Embedding Sound Risk Management Practices into an Organization

Written By
ITBE Staff
Aug 27, 2010

Determining an organization’s approach to risk management and monitoring its risks are often the responsibilities of a core team of individuals. While these individuals can develop effective policies, procedures and frameworks to help direct the organization’s risk management strategy, responsibility for the execution of sound risk management activities and the operation of key control points falls on the wider employee base as part of their day-to-day activities. It is the line managers, traders, accounts payable clerks, stock managers, brokers and many other professionals who must maintain the key controls that help mitigate risks to the organization.

Within many organizations, individuals operate these controls and mitigate these risks, but do so subconsciously as part of their general activities. When individuals are required to change practices to mitigate potential risks or are required to start formally attesting to controls they operate, little support or advice may be provided and resistance can build up. Without an effective training program to help explain the value of risk management and support business users in their individual responsibilities, risk management becomes an ancillary function rather than one that is embedded into daily business activities.

Embedding risk management into the day-to-day running of an organization and driving individuals to consider the risk of their actions are key to the implementation of a successful enterprise risk management (ERM) program. Like any type of change, users need to be helped through any transformational activities to understand the value of their actions or why change is required. Therefore, training becomes highly important. The challenge in delivering an effective training program is meeting the needs of a wide range of individuals who often are at different grades or levels within the organization but, in many cases, have the same risk responsibilities.

To successfully deliver a risk and control awareness campaign and truly embed risk management within an organization, Protiviti suggests following these core principles.

Any training should be worded appropriately to demonstrate how it will aid end users in their roles and should be viewed as value-adding rather than one of many time-consuming corporate requirements.

Support and buy-in from senior management are critical to drive ownership and embed risk management. Executive-level training in the form of “know your responsibilities” is a useful mechanism to help management understand their risk responsibilities and those of their staff.

Risk management training should seek to cover not only the “why” of risk management, but also how users can implement risk management practices successfully into their day-to-day activities. By tailoring courses to meet the needs of individual users based on their roles, employees can be provided with highly specific training to which they can relate.

The use of multiple formats or media can increase user participation significantly. Computer-based training courses can provide training to multiple individuals and are useful in geographically dispersed organizations, while formal classroom training or seminars can be used to provide more in-depth learning.
