How to build an effective risk champion network
As published in the Risk Leadership Network's Intelligence platform
Developing an effective risk championship network starts with endorsement from senior management. Once you have that, you need to think carefully about what the role will include and who the best people for the job are. Training is critical for giving your champions the tools they need, and rewards will help keep them engaged and interested. Starting the risk champions from a strong baseline can’t be under-estimated; with strong commitment, the right training and encouragement and support from the organisation’s leadership, the benefits risk champions can bring will reap dividends on an ongoing basis.
Executive summary
- Building a successful network starts with C-suite support
- Communication of the role, expectations and value of risk champions needs to be clearly articulated by the organisation’s leaders
- Spell out the rewards for committing to and succeeding with the risk champion role
- Champions can be chosen in a few ways: by managers or the risk team, or by asking for volunteers
- Training means that champions understand risk and the role of risk management
- Using workshops gets champions familiar with identifying risk and working with experts in their departments to better understand and analyse risk
- Eventually an almost autonomous network is formed, with departments having ownership of their risks and champions promoting risk culture
Context
International firms with a network of offices, usually spread across countries and continents, often struggle to build a consistent risk program and a positive risk culture. This is partly because risk management teams have limited reach, but also because different geographies and management teams – and the prevailing country or regional culture – will have different attitudes to risk.
Equally, smaller firms where the risk management team is extremely small, often struggle to identify the risks throughout the organisation. Risk managers (especially those operating alone) have limited time and it can be difficult to prioritise and align expectations and competing agendas, let alone connect with everyone across the business to understand risks and promote consistent risk culture. Additionally Risk Managers can't be an expert in every technical area of a business.
In both scenarios, building a network of risk champions can help. Having a group of well-trained individuals who understand risk and are responsible for information gathering, sharing experiences and updating risks exponentially, increases the reach and effectiveness of the risk management team.
As everyone will have had the same training – regardless of geography – you can start to build a consistent and positive risk management approach and culture across the organisation internationally. Meanwhile risk champions become an extension of the core risk management function – the eyes and ears of the risk team, meaning a better-informed decision-making process. They can report back to you about some of the challenges and what frustrates staff and managers about your risk process. It allows continuous improvement to the risk management approach as a result of this feedback loop that you otherwise wouldn’t have had as a risk manager. And having a network of risk champions basically selling risk management throughout the organisation builds understanding and culture.
Finally, a risk champion network allows departments to take ownership of risk, something which is otherwise difficult to achieve because people just look at the risk management department or the risk manager and assume the responsibility for it sits with them rather than at the front line. The champion framework puts the responsibility for assessment and mitigation back on departments and risk owners. Having a risk champion within each department or area enhances and strengthens ownership of the risk process.
Key Steps
Getting senior management approval
The first stage to building a successful risk champion network is to engage senior management. You would usually need to get approval from the from the top – whether that’s the board, a risk audit committee or the C-suite – to go out there and put this sort of network in place.
If you don’t have this approval, you may find that when you ask managers to choose a risk champion, there is reluctance to get involved and commit to the risk management initiative. This is particularly true when senior staff don’t prioritise risk management or are very busy. However, if it’s in a policy and it's been signed off at the top of the organisation, then people see the commitment from top management and are more inclined to positively respond to what you need.
A simple way to get the leadership team familiar with the term is to mention risk champions in your risk procedure or risk policy document. This should explain at a high level how risk management will be undertaken, including the roles, responsibilities and value of risk champions. It's important to note that there can be other names assigned to the role such as Risk Co-Ordinator, Risk Analyst or Risk Focal Point, whatever suits the Organisation's current terminology.
Another approach is to try to drive it through the risk committee. Suggest a risk champion network, outlining the reasons and benefits of taking this approach, and they may give you a mandate to get it done.
You may be able to proceed with a risk champion network without sign-off, but only if you’ve got extremely good relationships across the middle management team. In most organisations it helps for the process to have senior management endorsement. A Risk Manager should always be looking to develop these strong relationships within an organisation, so it is often up to them to prove the Risk Champion network's worth before taking it up to the Risk Committee or C-Suite.
If you can’t get senior management approval, you may be able to work with HR to embed risk management in senior managers’ job descriptions. If they know they have to do risk management as part of their responsibilities and KPIs, and as part of their annual appraisal, they will be much more willing to assign a risk champion to take on that work.
Deciding what the risk champion role will be
Next you need to come up with a job description for your risk champion network. This will vary depending on the risk maturity of your organisation and how engaged and knowledgeable people are with risk management.
It could be as simple as updating departmental risks at defined intervals, or it could be going further and include making sure that risks are analysed. You might want to say that the risk champions should talk to all people in a department individually or you might ask them to run workshops. It could be that you want the risk champions to drive risk management within their own departments, but instead of the risk champion being responsible for the risk register, they support their manager in maintaining it. With the right risk champion and training, they could even drive training throughout the organisation.
You also need to think about how much time they have and what percentage will need to be dedicated to risk management. That will dictate how much of the risk management responsibilities they can take on alongside the other roles that they play.
If you know that you're really chancing your arm even getting them in the first place, then you just want to keep it simple. But if you know that you're going to get support building risk culture, then you may want to go into a bit more depth. Generally speaking, I would get the basics done first and then think about building in extra responsibilities.
Whichever approach you take, it needs to support your ultimate aim, which is to drive risk culture with the managers owning risk for the departments. Managers are responsible for departmental objectives and it is therefore natural that they should also be responsible for the risks impacting their critical objectives.
Working out how many risk champions you need
When building a risk champion network, I start by looking at the organisational structure of the company. For example, many businesses have divisions sitting below senior management and then departments within those divisions.
In an ideal scenario, each department would have a risk champion, so that is a good place to start. But in some companies, this will not be achievable as it would involve too many people and too much training.
In that case you may want to start by having a risk champion for every higher level division, but you can also identify the most critical divisions and implement one champion per department there, or two or three champions for the division to support the departments.
It also depends how many people are in each department. If they are large departments, they should have a risk champion, but where there are smaller departments all sitting within a bigger division, you can probably get away with one risk champion for the group.
For an international company, I may look at a different organisational structure with risk champions representing the different offices. If one office only has 50 people, you can get away with one champion, but if it has 400 people you may want one champion per division for that location.
It may also depend on the authority you have for a foreign country. You might just have one focal point who could be an informal risk champion, but with a clear line of access and communication with the central risk management team.
Choosing your risk champions
There are at least three different approaches to selecting risk champions. They include:
1) Managers assign risk champions for their departments, divisions, or geographies
In some cases, a manager assigns the risk champion themselves, which can happen in companies with good risk maturity and culture. Often the manager will choose someone who works for them.
The upside of this approach is that the assigning manager knows what the role entails, and that the person is going to be doing this on an ongoing basis.
The negative is managers often choose someone they think isn't too important (in their eyes). That’s because they don't want their key team members to be dealing with what they may perceive or value as the simple tasks of risk management, which they don't see value in. Sometimes they assign anyone they can find that can take on more work, and that's not good because the risk champions need certain skills (both hard and soft) and authorities to do the job successfully.
In a company with good risk maturity, your managers are more likely to suggest someone with the right blend of knowledge, competency, skills and commitment. Otherwise, you can try to improve the process by guiding managers on the kinds of skills you need. For instance:
- champions need to be relatively senior
- they may need to have the authority and ability to speak to people at higher levels
- they need to have been in the job for a while
- they may need to have a certain personality
- you might want someone with certain qualifications (for example, financial or engineering background)
You don’t want to step on managers’ toes, but if you can give them a good idea of what you are looking for and how the specific characteristics and criteria will benefit them, you’re more likely to get the champions you need.
2) The risk manager assigns risk champions
The upside of this approach is that the risk manager knows what skills a successful champion needs and should be able to identify the people who can do the job.
The downside of this approach is that risk managers may not have all the information they need to select someone in every department, and could find that they’re choosing people without sufficient authority or networks.
In this situation, you can speak to your network within the organisation and ask who might be good and who other people recommend. This can help broaden your reach and make sure you’re choosing the right people throughout the company.
The ideal scenario when it comes to picking risk champions is a mixture of risk manager and manager deciding (and agreeing).
3) Risk champions volunteer themselves
The best system is where you have people in departments or regions raising their hand and volunteering to be risk champions. Then the risk manager gets to vet them and make sure they have the right skills for the job. Finally, they need to get sign off from their managers to make sure they agree and are on board with the process. Having people volunteering ensures you have a risk champion network that want to do their job, have the drive to do a good job, and will offer quality you would otherwise not have.
Reflecting risk champion roles in job descriptions
Once you’ve selected your champions, work with HR to get their new responsibilities added into their job descriptions and appraisal systems.
When I speak to risk champion networks, I often ask them who wanted to do the job – and no one puts their hands up. Often this is because the role was thrust upon them and is poorly rewarded and recognised. If someone is spending 10 per cent of their time on risk, this needs to be acknowledged through the review process, and ideally reflected in rewards, such as bonuses.
Ideally, HR will partner with the head of the risk function to gain the necessary insight, promote the importance of the risk champion’s role, and ensure adequate recognition (including reward elements) are incorporated into the annual review cycle.
Beginning with an introductory meeting
This is an opportunity to explain the champions’ new roles to them and what risk management is all about.
It’s also crucial to build a rapport within the network and to make sure that they all understand each other’s departments and what they do. Often in a business, people have no idea what other departments actually do, but risk champions need know who is reliant on what – and how risks in the business are interlinked.
I break down and bridge the silos immediately and work on networking, getting them to know each other and building up a relationship.
Creating a community of risk champions is as important as selecting and training the risk champions.
Training risk champions
When I build risk champion networks, the next thing I do with newly selected champions is training. Ideally, this is an intensive five full days of training, but you can also scale this and start with a two-day course. This training can be spread out over a period of a few weeks, and some of it can be done online if needed.
If you have the budget, ideally you would send them to a recognised course such as the Institute of Risk Management that could provide them with a certificate and qualification.
If you’re not using an external provider, good elements to cover in training include:
- What is risk management?
- What does risk management look like in the world?
- What does the organisation see as risk management (focus on opportunities too)?
- What is risk appetite and tolerance? What is the organisation’s current risk appetite?
- How do we go about identifying risk?
- How do we measure those risks?
- How do we manage those risks?
- How do we communicate and what reporting requirements do we have?
- How to facilitate workshops and risk conversations.
This could be covered over the five days with case studies and examples to flesh out each of the different risk tools and concepts.
Holding risk workshops
Next, I usually go out and work with each champion by holding a workshop with their department. I will run the workshop and facilitate the identification of risks against their key objectives within the department, with the risk champion present as part of the training. I try to make sure that their manager is part of this workshop. I also clarify the role of the risk champion and the importance of risk management.
They see me in action identifying the risks, and then I use this information to help them populate the risk registers, reports or other requirements set out by the organisation or risk procedure, so that the champions become familiar with the process. They sit with the managers in a meeting to get sign-off on the risks, then we go through the first process and assign tasks and actions to various people.
I tell them that from then on, they will have responsibility and ownership for the registers alongside their managers. All the risk champion needs to do is follow up and make sure the risks are updated, and every few months perhaps run a workshop themselves.
I wouldn’t necessarily expect the champions to be ready to run the workshops themselves straight away, but after two or three run-throughs, I can hand this activity over to them as well. It could take up to six months, but eventually I would expect them to be running this process autonomously.
That is my main purpose for my risk champions. I want to make sure that they feel comfortable enough to run this on their own and be able to overcome some of the barriers they may encounter in developing an accurate view of risks. And, ideally, I have the right characters to be able to do that.
If you want to go further and do quantitative risk analysis, I wouldn't suggest the risk champions do this. What I suggest is the risk champions gather the data that you request so you can run the analysis with them. Involving them is important, as they will soon understand why you need the data and what kind of data to be looking out for. In some cases, the right risk champions may have the right skill sets to run such quantitative analysis and it is useful to ensure they receive training to do this. Quantitative risk analysis is a powerful tool and the more people capable of doing it, the better.
Once the risk managers are autonomous, you can start deepening the work that they do. For instance, you might want to make them business continuity champions or responsible for identifying new risks. You can start layering activities to get the most out of your network.
Regular networking and sharing success
You need to make sure your champions are regularly brought together for further training, to learn from each other and to keep networking. Ideally, champions should be meeting at least once a quarter, and some of the allocated time should be social.
For large, international organisations group meetings might be difficult, so I implement monthly meetings per division, quarterly meetings per country and an international risk management conference once a year.
Different approaches will work for different business structures, but you need to be creative in making sure that people are still networking and sharing.
Looking at additional rewards
Even if you have risk built into appraisals for champions, you should also look at other ways of rewarding your champions. To get the right rewards you need to think about what drives your organisation and staff.
For instance, if it's an organisation that doesn't pay very well, look at trying to secure some extra money for champions to reflect the additional responsibilities and time they need to commit to their roles.
But if it’s a highly paid organisation, an extra two or three per cent isn’t going to motivate people and deeper consideration needs to be given to the specifics of compensation and remuneration.
Options to consider include:
- Financial rewards – for example, pay or bonuses
- Access to the C-suite – for example, having champions present risks to the board and CEO
- Career development – for example, certification or introducing risk requirements for partnerships or management roles
- Recognition – for example, awards
Outputs
Better quality risk management
Risk champions along with their managers are now responsible for risk to their objectives, meaning better quality data that is kept up to date by those on the frontline dealing with the risks and making decisions about them.
Ownership of risks
This means that departments and divisions now have ownership of their risks, so risk culture is consistent throughout the organisation – and the risk management team has more time to work on areas such as emerging risks and improving the decision making of the C-suite.
Risk Culture
Having champions promoting risk management, using examples from training and real life case studies and ensuring that their colleagues understand that risk management is about enabling the organisation to take risk, the right risk, and that its not a bad thing, can build a consistent, strong and positive understanding of risk management across the organisation, and promote the right type of risk culture for your organisation. The right risk culture trumps a good policy and procedure anyway! as Peter Drucker says, "Culture eats strategy for breakfast!"
Risk maturity increases
If you measure risk maturity throughout the organisation, you should see it steadily increase. Furthermore, the business gets better at identifying new threats and opportunities and – critically – mitigating it.
Results
There is now an autonomous network of risk champions identifying and assessing risks through workshops and updating risks on a continuous basis. The risk manager no longer needs to chase people for that "once a quarter risk register" that often adds little value. Risk culture is consistent throughout the organisation and champions are responsible for promoting risk management in their departments. This should lead to greater insight right across and up and down the organisation, with the ability to respond more effectively to events.
Lessons learned
What worked well
- Building a risk champion network helps increase the reach of the risk management team, meaning risk is better embedded across functions and departments, and internationally. The champions can reach much further than you can as an individual or as a department.
- Having allies in every team means that the risk manager is better informed and gets early warning about risks coming down the track.
- Having a positive risk culture ensures that people are actually willing to report risk AND take risk, and are not scared that they will get punished.
What was difficult
- Sometimes managers might propose champions that are ill-suited to the role. If after training a champion still isn’t succeeding, you will have to go back to the manager and ask for someone new.
- Sometimes it can cause challenges when a champion reports a risk and their manager disagrees. To overcome this, it is first important to ensure there is a mechanism to allow these risks to be communicated to the risk manager. I would then sit down with the manager and say this risk is coming out of the business, and ask why they don’t see it from the same perspective. There might be a good reason, or it could be that the risk needs to be included.
This blog post is an adapted version of a paper from Risk Leadership Network's Intelligence platform, contributed by advisory board member, Alexander Larsen.
Risk Leadership Network’s Intelligence platform is a searchable database of peer-contributed case studies, tools and templates. Contributed by Members, current and former senior risk managers and subject matter experts from around the world, the Intelligence platform is a melting pot of new ideas and shared learnings. You can view a list of all contributions currently available to Members of the Risk Leadership Network here.
Risk Leadership Network's Intelligence is one of four interconnected platforms that enable our Members to collaborate and share knowledge across different sectors and geographies to improve the effectiveness of risk management. Click here for more information about our different platforms.