Risk Culture and Business Performance

Dr Paul Quigley, Dean of The Institute of Banking, shares some insights into the world of Culture Risk:


In a former life I was asked, as the Chief Risk Officer of a large financial institution, to speak at the end of a strategy away day for the senior management team. In response to the CEO outlining the multi-year strategy, each country head and divisional business leader had spoken confidently on their plans for development of their businesses in the coming year. Last up, at the end of a long day, was the CRO.

I began my comments by saying that the risk management function is not likely to contribute much to the revenues of the firm. However, if it does its job properly, it creates the confidence in the organisation to enable it to raise the capital and funding that provide the lifeblood for business growth and development. In order to do this job effectively it needs to be trusted by management with access to people, data and systems, to form an independent view on the risk profile of the firm and to act in the interests of the firm in seeking to manage this risk.

The essence of the role of the CRO is to help management build good businesses, which I define as sustainable businesses built on a thorough understanding of customer and organisational needs and capabilities. To achieve this, the CRO needs to demonstrate all of the knowledge, insight and ambition of business leaders, as well as discerning judgement as to when and how to intervene to steer the business away from unwanted exposure.

There is a subtle cultural difference between this view of risk management and the one most common in Enterprise Risk Management (ERM) frameworks, which emphasises the roles of first and second line of defence in risk management. In my view of the function, the CRO promotes the adoption of a system of risk-based financial management to drive the performance of the business. He/she seeks to influence every aspect of the business by participating actively in the design of the decision processes, performance measures and incentives that determine business success. 

In applying the first and second line of defence models, firms have become over-reliant on reporting on risk appetite compliance and key risk indicators at the expense of active engagement with business leaders on how to mitigate unwanted risks. While the risk management function contributes little to revenue generation, it has the capacity to destroy significant value by failing to discriminate between avoiding risk and managing risk. If it can’t be trusted to use the information provided by management to improve business outcomes, it risks the danger of becoming an after-the-fact reporting function with little influence on the key drivers of business performance. This is an opportunity lost at great expense to the firm.


The Institute of Banking offers a range of UCD-accredited programmes covering areas such as Conduct and Operational Risk, Banking and Financial Services, Funds, Credit and Financial Planning. Join us at our next Open Evening on Wednesday 16 August, where you will have a chance to meet with our faculty and discuss your options, the application process and any other questions you may have. Registration is available here.