In an earlier post, I outlined the three lines of defense model and the need for organizations to robustly embrace these functions for an optimized risk management program. Business unit managers, the first line of defense, are integral to the success of an operational risk program. Their responsibilities address the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Managers have always been responsible for defining and managing processes within their business units. Business processes are nothing more than a collection of related tasks executed to achieve some objective, typically to deliver a product or service to a customer or internal stakeholder.
No one knows the business processes delivered by a business unit better than the business unit’s manager. Since there are
almost always operational risks associated with a business process, and risk treatments (such as internal controls and risk transfer) associated with most risks, it only makes sense that the business unit manager is also the best individual to understand the risks and risk treatments for their business processes.
It is in this sense that Business Unit Managers and their teams are in the best position to act as the first line of defense in the management of risk for their business unit. From a risk perspective, business unit managers:
• Document their business processes and associated policies and procedures
• Identify existing and emerging, internal and external risks associated with their processes;
• Perform periodic assessments of processes, risks, and controls;
• Treat risks and assign accountability to manage them
• Review and approve loss events, perform root cause analysis and remediation; and
• Monitor key metrics of risk and performance.
Although business unit managers may not use risk management terminology a lot, they are ultimately responsible for maintaining a culture of sound risk management within their areas by promoting appropriate policies and procedures and by establishing explicit accountability for business processes, risks, and control procedures. In addition, they have to report on and assure that the business unit's risk profile, emerging risks, loss history, and internal controls are being managed in accordance with the organization’s tolerance. These activities are a high priority these days because the Executive team and the Board are paying attention.
According to a Deloitte & Society of Corporate Secretaries and Governance Professionals joint 2014 survey,
the top two goals of boards of directors are strategy and risk oversight. Board of Directors prioritizing Strategy seems intuitive enough but why is the second goal risk oversight? Because risk reduces the likelihood that strategy will be achieved - the two goals go hand-in-hand.
Business unit managers are critical for success but unfortunately, they may not be executing as well as hoped. In a February, 2014 Harvard Business Review Analytic Services survey of 610 senior-level and executive management respondents from companies with more than 100 employees, 77% stated that frontline managers are important or extremely important in helping their organization reach its business goals. Yet only 33% and 21% scored their frontline managers competent in business-based decision making and strategic thinking, respectively.
This disconnect between board priorities and the perceived competence of frontline managers is problematic and must be addressed to align resources to priorities. The causes of the disconnect vary as business unit managers:
• May not always have a clear understanding of their role in managing risk;
• Have limited time and resources to devote to risk management; and
• Use inconsistent approaches to assessing risk such that risk-based decisions are inconsistent.
Each of these problems can and should be addressed across business lines. And many issues can be addressed by establishing a common risk management framework in cooperation with technology, like RSA Archer Operational Risk Management. In this way, the overall first line of defense is strengthened and Board goals are better achieved.
Are you interested in engaging your business unit managers in the risk management process? On September 24, 2015, RSA is sponsoring a webinar in collaboration with OCEG to highlight how organizations are improving business operations by engaging the first line of defense. Register here and join us for this event!