
Picture the following within an organisation. A risk manager is on the phone with a branch manager. The reason for the call? The branch’s quarterly risk assessment update is overdue. Again.
The branch manager says all the right things and promises to complete the update quickly. After the conversation, both people have very different thoughts. The risk manager is thinking, "Why do I have to call these managers every quarter? They're not taking this seriously." The branch manager is thinking, "Why won't these people leave me alone to do my job? Didn't we just do this?"
Is this a common scenario in your organisation? Chances are, no matter how strong your risk management programme is, improvements can be made to the process and the interdepartmental relationships.
Every business wants a successful risk management programme, but not everyone has found the same level of success. Talk of removing silos and embedding governance, risk and compliance processes within the business lines is great, but making it a reality forces companies to face a major challenge - the relationship between the risk, audit and compliance professionals and the other business unit leaders and staff. Too often, the risk team believes that the field isn't taking them seriously, and the field views the risk team as an annoyance at best or an impediment at worst. How do you bridge that gap and develop the right levels of communication and trust?
Organisations that have developed successful risk management programmes share two common strategies: the creation of a strong risk-aware corporate culture and the relation of GRC issues to everyday business. The cultural change has been discussed in many other forums, but it is still important to ensure the buy-in is both top-down and bottom-up. Executives need to lead by example, and business units need to realise that GRC activities are a key part of their daily activity, not a nuisance to be set aside or hurried through.
The second strategy tends to be overlooked, in that many risk professionals view GRC issues in and of themselves, rather than in the context of the organisation's larger goals. On one level, this is understandable - a constantly evolving, relatively new discipline requires narrow focus to become established. However, this narrow view has the unwanted effect of making the risk team appear to be aligned differently from the rest of the business. You need to bridge this gap. The benefit arises not only from ensuring that everyone is on the same page, but also from instilling a belief across the organisation that, when circumstances change, teams are capable of adjusting to ensure continued understanding.
There are several ways to ensure that the GRC teams are translating risk concepts to get a better response from the business units. It can be very easy to focus risk management efforts solely on risk prevention or avoiding past mistakes - the trick is to learn those lessons and apply them to the present and the future. Ensuring that individual business units understand their levels of risk tolerance will allow decisions to be made about pursuing opportunities that can help attain specific objectives. Using an assessment tool that clearly and easily aligns processes with the organisation's objectives is a must.
The GRC team can also help by quantifying not just the exposure but also the upside associated with a risk activity. Showing a business unit that there is limited or no upside to a risk helps the risk manager make a far more compelling case about changing behaviours or assigning resources to mitigate a risk. Conversely, if the risk manager can quantify opportunities, GRC functions will gain broader acceptance as a fundamental part of each business unit. Either way, better information will be produced, analysed and acted on more efficiently. Both sides will understand that they are working toward the same goal - the success of the company.
About
Tom Bolger is the vice president of global marketing for Methodware, which provides risk, compliance, audit and investigations software to more than 1900 clients. His experience in financial services and operational risk management over 15 years helps shape Methodware's product and market strategies.