We believe risk awareness and acceptance are the beginning of the journey, before they become ingrained as organisational culture.
The common mistake is that, to fulfil regulatory obligations, we often quickly identify members from the business team and ask them to run the Risk department. The result: based on their prior business experience, the new risk managers start chasing the Relationship Team or the Branches for Credit Control and KYC compliance. They often target individual customers and products instead of assessing the overall customer portfolio or the product segments. This often leads to constant conflict and resistance towards the newly formed Risk Department, like "we are burning candles at both ends and these guys are warming their seats and chasing us for nothing".
Another common error is to create a Risk Management Policy in a hurry: look up the manuals of other institutions, quickly chop and change a few words, and draft a policy. Here I am speaking of new and smaller organisations, such as a newly licensed MFI or a small SME-focussed Bank. For some MFIs, these things continue for years, with a few spreadsheet-driven MIS that get recorded in the Board notes in an attempt to meet the regulatory requirements.
Risk Management Starts at the Top.
The best way to initiate a comprehensive Risk Management framework is to start with the Corporate Strategy and Business Plan and fine-tune it with the products and processes. The questions to ask are:
Who are your target customers (Market)?
What would be your focus products?
What is your risk appetite to fulfil your goals?
The Board must set the ball rolling for the Senior Management Team to take the Risk Management Policy to the front desks of the institution. The Board should continue with periodic oversight and assessment, so that the communications to the entire team are precise and made relevant to their areas of work. The leaders cannot remain complacent about having a Risk Management Manual that is available for all the employees to read from the archive or the intranet; they must enable tools and resources to enhance the compliance culture. An internal knowledge review (not necessarily restricted to the mandatory qualification of standardised AML and CFT certifications) may be a good way of assessing the depth of awareness. The institution may use the capabilities of many education technology companies in video, gamification and MCQ formats for testing.
The HR department has a key role in ensuring that quantitatively measurable compliance KPIs are included in the Performance Management System of all employees and that there is separation of duties and review of the four-eye principle.
The objective, therefore, may not be complete risk mitigation, but a path towards awareness and knowledge leading to compliant business.