The Australian Prudential Regulation Authority has warned the financial sector to improve its risk culture. Its concern is that many institutions are unwilling or unable to improve their risk management.
How does risk management fail, and what can be done to improve risk culture?
Risk management succeeds when risks are recognised and controlled, and fails only when:
- Hazards or consequences are unforeseen
- Likelihood or consequence is misjudged
- Controls are inadequate, or inadequately executed.
So what causes these failures in your risk management framework?
- Thinking “It’s beyond my control”
Sometimes things happen – droughts, dramatic political or social shifts, disruptive technologies, or the collapse of financial markets. Attempting to anticipate the complete range of events that could negatively impact your operations is an impossible task.
What is important is that you understand the consequences your organisation could experience from those events, and you mitigate those impacts with effective continuity arrangements, issues management plans, reputation strategy and innovation.
What you can do
- Undertake a business impact analysis to understand what’s critical in your business, and assess your organisation’s vulnerability to disruption
- Plan, develop and test Business Continuity Plans
- Invest in contingency planning.
- Not connecting the dots
Often, the information needed to prevent a risk management failure is available somewhere in the organisation, but decision makers cannot readily access it. It may be disaggregated, disconnected, or hidden from them.
This happens because structural and cultural obstacles leave different parts of the business with differing degrees of risk management effectiveness, and because internal factors discourage reporting and reward dangerous over-achievement.
Risk management only becomes effective when:
- All functional and technical risk management processes are integrated
- An aggregated risk view across the business can be provided, so that total exposure to similar hazards can be identified
- Risk intelligence and lessons learned are shared
- Seemingly tactical risks that actually have strategic influence are escalated.
What you can do
- Establish an aggregated risk view, or at least make risk registers transparent and visible across the entire organisation
- Incentivise achievement within risk appetite, but not overachievement
- Use a skilled risk expert to help join the dots and identify the gaps.
- Forgetting that all management involves an element of risk management
Many organisations have a risk management policy, but not a risk management culture.
How do you know if your organisation is one of them?
In an organisation that has a risk management policy but no risk management culture:
- Management decisions (both formal and informal) are not made with a risk-based approach
- Managers are focused on operational performance, financial reporting, reputation management and compliance reporting
- Managers do not recognise that every decision they make, delay or delegate is a decision about risk
- The board or owners have not articulated their risk appetite
- Managers at each level of the organisation cannot articulate their risk tolerance
- There isn’t a consistent, aggregated system of assessing and reporting risks.
What you can do
- Articulate your organisation’s risk appetite (known as your risk vision statement)
- Cascade your risk tolerance to each level of management
- Ensure your risk management framework is pragmatic, appropriate and integrated
- Use a risk expert to advise how your organisation can incorporate true risk management standards in day-to-day business.