Risk-Critical Thinking

How to Lead and Better Manage Risk Through Change

In a world marked by constantly-evolving regulations and technology innovation, financial institutions must regularly contend with change-driven risks and opportunities. It's a daunting challenge, but with the right governance, risk and compliance practices, firms can use change management proactively to identify potential threats and to make well informed, risk-based decisions.

Friday, November 22, 2019

By Peter Bannister


Organizations are always going to have to grapple with change - whether it's in the form of a major corporate shakeup, sweeping adoption of transformative digital technologies or shifting industry regulations. Indeed, it is one of the few constants in the business world.

Change, of course, yields risks, and it's therefore business-critical for organizations to develop highly functioning, adaptable governance, risk and compliance (GRC) programs that give leadership the power to be more proactive in identifying potential risks and corresponding solutions.

GRC is a top-down endeavor that enables organizations to be better prepared for change-driven risks that have the capacity to impact return on investment (ROI) in direct and indirect ways.

Peter Bannister Headshot
Peter Bannister.

Establishing a positive risk culture is a key component of effectively managing these change-driven risks, and GRC helps firms achieve this by ensuring that information and insights flow transparently across business units, across the three lines of defense and all the way to the board room and beyond. This, in turn, leads to better-informed decisions on risk-related activities.

Better storage, measurement and management of data is one significant change that every forward-looking organization should seek. More specifically, it is logical to have risk data that is centrally located, measured on a consistent rating scale and categorized under one taxonomy. Under this approach, reporting is faster, and insights not only appear more quickly but are more easily understood across management; consequently, decisions can be made on a firmer footing.

Given all of these benefits, would anyone really be averse to these GRC-driven data and reporting changes? The answer, at least sometimes, is yes, and the fundamental reason is typically because employees don't understand the value proposition of the recommended changes.

Leading through change is the job of the GRC program manager and his or her team, and top-down change needs to be translated into value for whomever it's poised to impact the most. We all know the organizational hierarchy is how enterprises are supposed to function and how work is supposed to flow. However, understanding how things actually get done at an organization is invaluable when aiming to lead through change.

Usually, unbeknownst to senior management, there are individuals in the associate and middle manager ranks who command respect and act as catalysts for change - since they are the go-to people for questions and concerns around change. Organizations that proactively identify these informal influencers can accelerate change.

Leveraging Influencers to Expedite Change

When initiating change, it's critical for organizations to know where to start. Influencers can be tapped to support this, as they can help management strategically conduct assessments to identify potential vulnerabilities preemptively.

Imagine, for example, rolling out a new issue-management program across a large global bank. Let's pretend all of the following: the “issues” are newly defined; data standards and the dates by which data needed to be entered into the system are changing; and a new technology is being implemented. To complicate matters further, let's also say that there are people in certain parts of the organization who think the new program is a mistake, as they don't see its value.

What do you do?

The trap that ensnares many is to try to appease the aforementioned naysayers. As a result, one spends a disproportionate amount of time trying to persuade the group to “get on the bus,” so to speak.

While these individuals shouldn't be ignored, they should be kept at arm's length; senior management should also be brought in to reinforce the value that the change in question might bring, as this type of negative response is typically born out of fear of the unknown.

Instead, imagine this scenario: you seek out a positive influencer and leverage his or her enthusiasm for a pilot program. You run a small and controlled test, with the influencer and his or her group and ask for feedback. Since they are organizational influencers, there's a high change that they'll offer you constructive feedback. Using their feedback, you can then make improvements for the next pilot group.

Under this scenario, the group who were reluctant to change will have no choice but to adopt it, as influencers in the organization will already be on board.

Parting Thoughts

Change is hard, but there are ways to lead through it successfully. Establishing a risk culture that is receptive to change is a good place to start. A pervasive culture yields continuous monitoring of threats, enabling an organization to more effectively spot potential risks before they cause problems.

Peter Bannister is the SVP of GRC at MetricStream. Prior to joining MetricStream earlier this year, he led the GRC program at Fannie Mae.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2023 Global Association of Risk Professionals