Risk Culture: Cornerstone of Successful Risk Management
by François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Corporate Treasurers
This article describes what should be understood by ‘risk culture’ and what this involves. Inculcating such a culture into a company is often a challenge. However, it is a challenge that is crucial for successful risk management (Enterprise Risk Management-ERM). Surprisingly, people manage risk and set up an ERM system without having either a risk culture or a precise definition of their risk heightens appetite or risk tolerance. The financial crisis, and the fragile state of the economy, only emphasise the need to embed this culture throughout the whole company.
Background
No one can deny that there has been real progress over the last decade in the development of risk management tools, techniques and systems in multinational corporations. According to generally accepted practice, boards of directors and audit committees must relate all risks that face the company to its strategic objectives and align them. It is this alignment that often gives rise to problems. In general risks are managed as a whole without aligning them with the strategic risks approach. Everybody is in agreement on the need for a comprehensive, integrated, systematic, specialised and professional approach to corporate risk management (Enterprise Risk Management – ERM). To quote the UK Financial Reporting Council in 2011:
“The issues with which companies were grappling included understanding their exposure to risk and how this might change, identifying the information and assurance that the Board needed to carry out its role, embedding the right risk culture throughout the company and the increased velocity of risk, which had highlighted the importance of effective crisis management”.
Furthermore, if we refer to the international ISO 31000 standard on risk management, it repeatedly stresses the need to embed risk management in corporate culture and that the corporate culture needs to be well understood by everyone. Even the famous COSO II framework (COSO framework – www.coso.org) accepts the importance of the tone and culture of the organisation and how risks are perceived and tackled by employees, within an embedded approach internal to each company. This is one of the key foundations of the COSO II framework.
