What is risk?

‘Risk Culture’ has received a lot of attention following the financial crisis.

The Regulator expects firms to effectively and routinely identify, manage, monitor, and report on the risks their business is or might be exposed to. It is important therefore that each firm can demonstrate that they have explored various aspects of their business and working practices, including governance and culture, and fully understand the risks posed to their operation.

How we understand and react to risk

Risk has different meanings for different companies. Factors like age, personality, gender, wealth, nationality, and experience all influence our attitudes to risk at different times in our lives.

Risk can exist at various levels and is usually assessed in terms of frequency (how often will it happen?) and severity (how serious will it be if it does happen?).

The relationship between frequency and severity varies from one risk to another.

Risk Culture and organisations

Risk culture is a term that is used to describe the appetite, attitude and understanding of risks that are shared by a group of people. It can be displayed in a mixture of formal and informal processes and behaviours, and organisations need to be open to continual change in risk culture. Organisations may also have more than one ‘risk culture’, with different elements of the business operating separately from each other.

From my experience of visiting different GI firms, there is a wide variation in the way in which risk culture is managed. When it comes to recognising a poor risk culture, key indications include:

  • An audit check reveals that agreed risk management procedures are ignored

  • Not regularly reviewing and updating the firm’s business risk assessment

  • Leadership delivers inconsistent or unclear messages on acceptable levels of risk

Has your firm completed a Business Risk Assessment?

As part of the Fifth Threshold Condition, the Regulator will expect all firms to have completed and regularly reviewed a business risk assessment.

Once you have completed and reviewed your business risk assessment, you should translate the results into a Risk Register detailing the risks that have been identified and how you plan to mitigate these as far as possible. This register should then be reviewed on a regular basis to ensure that it is kept up to date.

If you would like to discuss risk culture further, please contact your RWA Business Manager.

About the author

Kirk joined RWA in 2015, having worked in the financial services sector for many years. He started out in both the general insurance and mortgage advice arms of HSBC, before becoming the Compliance Officer at Go Compare and Training & Competence Manager at Optimum Credit. 

At RWA, Kirk supports clients by looking after their compliance and training and competence needs and keeping them up to date with regulatory changes. He promotes the achievement of fair customer outcomes and specialises in designing and implementing T&C schemes for firms of all sizes.
