Risk transformation: What do you need for a successful transition?
Financial services remain in transition. Business models and associated risks are evolving in line with a more digital and interconnected society. While the Covid-19 pandemic showed the remarkable resilience of the financial system at scale, it also highlighted material gaps in managing points of failure outside the institution – not just looking at third parties but considering their ecosystems as well. At the same time, the past decade has brought generational challenges to the fore, with sustainability and a changing geopolitical landscape providing significant uncertainty over the medium- to longer-term.
What does this mean for the risk function?
As part of our 2021 global survey of risk functions, we spoke to more than 60 banks and have identified a common set of priorities on the risk transformation agenda:
Future-proofing risk function mandates and strengthening interaction models
There is consensus on the need for the risk function to be a part of shaping future business models, as strategies are considering the place of the institution in a much larger ecosystem as well as entering exciting new business areas such as digital assets. While there has been progress in early engagement, collaboration strategies and ways of working remain areas of focus. For example, “agile” is a concept that many institutions aspire to adopt – however, making this work in practice is not straightforward, and institutions speak of mixed success. In addition, providing the first line with risk and control tools that work for the business and moving towards continuous assurance models provides significant room for efficiency while maintaining effectiveness.
Building capabilities to manage thematic and digital risks
As business models become more digital and connectivity to the environment increases, the risk profile tilts towards a complex mix of IT, cybersecurity and third-party vulnerabilities. Complementing this, sustainability and operational resilience will be key challenges for the coming decade. Building effective capabilities requires establishing cross-functional structures and different ways of interaction across business, risk and other corporate functions, as well as thinking beyond organisational boundaries and considering the firm’s ecosystem.
Data and infrastructure
There is increased recognition of data as an asset and a major source of competitive advantage. A wealth of new data will come in and enable better analytics and new value propositions as the bank repositions itself within an ecosystem of customers and partners. On the infrastructure side, there is a need for capabilities to run much faster and more complex analytics, while at the same time uplifting control standards for critical areas such as the cloud.
Creating platforms for the controlled deployment of new technologies
While emerging technologies are starting to deliver significant benefits, firms need to get better at setting themselves up for industrialisation. Priorities include getting better at managing towards return on investment, as well as building out governance and control structures and investing in model risk management.
Planning the generational transition of the workforce
Ways of working are changing and becoming much more tech-enabled. In addition, the new generation of talent has a different mindset and life objectives. This requires institutions to invest in platforms to support existing employees during the transition, while simultaneously rethinking leadership models and career journeys to remain attractive for the talent of the future risk function.
What is needed to deliver a successful transition?
A critical and often under-appreciated pillar of successful transformation is a robust roadmap. Apart from well-articulated objectives, realistic deadlines and sequencing, thinking end-to-end and interlocking transformation plans with the broader organisation is critical. Organisational silos remain a challenge to the execution of large-scale programs, but the pandemic showed that it can be done.
A second thing to get right is proactive delivery against regulatory requirements. Many firms continue to highlight the magnitude of resources that regulatory compliance binds in the organisation, with a perspective that a resetting of the balance of promoting effective risk management versus materiality may be required. There are areas where regulatory expectations may need to evolve, including enabling more materiality-based decision-making, use of technology and different interaction models across the three lines of defense.
Thirdly, strengthening the ability for holistic risk management is critical as risks become more thematic and (in some cases) impossible to effectively manage without technology. ERM is starting to take a key role and we see this growing, championing the digitisation of risk management and building more forward-looking capabilities. In this context, emphasizing the role of risk appetite in strategic decisions is critical. For example, once a sourcing decision has been taken and is being executed, the associated risk has been accepted at least in the short- to medium-term. As such, decisions driven by short-term cost objectives too often end up delivering sub-optimal outcomes.
Finally, people and infrastructure remain differentiators versus the competition. Innovative thinking about leadership and structuring teams as well as investing in “smart” and on-demand tools available to staff across all lines of defense enables managing risk effectively and efficiently, while contributing to the overall staff experience and career opportunities.