In your experience, how effective are financial firms at communicating Risk beyond the Risk function?
In relation to metric information, generally good. Heatmaps and dashboards tend to get decent exposure at senior governance forums, such as Risk Committee and Boards; however, rarely do you see the same information filter down to the operating level, which nine times out of ten are the people who provided the data in the first place and have it within their gift to improve the control or process that may not be effective.
Where do you see the responsibility for communicating information relating to Risk sitting within an organisation?
The tone must be set from the Board - if the Board put the Risk agenda and Culture at the forefront of operational activity, then it becomes much easier for the 2nd line Risk teams to provide information that can add value to the 1st line. The key then, is to ensure you engage with the 1st line in the right way and build collaborative relationships that help improve the control environment so that communicating Risk becomes a two-way street. If engaged, and given the correct training, the 1st line will always identify risks, control improvements and process enhancements before the 2nd line Risk Team.
How do you think Risk functions are viewed within financial firms, and does this affect their ability to communicate effectively?
The value 2nd line functions actually add has been a discussion bouncing around since time began. It’s up to risk functions to prove value. If you only see your Risk functions at formal committees, or meetings with perfect RAG rated slide decks pointing out failings or receiving an email five minutes after a risk event/incident has occurred asking for war and peace before the dust has even settled, then you are never going to be viewed positively. The biggest part of Risk Management in my eyes is relationship management, building trust with knowledge gained, spending time with SMEs, and having a decent understanding of how the firm operates. If you can do that, you tend to be called a minute after an event/incident occurs to be part of the remediation from an oversight perspective that can guide the business through good quality corrective actions for the immediate issue and the bigger picture objective of reducing Risk over the longer-term. It also means within the formal committees, or meetings, you are more likely to hear “We have been working with the Risk team/1st line and have created a solution” or “have improved such and such”.
How can firms ensure that all employees receive the Risk training they need in order to be able to sense and respond to threats, are aware of where accountability lies and know where their responsibilities fit within the risk framework?
Inherently, every member of staff is a Risk Manager - the key is having a simple, clear and prominent Enterprise Risk Management Framework that can be understood to tap into that person’s logic. Add Risk training to the mandatory training suite, make sure the Risk team presents at new starter inductions, and ensure the core objectives of the department and individual are intertwined with the firm's Risk Appetite.
How can you ensure that middle and front-line staff are aware of an organisation’s risk management goals?
The Risk Management goals must be linked directly to the firm’s strategy, inclusive of the commercial elements. Risk in its purest form is “the chance of something happening that will have an impact on objectives”. Linking Risk Appetite to the firm's strategic goals will help raise awareness of the risk agenda, and if understood will ensure risk discussions become part of management decisions, rather than an argument about whether the risk is Green, Amber or Red!
When new risks are identified, how would you advise an organisation shares this information across the business?
Whether new risks are identified from a strategic level, or bottom-up approach, the key is having a consistent enterprise framework with consistent taxonomies, and scoring mechanisms. This is where the Risk function can really add value with ensuring one department's molehill isn’t another’s mountain and can take a measured view of the risk and escalate to different areas as required.
If you could share one tactic for risk leaders to employ in order to better communicate risk issues, what would that be?
Relationship Management. Risk function members should spend time learning the SME processes and issues throughout the year, not just when an RCSA cycle or event/incident has occurred. If a relationship is in place during the good times, it is much easier to talk during the bad times.
What are your thoughts on technology as an enabler for effectively communicating Risk within an organisation?
Well implemented Risk systems can add much value and automation to Risk Management objectives, however it only really works if the 1st line own the input and the 2nd line are the custodians of the data and set the parameters within which data can be entered in line with policies and Risk Appetite. If it’s a tool simply used by the 2nd line, you may as well stick to the spreadsheets!
Thank you Martyn!
Find Martyn on LinkedIn or find out more about Wellesley.