2. Confidentiality level on slide master
Version number on slide master12 November 2015
Option 1
2
Content
• What is risk culture?
• A case for a strong risk culture
• Elements of strong risk culture
• Practical steps to building a strong risk culture
• Conclusion
3. Confidentiality level on slide master
Version number on slide master
What is risk culture?
• The culture of an organization or a company may be
seen as the overall reflection of the attitude of every
component of management within the company. The
culture of an organisation determines how individuals
will behave in particular circumstances.
• Risk culture is an emerging terminology which
encapsulates a company’s risk appetite, tolerance and
risk management practices as demonstrated by its
employees.
• According to Erik Banks (2012); risk culture is
defined as an internal sensibility that reflects
knowledge of, and respect for risk.
12 November 20153
4. Confidentiality level on slide master
Version number on slide master
A case for a strong risk culture
Problems with risk culture are frequently found at the root
of organisational scandals and collapses.
The concept of risk culture has grown steadily since the
global financial crisis of 2008
“The absence of healthy risk management culture is the
cause of the organisational failures”*
Proposals that risk attracting box ticking conformity as
opposed to a much more important (though often much
more difficult) substantive behavioural change must be
avoided
“The development of a risk culture throughout the firm is
perhaps the most fundamental tool for effective risk
management”*.
EC 2010, IIF 2008
12 November 20154
5. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Tone from the top
Tone from the top refers to the ethical atmosphere that is
created in the workplace by the organization's
leadership. Whatever tone management sets will have a
trickle-down effect on employees of the company.
• Are the mission, vision and values clearly aligned and
communicated throughout the firm?
• Is the strategy appropriate given the risk appetite, and
does the risk appetite framework ensure that
decisions down through the organization are
consistent with risk appetite?
• Are risk outcomes articulated in strategy?
12 November 20155
6. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
• Can the board point to an example where risk
appetite considerations impacted strategic decision-
making?
• Does senior management lead by example?
• Is middle management displaying the right
behaviours?
• What process does the firm have to ensure the
message is consistent, well understood and accepted
throughout the firm?
• Is risk accurately factored into decision-making?
• Are limits consistent with risk appetite? Are limits at
the business unit level set to ensure risk appetite is
not exceeded?12 November 20156
7. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Accountability
It is the obligation to account for ones activities, accept
responsibility for them, and to disclose the results in a
transparent manner.
It is important to understand how various stakeholders
including employees and managers are held accountable
for their action.
Ownership of risk
• What is the expectations with respect to the
identification, assessment, monitoring and reporting
and response to, current and emerging risks across
the organisation?
12 November 20157
8. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Escalation process
• How are whistleblowers treated? Can you point to an
instance where an individual was promoted shortly
after he/she raised concerns about unacceptable risk
taking?
• Is the culture proactive? Do breaches in controls or
unacceptable behaviour have consequences?
• Are requests for increases to limits rubber stamped
by the board? How often are requests for limit
increases rejected?
12 November 20158
9. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Enforcement
• When was the last time an individual was disciplined
and compensation was cut as a result of
unacceptable risk taking?
12 November 20159
10. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Effective challenge
An effective risk culture will facilitate constructive
challenges in the line of business and in control
functions. This means that employees must be
empowered to challenge long held positions and new
decisions
Open to dissent
• Does the culture support risk transparency and
enable concerns to be voiced?
• Does the culture support constructive dissent? Can
you cite a time when an employee raised concerns
about risk taking? How did the company react?
12 November 201510
11. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Stature of risk management
• Does the CRO and the risk management function
share the same stature as the other departments of
the organisation
• Does the CRO and risk management function have
appropriate direct access to the board and senior
management
• Does the CRO have ex ante input to strategic
decisions? Are risk management and audit consulted
before new products are introduced?
• Does risk management have skills necessary to
understand all products and models?
12 November 201511
12. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Compensation
Inappropriate pay policy was one of the major
contributors to the failures in businesses that were
affected in the GFC of 2008.
Remuneration and performance
• How are compensation and risk-taking behaviours
linked?
• Is compensation based only on net income from a
given activity in a given financial year without
recourse to how that activity will affect the future
health of the organisation?
12 November 201512
13. Confidentiality level on slide master
Version number on slide master
Elements of strong risk culture
Compensation
Talent development and succession planning
• When was the last time a control function head was
promoted to run a business?
• Do business heads have control function experience?
12 November 201513
14. Confidentiality level on slide master
Version number on slide master
Practical steps to building a strong risk culture
Implementing the three lines defence
12 November 201514
15. Confidentiality level on slide master
Version number on slide master
Practical steps to building a strong risk culture
Adopting the BASELL III framework
12 November 201515
16. Confidentiality level on slide master
Version number on slide master
Practical steps to building a strong risk culture
Other steps
• Begin a dialogue on risk culture at management level
• Identify a team to lead the process
• Conduct a complete assessment of existing culture
• Develop a diagnostic report with a set of tangible
recommendations
• Determine what the desired risk culture should look like
• Design and implement an action plan based on the
recommendations to build the new risk culture
• Communicate changes and secure “buy in” from all
stakeholders
12 November 201516
17. Confidentiality level on slide master
Version number on slide master12 November 201517
Conclusion
• An effective or strong risk culture cannot be
developed without the support and involvement of
senior management.
• A strong risk culture should be focused on
optimizing well calculated and understood risk return
trade-offs within a comprehensive ERM strategy
aimed at consistent value creation for all
stakeholders.
• It is also important to note that developing an
effective risk culture is a journey, requiring several
resources and supported by consistent
communication, education and management.
18. Confidentiality level on slide master
Version number on slide master12 November 201518
Thank you!