To strengthen your risk culture, start by asking these questions
As board members and management look to improve their organization’s Enterprise Risk Management (ERM) system, it’s important to start by asking several critical questions, financial consultant Roberta Wagner of Bugbee Wagner PLLC says. In this guest column, Wagner proposes several topics executive leaders should probe in order to strengthen the process.
Enterprise Risk Management: Organization or Culture Risk
By Roberta Wagner
The hub of any strong Enterprise Risk Management (ERM) system is the organization’s risk climate or culture, i.e., the attitude and approach the organization takes toward identifying, monitoring, controlling, and mitigating risk.
Truly understanding the risk climate requires more than just completing checklists. It is at the very heart of how executive management and the board approach risk, and it's often not black or white. How are decisions made in the organization? Are opposing concerns minimized? Are executives encouraged to discuss concerns? How does the board or executive management discuss the things that keep them awake at night? How strong is the “bad-news network”? How is the quality of management and human resources practices incorporated into the ERM system?
Below are some questions that board members and CEOs might ask to begin this critical part of developing a sound ERM. We find in our work with organizations that assembling confidential board and management responses to these questions is often enlightening and can help to strengthen the risk culture.
1. Have the major perceived risks to the organization been:
b. Ranked, and
c. Discussed with the board?
2. What risks do you see that are neither clearly identified nor a part of management/board focus?
3. Has the board approved a risk appetite statement?
4. What are the incentives and penalties for officers who identify risk in the organization?
5. How are the “cons” of a major new initiative handled in executive management and board sessions? Does an atmosphere of “group think” prevail, or are alternative ideas encouraged?
6. What happens when a major risk is uncovered that was not identified by management?
7. How are concerns about executive performance handled?
8. Is the board conversant with the various risks?
9. Is there a split on the board?
10. Does the board add value to strategy development?
11. Can you clearly describe your institution’s strategy?
12. Does the entire executive management team have responsibility for ERM, or has one lower-level officer been assigned the responsibility?
13. Have both performance and leading indicators been identified for all major risks? (For example, on asset quality, a key performance indicator is the coverage ratio. Risk indicators for various concentrations in the portfolio might include industry performance ratios.)
14. How are risks monitored and reported? Do you have a risk model?
15. How strong are your controls on risk? (For example, audit or policy limits and reporting.)
Just answering these questions and having a candid, thorough discussion of what that means for ERM in your organization will take you a long way in developing a strong ERM system.
Roberta Wagner has more than 30 years of experience in the financial services industry in senior regulatory and consulting roles. She is a founding partner of Bugbee Wagner PLLC (www.bugbeewagner.com), which is headquartered in Gig Harbor, WA and provides enterprise risk management, regulatory advisory, and other traditional management consulting services to financial institutions.