With the financial crisis still looming over the world economy, regulators are trying to regulate financial institutions more and more. This has led to staff being over-burdened with having to comply with legislation.
In the process of producing more and more paperwork to keep the legislators happy, many financial institutions have lost their way, especially when it comes to managing their business risks.
Risk Management is often seen as an inhibitor of business rather than as an aid to business growth.
If we go back to first principles, we see that Risk Management was introduced in order to:
- Protect the business
- Protect the shareholders
- Protect the public
In any business, if one can identify the risks in advance of them materialising and put some safeguards in place, this is of course prudent practice.
For example, looking at a typical sales process, you could identify the risks around customer satisfaction and client retention rates. So, as a measure, we could set up some metrics around customer complaints. Your risk appetite could be, say, between 70 and 100 complaints from customers a month.
If the level of complaints went above 100, this could be investigated and action could be taken to reduce the customer complaints. Likewise, if the level of complaints went below 70, this could be an indication of falling sales or a lack of reporting, and measures could be put in place to rectify this.
Of course there can be ups and downs in profits; however, each company has a duty of care to its shareholders to maximise their return on investment.
In order to do this there must be accountability for errors and mistakes. And therein lies the problem! Risk Management follows a “blame culture”.
The Operational Risk Manager will blame operational staff for not reporting accurately.
The Group Risk Manager will blame the Risk Manager for not embedding the Risk Management framework in the business.
The Head of Risk will blame the Group Risk Manager for not carrying out audits and checks.
The Chief Risk Officer will blame the Head of Risk for not putting safeguards in place to manage the risk appetite of the business.
The CEO will blame the Chief Risk Officer and simply say, “It’s your responsibility, not mine!”
The IT department gets blamed for anything that has anything to do with computer hardware or software.
It reads like a children’s story book but unfortunately it’s too true!
Earlier in this article I stated that “In order to have a useful risk management framework there must be accountability”. Now by accountability I don’t mean blame. What I mean is accountability for rectifying errors, malpractices and non-adherence to policies and procedures.
If the accountability lies with the person who didn’t follow the procedure, then there is a real possibility of non-reporting. We see companies such as Enron, WorldCom, Andersen and the Royal Bank of Scotland in the news too often, and this undermines public confidence in the regulatory practices of any large organisation.
In order to move away from the blame culture, the risk department needs to be divided into separate sections and as a minimum into the following:
- Risk Audit Section: whose sole job is to find problem areas and hotspots within the risk framework by carrying out a series of Risk Audits. This section should report directly to the Head of Internal Audit. In addition, the Head of Internal Audit should be completely independent of the risk function.
- Risk Management Reporting Section: production of daily, weekly, fortnightly, monthly etc. reports and Management Information.
- Risk Management Policy and Procedures Section: whose function is to ensure that the organisation really learns from its mistakes by ensuring that policies, procedures and controls are put in place so that similar mistakes do not occur again.
Where possible, Risk professionals should be cross-skilled with multi-disciplinary specialisms: for example, Information Technology and Risk Management, or Finance/Accounts and Risk Management, or any other combination that may assist the business. Now I say this from experience, as I am a Chartered Tax Advisor, a Risk Management Professional, an IT specialist and an NLP Master Coach and certified trainer, but that’s another story!
What makes these cross-skilled Risk Managers an asset to any organisation is that they understand the technical language as well as the internal workings of the areas and departments in which they have specialisms. This in turn means that fewer errors and mistakes are made when departments must communicate with each other and when handing off work to other departments. Indeed, simply being able to run an effective meeting would assist organisations greatly.
In addition, if the departments themselves, from the CEO to the people at ground zero, could communicate effectively with subordinates, peers and executives using language that moves us away from the blame culture, then Risk Professionals would be able to work effectively towards reducing risk rather than hiding from mistakes.
So in summary I would conclude that effective communication at all levels, as well as true accountability for future actions and not the past, will lead to more confidence in Risk Management as a whole.