“Where do I start?” It’s a common question from in-house risk folks. The prompt for this question could be:

• someone starting a new role (or a newly created risk or compliance role);
• a growing organization starting their professionalization journey;
• an investor looking to improve governance standards in portfolio companies; or
• needing a change – the old ways of assessing and managing risk need a refresh.

Whatever the reason, many of the considerations overlap. The key is strategy, tactics, and implementation, not where you start.

Focus on what matters

In any job, it’s easy to get swallowed up in “busy work”. This is especially true for risk and compliance people. Our stakeholders often seem to devolve thinking to us: “Can I … should I…?” Regulators spew out (increasingly localized) legislation and guidance, sometimes barely intelligible and often duplicative or overlapping. Meanwhile, new threats emerge. 

In this context, being “strategic” may seem fanciful. But it’s possible. Bear with me. 

I’ve observed vulpine leaders torture compliance people with requests seemingly designed to overwhelm (including nit-picking about punctuation and dollar limits for coffees).

Assess risk

When you next rent a vehicle, get a mortgage, book a flight, or buy an electronic product, you will (likely) be met with insurance add-ons. Cancellation cover, extended warranties, mortgage protection, and others are (essentially) wastes of money. Flustered or nervous, many people pay. With risk, this is reacting to every leadership whim, bad news story, or regulatory development as if it’s an immediate danger to you.

Start with a proper risk assessment. By that, I mean one that assesses risk (not box-checking what policies you have).

1. External operating environment – where does your world really meet threats outside? 
2. Internal maturity – the doing, not just having risk and controls infrastructure. 
3. Risk culture – knowledge, access, accountability, and trust in the risk framework. 

This exercise, which we can complete in less than a month (typically), will save years of busy work. I see this model used by investors (impact, venture capital, private equity, and development finance). They need to quickly know what they’re buying (or lending to). 

The outcomes are the best I’ve seen in 20+ years of managing risks. Why? Because we’re gathering the views of frontline employees at the start (external and cultural assessment). The alternative – reacting to senior management flapping or regulator sabre-rattling – ignores the consumers of your product: risk owners. When we start this way, we know who (location, department, length of service, etc) needs what support. 

Now the real work starts – getting people to behave!

Tactics – responsibility & behavior

In dealings with extortionists, corrupt cops, and teenagers, there’s more similarity than dissonance. They all want something you (usually) can’t give. Often, the same dynamics are at play with in-house risk experts. I see people damaging their health by trying to give more of themselves than can reasonably be given. 

I’ve observed vulpine leaders torture compliance people with requests seemingly designed to overwhelm (including nit-picking about punctuation and dollar limits for coffees). Most of your colleagues aren’t intentionally obstructive or obtuse, but many seem to lean on you to make common-sense decisions. When faced with untenable demands (on your time), the only option is to make it their problem. 

The self-help section of any bookshop is inundated with tomes on influencing and negotiating tactics. Some are great, and some are written by charismatic or fortunate people in homogenous cultures. I’d start simply with two rules:

1. Mirror: Using the words of the person you’re speaking to, done well, helps us skip over pesky cultural barriers. 
2. Agency: Empower people to think for themselves!

Be responsibly responsive 

How does that look in practice? The conversation might go like this.

A: “Why is it so hard to onboard a business partner? This critical supplier has been flagged as “high risk”, and now we must fill out a gazillion irrelevant forms. It’s frustrating and slowing things down.“

B: “It sounds like you’re under a lot of pressure. I can imagine how frustrating it must be. Is the supplier not ‘high risk’ then?“

A: “I don’t know … I guess I understand why they might be high risk.“

B: “Which of these forms do you feel is irrelevant?“

A: “Well, I guess not ‘irrelevant’, but they’re too long and complex.“

B: “How would you (or your team) suggest we simplify the forms?“

The example is condensed and exaggerated. But the point is simple – we need to acknowledge genuine frustrations and struggles, but NOT make it OUR problem every time.

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” 

Sun Tzu in The Art of War

Behavioral basics

As we triage the “make my problem your problem” requests, we finally get time to consider why we do what we do. This is an expansive area, so I’ll pick the top three barriers to better risk behavior I’ve observed:

1. Unclear instructions – we (risk people) suffer from the curse of knowledge. We don’t realise that something self-evident to us is not to others. Armed with the risk culture data (from a proper assessment), we can correct the disjoint. 
2. High pressure – most people do the wrong thing because they were told to or incentivized to do so. By looking at the context and conditions for rule-breaking, we can identify the 20% of areas posing 80% of the risk. 
3. Top-down application – when strategy, systems, and content are developed top-down, it (often) seems to fail. If we understand where trust and accountability are lacking, we find active resistance to risk, compliance, and leadership.

Most of the time, when things go wrong, it’s decision-making. Understanding the role confusion, pressure, and rationalization play is vital. It helps us make targeted interventions with high-risk groups.

Intentional implementation

We can implement mindfully with a strategic perspective on risk and a behavior-centric approach to tactics. We know that one-size-fits-all doesn’t work. But the conventional pushback is that “I don’t have time to tailor stuff for every different need”. True. 

A more manageable (and delegatable) list comes out of the steps above. For instance, in a recent project for a fast-growing firm shedding the vestiges of an investor-dumped policy framework, three themes emerged:

1. Training was fine for most people but lacking for two high-risk groups (sales and operations). 
2. Knowledge about high-impact but low-probability events was high, but around everyday risks, it was poor, especially with longer-serving employees (more than three years). 
3. Policies were unclear, generally. But people didn’t want more. They needed cheat sheets, checklists, and simpler (actionable) support. 

Most can condense the immediate priorities into three to five steps. Aside from answering the “Where do I start?” question, this also ensures those who need most (immediate) support get it. Tailoring training to sales versus operations is worthwhile. Easing up on the “bribery is bad” missives and highlighting daily information security and fraud risks pays immediate dividends (literally – it reduces losses). Crowdsourcing content – as we did here – increases engagement, knowledge, and trust. 

In The Art of War, Sun Tzu noted, “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” 

Strategic insights focus our resources. Tactics can target those we need to engage, understand and challenge. The phrase “start somewhere” works for messy teenage bedrooms, but for organizational risk, I’m sticking with Sun Tzu!