Partnering with Risk Owners for Risk Assessments
Risk owners are the people responsible for overseeing the day-to-day operations in specific parts of the business that experience risk. A branch manager at a bank is one example. As such, they’re crucial to risk managers’ success.
While a risk manager or chief risk officer is responsible for overseeing risks, they are not able to truly identify, assess, and mitigate risks without the perspective and insight risk managers offer. This is why the Three Lines of Defense (3LoD) model stresses the risk manager as the second line of defense while a risk owner is part of operational management in the first line of defense — the actual risk management.
Risk assessments are the simplest and clearest way for risk managers to understand what risk managers see and experience at the first line. Unfortunately, collaborating with risk owners on anything can be a challenge for risk managers. They are often viewed as a nuisance by operational managers, the risk owners, as risk management may be seen as unrelated to their goals or even a restriction.
This is a problem. Without proper collaboration with risk owners for assessments, risks and controls may go unnoticed or be misunderstood or disregarded by risk managers and leadership. Risk managers, consequently, need to understand how to partner with risk owners for effective risk assessments.
Common approaches, communication, and priorities
Identifying who will own or be responsible for a particular risk is done after identifying risk and developing a risk appetite and tolerance, but before actually assessing and analyzing the risk. Within this framework, the risk manager monitors the risk owner’s internal procedures regarding the identification, classification, treatment, and documentation of risks.
Ways that risk managers can make sure risks are fully understood, and that risk owners are using best practices when implementing controls, are through:
- General surveys
- One-on-one interviews
- Individualized assessments
General surveys are convenient, can be quick when kept simple, provide a clear, calculated data set, and require less engagement between risk managers and risk owners. Unfortunately, surveys often rely on risk owners’ risk management knowledge and willingness to disclose potential issues. This calls into question the integrity of the data being received.
Also, because of the lower level of engagement, risk managers often struggle to get survey responses back at all. One mid-size organization with a very mature risk management program sends out thousands of risk surveys each year, and often receives less than a hundred back, even with executive sponsorship and engagement.
Finally, if you are able to pull back a robust set of accurate data from surveys, what are you going to do with them? Oftentimes, there isn’t a systematic method in place to consolidate the data to create clear, concise reporting that can be used for informed strategic planning.
One-on-one interviews are at the other end of the risk evaluation spectrum. They allow risk managers to gain deep and meaningful insight into the risks and the mitigation practices in the risk owners’ various silos while simultaneously giving risk owners access to the expertise offered by risk managers.
One challenge this approach shares with risk surveys is that of consolidating and standardizing data. How does one take the information gained through one-on-one interviews, log the relevant points, and prioritize risks and issues from those discussions? But the biggest challenge this approach poses is time. Time demands for meetings alone may cause other areas of risk managers’ roles to be neglected, or risk assessments may be postponed when time can’t be made.
Finding a happy medium
Individualized assessments seem to be a happy medium. Risk managers can start with a standardized template and tailor the assessments to ensure they are relatable and understandable to the risk owners completing them. This approach provides a foundation of standardization and uses the tailoring process to help encourage data accuracy. By placing risks and controls into quantifiable categories with clear descriptions, and rating them accordingly, individualized assessments offer a level of accountability in their answers.
Risk managers are also able to challenge assessments if they think there may be a gap that has gone unnoticed or is being minimized. The individualized assessments should be more relatable to risk owners, making it less daunting for them to complete. With the time saved on the front end through having risk owners complete the assessments and on the back end thanks to the assessments’ standardizations, risk managers have more time to engage lagging risk owners to drive better response rates.
In order for risk owners to implement these best practices effectively, risk management goals and guidance must be properly communicated and tied back to business goals. It’s also important to support risk owners’ progress and hear their concerns. Encourage them to own their business’s risk and use you as a partner who supports their success.
This goes a long way toward convincing an operational manager — who is certainly juggling many different responsibilities — the importance of accurate risk information within a culture of risk management. Establishing that mindset goes a long way toward making risk managers valued partners instead of hindrances.
ERM facilitates this partnership
Even once a risk owner is convinced to partner with risk managers for risk assessments, risk responsibility can still be daunting. An open line of communication is vital, but many middle managers and front-line managers don’t have any formal risk management training.
An enterprise risk management (ERM) solution, however, can ease the burden. With ERM software’s pre-built risk assessment templates, users can properly identify risks and control measures while using consistent enterprise-wide terminology, processes, and workflows.
Most importantly, ERM increases cooperation, breaking down barriers and silos between risk owners and risk management. The risk assessment and reporting process will be streamlined across an organization.