Within the financial services industry there is a significant focus on risk management as a core part of a well-run regulated entity, with risks generally separated into categories that are dealt with depending upon the approaches to their measurement, monitoring and management.
The creation of lists of risks (often termed risk registers) has traditionally led to core business functions not taking full responsibility for their risk exposure, or to the risk function’s work not aligning with the business functions. For example, when the risk function is used to gather risk information and report it to senior stakeholders and regulators, the risk information often becomes divorced from business information, exacerbating the issue.
By linking objectives to risks, communication and understanding are enhanced within a firm, and an organisation has a better likelihood of achieving its objectives, the ultimate goal of risk management.
With regulatory pressure unrelenting, there is a clear need for all levels of a business to understand the risks they are running in order to clearly communicate these risks, and their status, to stakeholders including the three lines of defence, regulators, senior management and investors.
In order to mitigate this problem, a number of institutions have taken to linking the business objectives of the firm to its risks. This serves not only to anchor the risks within the business lines but also to make them more relevant.