Strengthening the Risk Management Culture

With Dodd-Frank financial reform legislation more than 2,300 pages long, it will take some time to understand its full impact on financial institutions. In the interim, there are steps companies can take to deepen their risk management culture and ensure they’re building a strong foundation to effectively execute in the “new normal.” Improving and strengthening risk management within your organization is the right thing to do, and that cultural foundation can also be instrumental in helping systemically important firms earn “strong” regulatory ratings for operational and compliance risk management.

It’s critical to avoid complacency, an easy trap to fall into while waiting to understand the ramifications of the new legislation. Rather than wait for the new regulations to be finalized and for regulators to define what will be needed to “get to strong,” use this time to build and strengthen your risk culture by assessing how your organization is demonstrating continued progress on risk management.

You can start by asking these questions:

Are leaders cascading important messages about risk management down through the organization? Communicating broadly and often helps build trust and showcase success stories. Consider open forums where employees can share ideas for everyday actions to help avoid and mitigate risk, as well as more formal, recognized channels like employee newsletters and all-hands meetings. A customized training process can also be helpful. For example, within our Technology and Operations Group, business leaders sponsor and facilitate risk management workshops, taking their teams through risk assessments and case studies relevant to their daily jobs. To date, more than 2,000 employees have participated in these workshops. It’s a great way to help our teams learn simple risk assessment and management behavior that can be incorporated into everyday duties.

Do employees at all levels – and in all roles – across the organization view themselves as risk managers, responsible for the risks that cross their desks each day? Employees are the first line of defense; it’s important that they know and understand the risks inherent in their daily jobs, and equally important that they’re comfortable bringing forward risks for resolution. Consider an informal recognition program to “catch people doing risk right.” Within our organization, we recognized more than 100 employees during the second half of 2010 in a grassroots campaign to highlight everyday risk management efforts and promote a culture of accountability for risk management.

Is information about risk management shared across business groups? Sharing what you know, as soon as you know it, can help others avoid similar pitfalls, while also building trust and fostering partnership. It’s critical to move beyond an internally-focused thought process to promote cross-group impacts and identify risk patterns and trends.

It’s also important to be proactive in identifying risks across the organization. Asking challenging questions and ensuring all stakeholders are engaged supports a proactive approach to risk identification and mitigation. “Who, what and how” questions help identify hidden or unknown risks, such as: Who do I alert and inform to share the accountability and provide support? What impact could this have on our customer, our company and/or our reputation? How do I verify this has been resolved? How could it be prevented or managed in the future?

We expand on these questions in our organization’s risk management workshops by facilitating “what if” and “so what” discussions. Any risk assessment begins by thinking critically about what could go – or has gone – wrong. We encourage employees to think about risk in their jobs by asking: What is your job? What are some of the risks in the business processes you contribute to? What would be the consequences if those risks were realized? How are the risks controlled? Who is responsible for them? Are any of the risks and controls owned by other groups/individuals?

At a foundational level, employees in a strong risk culture say to themselves, “I know now that if I don’t bring forward a risk, I own it. So, I have to raise the question so I can help assess the risk and its impact.” Building on that foundation, think about how to encourage people to bring forward risks. It ties back to strong communications, acknowledging that everyone is a risk manager, and sharing information. A risk culture with all these components helps create an atmosphere in which employees aren’t afraid to bring forward a risk. They know there are no penalties for coming forward and, in fact, are motivated to help resolve the risk.

As part of our efforts to encourage our employees to think more proactively about risk management, we’re also having conversations about how to scope a risk issue, another key building block in a strong risk culture. Scope will define who comes to the rescue and who communicates what, when. It also helps determine accountability; knowing who needs to follow through and follow up is critical. Most important, what do you do to ensure it doesn’t happen again? It’s helpful here to take an end-to-end view and consider all applications, platforms, infrastructure, business processes and related controls. Having an understanding of the complete process – and an assessment methodology that allows you to evaluate where high-risk processes exist – helps ensure a risk approach that’s both preventive and detective.

While you work toward more proactive risk identification, it’s also helpful to measure risk management effectiveness. “Getting to strong” really equals effective risk management, and applying certain criteria can help foster common standards in a distributed environment. You may use any existing framework that aligns with your organization to evaluate criteria such as:

  • Does your organization’s risk management approach include a comprehensive structure of principles and policies applied consistently across all business lines?
  • Are risk exposures and corresponding, well-defined risk management processes visible across the organization?
  • Are risk management activities prioritized and executed with appropriate levels of urgency?

Of course, as we receive regulatory guidance, it may be that criteria such as these are only minimum requirements to earn “strong” ratings, but they are still an excellent foundation to leverage.

Assessing how you’ve moved the needle on risk management, being more proactive in identifying risk and measuring risk management effectiveness can help lay the foundation for a deeper risk culture and a lower risk profile. Equally important, these are steps that can be taken in advance of regulatory guidance on the new financial reform legislation. We know the bar has been raised for the financial services industry, with heightened expectations and scrutiny. Begin now to evaluate your organization’s risk culture and work toward a “strong” rating.

Ms. Grosslight is executive vice president, risk management and compliance for the Technology and Operations Group and Corporate Staff Groups at San Francisco-based Wells Fargo & Co. She can be reached by contacting Colleen Carnley at [email protected].