Determining an organization’s approach to risk management and monitoring its risks often are the responsibilities of a core team of individuals. While these individuals can develop effective policies, procedures and frameworks to help direct the organization’s risk management strategy, responsibility for the execution of sound risk management activities and the operation of key control points falls on the wider employee base as part of their day-to-day activities. It is the line managers, traders, accounts payable clerks, stock managers, brokers and many other professionals who must maintain the key controls that help mitigate risks to the organization.
Within many organizations, individuals operate these controls and mitigate these risks, but do so subconsciously as part of their general activities. When individuals are required to change practices to mitigate potential risks or are required to start formally attesting to controls they operate, little support or advice may be provided and resistance can build up. Without an effective training program to help explain the value of risk management and support business users in their individual responsibilities, risk management becomes an ancillary function rather than one that is embedded into daily business activities.
Challenges and Opportunities
Embedding risk management into the day-to-day running of an organization and driving individuals to consider the risk of their actions are key to the implementation of a successful enterprise risk management (ERM) program. Like any type of change, users need to be helped through any transformational activities to understand the value of their actions or why change is required. Therefore, training becomes highly important. The challenge to delivering an effective training program is meeting the needs of a wide range of individuals who often are at different grades or levels within the organization but, in many cases, have the same risk responsibilities.
Our Point of View
To successfully deliver a risk and control awareness campaign and truly embed risk management within an organization, a number of core basic principles should be followed:
- Demonstrate value – Any training should be worded appropriately to demonstrate how it will aid end users in their roles and should be viewed as value-adding rather than one of many time-consuming corporate requirements.
- Tone from the top – Support and buy-in from senior management are critical to drive ownership and embed risk management. Executive-level training in the form of “know your responsibilities” is a useful mechanism to help management understand their risk responsibilities and those of their staff.
- Identify the needs of end users – Risk management training should seek to cover not only the “why” of risk management, but also how users can implement risk management practices successfully into their day-to-day activities. Through tailoring courses to meet the needs of individual users based on their roles, employees can be provided with highly specific training to which they can relate.
- Utilize multiple formats – The use of multiple formats or media can increase user participation significantly. Computer-based training (CBT) courses can provide training to multiple individuals and are useful in geographically dispersed organizations, while formal classroom training or seminars can be used to provide more in-depth learning.
How We Help Companies Succeed
Given Protiviti’s deep understanding of enterprise risk management, we have assisted many clients in designing, executing and embedding risk management training and awareness programs, each tailored to their organizational approach to risk management.
Protiviti assisted a client in the financial services industry with a comprehensive review of its risk management training program and then rolled out a global risk awareness program. The goal was to increase awareness among end users of their risk management responsibilities, providing both “light touch” training to all staff and more detailed, role-based training tailored to an individual’s role and risk responsibilities.
Our engagement involved:
- Determining the training needs of all staff based on the organization’s approach to risk management
- Producing tailored training materials to drive a better understanding of risk management requirements for each individual based upon their role. These included a computer-based training course to be taken by all staff, courses for risk and control owners, and handbooks for executives to summarize their risk management responsibilities.
- Rolling out the training program to more than 1,500 users across more than 15 countries, including the delivery of a “risk management basic CBT” course, targeted classroom courses, executive “know your responsibilities” events and risk management awareness sessions
- Embedding a process for the ongoing tracking, monitoring and reporting of stakeholder attendance at courses
- Delivering a dedicated risk management training intranet site to act as a point of focus for all future risk management activities
Key benefits of this approach included:
- The improvement of risk management awareness across the organization, leading to the client being able to demonstrate compliance with regulatory requirements regarding risk management awareness
- An “up-skilling” of staff, leading to improved risk management performance against internal management statistics
- Training that was aligned to users’ requirements based on their roles and organizational responsibilities