Embedding risk culture in the first line of defence is a long-term battle met with constant pushback and new barriers. So, is it worth the fight? Stephen Varma, former director, risk and governance for Rio Tinto, shares a successful approach that’ll inspire you to battle on.
“I can’t get the engagement.”
“It’s a nebulous and challenging task.”
“I don’t think the first line of defence care much about risk management.”
If you’ve tried to build engagement with the first line of defence, or further still, worked on a plan to embed a culture of risk management among first line colleagues, these statements won’t be unfamiliar to you.
“The challenge isn’t for the faint hearted”, said one senior member of the Risk Leadership Network, upon registering for a virtual meeting on this topic.
“I’ve tried doing this in previous organisations. It’s a long-haul journey and requires persistence, resilience [when pushback is constant] and a lot of recalibration.”
This was an experience that resonated with Stephen Varma, former director, risk and governance for Rio Tinto, who led and kicked off last week’s member meeting with a ‘show and tell’ of the approach that he created and successfully implemented.
We haven’t detailed Varma’s full approach here – you’ll need to watch the full recording to find the real gems to his strategy for embedding risk culture in the first line of defence – but here’s a brief summary in three short steps.
1. Conduct a diagnostic
As Varma explained, his journey began with a detailed diagnostic, which evaluated risk practices, attitudes towards risk and risk management performance.
The diagnostics led the team to explore new ways it could embed risk into the first line, and threw up four core areas that its risk strategy needed to address, including:
- Harmonising and consolidating disparate controls
- Establishing clear accountability of risk across the organisation, with clear performance expectations. For example, all senior leaders were expected to sign off their risk exposures to their five-year strategic plans
- Embedding an elevated suite of capabilities, for example new resources, measuring and calculating risk
- Making use of the technology available to us to measure and record risk
2. Use your diagnostic results to establish a strategy
This led to a multi-tiered, three-year transformation strategy made up of the following aims:
- Build a robust risk management organisation
- Create a new operating model that could be scaled up to the needs of a new commercial function
- Establish a risk management framework to address commercial risk, governance, strategy, appetite and risk technologies
- Strengthen the mandate for the commercial organisation and help it grow and pursue more advanced commercial capabilities.
The last was Varma’s personal and primary motivation: “To help the organisation grow by optimising our risk management approaches in a way that allowed us to pursue new opportunities, improve the understanding of risks versus trade-offs in the pursuit of greater revenues and growth.”
3. Set out a change management plan, backed with strong communication
A change management plan followed: “We also put a lot of thought into the transformation components. Because with any major transition or change management plan, we needed to ensure that these components were very much set up as key neighbours to the strategic execution of your overall strategy.”
This began with a suite of communications strategies developed to “bring people along with the change journey” and was made up of:
- Town halls and conferences
- Internal social media
- Intranet platform
The core objective was to make the risk journey “completely transparent”.
“We wanted to ensure that all stakeholders, and particularly those in the front line, could acknowledge what we were doing,” says Varma.
“We were setting ourselves up as a service and providing a one stop shop for all things risk by leveraging the technologies that were available to us at that time.”
“We were able to reduce those barriers to engagement. And we developed a really strong, critical mass of risk awareness and knowledge across the organisation pretty quickly,” he adds.
First phase outcomes
These three areas marked the first phase of Varma’s strategy. They helped achieve the following:
- Risk was well understood.
- Material risks were well highlighted across the organisation and discussed every month and every quarter in audit committee meetings.
- Systems were established and embedded.
What next? Getting first line managers on board
The next critical task in our transformation programme was to get a better handle on the day-to-day operational risks and controls.
“When I spoke to front line managers (who were performing critical day to day activities), I found that they were disconnected from the whole strategic planning process,” says Varma.
“I don't think they really cared about whether or not the organisation reviewed these deep and meaningful strategies, and the risks connected to them because they don’t materially impact their day to day activities. So, I had a long hard think about how to address this.”
Varma’s next step was to outline a plan for improving engagement within the first line of defence – a plan that leveraged existing technologies and data analytics to solve key issues and make day-to-day first line tasks easier for managers.
This marked the start of the second phase of Varma’s approach, covered in the full recording, which members can watch here.
The full recording also explores – in more detail – the following:
- Conducting a diagnostic and identifying objectives
- Devising a three-year strategy, including establishing a risk management framework that would address commercial risk and governance, strategy and appetite, risk management and risk technologies
- Change management and transformation and communication
- Setup and implementation of a risk and control tool, including day to day operational risk and controls
- Engaging the frontline
- Employing data analytics
- The results, including improved engagement among the first line of defence
Varma’s presentation led to discussion among members, who shared their thoughts on:
- Adapting communications strategies for the first line versus the second and third line
- Leveraging technology to build engagement with the first line of defence (an area where it is typically challenging to get good engagement)
- Addressing approaches to culture following an M&A