Fundamentals of Risk Management
Risk culture
The quality of a risk management policy and details of the requirements and procedures contained in the risk guidelines or protocols will give an indication of the risk culture of the organization. For many organizations, improvement in the risk culture is a valid strategic risk objective. This will be especially true when areas of weakness in the level of risk awareness have been identified.

When undertaking actions to improve the risk culture within an organization, it is important to acknowledge that improving the risk management processes must lead to improvements in risk management outputs. This, in turn, should have a positive impact that delivers greater benefits from risk management. There is little point in improving the risk management processes as a means of improving the risk culture of the organization if the overall effectiveness of the risk management effort is not enhanced.

There is a danger that enhancing and improving the risk management process in an organization is automatically assumed to have improved the risk culture. It is possible for the risk management process to be enhanced without the risk culture of the organization being improved. For example, a more aggressive internal audit programme may improve compliance standards, but that does not guarantee that the risk culture of the organization has been enhanced. Improvements to the risk management process may not deliver any additional benefits, whereas improvements to the risk culture should be expected to provide an enhanced level of risk assurance.

ISO 31000 places considerable importance on context, and this is illustrated in Figure 6.4. Information is provided in the standard on the importance of the external context, internal context and risk management context for the organization. Context is closely related to risk management culture and the benefits that will be derived from enhanced risk management within the organization.
The Canadian Criteria of Control (CoCo) framework of internal control concentrates on the control environment in an organization. Additionally, the COSO ERM framework (2004) refers to the internal environment of the organization, rather than the control environment that is described in the COSO Internal Control framework (2013). The control environment and the internal environment are measures of the risk culture and the level of risk awareness within the organization. An overall improvement in risk performance will be achieved through improvements in the internal context, risk management context, control environment or internal environment. The level of risk maturity, the achievement of a risk-aware culture and the fulfilment of the LILAC criteria set out in Table 24.3 are all means of improving the control or internal environment.

During the 1990s, a system called the balanced scorecard became a popular management tool. This is a management system that enables organizations to clarify their vision and strategy and translate them into action. Many large organizations use balanced scorecards as a means of establishing context for the various initiatives that are undertaken within the organization. The government agency used as the basis for Figure 28.2 is an example of an organization that uses the balanced scorecard.

If an organization uses the balanced scorecard, it is sensible to use the same framework for risk management activities. When risk management processes and procedures are compatible with existing activities, the risk management requirements are more likely to be accepted and fulfilled. This represents an alignment of risk management activities with existing protocols, in order to embed risk management in the organization and create a more risk-aware culture.