Regulators are trying to regulate financial institutions more as the financial crisis continues to loom over the world. This has led to an increase in staff burden and the need to adhere to legislation.
Many financial institutions are losing their way in managing business risks, particularly as they produce more paperwork to please the legislators.
Risk management is often seen as a hindrance to business growth rather than an aid.
When we return to first principles, we can see that Risk Management was created in order to:
- Protect your business
- Protect shareholders
- Protect the public
Recognizing risks before they materialize and putting safeguards in place is prudent in every business.
If you look at a typical sales process, you might be able to identify potential risks regarding client retention and customer satisfaction. As a measure, we can establish metrics about customer complaints. Your risk appetite might be between 70 and 100 complaints per month from customers.
If customer complaints exceed 100, they could be investigated and the appropriate action taken. If the number of complaints falls below 70, it could indicate a decline in sales or a lack of reporting, and suitable measures could be taken to remedy this.
While profits can fluctuate, every company must take care of its shareholders in order to maximize their return on investment.
Accountability for errors and omissions must be established in order to achieve this. Herein lies the problem. Risk Management has a blame culture.
The Operational Manager will blame the operational staff for failing to report accurately.
The Group Risk Manager will accuse the Risk Manager of not integrating the Risk Management framework into the business.
The Head of Risk will accuse the Group Manager of not conducting audits and checks.
The Head of Risk will be blamed by the Chief Risk Officer for failing to put in safeguards to manage the company’s risk appetite.
The CEO will blame the Chief Risk Officer, but he’ll just say, “It’s not mine to do.”
Anything that is related to computer hardware and software gets blamed on the IT department.
It’s almost like a children’s book, but it’s far too true!
As I said earlier in this article, “To have a useful framework for risk management there must be accountability.” But accountability does not mean blaming others. It is about accountability for correcting mistakes, malpractices, and non-adherence to policies and procedures.
Non-reporting becomes possible if accountability lies with the person who failed to follow the procedure. Companies such as Enron, Worldcom, Andersons and The Royal Bank of Scotland are often mentioned in the media. This undermines public trust in large-scale regulatory practices.
To move beyond the blame culture, the Risk Department must be broken up into sections. At a minimum, it should include the following:
- Section for Risk Audit: Responsible for finding problem areas or hotspots within the framework of risk. This is done through a series of Risk Audits. This section should report directly into the Head of Internal Audit. The Head of Internal Audit should also be independent of the risk function.
- Section for Risk Management Reporting: Production of weekly, fortnightly and monthly reports, as well as Management Information and reports.
- Risk Management Policy and Procedures: This person is responsible for ensuring that the organisation learns from its mistakes and that policies, procedures and controls are in place to prevent similar mistakes from happening again.
When possible, risk professionals should be multi-disciplinary specialists: Information Technology and Risk Management, Finance/Accounts and Risk Management, or any other combination that could be helpful to the business. You can trust me when I say that I have experience as a Chartered Tax Advisor, a Risk Management Professional, an IT specialist and an NLP Master Coach, as well as a certified trainer.
Cross-skilled Risk Managers are an asset to any organization because they can both understand the technical language and the internal workings within the departments or areas they specialize in. This allows for fewer errors and mistakes when departments need to communicate with one another and when passing work off to other departments. Organisations can also benefit from a well-run meeting.
Additionally, if all departments, from the CEO to ground zero, could communicate with their subordinates, peers, and executives using language that is free from blame culture, this would allow Risk Professionals to work effectively towards reducing Risk instead of hiding from making mistakes.
Effective communication at all levels, as well as accountability for future actions, will increase confidence in Risk Management.