IRM ERM M1U5.4 Successful Risk Culture Flashcards
Styles of risk management
Compliance
Hazard
Control
Opportunity
Steps to successful risk management
The initial, and perhaps most important, step is ensuring that the risk management initiative is sponsored by a member of the board or a senior member of the executive committee of the organization.
This support is likely only when the last step has been communicated and agreed: that implementing an ERM approach will contribute to the success of the organization.
1 Engage senior management and board of directors to provide organizational support and resources.
2 Establish an independent ERM function reporting directly to a board member.
3 Establish the risk architecture at executive and board levels, supported by internal audit.
4 Develop the ERM framework that incorporates an appropriate risk classification system.
5 Develop a risk-aware culture fostered by a common language, training and education.
6 Provide written procedures with a clear statement of the risk appetite of the organization.
7 Agree monitoring and reporting against established objectives for risk management.
8 Undertake risk assessments to identify accumulations and interdependencies of risk.
9 Integrate ERM into strategic planning, business processes and operational success.
10 Contribute to the success of the organization by delivering measurable benefits.
RM implementation barriers
Lack of understanding of value of risk management
Establish a shared understanding, common expectations and a consistent language of risk in the organization
Lack of support and commitment from senior management
Identify a sponsor on the main board of the organization and confirm shared and common priorities
Seen as just another initiative, so relevance and importance not accepted
Agree a strategy that sets out the anticipated outcomes and confirms the benchmarks for anticipated benefits
Benefits not perceived as being significant
Complete a realistic analysis of what can be achieved and the impact on the mission of the organization
Not seen as a core part of business activity and too time-consuming
Align effort with core processes and achievement of the mission of the organization
Approach too complicated and over-analytical (risk overkill)
Establish appropriate level of sophistication for risk management framework and undertaking risk assessments
Responsibilities unclear and any external expenditure agreed (i.e. external consultants) resented
Establish agreed risk architecture with clear roles and accepted risk responsibilities
Risks separated from where they arose and should be managed
Include risk management in job descriptions to ensure that risks are managed within the context that gave rise to them
Risk management seen as a static activity not appropriate for a dynamic organization
Align risk management effort with the mission of the organization and with the business decision-making activities
Risk management too expansive and seeking to take over all aspects of the company
Be realistic: do not claim that all the business activities within the organization are risk management by another name
Frameworks for measuring culture
Frameworks for measuring culture can be found in, for example: audit committee evaluation; level of risk maturity; the Canadian criteria of control (CoCo) framework.
Risk Culture qualitative & quantitative measurements
While qualitative assessments based on policies and procedures offer insights, quantitative measurements are needed to pinpoint weaknesses and plan improvements. Frameworks like audit committee evaluations and risk maturity models aid in this assessment.
Enhancing risk culture
Enhancing risk culture is often a strategic goal, especially where gaps in risk awareness exist.
Improvements in risk management processes must translate into better risk management outcomes to be effective. Simply enhancing processes doesn’t necessarily enhance risk culture.
ISO 31000 emphasizes the importance of context, highlighting external and internal factors influencing risk management.
Risk Culture Assessment Tools: Surveys & interviews
Surveys offer a broad view and measurable output, while interviews provide deeper insights into the reasons behind the risk culture.
It’s essential to maintain consistency in questioning and avoid bias in interviews. Tailoring questions to the organization and keeping them concise improves response rates and content quality.
Deloitte highlights the importance of using multiple data sources and assessment techniques to grasp risk culture.
Risk Culture Aspects model / IRM
This model identifies eight aspects of risk culture grouped within four themes:
Tone from the top
Risk leadership – clarity of direction
Dealing with bad news.
Governance
Accountability – clarity of accountability
Transparency – and timeliness of risk information.
Decisions
Informed risk decisions – how well-informed decisions are
Reward – rewarding of appropriate risk taking.
Competency
Risk resources – status, resources and empowerment of the risk function
Risk skills – embedding of risk management skills.
Risk Culture Aspects & Double ‘S’ models
The Risk Culture Aspects model is related to the Double ‘S’ model, in that the ‘Dealing with bad news’, ‘Reward’ and ‘Risk skills’ aspects have a greater impact on sociability, and the other five aspects are related to improvements in solidarity.
Changing risk culture timelines
Changing risk culture can be a long and slow process. The Association for Federal Enterprise Risk Management (AFERM) suggests that a compliant risk management framework can take 1-2 years to implement, whereas a mature risk management process can take 5-10 years to build.
Steps to changing risk culture:
The IRM’s Risk Culture paper sets out the steps to changing risk culture:
Evaluate the current risk culture (Where are we now?).
Assess the impact of the current risk culture (Where do we want to be?).
Identify areas of improvement (What needs to change?).
Plan and implement the cultural change.
Monitor and adapt to change.