Menuear.com


What is wrong with risk management in financial institutions?

With the financial crisis still looming over the global economy, regulators are increasingly trying to regulate financial institutions. This has led to an overload of staff who have to comply with the legislation.

In the process of churning out more and more paperwork to keep lawmakers happy, many financial institutions have lost their way, especially when it comes to managing their business risks.

Risk management is often seen as inhibiting business, rather than helping business grow.

If we go back to the first principles, we see that Risk Management was introduced in order to:

  1. Protect the business
  2. Protect shareholders
  3. Protect the public

In any business, if one can identify risks before they materialize and put in place some safeguards, this would of course be a prudent practice.

For example, by looking at a typical sales process, you could identify risks related to customer satisfaction and customer retention rates. So as a measure, we could set some metrics around customer complaints. Your risk appetite could be, say, 70-100 customer complaints a month.

If the complaint level were above 100, this could be investigated and steps could be taken to reduce customer complaints. Similarly, if the complaint level were below 70, this could be an indication of falling sales or under-reporting and measures could be put in place to correct this.

Of course, there can be ups and downs in profits; however, every company has a duty to take care of its shareholders in order to maximize its return on investment.

To do this, there must be responsibility for errors and faults. And therein lies the problem! Risk management follows a “blame culture.”

The Operational Risk Manager will blame operational staff for not reporting accurately.

The Group Risk Manager will blame the Risk Manager for not integrating the Risk Management framework into the business.

The Risk Manager will blame the Group Risk Manager for not carrying out audits and controls.

The Chief Risk Officer will blame the Chief Risk Officer for not implementing safeguards to manage the risk appetite of the business.

The CEO will blame the CRO and just say it’s his responsibility, not mine!

The IT department gets blamed for anything to do with computer hardware or software.

It reads like a children’s storybook, but unfortunately it’s all too true!

Earlier in this article I said that “To have a useful risk management framework, there must be accountability.” Now by responsibility I don’t mean blame. What I mean is the responsibility to rectify mistakes, bad practices, and non-compliance with policies and procedures.

If the responsibility lies with the person who did not follow the procedure, then there is a real possibility of not reporting. We see companies like Enron, WorldCom, Andersons, and The Royal Bank of Scotland in the news all too often, and this undermines public confidence in the regulatory practices of any large organisation.

To get away from the blame culture, the risk department should be divided into separate sections and, at a minimum, into the following:

  1. Risk Audit Section: whose sole job is to find problem areas and critical points within the risk framework, by conducting a series of Risk Audits. This section must report directly to the head of internal audit. In addition, the Head of Internal Audit must be completely independent from the risk function.
  2. Risk Management Reports Section: whose job is the production of daily, weekly, fortnightly, monthly, etc. reports and Management Information.
  3. Risk Management Policy and Procedures: whose role is to ensure that the organization actually learns from its mistakes by ensuring that policies and procedures and controls are in place so that similar errors do not happen again.

Whenever possible, risk professionals should cross-skill with multidisciplinary specialties. For example, Information Technology and Risk Management, or Finance/Accounting and Risk Management, or any other combination that can help the business. Now I say this from experience, as I am a chartered tax assessor, a risk management professional, an IT specialist, and an NLP Master Coach and Certified Trainer, but that’s another story!

What makes these cross-skilled risk managers an asset to any organization is that they can understand the technical language as well as the inner workings of the areas and departments in which they specialize. This, in turn, means fewer errors and mistakes are made when departments need to communicate with each other and deliver work to other departments. Or indeed, just hosting an effective meeting would help organizations a lot.

Furthermore, if the departments themselves, from the CEO to the people at ground zero, could effectively communicate with subordinates, peers, and executives using language that steers us away from blame culture, this would mean that risk could work effectively to reduce risk instead of hiding from mistakes.

So, in summary, I would conclude that effective communication at all levels, as well as true responsibility for future actions and not for the past, will lead to greater confidence in Risk Management as a whole.
