Risk management is a sequential series of tasks: analyse, forecast, investigate and mitigate against risk. Risk reporting alone is just fine for appearance – this is where many lax financial companies ran into trouble in recent years. Any reaction to a threat in such firms is likely to be ineffective because the risk management function will be underfunded and understaffed. Lack of training and proper risk management procedures result in a haphazard counter-attack against risk. Organic risk management takes the human and team factors into account to build a risk-managed corporation. This means an active risk outlook, not a passive one.
RAMP is a project methodology that has in-built self-checks to counter bias or project deviation. It should be considered for managing financial projects. This way we can have a real audit check that goes beyond simple numbers on the balance sheet, towards monitoring the fundamental sources of business risk. RAMP provides a design template for implementing a project.

Effective counter-measures have to be put in place and tested. We have outlined some of the Basel II guidelines for effective risk management. The trouble is: “Do you have the corporate influence and the budget to get the proper risk management in place?”
Where advice and plans fall on deaf management ears, nothing concrete is likely to be done. Budgetary constraint, as an opponent, is no stranger to the champion of risk management.
The financial world is set on cutting costs and automating business processes; risk management systems are just one facet of this drive. Yet, the quest for lower costs and automation can blind us to the fundamental areas for error. Human intervention and room for exercise of staff initiative can become stifled.
This is partly why human error is cited as the source of most operational failures. However, this is often just an excuse for poor management and badly designed systems and processes that remove checks and controls in an effort to improve efficiency by lowering costs.
Much of this corporate culture against disclosing the truth stems from the top of the financial institutions. Switzerland, for example, makes whistle-blowing a crime. Therefore, unfavourable financial assessments can remain hidden from the investors. Whistle-blowing really saves investors money in the long run. It pinpoints the perpetrators of economic crimes and reduces the period during which they could be removing or destroying economic capital of the company and its shareholders. Whistle-blowing reduces the time-lag after which auditors and investigators can look for relevant evidence.
Whistle-blowing works on a raising series of red flags. When there is no visible recourse, or for major crimes, resort to an escalation of whistle-blowing. Alert the press and media, then report to regulators, police and other supervisory authorities. A proper whistle-blowing methodology can be set within the staff contract to lift the lid on fraud and crime. For minor transgressions: keep the dissent internal initially and keep an account of all errors, crimes and relevant data. Consult the ombudsman or newspaper if the company refuses to act.
Whistle-blowers must be protected and encouraged. Right now, the downside risk is being fired or shunned in the professional for “squealing” on the company or colleagues, while the upside potential is not much. Immediate risk is being questioned for technical competence, political competence, sanity, naivete ́; onus is on the whistle-blower to understand the
whole of the story; first managerial reaction is often “you do not have a view on the whole picture”.
Many corporations do not encourage whistle-blowing. Certainly, discouraging the leaks of information is an overt attempt to block all events that present a corporate reputation risk. Enron did not support whistle-blowing, but preferred to hide or shred the facts. Fraud and concealment of the truth were deep-rooted in the structure of the company. Worse, the fraud was perpetrated at the top. A company has to have a structure that is rooted in business and risk management.
Risk ignorance does not work, especially if the top management is ignorant or crooked. What an open risk-managed structure does is to open the corporation to the control function of the risk managers. They actively let the company be open to the idea that “squealers” can inform on the company if something wrong or fraudulent is suspected.
An internal company “fraud hotline” should be set up, where anonymous whistle-blowing can be channelled and processed for action. Nowadays, whistle-blowing is possibly anonymously through setting up temporary email accounts that access the regulatory website.

Risk management has suffered from various forms of opposition from top management. Something along the lines of:
Expensive – the IT systems and the rocket-scientists are all too much to pay.  Slow – risk groups will never deliver on time.  Naive expectations – the risks will never hit us.  Weak management – let’s talk about this sometime (procrastination).
Unrealistic – we’ll get the insurers and lawyers to get us out of the jam. Once we convince top management that there is a justifiable business case for risk management, then we can deploy a full range of countermeasures. We still have to be alert to market
changes, but risk management gives us a safety buffer. Everyone is trying to move ahead of the investment pack. Given so much ego and PR, there is a crying need to compare performance. There are various forms of benchmark, e.g. against the previous year’s performance, whole industry or the top rival in the sector, etc.
Benchmarks are used to handle trickier points of detecting operational risk within a company. Fine corporate PR and good-looking financial statements could have been ripped apart by organic risk red flags. One of the problems may be that the risk management reports sent to the board do not have the right information, a suitable format to understand, or the board may not have the skills to understand.
We have already detailed the Barings, Enron–Andersen, Worldcom incidents of the ships that sank. What can we say of the boats that stay afloat? MCI floats on, after its previous incarnation, WorldCom, sank.
What we need to do is to examine the living corpse that is the company CEO before they cause damage. This process may reduce or even prevent financial losses that have caused major shareholder grief in recent years. We have to conduct an adequate due diligence before the company falls apart with us locked into the investment. Part of this process comes under the investigation comprising forensic accounting.