‘Risk Culture’ has received a lot of attention following the financial crisis.
The Regulator expects firms to effectively and routinely identify, manage, monitor, and report on the risks their business is or might be exposed to. It is therefore important that each firm can demonstrate that it has explored the various aspects of its business and working practices, including governance and culture, and fully understands the risks posed to its operation.
How we understand and react to risk
Risk has different meanings for different companies. Factors like age, personality, gender, wealth, nationality, and experience all influence our attitudes to risk at different times in our lives.
Risk can exist at various levels and is usually assessed in terms of frequency (how often is it likely to happen?) and severity (how serious will it be if it does happen?).
The relationship between frequency and severity varies from one risk to another.
Risk Culture and organisations
Risk culture is a term that is used to describe the appetite, attitude and understanding of risks that are shared by a group of people. It can be displayed in a mixture of formal and informal processes and behaviours, and organisations need to be open to continual change in risk culture. Organisations may also have more than one ‘risk culture’, with different elements of the business operating separately from each other.
From my experience of visiting different GI firms, there is a wide variation in the way in which risk culture is managed. When it comes to recognising a poor risk culture, key indications include:
- An audit check reveals that agreed risk management procedures are being ignored
- The firm’s business risk assessment is not regularly reviewed and updated
- Leadership delivers inconsistent or unclear messages on acceptable levels of risk
Has your firm completed a Business Risk Assessment?
As part of the Fifth Threshold Condition, the Regulator will expect all firms to have completed and regularly reviewed a business risk assessment.
Once you have completed and reviewed your business risk assessment, you should translate the results into a Risk Register detailing the risks that have been identified and how you plan to mitigate these as far as possible. This register should then be reviewed on a regular basis to ensure that it is kept up to date.
If you would like to discuss risk culture further, please contact your RWA Business Manager.