Basel’s Principles for the Sound Management of Operational Risk defines risk culture as “the combined set of individual and corporate values, attitudes, competencies and behavior that determine a firm’s commitment to and style of operational risk management.” It is no coincidence that — of the 11 principles Basel cites — risk culture is at the core of the very first principle: Strong risk culture is ONLY achievable in concert with strong firm-wide culture.

I believe that there are three key ingredients to this as follows:

  1. Tone at the top
    While it starts with the board of directors (who should influence the C-suite), it is the C-suite and senior management who establish the tone for risk management culture. The underpinning of this culture must be derived from the top through a comprehensive risk appetite framework.” Risk appetite is ‘the amount and type of risk that an organization is willing to take in order to meet their strategic objectives.” It forms a foundation on which all can be attributable to, following a principled approach that:
    • Aligns strategy with risk appetite.
    • Reflects the entity’s risk management philosophy, and influences the culture and operating style.
    • Guides resource allocation and aligns the organization, people, process and infrastructure.
  2. Governance
    A strong risk culture has a strong effective governance structure which is fit for the needs of the organization. It will be featured in many of the organizations business functions and be an integral part of the decision-making process. The structure will have a clear pathway which shows the hierarchy of this decision making by dedicated risk teams and committees. The structure will be transparent and open to both challenge and review. The information on risk activities, standards and protocols will be easily accessible internally and externally.
  3. Living pulse
    The above factors must be translated into a living and breathing risk culture evidenced by human interaction within the organization containing a sample of the elements below:
    • Risk management inclusion in end-of-year performance evaluations.
    • A whistleblower program or anonymous complaint tracking system.
    • Anonymous surveys to gauge employee views on the risk culture of the firm.
    • Metrics used to gauge the adequacy and effectiveness of the risk culture.

Proof in the pudding
These three ingredients then transfer into the seven hallmarks below:

  1. Clear communication of risk appetite and risk disclosures to all internal and external stakeholders.
  2. The risk culture is transparent and clearly defined through training, education and a common language.
  3. A standard risk/control/compliance taxonomy backup is created by written policies which represent the risk appetite of the organization.
  4. Roles and responsibilities are clearly articulated and a governance structure is all inclusive.
  5. A strong risk analytics program is established to include scenario and stress testing models to capture correlated and unknown risks.
  6. Evidence of risk-adjusted pricing is reflected in risk transfer pricing, risk capital and risk-based product pricing.
  7. Risk management is integrated in strategic planning, performance measurement, budgeting, projects and operational activities.

A strong risk culture will always be a winner of the marathon, with staying power and stamina, if the organization is willing to take it on.

This article was published on ACFE Insights