Financial institutions, perhaps more than any other business sector, today face the need to comply with a myriad of regulations which inevitably touch upon if not directly impact their risk management and corporate governance. While most of our roundtable participants agreed that regulations such as Basel II may produce valuable improvements in some cases, there was a general feeling that mere compliance is no guarantee of good risk management and in fact may go against the spirit of the regulations, which is to achieve best practice.
There was also some discussion as to the accountability – or lack of it – of the regulators, should initiatives like Basel II prove not to be beneficial, in view of the significant costs that institutions have devoted to meeting their requirements.
Some participants also highlighted the danger that corporate governance/risk management can stop at or near the top and may not filter through to the lower levels, which may be more incentivised by associated financial or promotional benefits. It was suggested that good risk management may still not be a part of many people’s job specifications, with their employers simply taking it as read. There is also a need to strip away the mystique, relating risk management to the day-to-day activities of employees and basically getting on their wavelength.
At a senior level, is it better to take a risk knowingly or unknowingly? This provoked some discussion. Directors may be reluctant to articulate the risk appetite on which they base decisions for fear of criticism if loss from a major risk occurs.
But identifying and documenting a risk demonstrates awareness and a calculated decision, even if that risk later occurs.
There was consensus that culture rather than regulation has the greatest part to play in embedding risk management and corporate governance through an organisation. And culture change is one of the most difficult things to implement.
Many of our participants believed that businesses are still failing to understand the risks and costs involved with IT, relying on controls rather than understanding their exposures.
The panel concluded by discussing the problem – ever present for financial institutions – of fraud. It was agreed that organised major fraud is becoming ever more sophisticated – an industry in itself – and financial institutions are hard pressed to catch up with the criminals.
Sue Copeman, Editor, StrategicRisk