Traditional approaches to risk management put managers and senior executives at the helm, tasked with anticipating, identifying, avoiding and containing certain risks. But could a bottom-up mindset prevent more problems from happening in the first place?
More and more companies are providing all of their employees with a greater degree of risk management training and action. This approach has been adopted by Progeny, an independent financial planning and asset management firm. Chief Risk Officer (CRO) Charlotte Willis believes that risk management and reporting is everyone’s responsibility, a concept that can lead to the quick and effective implementation of actions and the resolution of problems.
“As staff have invested time and energy to help develop strategies and action plans, their commitment and accountability is almost always assured from the start, compared to a purely top-down approach,” says Willis. .
Each line of business within Progeny has initial responsibility for identifying and quantifying risks using a risk management framework. However, significant work has been undertaken with team leaders to help them understand how their decisions affect the company as a whole, as well as their own specific areas.
Together with department heads, they can escalate new or emerging risks to a risk and audit committee, which in turn works with the CRO, management team, and board to prioritize those risks.
When teams embrace and accept responsibility, it also means better alignment in pursuing new strategies or business goals, Willis adds. However, establishing a consistent approach to risk management is a challenge, she admits.
“Some departments are naturally more opportunistic and enterprising, while others are perhaps more naturally governed and risk averse. This places more emphasis on formalizing the requirements and responsibilities of all staff,” he explains. -she.
It will always be up to individual CROs to decide if a bottom-up approach is right for their business and industry. For Michael Brown, health and safety content manager at compliance firm Citation, this brings a number of health and safety management benefits, as employers have a legal obligation consult their employees or representatives on health and safety matters.
“Employees themselves can often come up with solutions that are overlooked by management because they know better how the work is actually done,” he says.
Such a pathway can also mitigate risk when new processes or equipment are implemented in the workplace, ensuring that any concerns are not overlooked, according to Brown.
“Consulting in these cases helps to identify the potential risks and hazards of a new process before it is fully operational, saving time, effort, money and, most importantly, it can avoid possible injuries due to potential misuse of the equipment later on,” he explains.
In financial services, the risks can be acute. Dr. Luke Carrivick is Deputy Executive Director of ORX, the world’s largest member organization for operational risk professionals in financial services. He thinks a bottom-up approach is a “great way to get real risk takers to think more clearly about what they’re doing”.
However, he points out a downside: too narrow a focus on insights by individuals or teams can mean that some broader risks could be missed. For example, ensuring the aggregation of similar risks which, taken individually, could be immaterial, but combined could be significant.
A more contemporary approach is now being used, similar to crowdsourcing, says Dr. Carrivick, with a diverse set of people interviewed on a particular topic, within or even across institutions. In cases where people don’t know what to watch out for or look for, what he describes as “noisy information from a range of sources” should be gathered when identifying new or emerging risks.
“Some banks are testing the concept of crowdsourcing,” he explains. Industry studies such as ORX Horizon are based on this principle, he notes, with the latest version identifying emerging technologies as the most concerning emerging operational risk for the financial services industry.
Risk management is also becoming increasingly digital, with the digitalization of finance bringing the automation of previously manual processes. “By integrating risk management into the regular process and becoming increasingly reliant on metrics that can be captured automatically, this bottom-up, data-driven activity monitoring then begins to help you understand your risk profile.” , adds Carrivick. .
Confidence and creativity
It is essential to recognize that employees in the field are closest to the operation and have “a wealth of experience and knowledge about the causes of disruptions”, believes Julie Goddard, business continuity consultant at Databarracks, who offers a range of IT disaster recovery and business continuity service solutions. “They also tend to come up with creative and smart solutions, because they probably already do that to some degree when navigating their day-to-day work,” she says.
Goddard also notes the importance of developing trust within the hierarchy, so that employees know their views are valued, while management must agree on thresholds within which they would be happy for staff to manage them. -even the risks. This can be based on their business’ risk appetite and be a cost value, the number of customers affected, or the extent of the disruption. Above the defined level, issues would then be escalated.
A bottom-up approach to risk management should now underpin business strategy and opportunities, Willis advises. “The more everyone in the company is engaged in what is too often a difficult topic, the better for everyone,” she says. “Risks can be reduced and opportunities can increase, which can have a truly positive impact on business growth and a company’s bottom line, while improving client outcomes and delivering exceptional client service. ”
To achieve this, CROs could always follow a simple advice from Goddard. “If you’re brave enough, put a sign on the mirror in the restroom that says, ‘You’re looking at the organization’s risk consultant’.”