
What examples demonstrate behaviors appropriate to the risk culture. How to develop a culture of risk management? Key risk indicators

How to develop a culture of risk management?

The more detailed and clear the business process is described, the less likely it is that some risk will remain in the shadows.

The annual conference "Risk Management 2013: Reloaded", which took place in mid-May in Moscow, brought together risk managers from the largest companies in Russia and the CIS. The word “reboot” in the name of the conference is not accidental: this year its organizer, IC Energy, set a completely new vector for events of this kind. For two days, the participants shared their practical experience, discussed and solved urgent issues together and held business games.

The main topics for discussion at the conference were the issues of risk management culture, modeling the most significant risks, the relationship between risk management and budgeting through scenario analysis and modeling, risk management automation, as well as key risk indicators for operational risks. As the organizers of the conference noted, two interesting trends emerged during the conference. First, risk managers are paying more and more attention to developing a culture of risk management. And secondly, there is an urgent need for qualified personnel capable of modeling and financially assessing risks.

Why we do not notice the pink elephant

The topic of risk management culture, according to the conference moderator, Risk Management Manager of the Skolkovo Foundation Alexei SIDORENKO, is perhaps the most important topic in risk management today. Speaking about risk culture as the human side of risk management, he, in particular, noted: “We talk a lot about modern methods, new tools and fashionable approaches to risk management in companies. But we seem to deliberately not notice the "pink elephant in the corner of the room." This English expression is used when everyone in the audience is well aware that there is one "but", but no one voices this "but" and it hangs in the air. In our case, the giant pink elephant refers to the culture of risk management. All risk management approaches are only as effective as the culture of risk management in the organization and how significant the role that we, risk managers, play in developing this culture is.”

The problem lies in the weak support of risk management from above, on the part of the company's management. Management may understand the importance of implementation, but not everyone understands that the process needs to be constantly supported, energized and financed.

Line managers of the company are not very interested in sharing information about risks. Risk managers have to overcome the reluctance of employees to disclose such information, because the word "risk" is perceived negatively by many and they are afraid of being held accountable for the fact that this risk will manifest itself.

Another problem is that risk is perceived differently by each person: there is no common terminology and classification of risks. It is necessary to go a very long way for everyone to start speaking the same language.

There is an opinion that risk management is the prerogative of only large corporations. And even if claims are being made that all organizations should manage risk, how many SMBs are known to manage risk? Survival statistics for small and medium-sized businesses give rise to sad thoughts, Alexey Sidorenko noted.

In his opinion, the culture of risk management can and should be developed. One of the barriers that is difficult to overcome is that business people do not perceive the situation very positively when someone comes to them and tries to sort out their affairs. “This is perceived as a kind of encroachment on their territory. This reaction sometimes comes from fear. People are psychologically unprepared to assess the risk in their field of activity. They believe that if they voice the risk that exists, then they will be charged with the guilt that they allowed this risk. It just needs to be explained to people that the work to identify risks is precisely what prevents punishment,” said Alexei Sidorenko. “The more detailed and clear the business process is described, the less chance the risk owner has that some risk will remain in the shadows. Unfortunately, in our country there are still very few companies where there is a clear formalization of business processes. The mistake lies in the approach: we often start dealing with risks, but at the same time we have a very poor idea of the business process itself. This is not only a feature of Russia, but also a problem that exists throughout the world.”

How to ensure engagement

The report of Alexey KOSAREV, Head of the Risk Management Department of IES-Holding (CJSC Integrated Energy Systems), was devoted to risk management of investment projects - capital construction projects. In his opinion, the key tasks in risk management are to ensure the involvement of management in risk management processes, timely, complete identification and objective assessment of risks, as well as the formation and control of the use of risk mitigation tools.

The risk management system consists of several stages in a certain sequence. The first stage is to identify risks (violations). The second stage includes risk analysis and assessment of the impact of risks on project parameters. The third stage is the decision-making on the implementation/development of measures to reduce risks (eliminate violations). The fourth is monitoring the implementation of measures to reduce risks (eliminate violations).

Aleksey Kosarev proposed the following procedure for identifying risks: an investment project (object) is assigned to each employee of the risk management unit. The risk manager identifies the risks of each facility in a professional manner - by analyzing documents, visual inspection to control the compliance of the scope and quality of work with the requirements of design estimates, monitoring compliance with the requirements for work, etc.; interviews with employees involved in the implementation of the project, as well as with specialists from related departments; questioning employees; hotline organization.

Then the risk manager generates a report on the results of the checks. It describes the identified violations, the risks, the causes of violations (risk factors), the consequences, the likelihood of the risk (by expert estimate), the damage if it is realized, and measures to eliminate the risk.

Identified risks formulated in "technical language" should be "translated" into "financial language" to assess their impact on project parameters.

At the risk analysis and assessment stage, risk managers identify and analyze the direct and indirect consequences of the identified risk. They make a cost estimate of the damage in the event of a risk realization, and also calculate the impact of the risk on the cost and parameters of the project (implementation period, changes in milestones within the project, etc.). In addition, they analyze the processes - both within specific objects, and in investment activities in general. This includes the planning and organization of work, the selection of contractors, the control of work performance and, for the purposes of improving business processes, the management of investments and the formation of measures to reduce risks.

Measures to reduce risks are formed in two directions. The first is the elimination (prevention) of identified risks (violations) within the framework of specific projects. The second is the implementation of measures to reduce risks in the framework of investment activities in general.

The development/control of the implementation of risk mitigation measures is carried out based on the results of consideration of project risk reports. The governing bodies issue instructions to eliminate specific risks (violations) or issue instructions to develop measures to eliminate (prevent future) risks. The risk manager consolidates the decisions of the governing bodies and organizes control over the implementation of measures to reduce risks.

Integrated risk management platform

Daria NAKHOROSHIKH, IBM Eastern Europe/Asia Risk Analytics Representative, in her report spoke about solutions for automating risk management used by IBM.

“When we look at how systems are evaluated by market analysts, we understand that there are systems that are better or worse suited to a given situation. I will describe the situation for which, from my point of view, the system offered by IBM Open Pages is most suitable,” she emphasized.

The concept is implemented using the GRC platform: Governance (management in general), Risk (risk management), Compliance (management of compliance with requirements and standards). In general, the GRC platform means an integrated approach to risk management. This global vision assumes that risk and compliance with external and internal standards must be managed.

According to Daria Nekhoroshikh, the integrated risk management and compliance platform consists of five standard solution modules.

The first module is Operational Risk Manager (ORM). The Open Pages dashboards provide reporting on the current status of the risk level. They use scenario analysis, key risk indicators (KRIs), a database of realized losses, and corrective actions.

The second module is Internal Audit Management (IAM). The key capabilities of the IAM module include defining, planning, conducting, and reporting business-wide audits; tracking and managing audits, audit stages, working documents and placements; automation of all operations through fully customizable reporting and workflow; risk ranking performed according to the audit methodology.

The third module is IT risk management and standards (IT Governance - ITG). The OpenPages Information Technology Governance (ITG) module is responsible for aligning IT risk management with business objectives.

The fourth module is financial control management (FCM). It is a financial reporting risk management solution. Key features of the FCM module: automated requirements fulfillment life cycle, including the development and documentation of all stages from testing to certification.

The fifth module is policy and compliance management (Policy and Compliance Management - PCM). It is an integrated solution for managing compliance with both regulatory and internal policies; support for assessing the degree of compliance with requirements and standards at all levels (enterprise as a whole, process, business unit, etc.); managing policies and procedures; learning and interaction; support for regulatory certification and audit process.

Within the system, “extensions” to the platform configuration are also possible, relating to privacy, business continuity management, vendor risk management, etc.

Insurance as part of the overall corporate risk management system

The production activities of companies are accompanied by a wide range of risks, the implementation of which should not affect the sustainable operation of companies. This fully applies to companies in the oil and gas sector. According to Andrey ELOKHIN, Head of the Insurance Department of OAO LUKOIL, Vice President of RusRisk, the degree of protection of the company's assets also affects the ability to attract investors: “Any investor, in addition to the usual information about the company's enterprises, should know how safe the enterprises are and how much satisfaction of claims of third parties in case of a possible accident can be dispensed with. In a market economy, insurance is traditionally an integral part of industrial risk management and can significantly reduce the dependence of the company's economic and financial condition on them. Therefore, in any large industrial company, there is a need to develop a coherent and reliable system for providing insurance coverage.”

At LUKOIL, the main requirements for the insurance protection system are defined by a corporate document. At present, the system is a set of specially developed economically sound procedures, enshrined in the form of corporate norms and standards that are mandatory for all management bodies of the company. The procedures include the identification of all (without exception) risks that can pose a threat to the business, that is, the stability and sustainability of the company. This means identifying and quantifying risks with the accuracy required for their use in the budgetary management process and directly in the risk management procedure.

According to the speaker, the advantages of quantitative risk analysis are that both the insured and the insurer see the amount of the maximum possible damage, and the insured clearly understands why the insurance premium is equal to a certain value. In addition, both the policyholder and the insurer can objectively assess the impact of the deductible on the premium.

According to Andrey Elokhin, today LUKOIL has established much more stringent requirements for risk assessment compared to generally accepted ones. The company has developed over 500 industrial safety declarations, which have passed state examination.

The organization of effective insurance protection is impossible without the identification and quantitative assessment of risks; close cooperation with the corporate industrial safety service; evaluation of the effectiveness of preventive organizational and engineering measures for industrial safety; property valuation for insurance purposes; effective claims settlement procedure. Such a system of insurance protection ensures the sustainable functioning and development of the company and prevents risks that pose a threat to business, the health of personnel, as well as the property interests of shareholders and investors, stressed the Vice President of RusRisk.

In general, the conference showed that risk management in Russia in the process of development has gone beyond the boundaries of individual industries. Banks, investment companies and industrial enterprises often use the same definitions and methods for assessing and managing risks. This allows us to say that risk management has become an independent interdisciplinary direction and companies from various sectors of the economy, joining forces, contribute to the development of risk management in Russia and in the world as a whole.

| Culture parameters | Culture with a high level of power distance | Culture with a low level of power distance |
|---|---|---|
| Frequency with which subordinates express their disagreement | | |
| Leadership style preference | Directive | Democratic |
| Perception of inequality | Inequality of people | Role inequality |
| Attitude to leaders | Subordinates view their leaders as "other" people, people other than themselves, such as | Subordinates view their top management as just like them |
| Availability of management | Top management not available | Top executives available |
| Relationship to law | Orders are not discussed: force precedes right | In an organization, law takes precedence over force |
| Structure of organizations | Multilevel, trend towards centralization | Flat, trend towards decentralization |
| Size of the administrative apparatus | A large number of supervisory employees | Management team is small |
| Wage differentiation | | Fairly small |
| Qualification of lower-level workers | | |
| Status of workers and employees | White-collar workers have a higher status than blue-collar workers | Workers have the same status as employees |

3. The desire to avoid uncertainty. The degree to which people in a given country prefer structured situations as opposed to unstructured ones. Structured situations are situations with clear and precise rules for how to behave. These rules can be formalized, or they can be supported by traditions. In countries with a high degree of uncertainty avoidance, people tend to be highly agitated and restless, feverish at work, or "abrupt".

In organizations with a high level of uncertainty avoidance, managers tend to focus on particular issues and details, are task-oriented, do not like to make risky decisions and take responsibility. In countries with a high degree of desire to avoid uncertainty, the prevailing opinion is that everything "not ours and unusual" is dangerous.

Table 3

Characteristics of cultures with high and low levels of uncertainty avoidance

| Culture parameters | Culture with a low level of uncertainty avoidance | Culture with a high level of uncertainty avoidance |
|---|---|---|
| Relation to time | Willingness of staff to live in the present day | Workers are worried about the future |
| Preferred organization size | Employees prefer small organizations | Employees prefer large organizations |
| Age of middle managers | Young people | Middle and old |
| Goal achievement motivation | Sustainable | |
| Attitude towards success | Hope for success | Fear of failure |
| Willingness to take risks | | |
| Preferred career type | Preferring a managerial career over a specialist career | Preferring a specialist career over a management career |
| Qualification of the leader | The leader is not a specialist in the field of management | The manager must be an expert, a specialist in the field of management |
| Attitude to conflicts | Conflict in an organization is seen as a natural state | Conflicts in the organization are unwanted |
| Competition between workers | Normal and productive | Rivalry is not welcome |
| Willingness to compromise with opponents | | |
| Preparedness for uncertainty at work | | |

4. "Masculinity - femininity". G. Hofstede defines masculinism (masculinity) as the degree to which the dominant values in society are perseverance, assertiveness, earning money and acquiring things (materialism), with little importance attached to caring for people. He defines feminism (femininity) as the degree to which the dominant values in society are relationships between people, concern for others, and the overall quality of life.

Risk analysis of Sberbank PJSC

In order to ensure the stability and efficiency of work, Sberbank operates a comprehensive system for managing the main banking risks (credit, market, operational and liquidity risk), designed to identify, assess, limit the risks assumed by the Bank, control their volume and structure.

Risk management processes are implemented consistently. The target state of the risk management system, which fully complies with the main requirements of the Bank of Russia and the recommendations of the Basel Committee, is planned to be achieved in 2015.

The list of material risks of the Group is updated annually. The functions of managing all significant risks are distributed among the committees of the Management Board of Sberbank. Risk management at the integrated level is carried out by the Group's Risk Committees, the Management Board and the Supervisory Board of the Bank.

The Bank attaches particular importance to the risk culture as one of the most important systems that ensure sustainable development in a constantly changing environment. Risk culture is part of Sberbank's corporate culture. It is a set of knowledge, values, principles and beliefs in the field of risk management that form the Bank's collective ability to identify, analyze, openly discuss and respond to existing and future risks. The risk culture complements the Bank's formal mechanisms and is an integral part of the integrated risk management system. The Bank pays special attention to the behavior of employees as a practical manifestation of the risk culture. Sberbank PJSC has formulated behavior models that are targeted for all employees, regardless of their position, in terms of risk culture.

The purpose of credit risk management is to determine and ensure the level of risk required to ensure the sustainable development of the Group, determined by the development strategy of the banking Group and macroeconomic parameters.

The Group's tasks in managing credit risks:

  • implement a systematic approach, optimize the sectoral, regional and product structure of the portfolio in order to limit the level of credit risk;
  • increase the Group's competitive advantages through a more accurate assessment of the risks taken and the implementation of risk management measures, including a reduction in the level of realized credit risks;
  • maintain stability when introducing new products, including more complex ones.

The Group applies the following credit risk management methods:

  • prevention of risk before the operation;
  • planning the level of risk through an assessment of the level of expected losses;
  • limiting credit risk by setting limits;
  • structuring transactions;
  • management of transaction collateral;
  • application of the system of powers in decision-making;
  • monitoring and control of the risk level.

Credit risk assessment is carried out for Sberbank as a whole and for individual asset portfolios, as well as for individual counterparties, countries, regions and industries. The assessment is based on statistical credit risk quantification models.

The Group has created a unified system of internal ratings. It is based on economic and mathematical models for assessing the probability of default of counterparties and transactions. Models are periodically reviewed based on accumulated statistical data. The models take into account risk factors related to the financial condition of the counterparty and its dynamics, ownership structure, business reputation, credit history, cash flow and financial risk management system, information transparency, the client’s position in the industry and the region, and the availability of support from public authorities and parent companies, as well as from the Group that includes the borrower. Based on the analysis of these factors, the probability of default of counterparties/transactions is assessed and a rating is assigned.

Assessment of individual risks of counterparties in transactions is carried out:

  • for corporate clients, banks, small businesses, countries, constituent entities of the Russian Federation, municipalities, insurance and leasing companies: on the basis of a credit rating system, as well as by building models of forecast cash flows or other important indicators;
  • for individuals and micro-business entities: based on an assessment of the counterparty's solvency in accordance with the Bank's rules and express assessment.

Limitation of risk and control of expected losses due to the default of the borrower are carried out using a system of limits available for each line of business. The amount of the limit is determined by the level of risk of the borrower, which depends on its financial position and other indicators: external influence, quality of management, assessment of business reputation. Country limits are allocated separately. In 2014, the Bank introduced an automated system for managing credit risk limits. It is planned to replicate it to subsidiary banks that are members of the Group.

The Group controls the concentration of major credit risks, compliance with prudential requirements, forecasts the level of credit risks. To do this, a list of groups of related borrowers is maintained at the level of a Group member, limits are set for borrowers, and the portfolio is analyzed by segments and products.

The main tool for reducing credit risk is the availability of collateral. The amount of collateral accepted depends on the risk of the borrower/transaction and is fixed in the conditions of loan products. As one of the approaches to hedging credit risks, the Bank applies the Collateral Policy, which is aimed at improving the quality of the loan portfolio. The quality of collateral is determined by the probability of receiving funds in the amount of the estimated collateral value upon its sale. The quality of collateral is determined by a number of factors: liquidity, reliability of valuation, impairment risk, exposure to loss/damage risks, legal risks. The valuation of the collateral is based on the internal expert assessment of the Group's specialists, the assessment of independent appraisers, or on the basis of the value of the collateral in the financial statements of the borrower using a discount. The guarantee of solvent legal entities as property security requires the same risk assessment of the guarantor as the borrower. PJSC "Sberbank" conducts regular monitoring of collateral assets in order to ensure control over the quantitative, qualitative and cost parameters of collateral, their legal affiliation, storage and maintenance conditions. The frequency of monitoring is determined by: the requirements of Bank of Russia regulations; terms of the loan product; type of security. The standard frequency of monitoring includes: confirmation of the value of collateral and control of insurance on a quarterly basis; the frequency of on-site inspections, control of ownership and encumbrances, depending on the type and category of asset quality - once a quarter / half a year / a year.

The existing systems of limits and powers allow us to optimize the credit process and manage credit risk. Each territorial subdivision, member bank of the Group is assigned a risk profile that determines the decision-making authority depending on the risk category of the application.

Assets with overdue maturities are presented in table 2.8.

Table 2.8

Assets with overdue maturities*

[Table values not recoverable; surviving row and column labels: over 180 days; credit organizations; legal entities; individuals; total arrears; growth rate, %]

The amount of overdue loans as of January 1, 2015 increased by 55.4%. To the greatest extent, there was an increase in debt on loans from legal entities with a maturity of up to 30 days - more than 3 times.

As of January 1, 2015, the volume of restructured loans to legal entities is 2,212.0 billion rubles, their share in the loan portfolio of legal entities is 19.0%. Restructuring - making changes to the initial essential terms of the loan agreement concluded with the debtor in a more favorable direction for him, not provided for by the initial essential terms of the agreement.

As of January 1, 2015, the volume of restructured loans to individuals in the loan portfolio amounted to 72.5 billion rubles, their share in the loan portfolio of individuals was 1.8%. Typical restructuring options involve an increase in the period of use of the loan, a change in the procedure for repaying debt on the loan, a refusal to collect penalties in whole or in part, and a change in the currency of the loan.

The Bank pays close attention to controlling the level of concentration of large credit risks. The Bank has implemented a procedure for daily monitoring of large credit risks and forecasting compliance with the requirements established by the Bank of Russia in accordance with the norms N6 (maximum risk per borrower or group of related borrowers) and N7 (maximum size of large credit risks). To this end, maintenance and monitoring of the List of Large and Related Borrowers is carried out.

The share of loans from the top 20 borrowers/groups of borrowers changed from 22.0% to 24.5% of the customer loan portfolio in 2014. The Bank's largest borrowers include representatives of various sectors of the economy; thus, the credit risk is sufficiently diversified.

The purpose of liquidity risk management is to ensure the Bank's ability to unconditionally and timely fulfill all its obligations to customers and counterparties while complying with the regulatory requirements of the Bank of Russia in the field of liquidity risk management both in normal business conditions and in crisis situations. The key document on the basis of which the assessment, control and management of liquidity risk is carried out is the "Policy of OJSC Sberbank of Russia on liquidity risk management". When managing liquidity risk, the Bank allocates risks of regulatory, physical and structural liquidity.

Liquidity management in 2014 was largely determined by the situation on the financial markets due to the current macroeconomic situation: complications in Ukraine, imposition of sanctions against Russia by the EU and the US, depreciation of the ruble and other factors. Despite the instability of financial markets, Sberbank made the most of the available opportunities for organizing foreign currency borrowing in the debt and capital markets:

  • In February, the Bank placed subordinated bonds under the updated Regulation No. 395-P with the possibility of redemption with the consent of the Bank of Russia in 5 years. The volume of issue amounted to 1 billion US dollars. The placement allowed not only to attract long-term funding, but also to improve the capital adequacy ratio.
  • In March, a private placement under the MTN program worth USD 500 million and EUR 500 million.
  • In June, the debut issue of eurobonds in euros in the amount of 1 billion euros.

Thanks to its flexible interest rate policy, high diversification of its passive base, and low dependence on external borrowings, Sberbank maintained a sufficient amount of ruble and foreign currency liquidity throughout the year. The Bank managed to reduce the volume of short-term borrowings from the Bank of Russia, replacing them with medium- and long-term borrowings, and thereby improve the existing liquidity profile.

Liquidity ratios of Sberbank PJSC are presented in Table 2.9.

Table 2.9

Compliance with liquidity requirements

As of January 1, 2015, Sberbank fully complies with the limit values of mandatory liquidity ratios set by the Bank of Russia. During the year, the Bank improved the values of indicators of instant and current liquidity. The increase in the N4 ratio is associated with the revaluation of the portfolio of long-term loan debt of customers due to the growth in the exchange rates of major currencies, as well as the increase in the portfolio in real terms in the second half of 2014. Changes to the methodology for calculating mandatory liquidity ratios came into effect on January 1, 2015 (in accordance with Bank of Russia Ordinance No. 3490-U dated December 16, 2014 “On Amendments to Bank of Russia Instruction No. 139-I dated December 3, 2012 “On Banking ”), which resulted in a significant improvement in all Sberbank liquidity ratios (N2, N3, N4).

Interest and currency risks in the banking book are the risks of the Bank incurring financial losses on positions in the banking book due to unfavorable changes in interest rates, foreign exchange rates and prices of precious metals.

The main objectives of managing these types of risk are:

  • minimization of potential losses due to the realization of interest rate and currency risks;
  • compliance with the requirements of regulators;
  • optimization of the ratio of risk and profitability.

The Bank takes on interest rate risk related to the impact of fluctuations in market interest rates on cash flows. The interest rate risk in the banking book includes:

  • interest rate risk arising from the mismatch of maturities (revision of interest rates) of assets and liabilities that are sensitive to changes in interest rates, with a parallel shift, change in the slope and shape of the yield curve;
  • basis risk arising from a mismatch in the degree of change in interest rates on assets and liabilities that are sensitive to changes in interest rates, with a similar maturity (term of interest rate revision);
  • the risk of early repayment (revision of interest rates) of assets and liabilities that are sensitive to changes in interest rates.

To assess interest rate risk, a standardized shock is used in accordance with the recommendations of the Basel Committee. Forecasting possible changes in interest rates is carried out separately for the ruble position and aggregated for the currency position. The interest rate shock is calculated as 1% and 99% quantiles of the distribution of the change in the average annual interest rate, obtained using the method of historical simulations based on data for at least the last 5 years. The indicative rate for ruble interest rate swaps for a period of 1 year (RUB IRS 1Y), as well as LIBOR 3M for the currency position, is used as the base rate for assessing the interest rate shock in rubles.

The Bank is exposed to currency risk due to the presence of open currency positions. The main sources of ORP in the banking book are: lending and borrowing operations in foreign currencies and income received in foreign currencies. Currency risk is realized due to unfavorable changes in exchange rates.

The Bank consolidates the total open currency position on a daily basis and manages the open currency position of the banking book in order to reduce the currency risk. As the main instruments for managing foreign exchange risks, the Bank uses exchange operations with spot settlements, forward contracts, as well as futures contracts for the US dollar traded on the MICEX.

In 2014, the Bank closed currency positions in the banking book, as a result of which the Bank did not suffer any losses due to the significant depreciation of the Russian ruble against foreign currencies in banking book positions.

Omarova Zimfira Nasrutdinovna, Senior Lecturer, ANOVO "Moscow Humanitarian and Economic University", Northern branch, Koryazhma

The concept of the development of a strong risk culture

Abstract. The importance of the development of risk culture as an integral part of the integrated risk management system is substantiated. A concept for the development of risk culture is developed, which helps to increase the financial stability and competitiveness of organizations. The levels of corporate risk culture have been determined. The key elements corresponding to high and low levels of risk culture are identified. Recommendations are given for increasing and developing a strong risk culture of domestic organizations.

Key words: risk management, risk culture, risk culture level, development concept, strong risk culture.

Risk management is now becoming one of the most important tools for improving economic efficiency and business stability around the world. Modern economic conditions require domestic companies to promptly prevent, identify and manage risks in various areas of activity. We talk a lot about modern methods, new tools and fashionable approaches to risk management in companies. But we are overlooking a very important and essential element of risk management - the culture of risk management. All risk management approaches are only as effective as the culture of risk management in the organization and how significant the role that risk managers play in the development of this culture. In order for a company to successfully develop in a constantly changing environment, it is necessary to constantly improve the risk management system and act in accordance with the principles of a strong risk culture.

The problem of risk culture development lies in the weak support of risk management from above, from the company's management. Management may understand the importance of implementation, but not everyone understands that the process needs to be constantly supported, fed with resources, energy and finances.

The company's line managers are not very interested in sharing risk information. Risk managers have to overcome the reluctance of employees to disclose such information, because the word “risk” is perceived negatively by many and they are afraid of being held responsible if the risk materializes. Another problem is that risk is perceived differently by each person: there is no common terminology and risk classification. It is necessary to go a very long way for everyone to start speaking the same language.

A culture of risk management can and should be developed. The path to effective risk management lies through the formation of a strong risk culture. A developed risk culture is today one of the key factors in the commercial success of an organization. The culture must permeate the entire organization - all employees of the organization must participate in risk management.

What is risk culture? Risk culture is a system of values, beliefs, principles and knowledge in the field of risk management, shared by all employees of the organization at all levels of the hierarchy. The development of a risk culture is a very important, long and difficult path. The concept of developing a risk culture includes 5 areas of work (Table 1).

Table 1. The concept of developing a strong risk culture

| Approach | Direction of work |
|---|---|
| Diagnostics | Assessment of the current level of risk culture, identification of the reasons for the weak development of risk culture |
| Elements of a strong risk culture | Determination of elements corresponding to a high and low level of risk culture |
| Risk culture development program | Recommendations for the development of risk culture, training employees in risk theory and behaviors that are targeted for all employees, regardless of their position in terms of risk culture |
| Introducing a strong management culture of the organization | Developing a system for monitoring changes in the level of risk culture |
| Implementation results | Integration of the concept of developing a strong risk culture into the company's activities |

The presented concept of developing a strong risk culture is designed to radically change, first of all, the thinking of all employees of any organization in any field without exception. As soon as each employee (from an ordinary employee to a manager of any level) begins to understand that it is he who protects the organization from risks and that the total level of risk depends on the decisions he makes, these organizations are invincible - they are not afraid of any shocks and threats. organizations with different levels of risk culture.

It is necessary to distinguish between 2 levels of corporate risk culture: high and low. As recent studies show, only 6% of the surveyed employees of domestic companies assess the level of corporate risk culture as high, noting the maximum score, 80% of respondents assess the level of development of risk culture in their company as low. are well defined and widely disseminated. The more members of an organization who share these core values, recognize their importance, and are committed to them, the stronger the culture. Young organizations or organizations characterized by a constant rotation of opinions (concepts) among their members have a weak culture. Members of such organizations do not have sufficient joint experience to form generally accepted values. However, not all mature organizations with a stable workforce are characterized by a strong culture: the core values of the organization must be constantly maintained.”

Figure 1 shows the key elements that correspond to a high level of risk culture. There are 4 key elements of a high risk culture:

  • respect for the ability to effectively and openly cooperate on risk issues;
  • awareness to know and do what is right in terms of risk; and pay attention to emerging threats and risks;
  • transparency to freely and quickly exchange information and ideas about risks.

Fig.1 High level of corporate risk culture

In practice, in organizations with a high level of risk culture, risk management permeates everything: processes, systems, management decisions, models, etc. At the same time, each ordinary employee understands his role in risk management, and for each type of risk, appropriate risk management methods and technologies for modeling the consequences of risk are used. Employees are not afraid to openly discuss emerging risks; a collective understanding of the main risks to which the organization is exposed is supported and controlled; and employees report any situation associated with risk, even if it seems insignificant, since the timely detection of potential problems or the recognition of errors allows minimizing possible negative consequences. The formation of a strong risk culture in the company determines the sequence of actions of employees and the adoption of certain decisions in their daily activities, taking into account existing risks. Structural units in organizations with a high level of risk culture are risk bearers and are responsible for identifying, analyzing, managing, mitigating and reporting on key risks.

A strong culture determines the consistency of employee behavior. Employees clearly know what behavior they should follow. Predictability, orderliness and sequence of activities in the organization are formed with the help of high formalization. A strong culture achieves the same result without any documentation or allocations. Moreover, a strong culture can be more effective than any formal structural control. The stronger the culture of an organization, the less attention needs to be paid by management to the development of formal rules and regulations to govern employee behavior. It will all be in the subconscious of the employee who accepts the culture of the organization.

The following elements correspond to a low risk culture (Fig. 2):

  • denial - low level of communication on risk issues;
  • lack of motivation - poor understanding of risks at all levels of the organizational hierarchy;
  • resistance - fear of bad news and of making mistakes in the field of risk management;
  • detachment - slowness, indifference, ineffective risk control systems.

Fig. 2 Low level of corporate risk culture

In organizations with a low level of risk culture, risk management is reduced to formal conclusions and recommendations of risk managers, who often do not have the right to vote in making business decisions. In such organizations, as a rule, there is a low level of employee involvement in the risk management process; structural divisions are inactive, reluctant to participate and take on responsibility, or do not fully understand their role in risk management. As a rule, responsibility for risk management is transferred to a separate functional service, and other business units relinquish this function. In this regard, some risks inevitably fall out of sight, which can lead to devastating consequences.

For the development of a strong risk culture, it is necessary to follow the following recommendations:

  • to form a behavior among employees in which they openly discuss and respond to existing and potential risks;
  • to form an internal attitude of intolerance toward ignoring or hushing up risks and toward the risky behavior of others;
  • development and implementation of a methodological approach to risk management;
  • coordination of the company's actions in the field of risk management;
  • consultation and methodological support of the company's divisions on risk management;
  • coordination and preparation of risk reporting;
  • training of employees on risk management issues;
  • monitoring the implementation of the risk management action plan by structural units, coordinating work with the internal audit service;
  • developing and implementing measures to improve the risk management system.

important risk management. Risk culture is an integral part of the integrated risk management system. A strong risk management culture builds the collective ability of companies to identify, analyze, openly discuss and respond to current and future risks.

Obviously, in order to develop a risk culture, it is necessary to purposefully change the principles of the working culture and actively implement them, as well as to strengthen the responsibility in terms of functions and responsibilities in the field of risk management. If an organization has a strong risk culture, then its employees are not afraid to raise the issues and challenges they face every day. Within such a culture, there is an understanding that an employee can benefit from their erroneous actions, which can often be the result of trying to do their job in a more innovative or creative way.


In order to purposefully and predictably achieve results, both for the company's activities and for risk analysis and management activities, it is necessary to harmonize the improvement of all production processes developed on the principle of gradual evolutionary improvements, rather than revolutionary transformations.

It is important to note that only those companies that have already reached a certain "maturity" in their development and directed application of information technologies to achieve the organization's business goals think about the application of risk management, but risk management, as well as the main areas of management, needs constant development.

In our opinion, the optimal solution under these conditions is the decision to apply the CMMI model in order to develop risk management processes as part of the overall management processes of the organization.

CMMI proposes a model of structural stages organized into 5 evolutionary steps, each of which represents a certain qualitative transformation in comparison with the previous one. It is in this step-by-step way that the development of the company and its processes, part of which is risk management, is carried out.

During the movement (which can be quite fast, and can stretch for decades), the following is performed:

  • Process maturity measurement;
  • Evaluation of their productivity;
  • Development and prioritization of activities necessary for development.

As certain metrics formed to monitor the achievement of tasks are achieved, the individual components of the processes, the processes themselves and the process environment are stabilized, due to which there is a gradual increase in the productivity of risk management.

Standardly, the following 5 levels of "maturity" are distinguished, which can be correlated with certain levels of risk management:

  • Initial
    • Risk management production processes are characterized by the fact that they are created each time for a specific project;
    • Only separate parts of the processes are defined;
    • Complete dependence on the competencies of individual employees;
  • Repeatable
    • The main processes and activities of risk analysis and management have been established, which allow only individual stages and phases of risk management processes to be monitored;
    • Separate parts of the overall risk management system begin to "crystallize";
  • Defined
    • The process is documented and standardized;
    • Risk management is integrated into the general domain of enterprise management;
    • All ongoing projects use "best practice" for risk analysis and management;
  • Managed
    • The whole domain of risk management is "covered" by quantitative metrics;
  • Optimizing
    • Continuous improvement of processes is carried out;
    • A culture of risk analysis and management has been implemented.

If the management of the organization decides to use CMMI for the development of risk management processes, the practices recommended in this methodology should be reasonably interpreted and used. Striving too quickly to achieve higher quality levels can lead to failures in the overall management system of the company and inconsistency in overall actions.

Skipping maturity levels is undesirable, since each previous qualitative level forms the basis necessary to reach the next level, and "stepping over" a level incurs substantial material and resource costs.

With an increase in the level of maturity, the deviations of the actual results of risk management from those that were originally planned are reduced. This happens for the following reasons:

  • Minimization of deviations occurs at higher levels of maturity, due to compliance with controlled parameters identified by metrics;
  • Improving the results of activities, in connection with an increase in the level of maturity of the organization.

It is assumed that organizations that achieve the highest levels of CMMI maturity should have risk management processes that are able to identify information risks in a timely manner and contribute to the production of a high quality information product, with predictable resource costs.

At the same time, the recommended methodology for the development of risk analysis and management processes is not the only correct one. Each company has the right to choose the necessary ways of its development in the field of risk management. The main condition is that the chosen strategy must be carried out within the framework of transformations aimed at achieving the required results.

The undeniable advantage of the CMMI model is its gradual and purposeful evolution of processes.

After a company applying risk management (consciously or unconsciously) begins to constantly apply standardized risk management processes (transition from the "Repeatable" level to the "Defined" level in CMMI terminology), it will be possible to say that the company has an organizational system-level risk management system that all responsible employees must follow.

9.6. Whole company risk management

When an organization comes to the need to manage risks at a certain level of maturity, it is important to understand that the effectiveness of management over a long time interval will be determined not so much by risk management, but to a greater extent by the general level of development of all areas and functional characteristics of the enterprise and processes that maintain a given level.

In order to achieve a certain qualitative level of work with risks, at which it becomes possible to preventively manage risks and correct the development of risk situations, the topic of a comprehensive program built on the basis of a risk analysis and management system, discussed by us in previous lectures, again proves its relevance. Recall that we noted the fact that risk management will become an effective direction in the organization's activities only if its constituent processes "permeate" the enterprise as a whole and are performed with a given level of quality and professionalism. If there are "holes" in the organization's management system associated with a mismatch between the company's management's vision of the current state of development of management processes and their current state, development strategies and tactics, then it will be possible to question the success of the processes being implemented.

Statistics based on the analysis of the experience of successful companies demonstrates that under the following conditions, an acceptable result is achieved in the domain of analysis and risk management at the enterprise level:

  • Continuous open dialogue about risks with all stakeholders;
  • Constant exchange of "transparent information" with stakeholders, as well as providing them with the necessary information about the decisions and corporate values of the company;
  • Management plays a leading role in setting the objectives of the risk management system;
  • A unified risk management system for the entire organization has been developed and implemented.

In conclusion to this part, we note that a successful start in building a corporate culture of risk management begins precisely with the management's awareness of the need for risk management processes, as activities that allow them to achieve a competitive advantage in the IT market of goods and services and become leaders in their product segment.

9.7. Culture of risk management

Gradually, towards the end of our course, we come to the fact that the secondary goal of risk management development is the gradual creation of a risk management culture that should become the successor to a comprehensive risk management program, as a result of phased, evolutionary changes in the organization's processes.

The effectiveness of the processes that will underpin the culture of risk management must be constantly monitored and, if necessary, coordinated. The lifecycle and progress should be designed to be clear and transparent to professionals and business users. This is a critical condition for their maintenance and further development.

The importance of the culture of risk management should be treated as an alternative direction of the organization's management, which can replace the classical schemes and types of management of the functional areas of the organization.

On the basis of culture it will be possible not only to carry out effective management of individual areas of the organization's activities, but also to educate the necessary personnel who determine the further effectiveness of the company's development.

The CMMI model, discussed earlier, defines the levels through which an organization must develop before it can create a culture of risk management. Therefore, once again we draw your attention to the fact that there should not be any single radical, global risk management initiatives. Instead, there should be many, individually not very significant, changes that, in their totality, will give a positive impetus, complemented by an emergent effect, to the development of a culture of risk management. Each initiative individually may seem trivial and completely unimportant, but in combination with others, it will allow the seeds of risk culture to be planted in the heads of managers and employees.

At the same time, initiatives should be generated not so much by risk managers themselves, but by employees and heads of functional areas for which risk management is carried out.

The culture of risk management becomes an effective force of the organization at the moment when it begins to be discussed at all corporate levels with further conclusions in order to achieve the final result of certain activities.

9.8. Improving risk analysis and management processes

The improvement of risk analysis and management processes takes place in the context of the business goals of risk management and the strategic plans of the organization, its existing organizational structure, the technologies used in the company, the social level of employees and many other factors.

CMMI suggests focusing on aspects of total quality management processes, but successful improvement of risk management processes also implies taking into account related issues outside the core processes (eg personnel problems, ..). At the same time, the basis for carrying out improving procedures is the information obtained during the monitoring of the main activity, analyzed in accordance with the existing program and presented in the form of a justification necessary to support additional actions to gradually transfer risk management to the next level of maturity.

Work on process improvement should be aimed primarily at the needs of the organization in the context of its business environment, at a certain point in time, associated not only with the company itself, but also with external factors.

9.9. Results

Despite the apparent abundance of information about risks, the current situation shows that such concepts as risk, risk management and risk analysis remain, for practical application, poorly understood, insufficiently substantiated and insufficiently adapted.

In domestic and foreign literature, there is still no common understanding of the term "risk" and a large number of scientists and specialists are still discussing the need and scope of the disciplines of risk analysis and management. This situation leads to the fact that the relevance of works related to the methodological description and substantiation of risk data and work with them remains very high and is in demand by a wide range of specialists and managers.

Thinking about our course, we set ourselves the goal not so much to discover something new from the risk management domain, but to adapt the available information from highly specialized areas of mathematics, psychology, statistics, programming, etc. for their understanding by all specialists interested in improving their skills in the field of risk management.

It is also worth mentioning that, despite the fact that our course is aimed at studying specialists from the field of information technology, at the same time, we have made every necessary effort to abstract from the IT sphere as much as possible and make it suitable for studying and subsequent application to interested colleagues from related fields of science and business.

In this course, the principles and concepts are set out in generally accessible language, so that anyone with a little experience in the field of information technology and knowledge of basic concepts can, with little effort, independently understand the information provided. We thought that this would be enough for each colleague to draw their own conclusions and make a further decision on whether and, if so, how to move on. We hope we succeeded.

We wish you continuous development and improvement in understanding and application of risk analysis and management processes.
