Assurance functions face a more difficult landscape that ever before, and the recent coronavirus outbreak shows us exactly why there's a need for insight into risk at the front and midline. Part of Assurance's role will be giving good advice on the right risks to take to grow but another part of managing the burden will be equipping the wider business to own and manage risks effectively itself.

Our survey on employee risk ownership shows considerable benefits for those organizations that have successfully empowered the business to take control of risks better. For example, the likelihood of acting on observed risk jumps 32 percentage points, the likelihood of reporting an identified risk jumps 19 percentage points, and the employee confidence in owning risks increases 57 percentage points.

We call this type of risk management an empowered approach, as opposed to a more traditional prescriptive approach where assurance functions simply assign ownership to business units. The benefits are not limited to risk management either. Empowered employees are around three times more likely to overperform in individual, team and corporate financial goals.

So, what do Assurance functions need to do to create an empowered organization?

|

1. Clarify risk management roles and responsibilities

Educate employees on the need to act on risk as well as the necessary actions required of them. Often, we see that conflicting messages about risk management roles and unclear direction about what the business should be doing have undermined business ownership of risk.

So before educating the business, Assurance leaders must clarify risk management roles and responsibilities by engaging across functions to identify optimal risk owners; they should coordinate between assurance functions to minimize conflicting risk management expectations among business partners; and lastly they should build a framework that clarifies which tasks require compliance expertise and which do not.

When everyone is on the same page about what the key risks are and who is responsible for monitoring and acting on them, Assurance are in a stronger position to educate and empower their colleagues in the business.

|

2. Provide tools and resources to enable business ownership

This step is about empowering those in the business to act on risk. Provide the necessary coaching, guidance, tools and resources to enable more independent risk decision making. Where possible, do not act for or instruct the business but enable it to act for itself.

The biggest roadblocks we see here are limited guidance and inaccessible tools and resources. 57% of employees say they can't obtain the tools they need to manage risk. One in three say they don't receive any guidance in this area.

To solve this challenge Assurance leaders must place compliance's tools, reports and data in the hands of frontline employees and leaders. Think about resources that enable business leaders to discuss, prioritize and action-plan risk such as discussion prompts and sample conversation topics. Provide self-service resource centers that offer comprehensive risk guidance and teach the business how to make the right decisions by increasing the transparency of the risk process and democratizing risk reduction strategies.

|

3. Create accountability for risk ownership

This kind of business empowerment relies on employees feeling directly responsible for risk management. Our survey found that only 42% felt that they or their peers are held accountable for managing compliance risks.

Business leaders are often willing to own risk but face competing priorities and often perceive risk to be someone else's problem to manage. Assurance leaders can overcome this by holding business units accountable for process discipline and the mitigation of risks that arise in their workflows.

This is best accomplished by helping the business leadership narrow down on a small set of compliance risks and regularly monitoring their progress in managing them. Also, it's important to discuss business ownership of compliance risks at the same level as business performance—at a board or executive level. This helps to establish true accountability.

After following these three steps, an organization should be well on the way to becoming more empowered when it comes to the wider business owning and managing risks. By empowering their colleagues in the business to own and manage more risk, Assurance leaders will likely see an improvement in overall risk management yet a reduction in how much of it they must manage. This approach also has the added benefit of distinguishing the tasks that need compliance expertise from those that don't while freeing up Assurance function resources to focus on them.

It's also worth reiterating that it's vital to coordinate amongst Assurance to minimize conflicting risk management expectations, and to inventory risk management tools and resources that can be democratized.

Chris Audet is a Senior Director of Research with Gartner's Legal and Compliance practice.