“Don’t be fearful of risks. Understand them and manage and minimize them to an acceptable level.” ― Naved Abdali
Imagine the following scenario: You are hired to manage a leading organization’s ethics and compliance program, and one of your key responsibilities is to build the risk management function within it. To your knowledge, the company has a risk management program, but it can use some fine-tuning. You have a basic understanding of risk management but are relatively new to the field. Where do you start? What are the building blocks of your program? And how do you make risk management a key priority in your organization? While there is no one-size-fits-all approach, here are some activities to help get you started.
Networking from the kids’ table to the adult table
Many have vivid memories of past family gatherings or holidays when, as children, we were unable to sit at the grown-up table. For some, this was heaven—sharing silly stories, laughing, and “acting up” without an adult rolling their eyes at you and asking you to be quiet. But for others, sitting at the kids’ table meant we were missing the lively conversations of the adults—full of ideas, opinions, and experiences.
Similarly, networking in an informal setting (both internally and externally) can be an excellent source of new perspectives and ideas to help you in your professional role. This is particularly beneficial for ethics and compliance professionals, as networking creates a sense of shared knowledge with people from similar professional backgrounds, provides opportunities to learn how peers are operating their ethics and compliance or risk programs, builds relationships and business connections, and can help raise your profile or advance your career through collaboration with peers.
There are many ways to network in the ethics and compliance industry, either through industry affiliations or locally in your organization’s area. If your organization is a nonprofit, make a point to talk with other nonprofit ethics and compliance professionals at industry conferences. Explore whether a networking group exists or suggest creating one. Whether your organization is public, private, or nonprofit, most larger cities have a local ethics and compliance networking group—for example, in the Washington, DC, metro area, there is the Capital Area Business Ethics Network, and in Chicago, there is the Chicago Regional Business Ethics Network, just to name a few. For risk management professionals, there are also enterprise risk management (ERM) networking groups; in the DC metro area, there is an ERM Roundtable group. Networking and relationship building should be a continuous process, even if you started at the kids’ table during family gatherings.
Starting at the top: Create a board/executive risk partnership
To truly drive change in risk culture, your executives and board need clear guidance and a shared understanding of what kinds of risk-taking are acceptable and where the organization could take more or less risk. To help them align on the key risks facing the organization and to forge a consensus around how key risks tie to organizational strategy, try the following activities. They can aid strategic decision-making and be game-changing in making strategy and risk conversations in the boardroom more constructive and complete.
- Risk working group: Create a small risk working group (two or three board members and three or four members of senior management) to meet regularly (perhaps quarterly, between board meetings) and establish ground rules for engagement—choosing activities that will clarify board and management risk preferences—while creating a sense of collaboration and shared responsibility.
- Risk education: Create documentation and education to level-set the risk management process—what, why, and how—so everyone has the same foundation and understanding of risk in the organization. Focus on how the board discharges its risk oversight responsibility, given that risk oversight is most likely included in board and/or committee charters.
- Risk assessment survey: Invite the board to take the same annual risk assessment survey that management completes to determine whether both groups are aligned in terms of risk, what the board’s risk perception is, and whether there are big gaps. Discuss the results with the board. This exercise will get both groups on the same page, deepen strategic conversations in the boardroom, and, most importantly, make your board risk savvy, not just risk-aware.
- Risk scenario workshop: Include management and the board in a tabletop risk scenario planning exercise. The goal of the scenario exercise is to forge consensus on how key risks tie to organizational strategy by identifying existing or new risks, how the organization would respond, and what the organization is doing to prevent the scenario from happening. Consider doing the tabletop exercise as a breakout session during a board meeting. Create hypothetical scenarios (upside and downside) and play them out, applying your organization’s risk appetite and strategy. Try intermingling senior management with board members at tables and remind everyone to remain in their roles: senior management manages the risks and develops mitigation plans, while the board provides risk oversight and guidance. The main takeaways from the workshop include engagement in risk discussions, an eye-opening view of the interdependencies among enterprise risks, a common understanding of the organization’s risk profile and its capability to manage the risks raised in the scenarios, and conversations on short-term initiatives to prepare for what the scenarios articulated.
- Risk appetite: The above activities can provide the partnership, context, and momentum needed to gain clarity on board/management risk preferences and set the stage for formally articulating the organization’s risk appetite or “risk philosophy,” if it is not already articulated.
Establish and operationalize risk appetite
Risk management programs serve to identify, assess, prioritize, monitor, and communicate critical risks to business strategy. To do this, you must first understand your organization’s risk tolerance.
According to Risk Appetite – Critical to Success by the Committee of Sponsoring Organizations of the Treadway Commission, a risk appetite statement “is critical to organizational success. Articulating risk appetite for your organization will provide board members and senior management with important insight.”[1] The risk appetite statement is the foundation of the ERM program. It clearly defines an organization’s priorities and risk tolerance.
Simply having a risk appetite statement is a good start, but it is not enough. Organizations should develop a plan to operationalize the statement. Here are a few ways to do this:
- Write an article: Perhaps one of the best ways to inform your organization about your risk appetite statement is by writing an article for your staff. This ensures the statement is communicated across the organization.
- Align and embed risk appetite within the organization’s strategy: Make sure the board of directors and managers know how to use the risk appetite statement for strategic decision-making.
- Review risk appetite annually: Ask your board of directors to formally approve the statement yearly. Formalizing the approval process for the risk appetite statement and documenting the approval date assures staff that it was reviewed and that they are referencing the most current version.
- Communicate continuously: Leverage your organization’s communication tools, such as newsletters, internal websites, or email. Make sure you tap into your company’s resources to keep the risk appetite statement top of mind for staff, because you want staff to use the risk appetite to inform decision-making.
Meaningful risk reporting
Meaningful reporting is essential to a risk management program. Reports should focus on the key risks identified within the organization and how to mitigate them. Ask yourself, “Who is my audience? What context do they have? What is the best format?” When developing your reports, consider the following:
- Will the intended audience understand what I am sharing? Make sure you are writing in simple terms. For example, the standard deviation is a useful measurement when calculating how far a response is from the average, but you may lose your audience with too much statistical jargon. Eliminating jargon helps the reader get to the point faster.
- Is what I’m sharing best displayed pictorially or in words? You may decide to use charts, graphs, or images instead of words. For instance, you may choose to display a column comparing the leadership team’s results to the board’s. This allows readers to easily determine whether there is alignment in the rankings or whether they need to discuss differences.
- Use risk mitigation scorecards. These one-page snapshots include the risk description, risk owners, mitigation efforts, and vital takeaways. Require risk owners to regularly review and update the scorecards and share them with management and the board.
- Use year-over-year visuals. Use data from your annual risk assessment survey to create visual reports for management and the board, comparing risks from the prior and current years. This will help you quickly prioritize and address any noticeable changes in the risk landscape. For instance, between 2020 and 2022, the COVID-19 pandemic elevated talent management risks. As a mitigation plan, many organizations offered workplace flexibility and other retention tools.
Stay on top of emerging risks
Organizations leverage ERM to identify, assess, prioritize, monitor, and communicate critical risks to strategy. New business risks could materialize at any moment. Effective risk management programs, in addition to identifying and assessing near-term risks, need to look further into the future to identify emerging risks and trends on the horizon (e.g., five to seven years) and prepare accordingly.
A common definition for emerging risks should be shared so that management and the board are on the same page. One typical definition is “newly developing risks that cannot yet be fully assessed but could, in the future, affect the viability of the organization’s strategy and/or business model.”
The discipline of addressing emerging risks by embedding them into current risk processes allows the organization to have a more structured approach to identifying and assessing over-the-horizon events that could affect the organization. This approach encourages forward thinking and helps management make informed decisions on emerging risks.
An organization can employ several activities to help identify emerging risks in the external or internal environment. Two acronyms that can help you identify potential emerging risks within defined categories and provide a structure for horizon scanning are PESTLE (Political, Economic, Social, Technological, Legal, Environmental) and STEEP (Social, Technological, Economic, Environmental, Political).
In terms of internal emerging risk identification, here are a few ideas.
- Senior management and board interviews: Question management and risk owners about emerging risks as part of the annual risk assessment survey, and query both management and the board as part of quarterly risk updates. Also, consider having “risk management” as a standing agenda item at regular executive management meetings.
- Strategic planning: Your annual strategic planning process and any deep-dive futuristic discussions with management may surface potential new emerging risks. Internal audit observations, after-action reports on major initiatives/projects, and even ethics/compliance questions asked by staff can also suggest emerging risks.
- Environmental scans: Periodically review news, social media, and industry survey results on emerging risks to help identify new risks on the horizon. Keep PESTLE and STEEP in mind.
- Peers/networks: Participate in industry surveys/polls on emerging risks to gain insight into what other organizations see as risks. Consider asking your external auditors what potential emerging risks they see on the horizon for your industry sector.
Identifying emerging risks can be difficult, so be proactive in having the emerging risk conversation. A compliance or risk management professional is well positioned to raise emerging risks that are worthy of management discussion. A constant dialogue with management and the board on emerging risks will allow management and the organization to be better prepared and to act on that knowledge while the iron is hot.
Conclusion
Whether your role is compliance, risk management, internal audit—or a combination thereof—all these disciplines are risk-based. A workplace culture promoting compliance and risk management will help the organization succeed in staying ahead of the change curve. For compliance and risk management professionals, it is more important than ever to leverage risk management with compliance simply due to the growing uncertainty within the risk landscape.
Takeaways
- Networking and relationship building should be a continuous process.
- To truly drive change in risk culture, your executives and board need clear guidance and a shared understanding of what kinds of risk-taking are acceptable and where the organization could/should take more or less risk.
- Simply having a risk appetite or risk philosophy statement is a good start, but it is not enough. Organizations should develop a plan to operationalize the statement.
- Meaningful reporting is essential to a risk management program. Reports should focus on the key risks identified within the organization and how to mitigate them.
- New business risks could materialize at any moment. Effective risk management programs, in addition to identifying and assessing near-term risks, need to look further into the future to identify emerging risks and trends on the horizon (e.g., five to seven years) and prepare accordingly.