It can be argued that risk management and compliance in banks became a mathematical exercise which for all practical purposes ignored human nature. We have, hopefully, now learned that risk management is just as much an art as a science. For the CRO of a financial institution, the most important things now are culture and its related risks.
Effective risk management comprises the following.
* Understanding the control environment, including the competence of the board and staff, the culture, key motivators and the ethical climate.
* Understanding the company’s strategy and purpose and the associated risks.
* Understanding the business model, the value drivers, the systems and their associated risks.
* Balancing risk against reward.
* Efficient business processes, including management and financial reporting systems.
* Compliance with relevant requirements.
* An appreciation that risk management is not about managing individual risks, but about understanding patterns of risk and how they are interrelated.
* Understanding all the significant risks threatening, or potentially threatening, the company, including those which might kill it.
* The board and the company’s attitude to risk and their willingness to accept it.
* The ability to manage risks so they are within limits of acceptability.
* A process of feedback involving monitoring and learning, so that strategic and other key decisions are taken only where the risks are understood and acceptable.
* In any complex large organisation, an independent assurance function that gives objective assurance, to the board or the non-executive directors, on each of the above elements.
* The board having ownership of, and strong commitment to, risk management, including a clear understanding of the above elements.
A holistic understanding of risk is essential. If we liken a company to a 50-floor building, it is important that risk is considered at each floor. The best view of risk will probably be gained from the top floor or the roof, but problems could also exist below ground. Other risks can arise from activities on each of the floors. It is important to know who and what you let into the building. It follows that risk should be considered across the whole organisation, taking into account its place in the environment. Scenario planning of risk is highly desirable.
Source: Risk and reward: tempering the pursuit of profit, by ACCA