The top 10 things likely to go wrong if a finance company fails to instill a robust risk-management culture
1. Undisciplined introduction of new products. A failure to fully review the risks associated with new products prior to their introduction may result in an inefficient use of capital, reputation risk, and increased liabilities. 2. Stakeholder value not optimized; opportunities missed. Stakeholder value should be enhanced through the dissemination of the knowledge that a company has in place a risk culture that will allow it to identify issues at earlier stages. Further, a robust risk culture will allow for faster identification and pursuit of opportunities in line with the company's defined risk appetite. 3. Inefficient and ineffective use of capital. A risk culture assumes that business opportunities can be "risk weighted," bringing into the decision-making process a risk-adjusted decision about which opportunities would offer the greater possible returns given a firm's capital structure. 4. a. Risk appetite unknown. Not knowing what a firm is willing to do in terms of risk acceptance will lead to uncertainty and a lack of guidance for the organization, possibly resulting in poor or inefficient decision-making. b. Poorly understood or estimated risk limits. A lack of certainty will cause confusion as to what a company is willing to accept in terms of, for example, counterparty risk or trading limits. 5. Risk models unchallenged. Overconfidence in models and their output contributed to the current financial crisis. A risk culture will require that model inputs and assumptions are regularly challenged and the results questioned. 6. Risks remain hidden Internal control policies are incomplete or not documented or followed. An effective audit of risks and consequences will not take place, exposing the organization to losses it could have mitigated or avoided with proper due diligence. 7. No check and balance for risk-takers. The review and decision-making process surrounding the assessment of risks, in particular the oversight function relating to risk-takers, needs to be robust and independent. A failure to objectively assess risks and risk-taking can lead to catastrophic results. 8. Incentives focused on short-term returns. Taking a short-term view of results can lead to poor decision-making at the expense of hoped-for immediate positive returns and the taking of unwarranted or inappropriate risks not in the best long-term interests of stakeholders or the company. 9. Risk unnecessarily avoided. Profits are derived from risk-taking. A failure to take risk or avoiding risk even though it would be within the organization's assumed risk appetite will lead to underperformance and a failure to optimize stakeholder value. 10. Communication and reporting fails. Organizations should strive to understand their risks from an enterprise perspective, which includes the reporting or communication of risks and risk-taking, as well as opportunities presented by dealing with risks in an efficient and optimal way. A failure to develop a risk culture that provides for the communication of risks, risk-taking, and their consequences, either positive or negative, is not in the best interests of any organization.