CHAPTER 5

Embedding Risk Management in the Business

Put at its most basic, as a business I do not need the greatest risk management function; rather, I need the greatest risk management, and that requires risk management to be embedded within the business units themselves (the front line of the business, or the first line of defense).

This is an easy thing to say, but a difficult thing to actually achieve. Staff will only understand the purpose of risk management if they both see its value and see that senior management really believe in it and its importance. Embedding is never easy, and many great risk management programs have failed for this simple reason.

If you were appointed to run risk management for a team that had failed to embed risk management, what would you do? This falls into the challenge-equals-opportunity debate. It will be a challenge and cannot be achieved quickly. Start with realism. Be realistic in what you can achieve, for nothing is going to come easily. Staff will not have any real understanding of risk or of the goals and objectives of risk management. They will not have any ability to answer difficult questions on risk assessment or appreciate what they should do with confidence levels. They have been hired to do a job, not to think about how they should do their job. Basically, they are not trained to achieve your goals. They are too busy doing what they are paid for.

You will need to demonstrate your worth to the business units and to show that implementing good risk management techniques is good for the company and, therefore, also good for them. Do not use jargon or rely on regulation, because if you do that, you will probably have already lost the argument. Unless the value of what you are seeking to achieve is obvious to the front-line team, your project is doomed to failure.

So, how can this be done? Slowly and with great care.

You need to spend time with each front-line business, understanding what challenges they really have and what can go wrong: considering where they can make losses, where they could be more efficient, and where they could make more profit. You need to be someone who helps them to solve things, and then to introduce tools that assist them in achieving this same aim. Simple solutions are normally the best ones to start with, so that you build the level of trust that is required. None of this is difficult in principle, but too many risk management specialists try to be elitist and to keep what they are doing to themselves. The risk management function does not manage the risk in the business. Instead, this is achieved by the front office teams. These are the people who actually do something.

I always start with the first line of defense, which is the staff who actually make a real difference. The second line of defense is the people who check and monitor the first line of defense. The third line of defense (internal audit) checks the first line of defense and whether the second line of defense is checking the first line of defense. Risk management knows what to do with defense. They sit on it.

Risk management is not just a dumping ground for everything that does not belong anywhere else. Its role is to ensure that the business develops systems of control and structures that deliver the goals and missions of the firm in accordance with its risk appetite, of which more later. In working with business units, good risk management behaviors need to be seen to be part of the way that they work. Loss is not in itself a four-letter word. Losses are the consequence of the control function that they have chosen to implement, aligned to their risk appetite. This is a decision that is made by senior management and implemented within the business.

Losses can be budgeted for and included in product pricing. They can be monitored and managed. The risk management team may well undertake complex calculations for their own use and to support reporting to senior management, if senior management can understand what you are doing. However, much of this has little relevance to the front office, and they will not react well to it.

You need to get out there and build. Nothing can be achieved by sitting in your office and sending out instructions. Nobody will understand their relevance, and they will not take your role seriously.

The front-line staff understand that if they fail to deliver what is expected of them, then this is likely to be career limiting. They know that if there are events that they did not expect, then they will have a problem in getting this properly understood without bringing about their own dismissal. If risk management can help them to build a system that reduces the likelihood that unexpected things will occur, then this is surely a good thing and something that they will work on. They will understand its value and see you as a partner in helping them to achieve their own objectives.

Always start with the identification process. Remember that risk identification is a combination of bottom-up and top-down work. There are some risks that every business unit clearly has: internal fraud, fire, or loss of key skills, for example. These are a given, and you do not initially need to spend a lot of time on them. Each risk needs to have a clear definition that will resonate with the individual business unit and be in the language that they will understand, not in the nerd language of a consultant. Then, there are risks that are directly associated with the business unit, that really matter to the local management. These need to be identified with the greatest of care. Not each of these will actually be a discrete risk; indeed, many of them will be elements of another risk.

In building the risk register for the business unit, the risks need to appear in the language that the unit understands best, and the register then also needs to be capable of being consolidated into a single model by the risk management function. Accordingly, clarity of purpose is required. If you allow each unit to come up with its own definitions, then you will have no chance of building a consistent structure.

The business unit will have multiple computer systems that they work with. Some of these they will immediately recognize as computer systems, such as data entry packages. Others, such as word processing and spreadsheet software, they will not recognize as computer systems. In reality, the main systems used by many firms are spreadsheet software solutions, since all management reporting appears to be based on such spreadsheets.

So, the risks need to align to the business unit, and ideally the register needs to be complete. It should not just be a list of the risks that the business is controlling; it should also include those that it should control. It does not just include risks that occur all the time, but also those that occur infrequently or could potentially occur.

When you start this work, it is always worth spending time with the local management to understand where they have problems and what has previously gone wrong. If you know what has gone wrong in the past, then you know which risks should have been recognized. The management ought to know about these, since they will have cost them bonuses or stress.

Teasing out the others is a true skill and means that the facilitating risk specialist needs to spend time understanding the nature of the activity and the problems faced. Some of the required material will appear in monitoring reports from other parts of the second line of defense, and other material will be in internal audit reports from the third line of defense. Apart from that, the risk specialists will still need to do some fundamental research, because good risk management is not just about what you see, but about what you should see. The local management will only know what they do and what has gone wrong in the past, since this is what they have always done. They are less likely to know what they should be doing, and this is another challenge for you.

If you go in having done the right level of research, you will be able to engage with the local management as an equal. Too often, risk managers seem to think that every business unit is the same and fail to do their research. This cannot make sense, and it essentially insults the front line by doubting their value. It is condescending and a mistake.

Embedding risk management is about building controls and systems into the way things are done that identify problems before they occur and give management time to prevent their occurrence. It is about looking at how automation of process can assist the management. It is not about blaming people for things; rather, it is about working together to improve the way things are done so as to prevent recurrence of a specific problem. When risk management is working well and is effective, management will perceive problems that could occur before they occur and take action to prevent them.

As limits and controls are slowly implemented by the management team, they could initially think that their time is being wasted. They may not perceive the value of having these additional controls. And then the time will come when a control will have saved them from a disaster; that is, a disaster in their terms, for example, losing their job. Perhaps only then will they see the value. Sometimes, it is only after disaster strikes that they really grasp the importance of the idea.

The reporting from the business unit will then naturally include risk-based reporting. It will be part of the way that they work. The key problem remaining is risk quantification, and that is addressed in the next chapter.
