To date Riskviews has featured discussions of issues relating to Risk Culture 27 times. While we talk about the Eight ERM Fundamentals, Culture is THE ERM FUNDAMENTAL.
While Standard & Poor’s uses this category to include a variety of practices including governance, disclosure and risk appetite, here we mean solely the manner in which people outside of the risk management department are brought into the risk management process in a firm.
Decisions need to be made regarding who to involve in doing risk management, and then who else to tell about the objectives, plans and activities of risk management in the firm.
Some companies do this on a need-to-know basis, involving only those who must get involved to make things work and only telling those who have an active role.
At the opposite extreme are firms who say that risk management is everyone’s job and who therefore work very hard to make sure that everyone understands everything that is going on.
The firms in the first group are focused on efficiency. Management usually believes that everyone must stay focused upon their own primary responsibilities. A select few are given responsibility for risk management activities and everyone else is kept out of the way. Knowledge of the risk management work in these firms is usually restricted to top management, and to line management only in the situations where the risk management efforts need to be integrated into the operational unit’s activities.
The firms in the second group believe that risk management is everyone’s job because crippling risks can take many forms, both currently known and unknown, and because these risks can emanate from any part of the firm. They do not believe that just because there has never been a large problem from one activity, there never can be.
For the first type of firm, risk management culture means that risk management is one of those things that separates the cognoscenti from the rest of the firm. Risk management culture means keeping those in the know up to date on everything that is important about risk and risk management. Each one of the restricted group must take a major responsibility to join in this activity.
For the second type of firm, there will be a totally different type of activity supporting risk management culture. That will involve training sessions and informational newsletters. One firm holds an annual conference about risk management and allows anyone at the supervisory level and above in the firm to attend. Another firm puts an ERM-related message on the intranet home page and changes that message at least once per week.
The second type of firm will welcome input from anyone to their ERM processes.