Jan 29 2009 Philippa Girling
This article is the third in a series on practical operational risk management. The series looks into the practical aspects of building, maintaining and driving forward an effective operational risk management program. The first article briefly looked at all the elements that are needed for an effective operational risk framework as below:

The second article addressed the challenges and opportunities that arise when implementing an appropriate governance structure. This article considers how culture and awareness affect the success of an operational risk management framework. An operational risk framework that does not actively and consistently address the cultural aspects of the program will have little impact on the firm. For operational risk management to be adopted and applied throughout the organization, the operational risk function must include three important activities: marketing, planning and training.
Marketing
The operational risk department is a brand within the firm and will have brand recognition, whether this brand has been carefully promoted or not. Colleagues, peers, managers and general staff will have formed an opinion on whether this function is one that they want to buy into or not. Their support or resistance will depend on how the function is perceived in the firm. It is important to keep this in mind when developing the operational risk function. An expert team that works in seclusion may produce excellent work, but if no one at the firm is aware of this good work, they will be unable to offer their support, and the operational risk function will struggle with demonstrating its value.
The operational risk function is in a unique position — it must interact with every corner of the firm as operational risks arise not just in trading areas and operations areas. The operational risk function needs, therefore, to undertake a firm-wide marketing effort to ensure that its reputation is positively reflected across the firm. There are several ways to achieve this. There does not need to be an official marketing workstream; however, marketing activities need to be included in planning. How, for example, does the organization launch new firm-wide activities? What works well for internal communications? There are many options: posters in communal areas, firm-wide e-mail blasts, internal web sites or town halls. The fact that an internal communications method has not been used in the past does not preclude it from being used on behalf of the operational risk function. New methods of communication always draw attention.
Town halls
Holding a town hall to launch a new operational risk function is an excellent way to demonstrate to the firm that this is a serious undertaking and one that has senior managers' support. If the firm decides to proceed with a town hall either to launch a new operational risk function or to launch the next phase of the operational risk program, there are a few keys to success:
- Have a pre-prepared, very short, professional-looking slide show presentation that covers the important points, and make it available on the firm's intranet afterwards.
- Engage the most senior person to give the introduction to the presentation and to introduce the head of operational risk who can then lead the presentation.
- Invite as many people as can be accommodated.
- Secure senior team RSVPs and follow up with them to ensure that they will attend in person.
- Announce something concrete — a new activity (loss data collection, training, assessments, etc.) or a new goal (Basel II compliance) that has a due date and that requires the support of the attendees.
- Invite questions at the end, but wrap it up on time and follow up with anyone who was unable to ask a question due to time constraints.
- Keep it short — no more than one hour. If it ends on time and is kept brief, people will be willing to attend the next time.
- Follow up within a week with the first step towards that goal or activity. Once the campaign has been launched, be sure to keep it simmering.
Internal web site
The value of an internal web site can sometimes be hard to prove. Obviously, hits to the site can be tracked, but there may be little reason for someone to visit the site and low hits might not necessarily mean that an internal site has no value. It is now the case that not having an internal web site might indicate that the function is not important to the firm and that is reason enough to ensure that there is an easily accessed operational risk web site. The site should include at a minimum: contact information, policies, procedures, purpose, training and awareness documents. If a firm is able to invest in a more robust web site, then it could also include links to the elements of the program (e.g., loss data entry database) and news coverage on operational risk events that are external to the firm. The site should conform to the corporate web site look and feel to demonstrate that it is an integral and important function of the firm.
Face-to-face
In addition to marketing activities, it is very important to invest serious time and effort in face-to-face cultural awareness activities. When launching or re-launching a new operational risk program, or embarking on a new phase of the framework, it is essential to elicit the opinions and buy-in of the main partners and sponsors. A list of all potential stakeholders needs to be prepared and meetings should be scheduled with each of these individuals, which are usually private one-on-one sessions. In these meetings, the operational risk head should explain that they are there to gather the stakeholders' thoughts — not to present a fait accompli. They should outline why the operational risk function exists, its goals, plans, aspirations and concerns, what commitment they need from the other person and what benefits they will receive in return. They might then ask each stakeholder two important questions: "What are you hoping we will do?" and "What are you hoping we will not do?"
These two questions can provide valuable insight into where each individual is currently frustrated and is hoping for support (which the operational risk function could then try to provide), and where they may have serious concerns about the work of the operational risk function that need to be addressed.
Stakeholders who should be included in the initial cultural awareness meetings are:
- Chief risk officer.
- Head of SOX.
- Head of audit.
- Head of compliance.
- Head of legal.
- Head of business continuity planning.
- Head of information technology.
- Head of operations.
- Chief financial officer.
- Chief operating officer.
- Business line heads.
Armed with this information, the operational risk function can then adapt its plans in the light of these interviews, and request meetings with the stakeholders' direct reports. These second round meetings can be delivered in group settings, and provide an opportunity to educate the firm's managers and to request support. A simple way to arrange these is to request a 15-minute segment at their regular team meeting. Time invested in these cultural awareness meetings will be recouped later as it is likely to result in fewer roadblocks and a smoother political ride. It also allows the operational risk team to identify where it has allies and sponsors, and where it will need to work hardest to demonstrate that it is an important and relevant activity.
Find a sponsor
It is important in a person's career that they identify both a mentor and a sponsor. A mentor will provide feedback and guidance as the person faces challenges and decisions throughout their career. A sponsor will support them when they are not in the room and will protect their back. If a person can have only one of the two — then they should go for a sponsor and the best way to get a sponsor is to ask. The operational risk function will need to identify a senior sponsor. Who in the organization will support the activities of the operational risk team when they are not present in the room? Who will provide public support for the new elements of the framework as they are rolled out? Identifying a suitable sponsor can be challenging and it may take several sponsors to cover all the activities of an operational risk function. Possible sponsors can be found in the following places:
- Who requested that the operational risk function be formed?
- Who is looking to prove themselves? (e.g., a recently appointed head of an area).
- Who is concerned about another area?
- Who responded very positively in interviews?
- Who was particularly critical in interviews?
The person who has tough questions during the early cultural awareness interviews may well be a future sponsor. After all, their awareness of the pitfalls and challenges suggests a level of engagement which is more helpful than someone who merely nodded politely and checked their watch during the interview.
Planning
Good planning is an essential part of culture and awareness activities. Every time the operational risk team sets clear goals and reaches them, it is building a reputation of excellence. Planning should be comprehensive, detailed and transparent. The level of detail that is shared with each audience will vary, but milestones and deliverables need to be backed up by careful planning of the tasks that are required to reach those milestones and complete those deliverables. Developing, implementing and maintaining an operational risk framework is a complex undertaking. If the planning is too high level it will be difficult to hit deadlines and lateness puts a department on the defensive. On the other hand, strong project planning builds confidence. It is also important for the stakeholders to appreciate the hard work that has gone into every milestone and deliverable. Making something look too easy does not result in confidence in the output; in fact, experience has shown the opposite to be true. It is better to show how much work has gone into a deliverable before presenting any conclusions based on that deliverable. It is also important to be clear about the work that the operational risk team has done.
Planning for an early achievement provides urgency and energy to the project and planning for a longer-term achievement demonstrates the importance of the function and provides continuity. It is advisable, therefore, to include both short- and long-term milestones in the planning. Project management skills are not always present in an operational risk team, and if that is the case, it may be worthwhile to either bring in a dedicated project management resource, or engage the central project management team if the organisation has one. Every day that is spent planning is a solid investment in a successful framework in the future.
Training
In addition to marketing activities, such as town halls and face-to-face meetings, operational risk training needs to be provided across the firm. Operational risk can occur in any corner of the firm and it is important that every employee can recognize it and respond appropriately. Firm-wide training can be provided economically and effectively using the intranet or internet. When designing firm-wide training it is important to ensure that the content of the training is not overly ambitious. An introduction to operational risk, for example, might only need to contain the following information:
- Definition of operational risk.
- Drivers for implementing an operational risk management program at the firm.
- Examples of events that are relevant to the firm.
- What to do if a person sees operational risk (e.g., enter it into the firm's loss event database or contact its departmental operational risk representative).
Online training should be brief (15 minutes) and should include a test, although this can be designed so that participants can retake a question until they get it right. Completion of the training can be tracked using a learning management tool and departments are encouraged to attain 100 per cent completion. Experience has shown that offering online operational risk training to all employees, and as part of the orientation for all future employees, makes a valuable contribution to raising the culture and awareness of operational risk across the firm.
An invitation to online training can be sent out immediately after a launch event, such as a town hall, to help the operational risk program maintain momentum. In addition to online training, group training sessions will be needed for the more complex elements of the framework, such as entering data into the loss event database, or participating in risk and control self-assessment or scenario analysis activities. As with all training, clear learning outcomes should be established for each training session and realistic expectations should be maintained regarding the learning curve of the participants.
A successful organizational culture change requires an energetic and enthusiastic approach and multiple supporting activities, which include active marketing of the new function's "brand", careful planning and management of tasks, and group and individual training in the new concepts. The more time that is spent preparing the firm for the coming operational risk activities, the more accepted those activities will be and the more successful the operational risk function can become. The governance and culture and awareness elements of the operational risk framework require serious attention. Once they are in place, the operational risk function can proceed with rolling out the technical elements of the framework.
Author Biography:
Philippa Girling is an Of Counsel Attorney at Garrity, Graham, Murphy, Garofalo and Flinn in New York. She was previously global co-head of operational risk management at Nomura.
