As protecting an organisation from risk becomes increasingly challenging and costly – yet more vital than ever – the risk function must embrace new ways of working. Functional consolidation and technology transformation are key, as is a focus on the customer and business, bringing strategy and governance closer to the front-line.
The risk function of an organisation has a critical role, but it can be a costly area to maintain. A continually changing risk landscape, new regulations, the need to refresh specialist capabilities and a fast-paced, global and competitive environment put immense strain on the function.
Mike Ritchie, Partner, Advisory at KPMG says the challenges faced by the risk function need addressing without delay. He is certain that embracing functional consolidation and technology transformation are core to the answer.
“Technology is going to be a real disruptor for the risk function,” Ritchie says. “The risk function can’t sustain the traditional way they have done things. With the tools available, chief risk officers (CROs) can now change their model, the capability of their people, and shift their focus to culture and customer.”
Traditional business models and processes which are currently subject to risk oversight are being disrupted, and the goal posts are moving. In this fast-changing landscape, the risk function will need to add more value than ever to help protect organisations and customers, despite the requirement to keep costs manageable.
“The risk function is going to become more digital, and it is not going to look the way it does today,” Ritchie says.
Organisations have transformed in many areas, such as in the human resources (HR) and finance functions. However, Ritchie says the risk function has been swamped by regulatory change and has not kept pace on transformation.
“The HR and finance functions have reduced operating costs and have created more business-value-aligned propositions. They have used functional consolidation, technology and outsource partners to be faster, more responsive and more value adding, with the insights that come from data and technology, while saving costs,” he says.
After the global financial crisis of 2008-09, organisations boosted investment in their risk function, often hiring more staff to deal with regulatory change. Now the cost of maintaining a people-heavy risk function is unsustainable for many organisations. There is a need to be more efficient, with the ‘The Risk Function of the Future’ complementing the ‘Digital Business of the Future’.
“While we have empathy for the regulatory change challenges that CROs have been dealing with, it is important to recognise that disruption is here and that they need to act now. You can’t sustain that level of cost, and while you are going to get more regulatory change, you can’t just keep hiring people. You need to find a better way to operate – with functional consolidation and technology transformation providing a solution,” says Anu Kukar, Director, Advisory, KPMG.
In the face of cost pressures and emerging risks, the CRO must transform their risk function to be simultaneously efficient and effective. This must take into account the capabilities of people in the team, the skills required to ensure the risk function is value adding, and how it can be more time and cost efficient.
“The risk function needs to move away from solo subject matter experts to more outcome focused risk people,” Kukar says.
The second step of functional consolidation is to look at processes and the operating model, with the goal of seeing how it can be refined to improve results.
“It is important that CROs embrace all the technology options that could fundamentally change and reduce the time it takes to do risk activities,” she says.
Applied appropriately, technology can speed up risk analysis, sampling broadly and deeply across the business.
“Why have staff monitoring and checking activities weeks or months later, when RPA (Robotic Process Automation) can provide same-day continuous monitoring?” Kukar says.
Ritchie says embracing functional consolidation and technology transformation will help CROs cope with risks as they expand.
“The variety and speed of risk has definitely increased over the last few years and we expect that to continue at a rapid pace,” he says. “So the solution here is fundamental to CROs being able to continue to add value going forward.”
Changing the risk function may sound overwhelming, but Ritchie and Kukar say that with a well-planned strategic methodology, it doesn’t have to be complex or take years.
KPMG’s approach to the risk function of the future leverages the strength of the KPMG Insights Centre, the U-Collaborate team and the KPMG Innovation Lab.
“We bring together the technology experts, financial services leaders and risk specialists, and work with our clients to design a future-state risk function for their organisation,” Kukar says.
This involves visualising the risk function in the future, and helping the organisation make financially viable strategic choices for the future aligned to its strategy. It involves analysis of processes, timeframes, missing capabilities, and how they can get where they need to go. Key to this approach is an ‘agile roadmap’ which is where speed of implementation comes in.
“We work with the CROs to form the business case in terms of return on investment. Then it is time for implementation,” Kukar says.
With business models and technology changing so fast, and new risks continually surfacing, the ability to transform a risk function in an agile way makes an immense difference to its effectiveness. Traditional, expensive, complicated change programs that take years to develop and implement are unlikely to be the best investment, as by the time they are complete, the goal posts will have shifted.
“The continual emergence of new risk is one reason, the other is that the CROs are under huge pressure to move fast and get things happening,” Ritchie says.
Despite the urgency, he says there can be resistance to change among risk functions – somewhat due to the fact that it is their job to tread with caution. Not taking action, however, could result in the cost of the risk function being too high to maintain and the effectiveness of risk management declining.
“If organisations already have a cost reduction target, if they don’t start now, costs are only going to increase as global and local regulations increase,” Kukar says.
There is also the potential for risks to go unchecked, leading to fines, reputational damage or even the loss of business.
“Risk functions have to be prepared for how they’re going to manage the increasing cost of the risk function, and with the regulatory change coming, how they will be effective. What happens when the organisation goes digital, and their risk function is not prepared?” Kukar says.
Regardless of sector, an appropriate strategy, functionally aligned operating model, new technology, agility, and awareness of the ever-evolving risks could make the difference between success or downfall in a disruptive world.
The risk function plays a powerful role in monitoring the culture and conduct of an organisation. Find out more in our article Culture and conduct in a new world order.