In my prior blog post I discussed Talent, one of the essential attributes of a strong risk culture, which are:
• Vigilance—Being alert to emerging threats and opportunities.
• Agility—Deciding and acting in time.
• Collaboration—Being able to work together effectively on risk issues.
• Communication—Sharing information and ideas about risks.
• Discipline—Knowing and doing what is right from a risk perspective.
• Talent—Attracting and motivating people who have the necessary risk knowledge and skills.
• Leadership—Inspiring, supporting, practicing, and rewarding good risk management.
This time I will discuss Leadership—the absolute prerequisite for building an effective and sustainable risk culture.
CEO commitment proves essential
Without strong leadership from the CEO, enterprise risk management will fail sooner or later (probably sooner). The reason is simple:
Embedding good risk management throughout the organization’s decision-making is hard. Hard things are not accomplished unless the CEO wants them to happen and makes them happen.
Too many bank boards and CEOs think that they can delegate enterprise risk management to the Chief Risk Officer.
This is a dangerous illusion.
In fact, the CEO is really the chief risk officer because the CEO has direct responsibilities for risk management which cannot be handed off to anyone else:
• Strategy=Risk. The CEO must understand and sign off on all significant risks that are embedded in the bank’s business strategy. The CEO owns the bank’s strategy and therefore owns the risks of that strategy.
For example, is the bank’s commercial lending business positioned to earn an attractive return on the risks being taken? Ultimately, the CEO must decide.
• Chief risk guardian. The CEO must protect the bank’s franchise from excessive or inappropriate risks that could derail its business strategies, damage its reputation, or impair its access to capital.
For example, are the bank’s operations exposed to crippling losses from fraud, business interruptions, or cyber attack? Ultimately, the CEO must make the call to reign in potentially dangerous activities.
To carry out these responsibilities, the CEO must be the driving force in laying out the bank’s risk management values and must commit and underwrite the organizational change required to live up to those values.
Ultimately, the CEO must back words with action.
No need to be Chief Risk Geek
The CEO certainly does not need to be a risk geek.
Many specialized tasks should be delegated to others, including the CRO. But the CEO needs to be fully engaged in the fundamental risk judgments that underpin the bank’s strategy and the health of its franchise.
How do we know that the CEO is on the right track to building a strong risk culture?
There are many observable indicators, some of which are:
1. The CEO has endorsed and implemented a specific risk management framework that spans the entire organization.
This framework specifies methods for identifying all significant risks; for measuring and monitoring risks; for deciding which risks are worth taking and which are not; and for judging whether the bank as a whole is taking too much (or too little) risk.
2. The CEO has provided sufficient funding and support to signal the vital importance of good risk management to the organization.
3. The CEO is seen to reward good risk management and punish bad risk management.
4. The CEO and his team are seen to apply the bank’s risk management principles to their own behavior and decisions.
Hypocrisy doesn’t sell.
5. The CEO is held to account by the board for success or failure in building a strong risk culture.
It should be apparent from this and previous blogs that building a strong risk culture is both vital and difficult.
In the course of this series, we have outlined an ideal state and no bank can reach perfection. But having a clear goal toward which steady progress is being made is the best we can do in this world. Banks which make the effort will likely outperform those which do not.
For links to the entire seven-part series, click here.