When it comes to building a risk management framework, getting past the mindset of risk as a box-ticking exercise is critical, says Marc Howson, group director of risk and compliance at Norton

As with many risk improvements, Norton’s decision to implement a risk management framework was driven in part by regulation.

The combination of the Consumer Duty directive and a desire to generally improve consumer outcomes led the firm to bring in a senior risk manager to look at enhancing the risk measurement and management process.

Risk management framework

Of course, compliance wasn’t the only goal, and the family-run firm was also keen to move towards the kind of governance frameworks that are typically deployed by much larger companies. Ultimately, the goal was to make sure that risk management was a driving force in strategy discussions at governance meetings and that risk management was used to help formulate the objectives of the organisation.

Marc Howson was recruited as group director of risk and compliance at Norton and tasked with the overhaul. He says it was a great opportunity to build something from the ground up and implement lessons that he’d learnt from other roles.


He explains: “It’s unusual to have the opportunity to go into a business and create a new risk framework, because many businesses in this sector are at a certain level of maturity and perhaps have a risk management framework so integrated into existing business processes that it becomes difficult to unpick. There was a unique opportunity to enhance and build on existing risk management activities, whilst building something completely new, to bring this company in line with some of the standard practice that I’ve seen elsewhere.

“Of course, there were already strong risk management activities in place, these just weren’t formalised through a structured risk management framework, with risk appetite statements and the use of AGRC tools. Norton’s main goal was to enhance the level of governance around discussions around risk management and improve reporting capability and the visibility of risk management outcomes.”

Understanding key objectives

Howson says that another key aim was to make sure that risk management is elevated beyond a tool that simply shows what risk management controls need to be put in place.

Instead, Norton wanted to ensure that the framework was able to strategically transform the business and identify which areas of focus would actually help to meet business objectives, including regulatory, consumer-experience and commercial goals.

He says: “An enterprise risk management framework brings together everything. It identifies the strategic focus points and then, after the risk assessment exercise, you know where you are in terms of appetite, and that gives you the ability to focus your resources on the biggest return on investment.”

Building a taxonomy of risk

When building a risk management framework, Howson says the most important thing at the outset is to understand the context in which the organisation exists.

For Norton, that meant starting with the principal risk categories. Next, these were broken down into tier 2 categories, which gave more granular details in terms of understanding the core areas of risk that the business is exposed to.

He says: “The first stage was really establishing categories that would support the context of the environment that we’re operating in.

“[We had] to strip it back, understand the sector that the organisation works in, understand the regulatory and legislative environment that we are subject to, understand the operational infrastructure that’s required to deliver the services, and understand the people, skills and competences that are required to deliver those services.”

Aligning to business goals

Having risk categories is important, but they are meaningless if not aligned to the strategic goals of the business. So, Howson’s next step was to understand the governing body’s (namely the shareholders’ and the executive directors’) risk appetite and attitude to risk.

Howson says: “Those are two very different things. Attitude is defined by people’s backgrounds, experiences, cultures… the scars on the back, whereas appetite is how much of that risk are they actually willing to accept.”

To achieve this, the team worked with business owners and stakeholders to refine the risk categories further so that it was possible to do a risk assessment and understand the specific controls that were in place or available to manage a response to each primary threat category.


This was then filtered down through the tier 2 and tier 3 risks, until the firm eventually arrived at a qualitative enterprise-wide exercise in which each risk had been assessed and scored on an inherent and residual basis, controls had been documented and assessed for effectiveness, and the residual risk profile had been plotted against the directors’ risk appetite.

Howson explains: “That really gives us an enterprise risk view of where we’re operating outside of tolerance and where the key focus areas are in terms of the mitigating actions to bring those risks back within our appetite.”

The initial appetite and attitude assessments were carried out in a qualitative way, but Howson says that the next phase for Norton is to move to a more quantitative model where these are driven by data and key risk indicators.
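The inherent/residual assessment described above can be expressed as a small calculation over a risk register: score each risk before and after controls, compare the residual score with the appetite set for its principal (tier 1) category, and report the risks operating outside tolerance. The following Python is an added illustration, not Norton’s or Howson’s tooling; the scoring formula (likelihood × impact on 1–5 scales, with residual exposure reduced in proportion to control effectiveness), the category names, the appetite thresholds and the sample register entries are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed appetite statements: tier-1 category -> the maximum residual
# score (1..25) the governing body is willing to accept. Illustrative only.
APPETITE = {
    "Regulatory": 6,
    "Operational": 9,
    "Commercial": 12,
}


@dataclass
class Risk:
    ref: str
    tier1: str                    # principal risk category
    tier2: str                    # more granular sub-category
    likelihood: int               # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                   # inherent impact, 1 (minor) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully mitigated)


def inherent_score(risk: Risk) -> int:
    """Exposure before any controls are taken into account."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Exposure after controls. Assumed model: controls reduce the inherent
    score in proportion to their assessed effectiveness."""
    return round(inherent_score(risk) * (1 - risk.control_effectiveness), 1)


def assess(register):
    """One row per risk: inherent, residual, appetite and tolerance status."""
    rows = []
    for r in register:
        res = residual_score(r)
        appetite = APPETITE[r.tier1]
        rows.append({
            "ref": r.ref, "tier1": r.tier1, "tier2": r.tier2,
            "inherent": inherent_score(r), "residual": res,
            "appetite": appetite, "within_appetite": res <= appetite,
        })
    return rows


def out_of_appetite(register):
    """Refs of risks whose residual score exceeds the category appetite,
    ordered by how far outside tolerance they sit (worst first)."""
    breaches = [row for row in assess(register) if not row["within_appetite"]]
    breaches.sort(key=lambda row: row["residual"] - row["appetite"], reverse=True)
    return [row["ref"] for row in breaches]


def category_profile(register):
    """Enterprise view: the worst residual score in each tier-1 category,
    set against that category's appetite."""
    profile = {}
    for row in assess(register):
        cat = row["tier1"]
        current = profile.get(cat)
        if current is None or row["residual"] > current["worst_residual"]:
            profile[cat] = {
                "worst_residual": row["residual"],
                "appetite": row["appetite"],
                "within_appetite": row["residual"] <= row["appetite"],
            }
    return profile


# Constructed sample register (tier-2 labels are invented for illustration).
SAMPLE_REGISTER = [
    Risk("R1", "Regulatory", "Consumer Duty outcomes", 4, 5, 0.8),
    Risk("R2", "Operational", "Key-person dependency", 3, 4, 0.25),
    Risk("R3", "Operational", "Core system outage", 3, 5, 0.3),
    Risk("R4", "Commercial", "Funding line renewal", 2, 5, 0.0),
    Risk("R5", "Regulatory", "Data protection breach", 4, 4, 0.4),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "" if row["within_appetite"] else "  <-- outside appetite"
        print(f"{row['ref']} {row['tier1']:<12} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} appetite={row['appetite']:>2}{flag}")
    print("Focus areas:", out_of_appetite(SAMPLE_REGISTER))
```

The `category_profile` roll-up is the part that feeds a governance discussion: it answers “which principal categories are outside appetite?” without requiring the board to read every line of the register, while `out_of_appetite` gives the prioritised list of mitigating actions. Moving to the quantitative model the text mentions would mean replacing the hand-assigned `likelihood` and `control_effectiveness` values with figures derived from key risk indicators, leaving the comparison logic unchanged.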

Overcoming challenges

Howson says that education and engagement was a central pillar of the project, pointing out that risk management as an academic concept was new to many people, and that it was important for everyone to understand why a framework was a valuable tool to implement.

He explains: “Trying to explain the technicalities around some of the terminology that we’re using, such as risk responses, risk appetite statements, inherent and residual risk assessments, materiality matrix etc [was important]… Really explaining it to people who don’t have risk practitioner backgrounds and then trying to sell the benefit of a model and how it can feed into enhanced governance, systems and controls, and better strategic decision making for the organisation.”

He says that getting past the mindset of risk management as a compliance tool or regulatory tick-box is critical, and that the key to this is using a risk management framework that will ultimately help the business achieve its ambitions.


He concludes: “My approach from the outset was that it does enhance regulatory compliance but it’s more around enhancing the quality of the decisions that you make and ensuring that you are considering all angles before you pull the trigger.

“If you do that consistently and consider risk within all your governance procedures it will result in many benefits. One is a reduction in operational loss through reduced incidents, but it’s not just about that. The reason why we manage risk is so that we can take risk; identifying the upside of opportunity risk is equally as important as trying to mitigate the downside.

“When I was trying to educate people and convince them to pay money for a system that they didn’t have before, it needed to be very much seen as an opportunity to enhance the growth ambitions of the organisation in the future.”