Setting accountability for risk is a foundational element of strong risk culture, and for good reason: if the culture of a business is based on the individual and collective behaviours of people, establishing clear accountabilities can help to instill the kind of behaviours you want those people to demonstrate.
Risk practitioners and experts across our network believe accountability and culture are mutually reinforcing; while second line teams can use accountability as a lever to ensure people act in the right way, behaviours that the business needs to cultivate can also guide the setting of accountability.
Clearly, the two are inextricably connected to one another.
What challenges, then, are involved in setting accountability? Among our members, some of the most common difficulties raised include dividing responsibilities in a way that is both consistent and fair, and ensuring the correct balance between consequences and recognition with regards to risk management.
Furthermore, the only way to truly make people accountable for risk is to ensure that everyone in the organisation – from senior management to first-line business units – takes ownership of risk.
Risk leaders are focusing their attentions on trying to make their businesses more responsible for risk, and are sharing ways in which they have overcome the associated challenges during candid discussions with one another – for more information on our member meetings, click here.
Here, we explain three key tips for setting accountability for risk that have resonated the most with risk managers and CROs across the network.
Capture data from the business
How can you set accountabilities without assessing the subcultures that exist within the various business units and corporate functions of the organisation? One way to make this assessment is to conduct a culture survey around the business, asking questions focused on accountability, how to incentivise performance, and consequence management.
One risk leader, who carried out this type of study within their organisation, was able to use the data captured (in the form of survey responses) to predict the cultural outcomes of the business. This enabled them to locate which areas of the business needed a stronger accountability framework in place, in order to achieve outcomes desired by the board.
Link risk management to rewards
In order to make people more responsible for risk management, it can help to recognise and reward them for their efforts in a more formalised manner.
As many risk leaders across the network have reflected, risk accountability processes should be built into conversations about expectations and KPIs, especially as everyone around a business faces risks as part of their role. Ultimately, you want to send the clear message: everyone is a risk manager in their day-to-day role, and risk management does not just fall to managers or heads of departments.
A particular member noted that they have implemented a four-point scale during performance reviews where doing what is expected of you, when it comes to handling risks, places you at a three – only if you outperform what is expected can you reach a four, as well the opportunities for remuneration this offers.
Furthermore, any scale or expectations set should reflect that individual’s role in the business: for example, is this person a senior manager, or a more junior employee?
Set the right context
A problem many companies face is the lack of a clear business plan or strategy that is cascaded down through the organisation. While short-term initiatives are launched with a specific, usually short-term goal, the broader strategy of the business is typically more ambiguous for the vast majority of employees.
At a recent member meeting, one risk leader explained how important it was for them to set the right context across their organisation; if the business doesn’t understand the threats it faces now and in the future, it can be very hard for employees to be held accountable for them.
One method of developing awareness is to prepare context statements and refer to these in workshops with employees. Context statements explain the key risks to (and opportunities for) the business and how these threats may affect the ability of the organisation to achieve strategic objectives.
Discover how risk leaders are setting accountabilities in their business