Risk Champions and their importance to risk culture
Educating Risk Champions
We speak to expert IRM trainer and risk practitioner Alexander Larsen, CFIRM, on the subject of risk champions and why they are so crucial in embedding an effective Enterprise Risk Management (ERM) structure and culture into an organisation.
What is a risk champion?
In order to implement an effective ERM structure in an organisation, the process, tools and procedures, along with risk knowledge, decisions and behaviours all need to be communicated and integrated at every level. A Risk Champion is a great option for achieving this goal.
There are numerous names and roles for a risk champion; most commonly, however, they are employees in an organisation who do not have risk management as a primary role, but rather have the responsibility of supporting their own department or division with developing and reporting risks.
Known also as Risk Co-ordinators, Risk Officers and Risk Management Business Partners (or Risk Business Partners), they are essentially an extension to the core risk management function, and they can communicate risk information and influence risk culture and behaviours. In addition, they can report back to the risk management team on areas for improvement, such as what frustrates staff in relation to the risk management approach, and help overcome some of the challenges faced.
The role of the risk champion can vary but includes:
- Providing feedback on employees’ views of the risk management process
- Supporting identification and reporting of risk
- Ability to identify blockers
- Communicating the risk management vision to staff
- Acting as a subject matter expert in certain disciplines (geologists, etc.)
- Acting as a “translator” between risk management and their technical department
- Building a risk-aware culture within the organisation including appropriate education
- Providing guidance to the risk manager on the best way to implement risk management in specific areas of the business and at what pace.
The Risk Champion Network
One risk champion will hardly be enough in an organisation looking to identify risk across all its departments, so a risk champion network allows a better spread across the organisation. It allows departments to take ownership of risk, bringing a sense of risk “ownership” to the front line. This is otherwise difficult because people just look at the risk management department or the risk manager and assume that the responsibility sits with the risk management function.
The risk champion framework puts the responsibility for assessment and mitigation back on departments and risk owners, and having a risk champion within each department or area enhances and strengthens ownership of the risk process.
International firms with a network of offices, usually spread across countries and continents, often struggle to build a consistent risk culture. This is partly because risk management teams have limited reach, but also because different geographies and management teams, and the prevailing country or regional culture, will have different attitudes to risk. Again, in these cases, having a risk champion network can improve consistency in risk identification, understanding and reporting.
What kind of roles might risk champions have in different organisations?
You will need to develop a job description for your risk champion network. This will vary depending on the risk maturity of your organisation and how engaged, knowledgeable and conversant people are with risk management.
It could be as simple as updating departmental risks at defined intervals, or it could go further and include ensuring risks are analysed in line with the published criteria. You might want to say that the risk champions should talk to all people in a department individually, or you might ask them to run workshops. It could be that you want the risk champions to drive risk management within their own departments, but instead of the risk champion being responsible for the risk register, they support their manager in maintaining it.
With the right risk champion and a structured training and development programme, they could even drive training throughout the organisation. This tends to be correlated with the level of organisational risk maturity.
You also need to think about how much time they have and what percentage will need to be dedicated to risk management. That will dictate how much of the risk management responsibilities they can take on alongside the other roles that they play, and the time commitment may be different in different departments, areas or regions.
Whichever approach you take, it needs to support your ultimate aim, which is to drive risk culture. Managers are responsible for departmental objectives and therefore they should also be responsible for owning the risks for their departments as risks impact their critical objectives.
What education do they need?
In a company with good risk maturity, your managers are more likely to suggest someone with the right blend of knowledge, competency, skills and commitment. Otherwise, you can try to improve the process by guiding managers on the kinds of skills you need.
- Champions need to be relatively senior
- They need to have the authority and ability to speak to people at higher levels
- They need to have been in the job for a while
- They may need to have a certain personality
- You might want someone with certain qualifications (e.g. financial or engineering background)
- They need the visible support of the CEO (and the Risk Manager).
You don’t want to step on managers’ toes, but if you can give them a good idea of what you are looking for and how the specific characteristics and criteria will benefit them, you’re more likely to get the champions you need.
Once risk champions are in place, the training should begin from the very outset.
Induction and basic training
Context is important and therefore risk champions need to have an introduction to risk management and an understanding of their roles and expectations as they relate to the organisation.
The training should consist of communicating why the organisation is focused on risk management, the benefits of the program, and the resources dedicated to it. It should also include the foundations of risk management: What is risk? What is risk management? How do we identify, assess and manage risk?
These sessions should be interactive and involve various identification and assessment exercises.
Running sessions where the risk champions are able to work together also adds value. They build an informal relationship that can be helpful in understanding other parts of the business and how risks may interconnect, and it helps to eliminate biases and groupthink from the early stages of developing risk management capabilities. It also builds a network of risk champions who can rely on each other and not always feel the need to ask questions of the risk management department.
The Risk Manager should be hands-on and deliver dedicated one-to-one training and support. This may be in the form of shadowing, inviting champions to workshops and involving them in the preparation and running of the sessions, as well as observing them running sessions as time goes on. Essentially, the role is to handhold the champions until they are confident enough, and providing the right quality of output, to go it alone. These one-on-one sessions need to be integrated with the annual performance review process and cycle, which should also include individual development plans for risk management.
Soft Skills training
Soft skills are vital for any risk professional, and risk champions will benefit greatly from such training, depending on the expectations placed on them. As an example, if they are expected to run workshops, they should receive facilitation skills training; for presenting reports, they should have presentation skills training; and for dealing with numerous stakeholders, they should be offered communication skills training.
These are just some examples of the types of soft skills training that would be extremely useful in their roles, although there are numerous others.
Multi-layered and multi-year training
Whilst the above training should be in place as standard, it is important to have a training plan in place that aligns with the longer-term aspirations of the risk management department.
Linking the training to the risk maturity aspirations of the organisation might be a good way to develop the training requirements. As an example, if the expectation is that quantitative risk analysis will be a feature of the risk management process across the organisation within a 3-5 year period, it might be useful to build a training program that prepares your risk champions to either understand the data inputs required or even go as far as training them on how to run Monte Carlo simulations with the help of software.
Having a 3-year training program (or longer) in place which guarantees a set number of days for training, for example 5-10 days’ training a year over a three-year period, will greatly improve the skills and knowledge of the risk champions whilst also meeting the needs of the organisation’s risk maturity aspirations. This has the positive knock-on effect of improving the overall risk culture of the organisation, with the risk champions able to better communicate the benefits of risk management to staff as well as provide improved support to all involved in the risk management process.
To really add value to the training program, it can be undertaken in conjunction with an organisation such as the Institute of Risk Management, which would allow the risk champions to achieve a certificate by the end of the program. This not only ensures top quality bespoke training, developed specifically for the organisation’s needs and in conjunction with a highly regarded professional training and education body, but also adds an incentive to be a risk champion and to remain a risk champion for the 3 years or whatever period the risk champion’s role has been specified as.
Encouraging HR to include such a certificate as a prerequisite for certain managerial promotions, etc., will even further encourage people to willingly put themselves forward for the role of risk champion.
When training a risk champion, the following elements should be covered:
- What is risk management?
- What does risk management look like in the world?
- What does the organisation see as risk management (focus on opportunities too)?
- What is risk appetite and tolerance? What is the organisation’s current risk appetite?
- How do we go about identifying risk?
- How do we measure those risks?
- How do we manage those risks?
- How do we communicate and what reporting requirements do we have?
- How to facilitate workshops and risk conversations.
- What tools are available for risk management?
The full portfolio of IRM’s qualifications and training courses can be viewed here: www.theirm.org