Driving Cultural & Behavioral Change in an organization through ORM

All departments and employees throughout the organization must understand, accept and help drive the changes in daily behavior to embed Ops Risk Management in their DNA.

Guest Post by David Nickles, Vice President, Business Leader – Operational Risk & Controls at MasterCard

One of the biggest challenges I’ve experienced when building and implementing Operational (Ops) Risk programs is assimilating the discipline into the existing operating environment and culture without causing major disruption. Before an organization can embark on the journey of implementing an effective Ops Risk program, buy-in and sponsorship from executive management is a must. Engagement of executives and management alike, however, does not end there. All departments and employees throughout the organization must understand, accept and help drive the changes in daily behavior to embed Ops Risk Management in their DNA.

As I am working towards implementing our program with my team, I wanted to take some time to reflect on some key techniques to make the implementation successful without being disruptive, intrusive and bureaucratic within our existing environment. Below is a list of important techniques and general guidance to be considered as we navigate through this journey. Depending on the industry and organization where you reside, how implementation looks may differ; however, common best practices exist that we can follow to be as efficient and effective as possible.

Keys to Successful Implementation of an Ops Risk Program:
(Note: this is not an all-inclusive list, but rather some of the more significant areas of focus.)

1. Secure Executive Sponsorship

· Strong buy-in and sponsorship from Executives

· “Tone from the Top”

2. Alignment (where feasible) across various risk functions

· Alignment and harmonization of all second line risk functions (ERM, ORM, Compliance, Process Improvement, IT Risk, Information Security, etc.) and Internal Audit

· Areas of focus should be risk frameworks utilized, risk taxonomy, data governance and systems

3. Productive Interactions with the Business

· Breed a culture of continuous improvement

· Recognition by all stakeholders that we have room to improve our processes by being more efficient and ensuring effective controls are in place

· Demonstrate the value add to groups, teams, individuals and the overall organization in performing operational risk activities

· Remind business owners that change is good: it brings maturity and evolution to existing programs by building on the strong foundations already in place

· Enable the first line business resources to drive the assessment execution by building bench strength via a subject matter expert community

· IT supports the business in accomplishing business objectives

4. Documented Program Guidelines

· Strong relationships across the organization

· Focus on the right training and communications provided to the right groups at the right time

· Risk assessment is not a one-time task (i.e. changes in the environment or events can trigger the need to take a fresh look at processes and how we operate)

· Quality standards – Assessment results are only helpful to the organization if they are of the highest data quality. Assessment excellence improves comprehensive analysis capability across the enterprise and within specific business areas. (Without good quality, our work is for naught!)

· Align an ORM resource to support each business area

· Develop capability to report to the Board, Audit Committee, Risk Committees, Senior Management and Business Management

5. General Rules of the Road (applicable for all groups involved)

· Be creative

· Ask questions and listen to the responses

· Be open to change, listening, alternative approaches and in general anything that may help advance your organization

· Be present but not annoying! Constantly evaluate and discuss real business challenges with the key resources. This is not easy!

That’s all for now. It’s nice to sometimes take a step back from the daily grind on a Friday and reflect. As always, I would love to hear feedback or additional thoughts!

About the Author

David has over 17 years of direct experience in the first and second lines of defense with a heavy focus on Operational and Technology Risk Management. He has also supported and partnered with Internal Audit to drive strategic objectives. He has often been described as an innovative thought leader in managing organizations’ highest risk areas while implementing solutions focused on operating efficiently and effectively, which benefits the overall company. He has demonstrated strong proficiency in program management, project management/delivery, people, process, systems, data governance, data integrity, data availability, data security, enterprise reporting, internal controls, compliance and quality disciplines. Companies he has worked for include Aon Hewitt, Fidelity Investments, GE Capital, BNP Paribas and Mastercard.