Did your mother teach you to say “Please” and “Thank you”? She surely did and the lesson is valid for second line risk managers as well; a polite gesture that goes a long way.
Below is an extract of our textbook Operational Risk Management Best Practice for the Financial Industry (Chapter 13, pp 135-136), relating the case study of a large Nordic bank that centralises the recording of operational risk incidents and requires risk managers to thank everyone who reports an incident or raises an alert:
Case study: Nordic bank’s “thank you” note
To facilitate reporting, a large Nordic retail bank centralizes the recording of operational incidents, with four people in the ORM team dedicated to filling out operational incident forms. When incidents arise, a call or an email to the ORM team suffices. The operational risk manager talks through the incident details and completes the form. This straightforward process has two main advantages. First, because it is not too much bother, it overcomes one reason why people are reluctant to report. Second, it ensures far better data quality, in particular regarding categorization of risk events, causes and various impacts.
In addition, the risk team will thank anyone who reports an incident or sends information about risk and issues. Because risk managers respond with “thank you” notes, it creates positive reinforcement and encourages future cooperation. This is the best practice I have witnessed so far. And because it is in a large bank, it demonstrates that corporate size is not an impediment to a centralized recording process and effective communication between business lines and risk function. The excellent relationship between the first and second lines of defense in this bank is no coincidence.