Page 63 - iiA
Taskforce have harped upon and intend to deliver to the industry, regulators and external agencies through the Model Risk Code include:

• Perceiving Risk Management as a ‘competitive advantage’, not compliance: Need for appreciation of risk management as being able to offer novel opportunities and create a significant competitive advantage if dealt with appropriately, else may also lead to an existential crisis.

• Risk Management as an ‘enabler’, rather than a ‘detractor’: The analogy one may use is about brakes in a car: you can drive as fast as you want because you know there is a brake that can slow down your speed when required. A good and well-governed risk management framework is also meant to allow businesses to take faster, bolder, risk-informed decisions, knowing very well that if things go off the track, the risk management framework will quickly pick it up and enable course correction.

• Busting the myth of Internal audit being tasked to play the role of Risk Management function: Internal audit is an independent third line of defense, i.e. more of a monitoring function, whereas Risk management needs to be owned and managed by the business - first and second lines of defense. While internal audit provides an independent assurance, Risk Management is a partnering role with the Strategy or equivalent function in terms of future proofing the organisation.

• Tone from the Board: How it needs to lead by committing requisite resources for enhancing risk management processes including people, technology, external partners, time, attention, training, and communication. Also, how it needs to set expectations, and define the scope and frequency of risk reports it expects to receive from executive management including heat maps to reflect significant risk factors.

• Building KRAs around Risk Management: Need for embedding risk considerations in strategic and business decision making into the DNA of the organisation. Embedding risk considerations and defining responsibilities for various parts of the risk management process to be made part of the KRA definition.

• Culture of ‘fail fast’: Need for organisations to promote a culture of ‘fail fast’ and celebrate such early-stage failures. Early-stage failures have a lower impact which in turn allows organisations to promote creativity, and innovation, and a culture that offers a chance for course correction.

• Using the ‘What if’ approach: Consideration and evaluation of scenarios beyond the Business-as-Usual activities by using the ‘what-if’ approach to scenario building which will allow managers to brainstorm and prepare for specific downside events and plan for the unexpected.

• Stakeholder engagement: How critical it is to engage and communicate with internal and external stakeholders (i.e., employees, customers, vendors, third parties, lenders, regulators, shareholders, and the community) to appropriately address the various risks emanating from them.

• Ability to foresee risks / disruptions: How organisations need to get better at scanning internal and external environment to identify noise, signals which could eventually hit as real risks.

• Addressing ‘early warning signals’: Realising that small failures or seemingly insignificant individual risk events that are causing losses may be ‘early warning signals’ that, if not detected and addressed in time, may lead to catastrophic failures.

• Need for enhancing the Risk organisation structure:

1. Merit in widening the applicability of a
INTERNAL AUDIT TODAY 60

