An organization should build and promote a culture that encourages appropriate risk taking that is consistent with overall risk appetite. Individuals have certain beliefs, attitudes and values related to risk and risk management and factor risk into their business activities. An organization should ensure that these mindsets are consistent with the organizational strategy and consistent with the ethical culture.
Principles
> Explicit risk appetite and philosophy
> Appropriate risk management behavior modeled, communicated, and supported by the board and senior management
> Risk management philosophy and mindsets of the workforce understood and shaped
> Risk management culture never encourages taking legal compliance risks -- compliance is MANDATORY
> Appropriate risk management climate (formal structures) in place
Business Objectives
- To understand and evolve the way the entity integrates risk management concepts into day-to-day activities
Considerations
- Possibility of different risk cultures in different business units and functional areas
- Differences in risk culture should be considered in any mergers or acquisitions where clashes of culture may arise
Critical Success Factors
- Differentiating between the views on risk held by the entity and by individuals within the entity
- Understanding how the risk culture actually operates, rather than just making statements about the risk culture