“Don’t be fearful of risks. Understand them and manage and minimize them to an acceptable level.” ― Naved Abdali
Imagine the following scenario: You are hired to manage a leading organization’s ethics and compliance program, and one of your key responsibilities is to build the risk management function within it. To your knowledge, the company has a risk management program, but it can use some fine-tuning. You have a basic understanding of risk management but are relatively new to the field. Where do you start? What are the building blocks of your program? And how do you make risk management a key priority in your organization? While there is no one-size-fits-all approach, here are some activities to help get you started.
Networking from the kids’ table to the adult table
Many have vivid memories of past family gatherings or holidays when, as children, we were unable to sit at the grown-up table. For some, this was heaven—sharing silly stories, laughing, and “acting up” without an adult rolling their eyes at you and asking you to be quiet. But for others, sitting at the kids’ table meant we were missing the lively conversations of the adults—full of ideas, opinions, and experiences.
Similarly, networking in an informal setting (both internally and externally) can be an excellent source of new perspectives and ideas to help you in your professional role. This is particularly beneficial for ethics and compliance professionals, as networking creates a sense of shared knowledge with people from similar professional backgrounds, provides opportunities to learn how peers are operating their ethics and compliance or risk programs, builds relationships and business connections, and can help raise your profile or advance your career through collaboration with peers.
There are many ways to network in the ethics and compliance industry, either through industry affiliations or locally in your organization’s area. If your organization is a nonprofit, make a point to talk with other nonprofit ethics and compliance professionals at industry conferences. Explore if a networking group exists or suggest creating one. Whether your organization is public, private, or nonprofit, most larger cities have a local ethics and compliance networking group. For example, in the Washington, DC, metro area, there is the Capital Area Business Ethics Network, and in Chicago, there is the Chicago Regional Business Ethics Network, just to name a few. For risk management professionals, there are also enterprise risk management (ERM) networking groups. In the DC metro area, there is an ERM Roundtable group. Networking and relationship building should be a continuous process, even if you started at the kids’ table during family gatherings.
Starting at the top: Create a board/executive risk partnership
To truly drive change in risk culture, your executives and board need clear guidance and a shared understanding of what kinds of risk-taking are acceptable and where the organization could take more or less risk. To help them align on the key risks facing the organization and to forge a consensus around how key risks tie to organizational strategy, try the following activities, which can aid strategic decision-making and be game-changing in terms of more constructive and fulsome strategy and risk conversations in the boardroom.
- Risk working group: Create a small risk working group (two or three board members and three or four members of senior management) to meet regularly (maybe quarterly between board meetings) and establish ground rules for engagement, choosing activities that will clarify board and management risk preferences, while creating a sense of collaboration and shared responsibility.
- Risk education: Create documentation and education to level-set the risk management process (what, why, and how) so everyone has the same foundation and understanding of risk in the organization. Focus on how the board discharges its risk oversight responsibility, given that risk oversight is most likely included in board and/or committee charters.
- Risk assessment survey: Invite the board to take the same annual risk assessment survey that management completes to determine if both groups are aligned in terms of risk, what the board’s risk perception is, and whether there are big gaps. Discuss the results with the board. This exercise will get both groups on the same page, deepen strategic conversations in the boardroom, and, most importantly, make your board risk savvy, not just risk-aware.
- Risk scenario workshop: Include management and the board in a tabletop risk scenario planning exercise. The goal of the scenario exercise is to forge consensus on how key risks tie to organizational strategy by identifying existing or new risks, how the organization would respond, and what the organization is doing to prevent the scenario from happening. Consider doing the tabletop exercise as a breakout session during a board meeting. Create hypothetical scenarios (upside and downside) and play them out, applying your organization’s risk appetite and strategy. Try intermingling senior management with board members at tables and remind everyone to remain in their roles, meaning senior management manages the risks and develops mitigation plans while the board provides risk oversight and guidance. The main takeaways from the workshop include engagement in risk discussions, an eye-opening view of the interdependency among enterprise risks, a common understanding of the risk profile and the organization’s capabilities to manage the risks mentioned in the scenarios, and conversations on short-term initiatives to prepare for what was articulated in the scenarios.
- Risk appetite: The above activities can provide the necessary partnership, context, and momentum to gain clarity on board/management risk preferences and set the stage for formally articulating the organization’s risk appetite or “risk philosophy,” if not already articulated.