New Standard for Risk Management (Part 1) - Governance and Risk Culture
Dennis Cox is the Chief Executive of Risk Reward Ltd, the Global Risk Forum and chairs the Chartered Institute of Securities and Investment Risk Forum based in London. In this, the first in a series of articles on the subject, he proposes what he believes are the new standards for risk management in light of the plethora of recent reviews and papers generated by international regulators, national governments and the banks themselves.
Background
On 16 February 2010 the Committee of European Banking Supervisors (CEBS) issued their High Level Principles of Risk Management. This followed the declaration of the G-20 leaders on 15 November 2008 to "develop enhanced guidance to strengthen institutions' risk management practices, in line with international best practices, and encourage financial firms to re-examine their internal controls and implement strengthened policies for sound risk management."
As a result of conducting a gap analysis and developing a road map, the CEBS identified the following gaps that required addressing:
1. Governance and risk culture
2. Risk appetite and risk tolerance
3. The role of the Chief Risk Officer and risk management functions
4. Risk models and integration of risk management areas; and
5. New product approval policy and process
Of course, only some of these were actually related to the crisis and, as with any rule development exercise, the opportunity has been taken to look at a range of issues. In this series of articles we will look at some of the key elements of these new principles.
Governance and Risk Culture
The Risk Culture
The principles state that "A strong institution-wide risk culture is one of the key elements for effective risk management. One of the prerequisites for creating this risk culture is the establishment of a comprehensive (covering all risk types, business lines and relevant risks) and independent risk management function under the direct responsibility of the Chief Risk Officer (CRO), or the senior management if a CRO is not appointed, following the principle of proportionality."
So what actually is a risk culture, and how can one be created? Can you just buy one from a consultancy firm? We often get asked to provide a standard version of a document that can be tailored to any bank. In this case no such document can really exist. A risk culture is driven by the tone of senior management and is inculcated in all of the employees and operations of the bank. It is all-embracing and drives behaviour.
From our point of view it derives from the Goals and Missions of the firm and sets out the parameters within which risk management operates. The risk culture sits at a higher level than individual risk elements and needs to be applied across the entire profile of the bank's risk framework. Are there any risks where the risk culture is not relevant? I cannot think of any: any risk can be transformed, controlled, accepted or mitigated. Accordingly, we view the risk relevant test as being relevant to the bank.










