Risk and marketing share many of the same traits. You could take the marketing adage, “Half of all marketing works. We just don’t know which half”, and easily swap out the word marketing for risk. The big difference comes in the fact that a marketing program gets to reset itself quite often and offers that positive message of growth and success whereas a risk program tends to get created and not get a reset opportunity unless something bad happens. When a risk management program is successful, there are no “slap on the back” type signs of success because things stay quiet.
Think about the recent Wells Fargo event, where false accounts were being opened in order to make sales goals and achieve bonuses and promotions. Yes, individuals were identified who opened the accounts and they were fired as the incidents were uncovered. But the overall depth of the problem wasn’t uncovered until the Consumer Finance Protection Board (CFPB) leveled the $185 million fine against the bank. It appears, though, that the practice had been going on for years and had been uncovered by various risk and compliance personnel. I will bet that no risk professional was congratulated for uncovering the practice.
Like a marketing program, a risk program can become stale and tired. Marketing addresses this by changing things up, offering new and different versions and getting the organization excited about things. What can risk management do to keep things lively and exciting?
I suppose risk management could instigate attacks on the organization or sponsor fraud schemes and then come swooping in to the rescue. But that doesn’t sound very practical and is most likely illegal, which really runs against the purpose of risk management. So let’s not do that.
There are other ways to keep a risk program active and interesting to others (I already know that risk management is interesting to the professionals who do this for a living). Below are some ideas based on initiatives I have seen used by various organizations.
1) Keep the risk program closely aligned with the strategic plan of the organization. Consider this to be the annual reset of the risk program. Make certain there is a section of the plan that is authored by risk.
2) Create interesting reports using charts and graphs. Move away from the pure dialogue approach. Use active and colorful words like initiative, opportunity or disastrous.
3) Use actual events and cases when conducting training and reporting to management and the board.
4) Reward people for initiative. Even the CIA has a secret award they present to operatives for success.
5) Create and use scenarios, especially when working with management and the board. Add life to the scenarios and make them interesting.
6) Consider how to help others achieve success. I have always said that Anti-Money Laundering presents a great way to gather information about your customers because it allows you to ask questions you didn’t ask in the past.
7) And, finally, whenever you can, avoid using the words “the regulators say you have to do this” (or the auditors, compliance, etc.). People hate being told they have to do something.
Of course, being in the risk function means you periodically have to stand your ground and do what is needed to maintain your integrity. But it doesn’t mean you have to be the “Debbie Downer” at the party. Staleness is much easier to see from the outside or when risks turn into events. Staleness can also lead to a poor risk culture, with people just “papering the file” (I use this term repeatedly because I really hate the concept) and letting things slide.
I am sure many of you have done things to keep the program fresh and viable and I would love to hear what you have done. I can be reached at firstname.lastname@example.org.