Recently I posted a question to my LinkedIn connections asking, “What concepts do you think risk managers struggle with when learning the fundamentals of ERM?” Someone mentioned one of the most important qualities necessary for a risk manager – being a persuasive advisor.
Specifically, she asked:
What questions to ask and who to ask them to! Particularly in a new environment or culture that might not have risk embedded in it or a culture where risk is the risk manager's problem. Stakeholder management is absolutely critical to helping embed risk thinking into decision making at every level of the organization.
The first thing a risk manager should do in a new environment or culture is to determine the scope of the “project.” Have you been tasked with a bottom-up or top-down approach? Are you new, or is the department or person you are talking to new? Prior to the meeting, gain as much knowledge about the area as you can. If you are new, pull the risk register for that area. Research emerging risks for that area and bring those with you. Are there any audit findings in that area? Have those findings been remediated? You can do a search of risks in a particular area to find some “best practice” risks, but I also talk to Internal Audit, Compliance, Fraud, and others to get an understanding of what risks they expect to see the business area articulate.
Listen to the person you are talking to, and I mean really listen. Put down your pencil (or tablet) and give them your undivided attention. You will find out more that way than with canned questions, although you will need a few of those to get the conversation started. I once had a person in the first line keep telling me that a control was “stupid.” I thought he was just lazy. I didn’t listen, and I didn’t ask him enough questions. Sure enough, as you can imagine, the control execution failed. When I pointed out the risk that the control was supposed to prevent – he said, “I didn’t know that, but by the way, there is an easier way to prevent that risk from happening.” My fault for not making sure he understood his new role and for not listening to the why behind his comments.
In my experience, you want to talk to the control executors, the first line (bottom-up approach). Generally, they know more than the supervisor, and if they do not, that might be one of the risks. If it is a new area, I find that mapping out the process on a flow chart will help determine if the areas of risk are controlled and where there may be areas of redundancy. Does the area understand the company’s strategic objectives and their area’s risk to achieving those objectives? When I am documenting an area, I often tell the first line that we are just documenting the great things that they do (which is usually the case, by the way), and that puts them at ease to discuss the process.
I hope this helps. Does anyone have any other tips or tricks to add?