Peter Drucker once said “Culture eats strategy for breakfast.” That should give you an idea of how important Risk Culture is…
By Steven Strickman, LSSMBB and Gary Preysner, CPCU, ARM, LSSBB
This is the third post in a series where I bring you findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive ERM survey conducted by the AICPA in conjunction with NC State Poole College of Management. I highly recommend reviewing the findings, which are available in the “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition” by AICPA and NC State University, found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.
Let’s look at how Financial Services companies feel about several key aspects of Risk Culture:
Impact of Culture on Risk Management: Existing Organizational Beliefs Limit ERM Awareness and Effectiveness
· 55% of organizations gave little to no ERM training to executives over the past two years.
· 54% felt that risk activities had minimal or no influence on performance compensation.
Two or more years is a long time (especially in today’s world) for executives to go without training on Risk Management, especially in Financial Services. Such training should be broad, including risk definitions, detection, and evaluation in terms of frequency, severity and detectability, as well as risk management processes such as the three Lines of Defense. Delivery can vary, from internal programs led by the ERM function, SMEs and functional department leaders, to outside seminars and webinars with external risk consultants. Each has its pros and cons, and management must consider the cost and time tradeoffs. In all instances Senior Management must be aware that without ongoing training and key message reinforcement, risk management awareness, and hence culture, are sure to wither.
As for the finding that risk activities and compensation were not clearly linked, this is bad news for companies that want to manage themselves effectively. If you believe in the saying “what gets rewarded gets done,” then it’s clear that you can’t just talk about managing risks without providing people with tangible rewards for doing so. Nothing works better than focusing the appraisal and compensation process on these objectives.
Although the mechanics of structuring these approaches to balance financial goals with prudent behaviors can be complex, here are some immediate “quick hit” suggestions:
· Identify employees whose roles contain significant Financial, Operational and Reputational exposures, and determine codes of conduct, trading limits, social media policies, etc.
· Develop clear and specific Risk Appetite Statements (RAS) related to business functions, and make sure that those Risk Appetite Statements cascade down to the Operational staff.
· Begin developing risk-adjusted performance metrics for business and individual performance.
· Gain a fundamental understanding of the timing relationships between goals, behaviors, and the potential consequences of those behaviors.
There is clearly room for ERM improvement, and it starts with Senior Management not only getting the message out, but also leading by example in building the appropriate risk culture throughout the organization.
Steven Strickman, LSSMBB is a development partner with Strategic Risk Associates, LLC, as well as a Founding Partner in the Ironwood Consulting Group, LLC, where he specializes in Risk, Operations and Expense Consulting for the Insurance industry. He can be reached at [email protected].
Gary Robert Preysner, ERM/Process Improvement Expert, CPCU, ARM, LSSBB, is the Insurance Enterprise Risk Practice Leader with Strategic Risk Associates and President of The Ironwood Consulting Group. He works with insurance companies across the globe to improve their insurance-specific processes and implement new technologies, while simultaneously strengthening their risk management capabilities. Contact Gary to discuss how he has developed creative and novel solutions to some of the most difficult process and risk challenges that insurance companies face. He can be reached at [email protected].
SRA Watchtower (SRA) is a technology solution provider and risk management consulting practice serving the Financial Services, Insurance and Technology Industries. SRA's proprietary technology and methodology were designed and built by industry experts to enable clients to navigate risk and drive growth. SRA Watchtower is an intuitive risk intelligence and performance management platform built to continuously inform, enlighten, and empower executives and boards. SRA has helped hundreds of banks effectively navigate through significant risk events since the 2008 financial crisis.
Insurance SME and Client Change Agent @ Ironwood Consulting Insurance ERM Head @ SRA Watchtower | CPCU, MBA
10 months ago: Steve is right. Mechanisms and processes only facilitate procedures, not insight or management. Unless risk awareness is internalized as part of the mindset and culture, you don't have a risk management program...you just have spreadsheets and rituals.