Risk professionals are often asked “how do you know when good risk culture is embedded?” One answer we often hear is that this is demonstrated when your second-line risk function is included in risk discussions across the organisation (Board, Executive, Business) from the outset.
This concept indicates a level of risk culture and is sure to please regulators, but I have a lived experience that I think provides better evidence of actually “embedding” risk culture.
When we think about the traditional three-lines-of-defense model that most organisations who are serious about managing risk employ, we can think about this quite literally. When we do this, it becomes obvious that a rock-solid first line negates the need for a beefed-up second line. But we can only achieve a truly solid first line of defense when risk culture is embedded in the first line... no holes in the dyke.
So, in answer to the question “how do you know when good risk culture is embedded?”, I would suggest that this can be evidenced by a reduced need for second line input in respect of those risk processes that can be performed by the first line. When the first line is behaving in a risk aware manner and is taking accountability for the risks in the business, thereby reducing the need for the second line to step in and manage risk process, you know risk culture is embedded.
#riskculture #noholesinthedyke