Although many large organizations embrace risk management in their leadership offices, very little enterprise risk information is communicated to middle and front-line staff. In a recent CEB survey, only one in three middle managers and a fifth of front-line managers reported receiving communications or training on the top enterprise risks they personally face in their work.
Lack of training and communication has a negative impact on how the entire organization is able to sense and respond to threats. Because the median staff size of ERM teams is only two, however, it is difficult for them to combat this challenge alone. As such, it is critical that central risk management teams rely on their business partners to take risk into account when making decisions and to perform basic risk responsibilities such as conducting due diligence, evaluating potential threats and developing risk treatment plans. Yet, only 34% of ERM leaders currently believe business unit managers are effective at risk management.
In order for the business to perform risk tasks effectively, risk management goals and guidance must be properly communicated to risk owners across the enterprise. Based on interviews with risk leaders, here are three scalable tactics that leaders can employ to better communicate risk issues, improving employee awareness and, in turn, the staff’s ability to better perform basic risk tasks.
- Build a risk management training curriculum. Nearly every large organization has a learning and development function. Many organizations have one or two risk-related courses as part of mandatory annual training, but progressive organizations have realized that one risk course is not enough to effectively communicate risks to employees. These organizations use existing training infrastructure to create and host a curriculum of internal courses that teach employees about risk management and top risks. Deploying training across multiple channels such as e-learning modules and traditional in-person classes with internal subject matter experts makes training accessible to all employees, regardless of location and learning style.
One innovative approach to risk management training is to use case studies. By developing a case that puts learners in the position of the risk owners, organizations can teach them how to accept, avoid, mitigate or transfer the risk. Using common examples faced by business unit owners or other senior leaders, learners can have a realistic experience of managing risk in the organization.
- Empower employees to fulfill their risk roles. Training is a very effective technique for building risk awareness, but some employees have extra responsibility for risk activities and need further support on risk-related topics. To reach those employees, leading companies have started creating risk management communities of practice.
For example, one major U.S. financial company uses a risk management newsletter and various risk management events to communicate thought leadership, resources and tools to a group of employees who have opted into the community. These are employees who have a portion of their responsibilities dedicated to managing risks or who have expressed a general interest in learning more about risk management.
Communities of practice can also be used to host events and serve as a forum for identifying employee advocates that champion the goals of the centralized risk management function.
- Create and employ risk liaisons. Those employee advocates can be critical to the success of ERM objectives, especially given the typical ERM team’s limited employee resources. Risk liaisons, or staff who work in the line and help translate the firm’s risk management policies and approach into day-to-day advice and guidance, are a cost-effective way to increase ERM’s impact beyond the central team.
Seventy-one percent of ERM functions already use risk liaisons. Typically, those liaisons are people who wield a lot of influence with the team and are regularly involved in important decisions. The most successful liaisons also view risk management as a significant part of their job and have a strong relationship with the central risk team.
Building training curricula, giving employees the opportunity to learn more about risk management, and embedding risk advocates in the business puts ERM teams well on their way to integrating risk management principles across the enterprise. In doing so, they can expand their influence and enable leaders and employees alike to manage risks on their own.