It goes without saying that the integrity of any process is dependent upon the amount of trust everyone has in the process. So, the question I have is; what is the level of trust whether it’s those being supervised or those doing the supervision in any risk management program? I’ve always assumed that as a risk manager, there would be a basic business level of trust in the relationships right from the start as in any relationship. It turns out the research shows when someone is put into a position of supervising as a risk manager, their level of trust of those they are supervising goes down. A risk manager will have a lower level of trust of those they are supervising right at the start.
This level of trust is an answer to a question I did not know I needed the answer to. I should have asked this question because it would explain certain actions I’ve come across in the past. The actions I’m referring to is an extreme case were the individuals in the risk management department could not be trusted. This risk management department developed a very low level of trust, a very toxic culture towards the rest of the company. Their toxic attitudes became well known in all departments. I learned over time that you should never get a verbal answer because you could never take their word as is, you always needed to get an answer in writing. Even in writing, there was little comfort that this would be the truth over time. There was an underlying belief that the truth will always be adjusted to fit their beliefs as a risk manager, not the corporate culture or corporate history.
While this is an extreme case, a very limited case, there are elements that I’ve noticed in many risk management departments over the years when trust is involved. In my view, a risk management department must have a focus on the level of trust so that everyone believes in the integrity of the process. Adjusting the truth overtime to satisfy the risk management process does not build trust. Building trust is the corner stone for individuals in any business relationship, we must be willing to have honest and true conversations about any situation, whether it’s a verbal conversation or in writing. These conversations allow us as risk managers to uncover hidden risks by listening and understanding that not all risks can be identified by a process. While any risk management process provides the three lines of defense, we should also be listening and trying to learn if something has been overlooked. Back to my extreme case of toxic risk management leader. There may have been some listening, however people are unwilling to speak up because they do not believe in the integrity of the department or the process. Remember toxic leaders are in it for themselves, not for the company, not for their department and not for those who are in their department. It’s all about them and their goals and objectives.
Which brings me to the independent audit function in the three lines of defense. Does anyone have a component of any audit team that is geared towards reviewing a risk management department for there effectiveness in relationships, communications, and building trust and integrity for the risk management process? This is important because toxic leadership is an unnecessary expense, destroys cultural trust and therefor hinders the effectiveness of any risk management process. So, I guess what I’m really asking is; how may audit teams are on the lookout for toxic leadership, specifically in the risk management department and the detrimental effects it has on their respective organizations?