VIEW: Improving staff behaviours for better operational risk management
Written by Michael Grimwade, head of operational risk for MUFG Securities EMEA, director of IOR
The last decade has been rich in financial scandals in both banks and multinationals alike; the rigging of LIBOR, the missale of financial products, the facilitation of tax evasion, to name but a few. Despite their range, these scandals oft en have three common features; they have persisted for many years; the scandals often, but not always, span a number of firms across an industry; and they typically involve the active participation of more than the odd rogue employee.
The last point illustrates how even the most sophisticated operational risk management framework may be undermined if staff simply do not escalate appropriately their knowledge of these issues. Consequently, a portfolio of approaches is required to improve staff behaviours.
Set the tone from the top: Start by assessing company culture – staff engagement surveys can be used to assess the extent to which staff feel able to escalate issues.
Provide training, communicating simple rules using external case studies to show what good looks like. Incentives and penalties can work in your favour – reward staff members who escalate risk issues. Some financial institutions have their risk and compliance functions rate the performance of first line department heads, that impact on remuneration reviews.
“Trust but verify”: Don’t just meet with department heads; operational risk managers should also speak directly and regularly to junior staff members, asking them about their concerns. Rotate staff in and out of operational risk management teams to both ensure that the second line has hands-on experience and also seed the first line with risk-aware staff members.
Test staff responses: The use of false phishing emails to test staff responses is becoming an increasingly common practice. The extent to which staff proactively raise issues is the ultimate test of how embedded any risk management framework is, so these actions and initiatives could be among the most critical that any risk management team could initiate.