Basel’s Principles for the Sound Management of Operational Risk defines risk culture as “the combined set of individual and corporate values, attitudes, competencies and behavior that determine a firm’s commitment to and style of operational risk management.” It is no coincidence that, of the 11 principles Basel cites, risk culture is at the core of the very first principle. Strong risk culture is ONLY achievable in concert with strong firm-wide culture.
I believe that there are three key ingredients to this, as follows:
1) Tone from the Top (Actions speak louder than words)
While it starts with the board of directors (who should influence the C-suite), it is the C-suite and senior management who establish the tone for risk management culture. Underpinning this culture is a must-have derived from the top: “A Comprehensive Risk Appetite Framework.” Risk appetite can be defined as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives.” It forms a foundation stone to which everything else can be attributed, following a principled approach which includes:
It is considered in strategy setting so that strategy aligns with risk appetite.
It reflects the entity’s risk management philosophy and influences the culture and operating style.
It guides resource allocation and aligns organization, people, process and infrastructure.
A strong risk culture has a strong, effective governance structure which is fit for purpose for the needs of the organisation. It will feature in many of the organisation's business functions and be an integral part of the decision-making process. The structure will have a clear pathway showing the hierarchy of this decision making by dedicated risk teams and committees. The structure will be transparent and open, subject to both challenge and review. The information on risk activities, standards and protocols will be easily accessible internally and externally.
3) Living Pulse
The above factors then have to be translated into a living and breathing risk culture, evidenced by human interaction within the organization and containing a sample of the elements below:
Risk management inclusion in end-of-year performance evaluations.
A whistle-blower program or anonymous complaint tracking system.
Anonymous surveys to gauge employee views on the risk culture of the firm.
Metrics used to gauge the adequacy and effectiveness of the risk culture.
Proof of the Pudding
These three ingredients then transfer into the 7 hallmarks below:
Clear communication of risk appetite and risk disclosures to all internal and external stakeholders.
The risk culture is transparent and clearly defined by training, education and a common language.
A standard risk/control/compliance taxonomy backed up by written policies which represent the risk appetite of the organisation.
Roles and responsibilities are clearly articulated and the governance structure is all-inclusive.
Strong Risk Analytics program to include scenario and stress testing models to capture correlated and unknown risks.
Evidence of risk adjusted pricing reflected in risk transfer pricing, risk capital and risk based product pricing.
Integration of Risk Management in strategic planning, performance measurement, budgeting, projects and operational activities.
A strong risk culture will always be a winner of the marathon, with staying power and stamina, if the organisation has the mindset.