What Organizations Need to Know about Risk Culture Audits

Today’s risks require more proactive oversight by boards of directors on the issue of risk management. Transitioning to this approach is easier said than done, however. The trouble is that many organizations are weighed down by antiquated risk management frameworks that prevent them from being proactive. Even today, how financial services and other industries address risk is deeply ingrained in organizations’ character, requiring a broader change that extends beyond simply implementing new risk management frameworks.

Overcoming this hurdle is no small task. In fact, businesses across the capital markets are primed for a risk culture rewiring.

What’s in a risk culture audit?
A risk culture audit is a critical first step in reinventing risk management because it helps identify challenges in behavior and reorients how companies think about today’s increasingly complex risk landscape.

Here are the key focus areas in any risk culture audit:

Organization Vision and Values: Evaluating leadership and established communications by senior leaders relative to risk and compliance.

Risk Management: Evaluating the maturity of risk frameworks, defining clear roles and responsibilities, and implementing education and training programs designed to empower individuals to include risk management in their decision-making consistently across the organization.

People Management: Understanding how risk management is introduced early in the onboarding process, on both the front end and the back end, and how it is built directly into incentive compensation programs.

Risk culture audit lessons learned
I recently led OCC (Options Clearing Corporation) through one of these trailblazing exercises, leading me to my new mantra of “identify, escalate and debate.”

Rather than promote a reactive risk culture in which specific risk incidents derail teams from business-as-usual, we’re adopting a risk-focused culture that enables our teams to escalate an event immediately, assess its impact quickly, and debate its resolution broadly.

While every financial institution has unique considerations in its risk management framework, OCC’s risk culture audit revealed some key hurdles that are commonplace across financial services firms.

The first challenge is developing a risk management framework that boards and management can easily implement for risk oversight. This framework can be difficult to pin down because it must be formal, objective, and metrics-driven—and ultimately must map back to a risk appetite and process that team leaders can follow.

The second challenge is developing an action plan to help team leaders manage the shift toward a proactive risk culture. To effect change, team leaders need to be able to demonstrate that the new approach reduces risk or manages new risks within the firm’s risk appetite. Oftentimes, this means replacing human judgment with transparent rules and objective criteria.

Finally, the third challenge is shifting employees toward adopting a risk-based mindset at the individual level. A successfully retooled risk culture ultimately comes down to the people. Doing this successfully requires firms to reinforce the new risk culture at every turn, such as linking positive risk culture behaviors to performance rewards. At OCC, we are working on this third piece of the puzzle by identifying “risk champions” across the business and training them on the techniques needed to evaluate risk.

At the end of the day, financial institutions’ risk cultures must support risk management models that ensure market confidence does not erode, that issues are addressed, and that business continues as planned. I have concluded the best way for organizations to do this is to use a risk culture audit to identify opportunities that will help them transition to a strong risk-oriented business model. This enables them to comprehensively evaluate and understand the risk posed to their business, put mitigating controls in place, and enable an environment where risk can be discussed openly across the firm.

If companies can re-orient their risk culture to be more forward-thinking, they will put themselves in the best possible position to address today’s ever-evolving and complex risk environment.