Stakeholder Management for Risk Professionals
If you were to rank order different professions by the importance of stakeholder management to them, Risk Management would be close to the top of the list. Why? Because individuals are behind every risk a business faces – whether that be a product management team bringing products to market, an underwriting team making lending decisions or an operations team handling inbound and outbound company payments. And it is the job of the risk management team to ensure that all of these individuals fully understand the nature of the risks they are exposing the business to and fully understand their respective roles in mitigating or managing them.
In fact, the potential set of stakeholders to be managed can be wide-ranging, and includes:
- Board of Directors and Senior Executives: The Board sets risk appetite, the executive team manages the risk-return profile of the business.
- First Line of Defence: The risk owning business functions that take and manage risks. These can encompass not only front-office functions (marketing, sales, servicing, etc.) but also back-office functions (e.g., HR, IT, Finance).
- Second Line of Defence: The Legal and Compliance teams that are responsible for managing regulatory risks.
- Third Line of Defence: The Internal Audit team, with responsibility for ensuring the adequacy of risk processes and controls across the business.
For risk professionals, who sit in the second line of defence, stakeholder management can be challenging. By the very nature of their differing roles, the objectives of the above actors can often conflict. Add in the agendas of critical external stakeholders such as regulators and the external auditor, and the importance of careful stakeholder management is clear.
So how should one go about it?
In simplified terms, risk management comprises five steps: identifying the risks that a business faces, prioritising a subset for risk analysis, developing potential solutions to eliminate, mitigate or manage the risks, guiding the business to make decisions on which approach to take, and monitoring the effectiveness of those decisions. The end-to-end process is ongoing and continually repeats.
For each of these steps, risk professionals need to identify the individuals who would benefit from any of the following:
- Education on the nature of the risks they are taking and the implications of these
- Involvement in risk mitigation design or risk decision-making
- Advocacy of behaviour change or the adoption of new risk controls and practices
Once stakeholders have been identified, risk professionals need to develop and execute a stakeholder management plan that includes the objectives, means and ownership for each individual or group of individuals who form the target for stakeholder management.
Stakeholder management is thus a strategic management activity. Those organisations that get it right are able to engender real accountability for following risk policies across the organisation and, in the long term, can realistically aspire to driving risk awareness, attitudes and behaviours that go beyond relying on policy and controls alone. Organisations that reach this level of maturity are routinely able to introduce significant changes to risk management practices that are driven not by regulatory requirements but by sound business judgement.