Kerri Grosslight, Wells Fargo’s head of risk management and compliance for technology and operations group and corporate staff groups, is a people person. More specifically, she’s a people risk manager.

I recently chatted with Grosslight to find out more about the bank’s approach to risk management. What I discovered did not surprise me.

Several years ago, I wrote an article for HR Magazine examining the inclusion of human capital metrics in annual reports and shareholder letters. Wells Fargo’s (now retired) chairman and CEO Richard Kovacevich made this very human point in his 2004 letter to shareholders: “GAAP does not recognize the value of intangible assets that a knowledge-based company such as Wells Fargo generates internally — such as the loyalty and relationship levels of our team members and customers.” Kovacevich made the point, in part, to explain why he included human capital measures and information in his communications to shareholders.

It appears that Wells Fargo also believes that people play a vital role in risk management.

(People, of course, play a vital role in every organization’s risk management process; what differs is the extent to which companies recognize this importance and actively manage the human component of risk management.)

“Our mantra has been ‘Risk management is everyone’s responsibility,’ Grosslight notes, “and now we’re also emphasizing ‘Know your real risk’” – the risks that cross your desk every day. We’re working to help our team members understand that they are in the best position to understand and identify risks because they’re the ones doing the work.”

Here is our chat …

Eric Krell: Please tell me a little bit about your company’s risk management framework and also about the role that people play in supporting this framework.

Kerri Grosslight: First, I’d say that whatever a company’s risk management framework looks like, what’s most important are the people in the framework because they’re the ones who identify and manage risks every day and need to be accountable for those risks.

At Wells Fargo, we have a top-of-the house group that looks at risk management and compliance across the enterprise. Then, each business group head has a group risk officer who ensures that all the risks in that organization are understood and covered. I’m the group risk officer for the Technology and Operations Group (TOG), which has over 25,000 team members, and I also support corporate staff groups like human resources, finance, audit, and communications.

Within my own team, we have risk management support groups that are aligned with each of our organization’s divisions. We also have a shared services group, which looks at risk holistically across the organization. One of their key roles is to understand the corporate policies (such as vendor management, information security, records management, business continuity planning, and more) and what we need to do to comply with them — for example, training and awareness. The shared services group works closely with the risk managers, who then partner with the divisions.

Eric Krell: One of the most important issues I see in risk management today relates to what I call “people risk,” which amounts to the extent to which an organization’s risk-management strategy and principles enter into everyday decision-making. What are some of the ways you and your team strive to address people risk and to ensure that the company’s risk-management principles enter into daily decision-making in the trenches?

Kerri Grosslight: I couldn’t agree more — people are the key to any risk management strategy. Within our organization over the past 12 to 18 months, we’ve focused on building a culture of accountability for risk management. Our mantra has been “Risk management is everyone’s responsibility,” and now we’re also emphasizing “Know your real risks” — the risks that cross your desk every day. We’re working to help our team members understand that they are in the best position to understand and identify risks because they’re the ones doing the work.

We’re also encouraging our managers to help role-model the behavior we’re looking for – managers are crucial to making this a natural part of our culture. We know that our team members see their direct managers as their primary source of information, so we need our managers to play that really important role in communicating about risks, demonstrating that there are no penalties for bringing forward a risk and that we all have to work together to resolve it and learn from it.

Across the company, we have a “defense in depth” risk management strategy, meaning that we believe we should manage risk as close to the customer as possible. Going back to the framework I mentioned earlier, every team member is accountable for managing risk. Then we have risk management organizations like mine that provide support across business lines. We also have the top-of-the-house group that looks at patterns and trends across the enterprise. Checks and balances exist; that helps us to execute our risk management strategy.

Eric Krell: How do you define an organization’s “risk culture” — and/or what are its most important elements?

Kerri Grosslight: As I alluded to earlier, whether a company’s risk management framework is centralized, decentralized, or somewhere in the middle, what’s most important are the people in the framework – they have to be engaged. Culture becomes part of the equation when those people have a set of shared values, goals, and practices. Everyone has a responsibility for risk management, and with the right culture, everything else falls into place.

To take that a step further and relate it directly to Wells Fargo, I think about our Vision and Values, which defines culture as “knowing what you need to do when you get up in the morning without having to be told what to do.” When people know their real risks and know what they need to do as part of their job every day to help manage risk and protect the company and our customers, that’s a strong risk culture.

At Wells Fargo, we support that culture in several ways. We promote the fact that we’re all risk managers. We’re organized in such a way that our business line owners are the first line of defense and are accountable for day-to-day risk management. We emphasize risk management as a core business competency, and we run the company with a culture of prudence, which means that we’ll continue to emphasize control, profitability, and growth, always in that order.

Eric Krell: What excites you most about your organization’s risk management capabilities right now?

Kerri Grosslight: It’s exciting to see that culture of accountability come to fruition and to constantly enhance it. It’s exciting to see more and more team members across the company, regardless of business line and function, really “get it” and understand that they’re responsible for risk management every hour of every day.

One of the ways in which I can tell this is happening is through a risk-related recognition program that we launched within our organization in April. The point was to catch people doing risk right – to encourage the behavior and also use the success stories to help educate others on good risk management practices. In just over a month, we’ve recognized more than 20 team members, and the vast majority of them are from teams outside our risk management group. I think that’s really indicative of the fact that all team members are starting to see themselves as risk managers. ###