There is no question that risk functions, like all other aspects of an organisation, must transform the way they operate to be relevant and value adding amid new technology, disruption and emerging threats.
However, no transformation is easy. For the risk function, the change challenge not only involves its own operations, but how it helps the organisation to rethink and reform its approach to unprecedented risks.
Jacinta Munro, Partner, Advisory at KPMG says transforming towards a risk function of the future must be done with awareness that risk can now come from anywhere.
“A large part of what happens with risk involves the external environment, and the changing economic environment,” she says.
For risk functions to cement their role and value, Munro says they must be more evidence based, demonstrating proof of concept and measurable outcomes.
“We need to build new types of analytics around the risk function, whether it is using cognitive technology or big data to help in areas like improving conduct risk and culture, or employee incentives. The challenge is, how is risk bringing new thinking to solving problems?”
Robust discussion between the risk function, the board and management is a vital part of a successful transformation. Stefanie Bradley, Partner, Advisory at KPMG says it is necessary to harness competing tensions and priorities in an organisation, and turn them into action.
“You have to have a series of discussions – to identify where the best opportunities are, as that leads to what we call an ‘alignment around the burning platform’. That is in getting an organisation to begin its shift into a change program.”
Once there is agreement that change is needed, the next challenge is taking a “leap of faith” in terms of investing in and testing change, Bradley explains.
“Perhaps there are two or three dilemmas existing in the organisation – that might be in regulatory issues, or it could be that speed to market for new products is being impacted by out of date risk processes. Whatever it is, risk need to test why that is occurring, and really get into the organisation’s willingness to invest in changing that,” she says.
Agility is vital for the risk function of the future as it strives to make organisations resilient to emerging risks. However as risk is fundamentally a structured and compliance-focused discipline, changing to an agile way of operating can present roadblocks.
Munro says the risk function must learn to deliberately break and test its systems.
“It is being ‘fragile by design’, where you deliberately make the system fragile,” she says.
This acknowledges the fact that issues do occur, but means risk can respond quickly to mitigate the impact.
“It is not about being unbreakable. You want the organisation to be able to withstand the impact and recalibrate, and to reconfigure itself without the shock,” he says.
As risk functions transform, a key challenge is innovating ways to review culture and conduct within the broader organisation. Building capability to assess behaviours in increasingly competitive, customer driven environments, where incentives dominate, will require fresh thinking.
“The future of risk will be about getting into the space of behavioural change and assessing where behaviours sit in alignment with what risk is trying to manage overall,” Bradley says. “The risk function has to rethink how they review the behaviours they are seeing, the tools they need, the capabilities they face, and the assessments they must make, to get deep into why types of behaviours emerge.”
Michael Hill, Partner, Advisory, at KPMG offers a current example of an online retailer, for which he is assessing the risk management framework in terms of people, processes and system operations.
“As a digital business, they are looking to be agile and entrepreneurial. But how do we create a narrative around cultural change, and help them understand the need for a more visible risk management system to preserve customer trust? Identifying signposts for the organisation to focus on, empowering and educating people and building the case for change anchored in customer outcomes is vital. We look at what should happen in terms of risk and control and how to build resilience into the environment for when things do go wrong.”
Change programs have traditionally been long planned and slow to unfold, but the challenge for risk is to transform quickly and nimbly to keep ahead of new risks.
“What could stand in the way of change is that it becomes too big and overwhelming and then you lose momentum,” Bradley says. “Working on change that is going to deliver more quickly and visibly can signal to everyone in an organisation that risk is doing something about this.”
A tried and tested way to help quicken the change process is to adopt the old adage “what gets measured gets done”, Bradley says.
“If you want change in the business, you have to hold people accountable for it, and you have to be clear on what they will be measured on and rewarded on to embed it. Change is a multifaceted, complex, nebulous, conceptual issue. One or two ideas to assess or address it are not enough,” she says.
In a dynamic, complex business environment, no change program can be perfect – but imperfect action is better than no action at all, Bradley argues.
“The question risk must ask is, how much are we going to let the pendulum swing one way and accept that it is OK? Because you can’t have perfect and you can’t have everything running to plan,” she says.
That loops back to the need for dialogue, and establishing what really matters for the change program and keeping that in focus.
“It is not just one solution, it is complex. Risk must help people to look further than their own organisation. They must seek learning from the past, seek learning from other sectors, and build that into a change program,” she says.
A core part of change in the risk function is the need for leadership to prepare for a complex future. Find out more in our article Risk leaders of the future – a vital role in success.