking as little risk as possible, but instead helps companies consciously take appropriate risks that fit the risk appetite, vision, and strategy. There should be a top-down approach for risk/culture management and strategy formulation to establish a Risk Appetite Framework (RAF) based on a clear Risk Appetite Statement.
Through our panel of professionals, GMn has many experts ranging from operational risk managers to enterprise risk subject matter experts to help companies implement and/or transform their risk management culture.
- The risk management frameworks/tools and procedures can only be effective when they are used in the right way and at the right time. To increase the impact on the culture we would focus on training, risk planning involvement, status meetings, and risk identification sessions.
- More procedures, more rules, or more regulation leads to a decline in clarity and employee accountability. Implementing maker/checker/authoriser instead of maker/checker only could decrease the standards/quality and commitment of staff as there is a “safety net”.
- Sometimes risk managers don’t understand the day-to-day behaviours across companies. This is important to drive the right changes so the risk culture meets regulatory requirements and successfully manages the risk.