Focusing on controls will not save a company when human error inevitably plays its part, said Stafrace, board member for the Malta Association of Risk Management
Establishing a positive risk culture throughout the organisation is the biggest challenge for risk managers, according to risk manager Ian-Edward Stafrace.
A positive culture is far more effective than a strong network of controls, and gives risk managers a closer view of their company’s actual risk appetite, he suggested.
“The biggest challenge is establishing a good, positive risk culture within the organisation,” said Stafrace, chief risk officer at Atlas Insurance and a board member for the Malta Association of Risk Management (MARM).
Truly embedded risk management within front line operations is crucial, he emphasised. “If you focus on controls, you’re going to miss something out,” he said, noting the inevitability of human error. “And if you have a positive culture, you’re going to get a good understanding of your risk appetite,” he added.
He suggested there was a debate going on within the profession, between those risk managers at investment firms who are focused on quantitative and mathematical issues, and those within other sectors who are far more focused on processes.
He explained that for many privately-owned firms, the line between internal audit and risk management was also badly blurred. While regulators demand that the two functions are kept independent, this is frequently not the case.
“It makes sense to keep them apart, particularly when internal audit gives recommendations to the risk function. It’s very important that they can be critical of the risk function. How can it be critical of itself? At MARM we’re trying to convince some of those firms that [separating the functions] is in their own interest,” he said.
Stafrace emphasised a defence-in-depth approach to risk management, with successive lines of defence protecting the firm. “The first of these should always be front-line operations,” he said.
Behind this, and working closely with it, should sit risk management, he explained. Then behind risk management, internal and external audit represent the third and possibly fourth lines of defence.
For “truly embedded risk management”, accountability at all levels is crucial, Stafrace noted, with employees’ job descriptions including ownership of the risks for which they are responsible. “It’s about creating that self-discipline down at the front line,” he said.
This is cultivated, he suggested, through risk registers throughout the firm, encouraging staff to rate the threats they face by likelihood and severity, and keeping track of any change in the balance between the returns gained and the risks taken.