Risk management only works when it factors into everyone's thinking. Kerri Grosslight of Wells Fargo lays out steps for getting there.
As a first step toward building a culture of accountability, an assessment of the company's risk management model and framework is essential. Ensure that everyone knows who's responsible for understanding and addressing risks in each part of the organization. From a divisional or business line perspective, who is responsible for executing against corporate policies and understanding what the business needs to do to adhere to the policies, including training and awareness? Who aggregates and looks at risk holistically? It's critical to know these things, because the accountability model starts with every employee understanding the potential risks that cross his or her desk.
All leaders must understand the risks in the businesses for which they're accountable, and risk professionals must support employees and managers in risk mitigation. Beyond that, enterprise oversight is crucial so that risk is aggregated across the organization—this is particularly important if business groups are siloed.
As a next step, CSOs and other personnel in charge of risk activity need to acknowledge and address potential blind spots—the areas of concern or potential threat that can be missed if one is not careful. Even the strongest cultures have them. Blind spots include:
- The familiar sense that "It can't happen to us." To counteract it, continuously be aware of the fact that bad things can and do happen, and be on the lookout for potential risks.
- When a leader must communicate his or her own mistakes or those made externally, there's often a reluctance to deliver this news; it may be equated to a sense of failure or punishment. Instead, open communication should be viewed as an opportunity to share risk awareness and help others avoid similar pitfalls.
- If business groups are siloed, there's often a lack of transparency across the organization when risks arise. As mentioned above, an aggregated, enterprise view of risk trends and patterns is necessary, allowing business decision makers to connect the dots across the company, share risk awareness, and avoid one-off solutions.
- When employees aren't clear about an organization's risk tolerance, they may get mixed messages around risk, which can be a real danger to a culture of accountability. A lack of clarity and insight around risk leads to assumptions that could negatively impact business or a tendency to take on more risk than is prudent.
Finally, it is critical to communicate broadly and often to create awareness of blind spots and to help employees understand that risk management is everyone's responsibility; just talking about it makes a difference. Encourage leaders to cascade information through their teams, have critical conversations about risk on an ongoing basis, and instill a mindset where people feel that their roles matter. For example, leaders can use communication channels that employees recognize and trust, whether it's e-mail, newsletters, video clips, or town hall meetings.
Also remember that keeping teams and business partners informed and building trust with them by sharing what you can, as soon as you can, minimizes potential roadblocks to success. It is also critical to offer forums in which employees can identify and share "bright ideas": simple, everyday actions that will help everyone better identify and manage risk. This type of proactive activity also reminds employees that leadership doesn't profess to have all the answers and that employees really are the first line of defense. Perhaps most important, leaders need to ensure that they communicate success stories, which helps make risk management real for employees.
Whatever an organization's risk management model looks like, remember that instilling and reinforcing the right culture is foundational to effective risk management and helps protect customers and shareholders. Everyone has a responsibility for risk management, and with the right culture, everything else falls into place.
Kerri Grosslight is head of Risk Management and Compliance for the Technology and Operations Group, also serving as Group Risk Officer for the Corporate Staff Groups.
She joined Wells Fargo in April 2002, in an initial role designing and building a shared services organization for the Technology and Operations Services division. Later, Kerri headed Technology Services, a division of the Technology Information Group. Technology Services was comprised of Information Security, Network, End User Computing, and Risk Management and Compliance. Since the Wells Fargo/Wachovia merger, Kerri has been focusing on Risk Management and Compliance, an expanded role. Prior to Wells Fargo, Kerri spent several years consulting as the Wells Fargo account executive with Carreker and also with Northwest Natural Gas in Portland, Ore.
Kerri began her career with First Interstate Bank, Los Angeles, and has more than 20 years of experience in financial services, primarily leading large-scale technology and operations transformational projects and application development teams focusing on telecommunications and lending.