There is no ideal risk culture.
By Stefan Hirschmann
The buzzword of the hour is: risk culture. According to the Financial Stability Board (FSB), deficits in risk culture were not only one of the causes of the global financial crisis, but also resulted in other tribulations. A reasonable risk culture is not only necessary, but is central to the decisions of the banks and to the behavior of their employees. Since the management of risks is a core task of a business, risk management must be regarded as a management task. However, if the identification and analysis of the various risk categories do not take place at the highest level and risk management is delegated, important control information is sometimes lost to the business.
The fundamental elements of an appropriate risk culture in banking include, for example, transparent risk governance, an effective risk appetite framework and a compensation practice that promotes appropriate risk-taking. So much for the theory. In practice, many risk managers have difficulty managing a real risk culture, and the regulators are wondering what standards of risk culture should be supervised. Risk culture is in fact multidimensional. “There is no ideal risk culture,” says Dr Simon Ashby, professor at the Plymouth Business School and Chairman of the Institute of Operational Risk (IOR).
In reality, risk culture reflects the balance between risk taking and risk control. Without doubt, the best losses are those which do not happen, but risk in the banking and insurance businesses is virtually immediate. Therefore, risk awareness is crucial. Dealing with each other must be based on mutual agreement and carried out in a careful manner in order to avoid a weakening of risk culture, according to Ashby at the Operational Risk Forum 2014 conference in Cologne.
Therefore, according to the FSB, the most important indicator of a sound risk culture is the “Tone from the Top”. This refers to the behavior of management that reflects the values defined by the management system and the risk culture. All employees must align their activities to this value system and are responsible for their compliance with it.
Top management sets the budget for risk capital, creates the timetable for any changes in the risk profile and ensures regulatory compliance. Together with the Chief Risk Officer, it creates the framework for enterprise risk management and defines the business-wide risk appetite. The monitoring and use of risk management tools, however, is assumed by the relevant specialist department.
However, this ideal-typical structure requires open communication within the company, the promotion of constructive criticism, and financial and non-financial incentives that support the desired risk tolerance, thus supporting the value system and the risk culture of the company.
What sounds trite often requires a rethinking in the minds of those involved. Risk measurement, modeling and calculation are important. Careful analysis and information from losses help to optimize the database in order to avoid future losses, but this also requires an unbiased dialogue about errors made in the organisation.
This is a challenge, particularly for management. If open communication does not happen, the treatment of risk remains intuitive and one-dimensional. If top management, executives and risk managers are in regular contact, this leads to a collaborative culture that incorporates risk awareness in the strategic planning of the company.
According to Dr. Gerrit Jan van den Brink, Risk Management Consultant with Accenture, risk culture is also quite measurable. To this end, van den Brink developed an approach in four phases to document a comprehensible risk culture, even for banking supervision. As a first step, a maturity check is completed which analyzes the current situation in the company. This is followed by a gap analysis to reveal any gaps in comparison with the target model. In the last two steps, measures are identified and then implemented.
A similar but more IT-based approach was presented by Dr. Hans-Peter Güllich, Head of Commercial Strategy - Risk at Thomson Reuters, at the Operational Risk Forum 2014 in Cologne. Following fuzzy logic, risk-related factors are assessed individually and finally condensed into a Behaviour Risk Rating.