Professional Documents
Culture Documents
Risk Culture Program 1706804471
Risk Culture Program 1706804471
Intelligent Culture
Understand, measure,
strengthen, and report
Process follows culture
There is no “one size fits all” solution to risk management — how an organization manages
“A robust and pervasive risk risk should align with, and support, its strategy, business model, business practices, and
risk appetite and tolerance. This is especially true in the financial services industry where
culture throughout the firm significant risk-based decisions are being made throughout organizations on a daily basis.
is essential. This risk culture Essentially, a Risk Intelligent Culture exists within an organization when its employees’
should be embedded in the understanding and attitudes toward risk lead them to consistently make appropriate
risk-based decisions. Consequently, an organization’s risk culture drives the behaviors
way the firm operates and that influence day-to-day business practices, and is a significant indicator of whether the
should cover all areas and organization embodies the characteristics of a Risk Intelligent Enterprise™.1
To a large degree, an organization’s culture determines how it manages risk when under
activities, with particular stress. For some organizations, their risk culture is a liability. For others, it facilitates both
care not to limit risk stability and a competitive advantage. To that end, an organization wishing to cultivate a Risk
Intelligent Culture should first understand and measure its existing risk culture.
management to specific
business areas or to have it
operate only as an audit or
control function.”
– Institute for International Finance. “Reform in the Financial
Services Industry: Strengthening Practices for a More Stable System.
December 2009
1
Please see Resources for a Risk
Intelligent EnterpriseTM for more
information on Risk Intelligent
Enterprise management, available
on Deloitte.com.
1
Understanding risk culture
As used in this document, “Deloitte” means Deloitte LLP and its Expectation of challenge
subsidiaries. Please see www.deloitte.com/us/about for a detailed
People are comfortable challenging others, including authority figures.
description of the legal structure of Deloitte LLP and its subsidiaries.
Certain services may not be available to attest clients under the rules The people who are being challenged respond positively.
and regulations of public accounting.
nc
e Or
ga
A focused assessment is
te
pe n needed to fully understand
ctives
om
Knowle
tio
kc
Strategy
eth
n
& obje
Ris
s
sse
&
d
ce
es
Sk
o
lu
pr s
ills
Va
Le s, re
arn cie edu
ing o l
P pro
&
i c progress of cultural
Recru
itm
& induc ent
tion Risk go
vernanc
e
change.
Risk
ce Culture Deloitte has developed a broad approach to helping clients assess
Performan nt Chall
enge and measure risk culture based on our Risk Culture Framework. The
me
manage
framework consists of sixteen Risk Culture Indicators aligned to the
n M
an four Risk Culture Influencers.
a tio ag
ient em
or en Our Risk Culture Survey allows us to measure an organization’s risk
Le
t
es
k
Ris
tiv
ad
Comm
bility
ers
Inc
ps
unicat
Accoun
M
va
ot
ns
ti o ti o
i
la
ion
n
Re
3
Strengthening risk culture
Finally, it is important to recognize that this road map focuses on the cultural aspects of risk management. The assumption is that all the components of
a formal risk management structure have been adopted, or are being implemented, by the organization. A strong and intelligent risk culture requires that
this risk infrastructure be in place and be effective.
Exhibit 2.
Risk Culture Influencers Road Map for Continuous Cultural Improvement
methods to include
• Leaders/managers to employees risk management
• Peer to peer capabilities
• Risk function to
businesses
Enablers
Leadership commitment Secure the buy-in and commitment of the leadership
team, including executives and the board
Promote organizational risk
Communications Communicate program goals to all stakeholders, and
Organization
management infrastructures
proactively seek out feedback
• Governance and reporting
protocols Measurement and reporting Establish an objective measurement of the
• Procedural protocols organization’s risk culture and report on it regularly
• Behavioral and ethical expectations
• Compliance expectations Program management Manage as a program of change, including
coordinating with other relevant change initiatives
12 40
10
2008 2009 2010 2011 30
2008 2009 2010 2011
5
Delivering risk culture solutions
1. In a Risk Intelligent Enterprise, a common definition of risk, 6. In a Risk Intelligent Enterprise, executive management
which addresses both value preservation and value creation, is charged with primary responsibility for designing,
is used consistently throughout the organization. implementing, and maintaining an effective risk program.
2. In a Risk Intelligent Enterprise, a common risk framework 7. In a Risk Intelligent Enterprise, business units (departments,
supported by appropriate standards is used throughout the agencies, etc.) are responsible for the performance of their
organization to manage risks. business and the management of risks they take within the
3. In a Risk Intelligent Enterprise, key roles, responsibilities, and risk framework established by executive management.
authority relating to risk management are clearly defined and 8. In a Risk Intelligent Enterprise, certain functions (e.g.,
delineated within the organization. Finance, Legal, Tax, IT, HR, etc.) have a pervasive impact on
4. In a Risk Intelligent Enterprise, a common risk management the business and provide support to the business units as it
infrastructure is used to support the business units and relates to the organization’s risk program.
functions in the performance of their risk responsibilities. 9. In a Risk Intelligent Enterprise, certain functions (e.g., internal
5. In a Risk Intelligent Enterprise, governing bodies (e.g., audit, risk management, compliance, etc.) provide objective
boards, audit committees, etc.) have appropriate assurance as well as monitor and report on the effectiveness
transparency and visibility into the organization’s risk of an organization’s risk program to governing bodies and
management practices to discharge their responsibilities. executive management.
2
“Putting risk in the comfort zone: Nine principles for building the Risk Intelligent Enterprise™,” Deloitte Development LLP, 2009.
Available online at http://www.deloitte.com/view/en_US/us/article/6b929c9096ffd110VgnVCM100000ba42f00aRCRD.htm.
7
Contacts