Cultivating a risk intelligent culture - Understand, measure, strengthen, and report | Whitepaper
Process follows culture
There is no “one size fits all” solution to risk management - how an organisation manages risk should align with, and support, its strategy, business model, business practices, and risk appetite and tolerance. This is especially true in the financial services industry where significant risk-based decisions are being made throughout organisations on a daily basis.
Essentially, a Risk Intelligent Culture exists within an organisation when its employees’ understanding and attitudes toward risk lead them to consistently make appropriate risk-based decisions. Consequently, an organisation’s risk culture drives the behaviors that influence day-to-day business practices, and is a significant indicator of whether the organisation embodies the characteristics of a Risk Intelligent Enterprise™.
To a large degree, an organisation’s culture determines how it manages risk when under stress. For some organisations, their risk culture is a liability. For others, it facilitates both stability and a competitive advantage. To that end, an organisation wishing to cultivate a Risk Intelligent Culture should first understand and measure its existing risk culture.
Understanding risk culture
Having a Risk Intelligent Culture means that everyone understands the organisation's approach to risk, takes personal responsibility to manage risk in everything that they do, and encourages others to follow their example.
The organisation's symbols, management systems, and behavioral norms should be aligned to encourage people to make the right risk-related decisions, and exhibit appropriate risk management behaviors.
The first step is to understand the existing risk culture and measure how well it supports the organisation’s risk strategy and risk management approach. Deloitte’s Risk Culture Framework and corresponding Risk Culture Survey provide a structure and process to help clients in their efforts to achieve this.
The Risk Intelligent Enterprise™
A strong risk culture is a pervasive theme of the nine fundamental principles of a Risk Intelligent Enterprise
- In a Risk Intelligent Enterprise, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organisation.
- In a Risk Intelligent Enterprise, a common risk framework supported by appropriate standards is used throughout the organisation to manage risks.
- In a Risk Intelligent Enterprise, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organisation.
- In a Risk Intelligent Enterprise, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
- In a Risk Intelligent Enterprise, governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organisation’s risk management practices to discharge their responsibilities.
- In a Risk Intelligent Enterprise, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
- In a Risk Intelligent Enterprise, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
- In a Risk Intelligent Enterprise, certain functions (e.g., Finance, Legal, Tax, IT, HR, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organisation’s risk program.
- In a Risk Intelligent Enterprise, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organisation’s risk program to governing bodies and executive management.
Page Last Updated