Implementing risk management throughout the company
January 2013 | MARKET OUTLOOK 2013
Financier Worldwide Magazine
The banking sector has found itself under increasing levels of supervisory and public scrutiny. Despite it being over four years since Lehman Brothers defaulted, the industry is still plagued with scandal and struggling to regain public confidence. As the dust settles on successive inquiries, the finger of blame is invariably pointed at the systems, processes and controls that failed to identify and prevent these problems, combined with a lack of organisational governance. Invariably, new reporting standards and controls are introduced to try to mitigate the risk of recurrence until the next time something goes wrong.
What role does governance play?
The theory behind a lot of the enhanced reporting and control processes, such as those required under Sarbanes-Oxley, is that they become integrated into the governance of the organisation, with reports being attested by senior management. The logic of this is reasonable and, as a process, it can be quite effective in smaller organisations with a flatter structure. However, in most large firms, the decision makers responsible for running the company are quite removed from the day-to-day operational detail and risks of the business.
Although reviewing large swathes of management information in risk and board packs may give an insight into a range of risks to which the organisation is exposed, such focus can create a myopic view of risk and result in complacency. Meeting a regulatory standard does not necessarily translate into sound and effective risk management and governance.
So how can effective governance and risk management be put into place?
The simple answer is that a culture of risk awareness has to be introduced into an organisation via a top-down approach to cement a strong governance culture at all levels of the company. Board members and senior executives should take a proactive stance towards the information that is reported to them and be prepared to ask questions, no matter how simple they are, so that they thoroughly understand what is being presented to them and what is going on more broadly in their business.
Most importantly, the real challenge for senior management is to understand the risks that are not reported in their management information packs.
Business is dynamic and although subject to periodic review, the content of management reports is generally quite static. Although ‘obvious’ questions should be asked, it actually takes a brave executive to ask the ‘dumb’ question in an environment where there is a presumption that senior managers are ‘experts’ in the business and should ‘know it all already’. Rationally, it would seem ludicrous for a single person to know everything, but this culture is prevalent in the highly political world of senior and executive management. Hence the critical importance of such a culture being pushed down from the leadership of the organisation.
It is important to note, however, that improved governance at the top of the organisation is only half of the solution. This culture needs to be replicated throughout the firm, with successive layers of management taking a similar approach so that even the lowest-level staff are not only encouraged but expected to question the information and reports that they produce. Ultimately, it is at this level of the organisation where, exposed to the day-to-day operations of the business, staff are best placed to detect new risks and issues and improve, report and evolve operational controls accordingly.
John-Paul Sessa
Principal Consultant
Parker Fitzgerald
T: +44 (0)207 100 7575
E: info@parker-fitzgerald.com
www.parker-fitzgerald.com
© Financier Worldwide