Faced with challenging economic times and heightened legislative and regulatory scrutiny, companies across all industries are increasingly compelled to keep risk management top of mind. Success depends upon customer and shareholder confidence in a company’s ethical standards and its ability to make prudent decisions about handling risks. Whether a company’s risk management framework is centralized, decentralized, or somewhere in the middle, what’s most important are the people in that framework–those who identify and manage risks every day.
Only through a culture of accountability, in which it’s clearly understood that risk identification and management is everyone’s responsibility, can a company truly meet its risk management and compliance commitments and deliver for its customers and shareholders.
As a first step toward building a culture of accountability, an assessment of the company’s risk management model and framework is essential. Ensure that everyone knows who’s responsible for understanding and addressing risks in each part of the organization. From a divisional or business line perspective, who is responsible for executing against corporate policies and understanding what the business needs to do to adhere to the policies, including training and awareness? Who aggregates and looks at risk holistically? It’s critical to know these things, because the accountability model starts with every employee understanding the potential risks that cross his or her desk.
All leaders must understand the risks in the businesses for which they’re accountable, and risk professionals must support employees and managers in risk mitigation. Beyond that, enterprise oversight is crucial so that risk is aggregated across the organization–this is particularly important if business groups are siloed.
As a next step, CSOs and other personnel in charge of risk activity need to acknowledge and address potential blind spots–the areas of concern or potential threat that can be missed if one is not careful. Even the strongest cultures have them. Blind spots include:
* The familiar sense that “It can’t happen to us.” To counteract it, continuously be aware of the fact that bad things can and do happen, and be on the lookout for potential risks.
* When a leader must communicate his or her own mistakes or those made externally, there’s often a reluctance to deliver this news; it may be equated to a sense of failure or punishment. Instead, open communication should be viewed as an opportunity to share risk awareness and help others avoid similar pitfalls.
* If business groups are siloed, there’s often a lack of transparency across the organization when risks arise. As mentioned above, an aggregated, enterprise view of risk trends and patterns is necessary, allowing business decision makers to connect the dots across the company, share risk awareness, and avoid one-off solutions.
* When employees aren’t clear about an organization’s risk tolerance, they may get mixed messages around risk, which can be a real danger to a culture of accountability. A lack of clarity and insight around risk leads to assumptions that could negatively impact business or a tendency to take on more risk than is prudent.
As a next step toward building a culture of accountability, companies need to emphasize to managers at all levels of the organization the importance of role-modeling behavior. This includes ensuring that those responsible are helping employees identify and take responsibility for the risks that cross their desks. At the same time, leaders must remind employees that there are no penalties for bringing forward risks–it’s when issues are not brought forward that damaging consequences can follow. When employees do bring forward risks, it is important to make certain managers demonstrate how to address the risk, learn from it, put into place the appropriate action plans, and shore up gaps so that the same, or similar, issues do not arise again.
Finally, it is critical to communicate broadly and often to create awareness of blind spots and to help employees understand that risk management is everyone’s responsibility – just talking about it makes a difference. Encourage leaders to cascade information through their teams, have critical conversations about risk on an ongoing basis and instill a mindset where people feel that their roles matter. For example, leaders can use communication channels that employees recognize and trust, whether it’s e-mail, newsletters, video clips, or town hall meetings.
Also remember that keeping teams and business partners informed and building trust with them by sharing what you can, as soon as you can, minimizes potential roadblocks to success. It is also critical to offer forums in which employees can identify and share “bright ideas”–simple, everyday actions that will help everyone better identify and manage risk. This type of proactive activity also reminds employees that leadership doesn’t profess to have all the answers and that employees really are the first line of defense. Perhaps most important, leaders need to ensure that they communicate success stories, which helps make risk management real for employees.
Whatever an organization’s risk management model looks like, remember that instilling and reinforcing the right culture is foundational to effective risk management and helps protect customers and shareholders. Everyone has a responsibility for risk management, and with the right culture, everything else falls into place.