It is 2016 and Wells Fargo had just “survived” one of the biggest scandals of the decade. The creation of millions of fraudulent checking and saving accounts in the names of clients who had not given their consent. This event resulted in the loss of hundreds of millions of dollars and over 5,000 employees. A hit like this is not easily resolved or swept under the rug. But how? How did this company, one of the biggest banks in the world, dig itself into such a deep, expensive hole?
The answer is simple. A failure in risk management. This failure on the part of the board and executive team was due to a lack of awareness of the processes used to mitigate the company’s risk. If the company had followed a few simple steps, as outlined below, Wells Fargo may have avoided this blunder altogether.
The following are 6 keys steps in managing risk:
- Understand and Identify Risks
- Prioritize those Risks
- Keep Good Records
- Develop a Plan
- Review of Policies and Procedures Annually
- Monitoring and Testing of Procedures
Understand and Identify Risks
The first step in risk management is identifying and understanding what risks your organization is vulnerable to. This discovery phase is the foundation of success when it comes to battling threats to a business. Understanding what risks lie ahead and what potential consequences come from these risks is an inherent part of any plan to combat organizational risk.
Some ways to identify risks include:
- Listing risks you believe to be a threat
- Using technology to track and assess risk is critical in the digital age
- Overseeing events that take place that may produce problems within the organization
- This helps to pinpoint specific actions that pose a risk
- Bring in unbiased eyes to identify risks your team cannot see
- Sometimes boards and executive teams are ‘too close.’ Bring in professionals who have a different frame of reference and expertise in risk mitigation
This list of risks can include, but are not limited to:
Prioritize those Risks
Prioritizing the risks that you identified in your identification phase is just as important as identifying risks themselves. This is the point in which you take the lists, your tools, charts, and reports and give them a sense of order. Once there is a good handle on the risks inside and outside of your organization, as well as the relative importance to the organization, the organization can begin develop a plan to move forward and either address the problem head on or disregard it and let it play itself out. This is often done through a Risk Appetite Framework and related Risk Management Strategy. The use of heat maps to identify those risks that could have the largest impact on your organization as well as the probability of these outcomes occurring also can aid in prioritizing which risks are most critical to protect your organization against. In terms of compensation, organizations often don’t put enough focus on this type of risk and do not do enough to manage this risk, so should be considered a priority moving forward.
Document … Everything
Documentation is a critical component of the risk mitigation process. It is a key indicator that the organization is aware of potential problems/issues that the organization faces today and those of the future. Ensure you are keeping records of all-important matters, relating to the risks listed above, to ensure that the Board and management are kept up to date on your organization’s efforts to manage its risks. Conducting a compensation risk assessment and noting the recommendations that come from that to manage compensation risk.
Leveraging technology to automate some of these processes or securely store important documentation in the cloud, as opposed to servers that can be hacked, can aid you in ensuring that all information related to risk is documented and available for key members of management and Board members to access at any point in time.
Develop a Plan
Now that you have identified and prioritized, it’s time to mobilize. The battle strategy you take to attack your problems is a difficult, yet necessary process. Companies don’t always want to think about their vulnerabilities, however, if an issue arises there needs to be methodical, thorough, and understandable steps in place to combat the issue. Risk Mitigation plans usually involve four steps which are:
- Avoidance - Avoidance is the most obvious, but often the most elusive step. Avoiding issues is a great first step and walking away is almost always preferred to having to deal with a long a drawn-out problem. This first step, however, is not always possible.
- Control - The next step is to control the issue. This entails taking steps to make the issue smaller or to lessen the impact upon the company. This mitigation may be the best course of action in instances in which you could not avoid the issue.
- Transference - Transference is the transfer of risk to an outside company. This usually takes the form of insurance. Outsourcing this risk is smart for those companies that simply cannot handle the burden of taking on such an issue.
- Acceptance - The last step is acceptance. Acceptance is reserved for the final acts of your plan to manage your risk. This is the final step given the fact that you have attempted to avoid, mitigate, and transfer your risk already and this is the only option you had left.
Annual Review of Policies and Procedures
Policies and procedures are in place in order to mitigate risk. This includes updating your Risk Management and Risk Appetite Frameworks to make sure you are covering all of the existing and emerging risks your organization faces. As long as these policies and procedures are reviewed, and those in a position of authority are cognizant of them, then potential risk will be at a minimum. Your company’s policies and procedures take a significant role in risk mitigation which is vital to a company’s long-lasting success.
Monitoring and Testing of Procedures
Once you identify the policies and procedures needed to aid in the risk management at your organization, you must test them to ensure that they run as efficiently as possible. Without this testing and re-testing phase there would be no way to know how effective the procedures are in saving your company from potential threats.
Risk management has the ability to save your organization. Without proper steps in place, you expose your organization to risk from almost every angle. While we have just scratched the surface in terms of the types of risks your organization might face, if you can follow a few simple steps to identify and manage all of your organization’s risks then you can help protect your organization from unexpected surprises.