FRAMINGHAM (01/14/2010) - Faced with challenging economic times and heightened legislative and regulatory scrutiny, companies across all industries are increasingly compelled to keep risk management top of mind. Success depends upon customer and shareholder confidence in a company's ethical standards and its ability to make prudent decisions about handling risks. Whether a company's risk management framework is centralised, decentralised, or somewhere in the middle, what's most important are the people in that framework--those who identify and manage risks every day.
Only through a culture of accountability, in which it's clearly understood that risk identification and management is everyone's responsibility, can a company truly meet its risk management and compliance commitments and deliver for its customers and shareholders.
As a first step toward building a culture of accountability, an assessment of the company's risk management model and framework is essential. Ensure that everyone knows who's responsible for understanding and addressing risks in each part of the organisation. From a divisional or business line perspective, who is responsible for executing against corporate policies and understanding what the business needs to do to adhere to the policies, including training and awareness? Who aggregates and looks at risk holistically? It's critical to know these things, because the accountability model starts with every employee understanding the potential risks that cross his or her desk.
All leaders must understand the risks in the businesses for which they're accountable and risk professionals must support employees and managers in risk mitigation. Beyond that, enterprise oversight is crucial so that risk is aggregated across the organisation--this is particularly important if business groups are siloed.
As a next step, CSOs and other personnel in charge of risk activity need to acknowledge and address potential blind spots--the areas of concern or potential threat that can be missed if one is not careful. Even the strongest cultures have them. Blind spots include:
* The familiar sense that "It can't happen to us." To counteract it, continuously be aware of the fact that bad things can and do happen, and be on the lookout for potential risks.
* When a leader must communicate his or her own mistakes or those made externally, there's often a reluctance to deliver this news; it may be equated to a sense of failure or punishment. Instead, open communication should be viewed as an opportunity to share risk awareness and help others avoid similar pitfalls.
* If business groups are siloed, there's often a lack of transparency across the organisation when risks arise. As mentioned above, an aggregated, enterprise view of risk trends and patterns is necessary, allowing business decision makers to connect the dots across the company, share risk awareness, and avoid one-off solutions.
* When employees aren't clear about an organisation's risk tolerance, they may get mixed messages around risk, which can be a real danger to a culture of accountability. A lack of clarity and insight around risk leads to assumptions that could negatively impact business or a tendency to take on more risk than is prudent.
As a next step toward building a culture of accountability, companies need to emphasise to managers at all levels of the organisation the importance of role-modeling behavior. This includes ensuring that those responsible are helping employees identify and take responsibility for the risks that cross their desks. At the same time, leaders must remind employees that there are no penalties for bringing forward risks--it's when issues are not brought forward that damaging consequences can follow. When employees do bring forward risks, it is important to make certain that managers demonstrate how to address the risk, learn from it, put into place the appropriate action plans, and shore up gaps so that the same, or similar, issues do not arise again.
Finally, it is critical to communicate broadly and often to create awareness of blind spots and to help employees understand that risk management is everyone's responsibility - just talking about it makes a difference. Encourage leaders to cascade information through their teams, have critical conversations about risk on an ongoing basis and instill a mindset where people feel that their roles matter. For example, leaders can use communication channels that employees recognise and trust, whether it's e-mail, newsletters, video clips, or town hall meetings.
Also remember that keeping teams and business partners informed and building trust with them by sharing what you can, as soon as you can, minimises potential roadblocks to success. It is also critical to offer forums in which employees can identify and share "bright ideas"--simple, everyday actions that will help everyone better identify and manage risk. This type of proactive activity also reminds employees that leadership doesn't profess to have all the answers and that employees really are the first line of defense. Perhaps most important, leaders need to ensure that they communicate success stories, which helps make risk management real for employees.
Whatever an organisation's risk management model looks like, remember that instilling and reinforcing the right culture is foundational to effective risk management and helps protect customers and shareholders. Everyone has a responsibility for risk management, and with the right culture, everything else falls into place.
Kerri Grosslight is head of Risk Management and Compliance for the Technology and Operations Group, also serving as Group Risk Officer for the Corporate Staff Groups.
She joined Wells Fargo in April 2002, in an initial role designing and building a shared services organisation for the Technology and Operations Services division. Later, Kerri headed Technology Services, a division of the Technology Information Group. Technology Services was comprised of Information Security, Network, End User Computing, and Risk Management and Compliance. Since the Wells Fargo/Wachovia merger, Kerri has been focusing on Risk Management and Compliance, an expanded role.
Prior to Wells Fargo, Kerri spent several years consulting as the Wells Fargo account executive with Carreker and also with Northwest Natural Gas in Portland, Ore.
Kerri began her career with First Interstate Bank, Los Angeles, and has more than 20 years' experience in financial services, primarily leading large-scale technology and operations transformational projects and application development teams focusing on telecommunications and lending.