Creating a Culture of Risk Management
Financial Service organizations must initiate a top-down transformation to spread risk management visibility and accountability throughout the enterprise
Todd Cooper, Vice President & General Manager, Enterprise Risk and Compliance
Christina Speh, Director, New Markets and Compliance Strategy
Amy Downey, Director, Professional Services
After the rash of corporate and accounting scandals leading up to the Sarbanes-Oxley Act in 2002, a “Culture of Compliance” emerged to foster ethical behavior and decision-making. The culture of compliance goes beyond having good policies and procedures, a dedicated compliance staff, sufficient compliance resources or electronic exception reports. It articulates a sense of responsibility for compliance at every level of the organization.
In the risk-averse environment following the latest financial crisis, we believe there is a strong case for replicating this successful paradigm shift to create an enterprisewide risk management culture. In a risk management culture, accountability for risk permeates the enterprise from the boardroom to the front line—instilling employees with the tools to identify, manage and mitigate risk.
In a poorly controlled organization without an institutionalized culture, employees will tend to do the wrong thing even in the face of good policies. In a well-controlled organization with an institutionalized culture, employees will do the right thing even in the face of unclear policies. Financial service organizations that establish a strong culture of risk management will foster risk-informed decision-making that ensures long-term viability.
Why Push for Change?
The typical scenario in financial service organizations today involves silos of risk management. Individual business lines, products and geographies have their own analytics and reporting, with limited visibility into the impact of their risks across the enterprise. From the executive management perspective, there is no global view of risk. The situation is made worse when the business lines that create risk are not held responsible or accountable for managing their risk.
In this scenario even a cautious, risk-averse organization is put in jeopardy when one line of business takes risks without a full appreciation of the potential impact on the enterprise. The unscrupulous or ill-advised actions of that one unit can incur enforcement actions, monetary fines and reputational losses that affect the entire organization.
When business unit risks are not factored into the organization-wide risk assessment, it is impossible to effectively control those risks. The struggle to capture risks for every risk discipline across all lines of business exacerbates the situation. Often, risk assessment efforts by the individual disciplines (compliance, operations, information technology, audit, etc.) are perceived as being a waste of time and/or adversarial by the business entities charged with completing their paperwork. The overlapping processes become redundant and burdensome, resulting in the assessments not being taken seriously.
Excerpt from "Creating a Culture of Risk Management," A Position Paper by Wolters Kluwer, June 8, 2010. Copyright 2010 Wolters Kluwer, Waltham, MA