Risk-Critical Thinking

Leading Risk Management from the Front Line

Developing risk awareness in the first line of defense is crucial, but difficult to achieve. What five steps can financial institutions take to get front-line employees to own their risks?

Friday, March 29, 2019

By Brenda Boultwood


Building a successful risk management program isn't just about implementing a robust risk system or advanced analytics. It's about enabling a cultural shift by embedding a pervasive sense of risk awareness and ownership at every level of the enterprise.

Nowhere is that more important than in the first line of defense. That's where the risks are taken and, therefore, where the consciousness around risk management needs to be pervasive.

Every time an employee engages in a transaction or makes a decision, he or she needs to know: Will this hurt or help the business? Will it get the company in trouble or will it strengthen business performance? Employee understanding of the balance between risks and rewards is critical to success.

The challenge is getting the first line to own these efforts. In a 2017 PwC survey, 63% of global respondents said that shifting more risk responsibilities to the first line made their companies better at anticipating and mitigating risk events. However, only 13% reported actually leading risk decision-making and collaboration from the front line.

For many employees, the risk management function, like any second line functional support group, speaks a different language. The terminology differences can be difficult, the processes opaque to the business and the documentation requirements time-consuming. How, then, can you get front-line employees to own the risks, thereby improving their ability to make business decisions?

1. Communicate the Business Value of the Risk Program

Most employees in the first line have one goal - to drive business revenue. Therefore, the first step in getting their buy-in on risk management is to communicate its business value: How can better risk practices in the first line drive better business performance? How can more proactive risk awareness increase the probability of success in employees' business transactions?

It helps to use positive language aligned with business growth and success. It also helps to treat the risk program like a brand. Consider giving it a name and identity that people can relate to. The goal is to get employees to connect with risk management, understand the business objective behind it and make it an integral part of their work life.

2. Keep it Simple

Risk terminologies and concepts aren't always easy to grasp. For instance, an issue, an incident and a risk may mean different things to a risk manager - but to the first line, they often look the same.

Training can help close these knowledge gaps. However, if the content is complex, it may not stick. A better, more sustainable option would be to focus less on how the front line should adapt to risk management and more on how risk management can be adapted to the front line.

How can risk processes be made so easy and intuitive that they become a seamless, almost inherent part of employee daily routines? It starts with speaking the language of the business. For instance, when creating risk and compliance survey forms, keep the questions simple.

Instead of asking employees to classify a risk event as an issue, an incident, or a risk, use one consistent term: “Did an issue occur?” Or, “Is there potential for an issue to occur?” If the answer is yes, the response can be routed to the next line of defense for further investigation. Alternatively, another (equally simple) question can be generated to gauge the nature and impact of the issue.

The aim should be to ensure that risk reporting in the first line is as easy as possible. Thereafter, the real risk experts (i.e., the second line) can take over and begin translating the raw data into the required risk terminologies.

Another way of making risk management more intuitive is to “layer” risk tools into the systems and applications used by the first line. Here's a look at how that might play out:

Layering Risk Management

Imagine that it's the closing minutes of the Irish Stock Exchange. A fund manager at an asset management firm issues a last-minute order to make a trade - one that's thrice the size of all trades taken together that day on the market index.

There's just 10 minutes to go, but the trader responsible for that particular transaction is worried. He or she might ask, for example, “Is this market manipulation?” “Will I get into trouble for executing this trade?” “How do I ensure that I'm following policy guidelines?”

At this point, the company's risk management system kicks into gear. Layered seamlessly into the employee's trading platform, the system automatically triggers a checklist or survey to the trader based on the company's market manipulation policy:

  • Was the client aware of the size of trade? YES
  • Was that conversation on a recorded line? YES

The trader's responses are automatically routed to a risk officer through an alert on her smart phone. She analyzes the data, and gives her go-ahead, enabling the trader to execute the trade confidently with three minutes to spare.

The result? A great commission for the trader and more revenue for the firm - all enabled through speedy risk assessments and agile communication between the trader and the risk officer.

3. Provide Support

Front-line employees need to know that the second line of defense exists not to police their every move and decision, but to provide independent oversight and to support them in becoming better risk managers. This support can be demonstrated by, for instance, providing a meaningful risk framework, establishing risk policies, defining a risk appetite that supports business growth and designing a system that can automate the risk and compliance processes.

Another solution is to build mini-teams of risk specialists within each business unit. These teams, often called the 1.5th line of defense, can provide risk training, control assurance and advisory services to the first line, while also dealing with ground-level risk issues. Since they probably understand their business unit better than the second line, they will know how best to guide employees in managing risks.

4. Incentivize

One of the best ways to drive risk management into the first line is to provide incentives. For instance, policy compliance and loss avoidance behavior can be linked to rewards and recognition programs. Sales teams with fewer customer complaints, a lower risk of customer attrition and zero losses from fraudulent or rejected claims can receive higher payouts.

Gamification in risk management is also useful. Run a contest on who can report the highest number of issues. Hold a quiz on the latest updates to a policy. Announce a competition to identify the employee who closes action items most efficiently.

These “games” motivate employees to get more involved in risk management activities without having to be pushed and prodded by an oversight function. The more engaging the game, the faster risk management practices will become a habit.

5. Embed Analytics in the Backend

Once the first line starts playing a more active role in risk management, the next step is to make sense of their risk inputs. Analytics can play an important role by swiftly sifting through the data and drawing out valuable insights to support decision-making. Users can - in real time - group together similar sets of data, so that what initially looked like a series of random events is arranged to reveal a pattern of emerging risks or incidents.

Simplicity is important here. Dashboards, reports and user interfaces need to be configured and personalized in such a way that each stakeholder can access the insights that are most relevant to him or her. What a business line risk manager wants to see will be different from what a CRO or board member wants to see. Building clear reporting mechanisms is essential.

The speed of reporting also matters. Boards and management want near real-time risk intelligence - something that legacy systems and spreadsheets may not be able to provide.

However, an advanced risk reporting system can provide the required level of visibility by automatically aggregating risk data, populating reporting fields and rolling the insights up to the relevant stakeholders. With the system taking over these tasks, risk professionals who were once bogged down by data collection and reporting can be freed up to focus on more valuable activities such as risk analysis.

Build a Foundation

Risk awareness in the first line is great, but cannot be achieved without a comprehensive risk management program. The maturity of a program depends on the strength of its foundation. For many companies, that foundation is a governance, risk and compliance (GRC) platform.

On this centralized platform, companies can build out a comprehensive risk framework with consistent risk and control taxonomies. This risk universe can then be mapped to compliance (regulations and standards), audit (audit entities and findings), the third-party ecosystem (third-party contracts and risk assessment results), organizational constructs (processes and assets) and, finally, business objectives (financial metrics and performance indicators).

Through this data, companies gain a clear view of risk impact and inter-relationships, which, in turn, enables them to better capitalize on opportunities.

The Importance of Empathy

Integrating risk management into the consciousness of an organization is ultimately an exercise in empathy. It's about stepping into the shoes of the first line, understanding how they think and work, and adapting risk processes accordingly. Think of the first line as your customers, and risk management as your product: How can you design and position it to maximize adoption?

Technology can help by minimizing process complexities and automating cumbersome tasks. It can also bridge the gap between the first line, where risk data is generated, and the backend, where the data is analyzed to enable decision-making.

But technology is just one part of the equation. Before it is implemented, organizations need robust planning, commitment, patience, a strong tone at the top and dedicated change management resources to build a mature risk culture.

Once these pieces are in place, risk management can become a natural part of business processes. When that happens, the organization will be well-positioned to drive strong performance and growth - not blindly, but from a place of real awareness and integrity.

Brenda Boultwood is the senior vice president of industry solutions at MetricStream. She is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Prior to joining MetricStream, she served as senior vice president and chief risk officer at Constellation Energy. Before that, she worked as the global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. She has also been a board member of the Global Association of Risk Professionals (GARP), and currently serves on the board of the Committee of Chief Risk Officers (CCRO).

