A crucial aspect to risk management is not only recognizing the problem, but also communicating those risks to the key stakeholders. Oftentimes organizations do not actively engage stakeholders until forced to because of a crisis. The resulting interaction is often defensive, antagonistic, and damaging of trust.
The smarter approach is to involve stakeholders in the overall risk plan from the outset, helping to build trust and confidence between the organization and its stakeholders and fostering meaningful stakeholder engagement. Communicating risks to stakeholders should be a continuous process in which the organization works systematically in identifying, assessing, prioritizing, managing, and communicating both present and emerging risks; Stakeholders, in essence, become an extension of the organization’s compliance team.
Communication Is Key
Success is achieved when an organization has succeeded in communicating risk information to intended stakeholders, thereby earning stakeholder trust. Creating meaningful stakeholder engagement has many benefits, including a fuller and more comprehensive understanding of risks and their potential outcomes. Engagement generates mutual understanding and sharing of responsibility if things go wrong. It also allows risk stakeholders to express their opinion on the risk and the actions taken by the organization to address it, as well as potential outcomes.
Engagement generates mutual understanding and sharing of responsibility if things go wrong. It also allows risk stakeholders to express their opinion on the risk and the actions taken by the organization to address it, as well as potential outcomes.
Although the “tone from the top” and the role that leaders play is fundamental in building meaningful engagement, getting middle management to embrace a new risk program is the most crucial step leadership can achieve towards its adoption. The manner in which the tone from the top is reinforced is often just as crucial to implementing change in corporate culture.
Middle managers serve as both the emissaries of management’s policy decisions, and the supervisors of those responsible for carrying out and adhering to those policies. This critical stakeholder group plays a crucial role in the success of any effort to change corporate culture. While leadership and younger employees are generally more likely to consider new policies, mobilizing middle management has been a common challenge.
Relationship-Building For Risk Management
At the enterprise level, building a risk-management program calls for a unique set of skills, none more important than relationship-building. Success will be dependent upon multiple factors, perhaps none more important than emotional intelligence. Understanding the interrelationships between people and processes can have a vital impact — positive or negative — on the success of your risk management program, hence why middle management buy-in is vital.
The communication skills required for persuading stakeholders, convincing conflicting stakeholder interests, and reaching compromises and satisfaction of those stakeholders, are fundamental to effective risk communication. The impact and effectiveness of the communications must be understood by the communicator, and the messages themselves must be understood by the recipient: risk management solutions are likely to fail if stakeholders feel that they have not been properly informed. A persuasive message is more likely to be effective and complied with if the communicator is credible, trusted, and knowledgeable. Most importantly, communicating risk requires a profound understanding of the recipient stakeholder. Most importantly, communicating risk requires a profound understanding of the recipient stakeholder.
As supervisors, middle managers typically have more extensive interactions with the employees responsible for carrying out and complying with the company policies, and they know what motivates those employees. Most employees, especially at larger organizations, have little direct contact with senior management, the dialogue happens with those managers who supervise and interact with them regularly. Middle managers develop networks between departments and wield the most influence on the largest number of employees’ day-to-day experience.
One of the biggest challenges facing organizations today is the ability to motivate, persuade or influence stakeholders on matters of risks. Organizations continue to face both internal and external challenges because of negative emotions associated with third-party risk management, which generally feels forced.
It is important to meet and talk with as many people in an organization as possible, find out their experiences, their specific challenges and pain points, and then help address them. It is essential that all stakeholders believe their input is listened to, important, and valued. Building a relationship grounded in trust in key. Utilizing middle management’s skill set assures that the appropriate group of stakeholders feel empowered to implement recommendations, and that the others will take those recommendations seriously.
Internal stakeholder engagement is crucial to gaining the broad buy-in to changes in policies, processes, and practices necessary for successful third-party risk management programs, but external stakeholder engagement may be the key to its success - a perfectly designed and executed program doesn’t mean much with the cooperation of the third parties being monitored. Smart organizations also build relationships with those very third parties, fostering communication and collaboration to their mutual benefit, speeding up the onboarding process and reducing unmanaged risk overall.
Critical Elements of an Effective Third-Party Risk Management Program
Share, engage and continuously communicate with supply chain stakeholders to identify, monitor, and mitigate risks rapidly and as a team, saving time and reducing costs. Efficiency is boosted during information-gathering for due diligence, shortening the process of assessing and evaluating documentation, yielding significant operational savings, and expediting onboarding for that third party. Agree upon and implement incident response procedures to incentivize your partner to the extent possible to quickly report any issues and work together to resolve them - increased communication and collaboration will prove invaluable to both parties in a crisis.
Gain increased transparency through first-hand insight into the partner’s attitude towards an investment in cybersecurity controls. The stakeholders of both parties are responsible for mitigating risks to prevent the snowball effect that could produce severe consequences in the event of an incident; Transparency removes the element of unmanaged risk and is in the best interest of both. It may also lead to improved client and third-party confidence and reputation, increasing trust when doing business.
Through the experience and insights of collaborating organizations, your organization gains the potential to achieve multi-dimensional risk coverage. For example, agree to increase security to ensure consistent cybersecurity requirements, driven by industry experiences and aligned to industry frameworks and regulations.
An integrated supply chain risk management approach can deliver significant financial benefits to the organization, support organizational goals and objectives, and provide ongoing assurance about overall resiliency and compliance to stakeholders across multiple areas. Organizations employing this collaborative strategy can drive down overall costs and streamline processes, while incorporating best practices, gaining greater agility in risk reduction as well as reputational improvements.
Continuous, comprehensive monitoring of third parties remains essential, with or without collaboration. Manual continuous monitoring, however, consumes an unnecessary amount of time, labor, and resources, not to mention increases the organization’s exposure to additional human errors - it is not scalable and in truth, not sustainable.
Leverage technology for accessible, intuitive tools that reduce your organization’s unmanaged risk while greatly enhancing user experience. Solutions integrate with reliable industry sources to aggregate, validate, and enrich data providing the most comprehensive picture of risk, and putting your organization in the best position to deal with any risks that do surface. Automated monitoring with live alerts saves unnecessary time and work monitoring manually, while still allowing for effective decision-making in real time. Utilize tools that can establish an open line of communication with third parties, fostering communication and collaboration, and monitor third-party performance through key performance indicators generated in real-time.
Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).