How do seasoned risk professionals fight risk management inertia? They find ways to dismantle silos and develop processes to spark discussion about risk throughout the enterprise.
It’s easier said than done, but with determination and a clear game plan, it’s possible. We reached out to professional risk managers for their best silo-busting tips. Here’s what they told us:
1. Give everyone a seat at the risk table.
When using a committee approach to risk management, think broadly about which areas of the institution should be represented. IT and compliance may be top of mind, but areas like human resources, marketing and deposit operations belong there too.
Risks intersect, and sometimes that intersection isn’t apparent until the right person at the table brings up a new perspective. People rarely think outside their own lane, so bring all the drivers together. Once an initial discussion takes place, if a business line really has no tie to the initiative, it can be left out of future meetings. If extra support is needed, it can be called in.
When the door to discussion is wide open, it makes it much harder for something to sneak in undetected.
2. Integrate risk into processes.
Baking risk management into the beginning of any initiative ensures that every business line and department is aware of risk. No one should be surprised that risk is part of the initial discussion or ongoing processes.
3. Introduce a risk management survey.
When onboarding a new product or vendor or undertaking a new initiative, require a risk management survey that reviews how it would impact consumers and their data. This makes everyone take a step back to think about data security, compliance, and risk management—and shares key information that can aid in monitoring, measuring and mitigating risk.
4. Build trust and relationships with respect.
Many individual departments already have their own metrics and systems for managing risk. When working to connect these departments, recognize what they have and the work they’ve put in, and bring that data to other departments to show where risks overlap. Trying to work with existing data and processes, particularly while they are generating strong results, goes a long way in creating an environment of respect.
Some people think the goal of ERM is to play “gotcha.” In reality, ERM is a second line of defense. It’s there to make processes safer and to add value. Demonstrate that value by showing how involving risk management from the beginning saves time on the back end. If a department tells risk management about an initiative late in the process or after the fact, it’s already on fire for risk.
Done right, ERM can actually improve communication throughout the entire organization.
Reporting may feel like a finish line of sorts, but it’s also an opportunity to educate. When reporting on risk, every stakeholder and decision maker should be present. Not only does it ensure the institution is working within its risk tolerance, it ensures every business line and department is aware of what’s going on around the institution.
Whether it’s at a small institution where the same players are at the table for every discussion or a large one where committees rule risk, these tips simplify the daunting task of breaking down silos to ensure risk management is a shared task.