World Risk Day Blog
Why is it so hard to embed a risk culture?
Posted by: worldrd • Posted in: Blog
Posted on June 08, 2012
Guest blog post from Sheralee Morland of IRMSA (Institute of Risk Management South Africa)
You have tried everything, short of going down on your knees and pleading, to implement risk management in your organization, and yet obstacles remain. The organization is still met with nasty surprises, sometimes splashed across the newspapers; risk is not embedded throughout business processes; informal risk practices abound; and risk is not a part of everything management and staff do…
Why, oh why, is that, you may ask yourself…?
Top of my list of reasons is that the risk culture is just not what it should be, could be or ought to be! And yes, you may be thinking that ensuring a sound risk management culture is easier said than done…
Be that as it may, I am of the view that the critical success factors, or key elements, of an effective risk culture include, but are certainly not limited to:
- Risk management philosophy – do the Board and executive management have a real aspiration to practise good risk management and, better yet, would they like to strive for world-class risk management? Do they set the right tone – do they practise risk management by example? Do they give sufficient management time to reflecting on emerging risks and on the upside and downside of the risks associated with the development of new processes and products, some of them increasingly complex?
- Strategic intent – is risk management included among the main strategic focus areas? For example, if client centricity and managing for value are strategic focus areas, is managing risk as an enabler another?
- Directors on your side – is there a member of the Board or risk committee who is passionate about proper and effective risk management – if so, do you have their ear and support to further your cause? Do they whole-heartedly participate in the annual risk assessment or when new and emerging risks are considered? Do they appear well prepared for risk committee meetings with healthy challenge and debate and encouragement of the escalation of risks rather than the concealing of bad news?
- Lessons learnt – when bad things happen (and they do), are the pitfalls understood and dealt with in a constructive manner to prevent a repeat? Is awareness heightened of what can go wrong and what does go wrong, so as to widen knowledge of potential risks? Is there demonstrable reflection by management and the Board on emerging/evolving risk?
- Are responsibility and accountability clearly defined and ingrained in the way the organization organises itself, and is this clearly described in annual reports and documents available to stakeholders – for example, a three lines of defence concept?
- 1st line of defence – Focused and informed involvement by the Board and executive, and the accountability and responsibility of business management, all supported by appropriate internal control, risk management and governance structures and processes.
- 2nd line of defence – Independent risk oversight and monitoring by the Risk, Governance and Compliance functions.
- 3rd line of defence – Independent assurance provided by Internal and External Audit.
- Scorecards, mandates/charters and appraisals – is risk management a component of each staff member's job profile and scorecard? Are accountabilities for risk management understood at all levels of the organization and written into monitoring committee charters? Is appraisal against these regular and constructive? Is training offered to management, staff and directors, particularly where evolving risk requirements have become more complex in nature?
- Singing from the same hymn sheet – is a common understanding created through the use of governance frameworks; through parameters in guiding policies that enable, rather than hinder, the management of the key risks for the industry; and through a common risk language understandable to all and not just to risk specialists?
- Regular reporting – are risks identified, assessed, monitored, managed and reported in an easily understood and effective manner? Free from unnecessary detail – short, succinct and impactful, to facilitate decision making and the design of management actions/remedies? Are staff afraid to report? Are matters raised swept under the carpet? Is there a whistle-blowing line, and are whistleblowers protected?
- Selling the benefits of good, solid and robust risk management – does risk management live in your organization, or is it just a case of the boxes being ticked? It is important to have an ERM team in place that is energetic about creating awareness and understanding. Demonstrate that a strong risk culture will determine the way risks are identified, understood, discussed and acted on. Be convincing about its being essential as a foundation for risk governance!
Good luck… the benefits are worth the effort!
I’d be interested to hear your views and experiences on embedding a risk culture within your own organization…
Sheralee Morland is Exco Vice President of IRMSA (Institute of Risk Management South Africa)