IssueDetermining an organization’s approach to risk management and monitoring its risks often are the responsibilities of a core team of individuals. While these individuals can develop effective policies, procedures and frameworks to help direct the organization’s risk management strategy, responsibility for the execution of sound risk management activities and the operation of key control points falls on the wider employee base as part of their day-to-day activities. It is the line manag-ers, traders, accounts payable clerks, stock managers, brokers and many other professionals who must maintain the key controls that help mitigate risks to the organization.

Within many organizations, individuals operate these controls and mitigate these risks, but do so subconsciously as part of their general activities. When individuals are required to change practices to mitigate potential risks or are required to start formally attesting to controls they oper-ate, little support or advice may be provided and resistance can build up. Without an effective training program to help explain the value of risk management and support business users in their individual responsibilities, risk management becomes an ancillary function rather than one that is embedded into daily business activities.

Challenges and OpportunitiesEmbedding risk management into the day-to-day running of an organization and driving individuals to consider the risk of their actions are key to the implementation of a successful enterprise risk management (ERM) program. Like any type of change, users need to be helped through any transforma-tional activities to understand the value of their actions or why change is required. Therefore, training becomes highly important. The challenge to delivering an effective training program is meeting the needs of a wide range of individuals who often are at different grades or levels within the organi-zation but, in many cases, have the same risk responsibilities.

Our Point of ViewTo successfully deliver a risk and control awareness campaign and truly embed risk management within an organization, a number of core basic principles should be followed:

• Demonstratevalue – Any training should be worded appropriately to demonstrate how it will aid end users in their roles and should be viewed as value-adding rather than one of many time-consuming corporate requirements.

• Tonefromthetop – Support and buy-in from senior management are critical to drive ownership and embed risk management. Executive-level training in the form of “know your responsibilities” is a useful mechanism to help management understand their risk responsibili-ties and those of their staff.

• Identifytheneedsofendusers – Risk management training should seek to cover not only the “why” of risk management, but also how users can implement risk management practices successfully into their day-to-day activities. Through tailoring courses to meet the needs of individual users based on their roles, employees can be provided with highly specific training to which they can relate.

• Utilizemultipleformats – The use of multiple formats or media can increase user participation significantly. Computer-based training (CBT) courses can provide training to multiple individuals and are useful in geo-graphically dispersed organizations, while formal class-room training or seminars can be used to provide more in-depth learning.

Risk Management – Embedding Sound Risk Management Practices into an Organization P O W E R F U L I N S I G H T S

About ProtivitiProtiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti’s highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

P R O V E N D E L I V E R Y

How We Help Companies SucceedGiven Protiviti’s deep understanding of enterprise risk management, we have assisted many clients in designing, executing and embedding risk management training and awareness programs, each tailored to their organizational approach to risk management.

ExampleProtiviti assisted a client in the financial services industry with a comprehensive review of its risk management training program and then rolled out a global risk aware-ness program. The goal was to increase awareness among end users of their risk management responsibilities, provid-ing both “light touch” training to all staff and more detailed, role-based training tailored to an individual’s role and risk responsibilities.

Our engagement involved:

• Determining the training needs of all staff based on the organization’s approach to risk management

• Producing tailored training materials to drive a better understanding of risk management requirements for each individual based upon their role. These included a computer-based training course to be taken by all staff, courses for risk and control owners, and hand-books for executives to summarize their risk manage-ment responsibilities.

• Rolling out the training program to more than 1,500 users across more than 15 countries, including the delivery of a “risk management basic CBT” course, targeted classroom courses, executive “know your responsibilities” events and risk management aware-ness sessions

• Embedding a process for the ongoing tracking, monitor-ing and reporting of stakeholder attendance at courses

• Delivering a dedicated risk management training intranet site to act as a point of focus for all future risk management activities

Key benefits of this approach included:

• The improvement of risk management awareness across the organization, leading to the client being able to demonstrate compliance with regulatory requirements regarding risk management awareness

• An “up-skilling” of staff, leading to improved risk manage-ment performance against internal management statistics

• Training that was aligned to users’ requirements based on their roles and organizational responsibilities

ContactsKurt Underwood +1.206.262.8396 kurt.underwood@protiviti.com

Michael Schuchardt +1.312.476.6399 michael.schuchardt@protiviti.com

Jonathan Wyatt (London) +44.207.024.7522 jonathan.wyatt@protiviti.co.uk

Jim DeLoach +1.713.314.4981 jim.deloach@protiviti.com

Cory Gunderson +1.212.708.6313 cory.gunderson@protiviti.com

© 2011 Protiviti Inc. An Equal Opportunity Employer. PRO-0511-107059Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

http://www.protiviti.commailto:kurt.underwood@protiviti.commailto:michael.schuchardt@protiviti.commailto:jonathan.wyatt@protiviti.co.ukmailto:jim.deloach@protiviti.commailto:cory.gunderson@protiviti.com