By Mohammad Kahn
22 September, 2019
Who shares the greatest responsibility in encouraging and promoting an 'admirable' culture of risk management?
'Risk culture' and 'Conduct Risk' are two important, emerging and interrelated topics that I have researched extensively and that often draw my attention. Following the last Global Financial Crisis (GFC) and the many corporate scandals involving not only fraudulent practices but a deliberate intent to drive profitability at the expense of 'reputation', we also find that some of the biggest risk management failures occurred in organizations that already had established risk management safeguards, including the involvement of the Boards and Management in monitoring risk management breaches. This all leads to one fundamental question: why did the failures happen, particularly in those institutions which had some of the best risk management monitoring systems and processes in place? Was it the people who lacked the knowledge and skills, the processes that perhaps were not well established, or systems that failed to support effective risk monitoring? Or could it all have been due to a lack of Governance, or to ineffective or poor Governance? Or was it a case of intentional misconduct? As we have seen, different events have had different so-called 'drivers' of failure. While it is easy to pinpoint the various root causes or responsible stakeholders who may have contributed to the various failures, I believe that regardless of the type of institution we consider, be it a bank, private enterprise or a Government institution, the most important factor that leads to risk management failure is a 'poor' or at times 'non-existent' positive risk management culture. This leads to the fundamental question: who bears the most responsibility in driving and enforcing a positive risk management culture?
While my readers will have their own opinions as to who should be considered as having the greatest share of responsibility in encouraging and enforcing a solid risk management culture, in my opinion, the first line of defense or the 'people' of an organization that are involved in the day-to-day operational aspects are the 'key' to driving a positive risk management culture, based on shared principles and a 'proactive' driven behavioral model. Why am I stating this? The answer is that if the 'people' in the front line or supporting the business and day-to-day operations are not taking ownership and protecting the reputation of an organization through a conscious effort to enforce positive risk management actions, the efforts by the Board, Management, Audit and the Regulator to enforce Risk Management will never meet their target(s). This problem will naturally be compounded if there is a weak or ineffective Board, Management and Audit. However, no matter how one may look at it, the starting point never changes, and that will always be the 'people' or 'employees' involved in the day-to-day business, who have the greatest control over how activities get carried out.
The first line of defense, or the employees in the business who interact with customers or manage the day-to-day operations within an organization, is where the greatest risk ownership is needed. If the processes fail or if there are breaches or deviations within the process, all risk management failure points commence at this very stage and eventually grow into bigger problems or become uncontrollable. For example, activities involving loan and transaction processing, issuance of credit cards and mortgage and personal loans, processing of treasury and foreign exchange transactions etc. are all activities that are carried out by staff in the front line, and if risk management fails within the front line, the natural outcome will be a weak and poor risk management culture.
People, who are the greatest asset to an organization, need to be continuously rewarded for risk management behaviors, and the Board and Management need to take measures that not only reward staff for proactive risk management behavior but also ensure strict enforcement of what is considered 'acceptable' and 'unacceptable' risk management behavior. A 'zero tolerance' against wrong or misleading behaviors where customers are negatively affected should be the 'norm', as opposed to gaps and failures being continuously tolerated by Management. Just as a 'code of conduct' naturally exists within organizations, there is a need to enforce a 'risk management code of conduct' that can ensure consistent and continuous monitoring of the risk management corporate values that can deliver a sound and supportive risk management culture. One additional key point is the ability to 'retain' the most prized asset of an organization, which I refer to as the 'high performers' or 'best risk players', who should be continuously supported so that they become a permanent asset to the organization's risk management infrastructure.