Who should be involved in developing and executing the plan?
Some companies have a chief risk officer who can manage the planning/execution of a risk management policy. Larger companies have formal methods of risk assessment, but it isn’t necessary to go to that level of formality. Smaller companies can get the ball rolling by going to business unit managers to have them share their top five risk concerns and then drilling down from there.
For companies not familiar with risk management techniques, a consultant may help give structure and direction. But if a small company is hesitant to hire a consultant, it can do a lot from a risk management perspective by instead using the top-five method to self-identify risks and then cross-organizationally considering ways it might reduce its exposure to those risks.
Commitment from key leaders is critical, but so is buy-in from managers and supervisors, and from employees who are working at the ground level, where many fraud opportunities may exist. Emphasize to managers that managing risk is a key component of their leadership responsibilities and that a sales manager is also a risk manager.
How do you create a risk management culture?
Don’t miss an opportunity to champion risk management whenever you can. Form a risk committee with members from all levels of the organization. Address a risk topic at regular company meetings. Reward people who do an excellent job of engagement — people who are not just managing risk in their own silo. Create a variety of policies and procedures around the key control areas identified in the risk assessment, and involve the risk management committee in approving these processes.
Ultimately, enterprise risk management works a lot like quality control. You can generate widgets and hire someone to sit at the end of the production line and check to see if the widgets are up to par. Or, you can institute a process that ensures those widgets meet high standards before they go down the line. The objective is to build quality from the start and not to go about business and leave risk management as an afterthought.
Rod Sloan is chief risk officer of Old Second National Bank in Aurora, Ill. Reach him at (630) 906-5459 or [email protected].