Traditional risk management approaches put managers and C-suite executives at the helm, charged with predicting, identifying, avoiding and containing certain risks. But could a bottom-up mindset prevent more issues from occurring in the first place?
Companies are increasingly offering all employees a greater degree of training and agency in risk management. This approach has been adopted by Progeny, an independent financial planning and asset management company. Chief risk officer (CRO) Charlotte Willis believes risk management and reporting is everyone’s responsibility, a concept that can lead to the quick and effective implementation of actions and problem-solving.
“As staff have invested time and energy into helping shape strategies and action plans, their engagement and accountability is almost always assured from the outset, compared with a top-down only approach,” Willis says.
Each business area within Progeny has initial responsibility for identifying and quantifying risks using a risk management framework. However, significant work has been undertaken with team heads to help them understand how their decisions affect the whole company, as well as their own specific areas.
Along with heads of departments, they can escalate new or emerging risks to a risk and audit committee, which itself works with the CRO, senior leadership team and executive board to prioritise these risks.
When teams accept and agree responsibility it also means greater alignment in pursuing new strategies or business goals, Willis adds. However, establishing a consistent approach to risk management is a challenge, she admits.
“Some departments are naturally more opportunistic and entrepreneurial, whereas others are maybe more naturally governed and risk averse. This places greater importance on the formalising of requirements and responsibilities for all staff,” she explains.
It will always be up to individual CROs to decide if a bottom-up approach is suitable for their company and industry. For Michael Brown, health and safety content manager at compliance firm Citation, it brings a number of advantages in health and safety management, given employers have a legal duty to consult with their employees or representatives on health and safety matters.
“Employees themselves can often offer solutions that are overlooked by management by virtue of being more familiar with how work is actually completed,” he says.
Such a path can also mitigate risks when new processes or equipment are implemented in the workplace, ensuring any concerns are not ignored, according to Brown.
“Consultation in these instances helps to identify potential risks and hazards with a new process before it’s fully up and running, to save time, effort, money, and most importantly, it may avoid possible injuries from potential misuse of the equipment later down the line,” he explains.
In financial services, risks can be acute. Dr Luke Carrivick is deputy executive director at ORX, the world’s largest member organisation for operational risk professionals in financial services. He thinks a bottom-up approach is a “great way of making the actual risk takers think more clearly about what they do”.
However, he points to a downside: an overly narrow focus on information by individuals or teams can mean some broader risks could be missed. One example is ensuring the aggregation of similar risks, which in isolation might be immaterial but in combination could be important.
A more contemporary approach is now being used, akin to crowdsourcing, Dr Carrivick explains, with a diverse set of individuals polled on a particular topic, within or even across institutions. In cases where people don’t know what to monitor or look for, what he describes as “noisy information from a range of sources” needs to be collated when identifying new or emerging risks.
“Some banks are piloting the crowdsourced concept,” he explains. Industry studies like the ORX Horizon are built on this principle, he notes, with the latest version identifying emerging technology as the financial services industry’s most concerning emerging operational risk.
Risk management is also becoming increasingly digital, with the digitalisation of finance occurring alongside the automation of previously manual processes. “By embedding risk management into the business-as-usual process and by being increasingly reliant on metrics that can be automatically captured, this bottom up, data-driven monitoring of activity then begins to drive your understanding of your risk profile,” Carrivick adds.
Trust and creativity
It’s critical to recognise that employees on the ground are closest to the operation and have “a wealth of experience and knowledge on what causes disruption”, believes Julie Goddard, a business continuity consultant at Databarracks, which provides a range of IT disaster recovery and business continuity services. “They also tend to come up with creative and clever solutions, because they’re probably doing it already to some extent as they navigate through their day job,” she says.
Goddard also notes the importance of developing trust within the hierarchy, so employees know their views are valued, while management must agree the thresholds within which they would be happy for staff to manage risks themselves. This could be based on their company’s risk appetite, and be a cost value, the number of customers affected, or the extent of disruption. Above the set level, issues would then be escalated.
A bottom-up approach to risk management should now underpin business strategy and opportunity, Willis advises. “The more engaged everyone within the firm is with what all too often is a challenging subject, the better it is for everyone,” she says. “Risks can be reduced and opportunities can increase, both of which can have a really positive impact on business growth and a firm’s bottom line, while improving customer outcomes and delivering an outstanding client service.”
To achieve this, CROs could always follow a simple piece of advice from Goddard. “If you are brave enough, put a sign on the mirror in the loos saying: ‘You are looking at the organisation’s risk consultant’.”