More financial institutions are now evaluating their risk cultures more regularly, a survey by the Risk Management Association (RMA) and Ncontracts has found.
According to RMA, risk cultures encompass messages, policies, behaviors, and other factors that determine how closely an organization’s decisions match its stated strategy, appetite for risk taking, and principles.
However, the survey also found that moving to remote and hybrid work has caused shifts in operating environments and culture that have prompted institutions to revise risk management incentive programs—and could cause shifts in risk culture in the future.
The survey, which involved 57 community, regional, super-regional, money center, and investment banks headquartered in the US and Canada, showed a rise in the number of respondents that evaluate risk culture has been rising steadily. While around half the respondents regularly evaluated their risk culture five years ago, all do so today. This highlights the growing importance of a robust risk culture for organizations of all sizes, especially financial institutions.
Other findings include:
According to Ed DeMarco (pictured above), chief administrative officer and general counsel of RMA, huge upheavals and disruptions caused by COVID-19 and the Russia-Ukraine war provide an opportunity for organizations to evaluate their risk cultures.
“Any time you have events that are unexpected and pose major risks, it’s an opportunity for institutions to assess the strength of their risk culture,” DeMarco told Corporate Risk and Insurance. “In risk, we tend to rely on historical data. Events like the pandemic and the war in Ukraine challenge our assumptions and force us to use new datasets to determine risk and build it into decision-making. This provides a great opportunity to debrief and reassess how we identify, assess, and address risk. Involving the whole organization in this discussion leads to an even stronger risk culture. As a result, I would expect these events to actually strengthen organizations’ risk cultures for those institutions that take the time to really think about the impacts on their organization.”
DeMarco also described how organizations with advanced cultures approach risks, especially in today’s volatile environment.
“Organizations with the most mature risk practices assess the entire risk landscape, identify their risk appetite, and monitor residual risk related to all their risk categories in an ongoing fashion,” he said. “They link these frameworks to specific strategic goals for the institution’s employees to promote an understanding of how risks evolve and the impact of those changes on the institution’s goals and objectives. They also regularly re-evaluate their risk culture and goals (66% of respondents in our survey with Ncontracts said they do so annually), cascade risk messages to the organization broadly (only 37% of respondents in the survey said they do this) and implement new tools and techniques to capture baseline results and track trends. One other thing to note, especially in today’s ultra-competitive talent environment, is that they revise recognition and incentive programs to encourage employees across the organization to prioritize risk management and to help retain the risk management group.”