In the first of two blogs for the Risk Coalition, Keith Davies set out the case for change for Risk teams - much needed in view of the changing and increasingly dynamic, connected and multi-stakeholder environment. In this second (and concluding) blog, he explains the key aspects of how they need to change.
Last week’s post highlighted the new areas that Risk teams should now oversee, in addition to more traditional financial and operational risks, in order to address the ever-more complex and interconnected, tangible and intangible risks that their firms now face. However, in order to meet their formal objective of “protecting and creating value”[1], Risk functions will not only need to expand the scope of their activities but also adopt the forward-looking commercial mindset needed in the fast-moving digital world. Some of the changes needed are highlighted below.
From hindsight to insight to foresight
Whilst risk functions should always seek to mitigate future risks, many traditional approaches result in backward-looking box-ticking that often only really addresses risks after they have occurred. The modern world requires a mindset shift in which Risk teams recognise the value in using new techniques (e.g. data analytics and behavioural science analysis) and new types of risk data (e.g. stakeholder sentiment, ESG factors in third parties, etc.) in order to identify risk indicators, trends and patterns, and to continually horizon-scan for new and emerging threats, opportunities and new risk combinations. Such activities will become ever more critical as the accelerating rate of change continues to reduce the time that firms have to react once risks crystallise.
Commerciality: being a safety belt rather than a handbrake
Risk functions must better align to their organisation’s commercial needs and help deliver new activities quickly and sufficiently safely, rather than adopting a risk-averse approach of moving only when risks have been fully understood and mitigated. Risk teams now need to be agile, make timely decisions based on adequate but imperfect information, and accept that wrong decisions will be made – not least because the opportunity risk/cost of not changing quickly can now often be greater than the risks of change itself. Risk functions should assess whether they support the delivery of a firm’s strategy within cost and risk appetite with questions like:
do they compare the potential benefits of additional controls against the associated cost, effort or disadvantages? ALARP can be overkill for some risks!
does risk appetite focus disproportionately on preventing downside risks and hinder an appropriate level of risk-taking? Should some risk appetite statements have a lower as well as upper threshold?
does the function look appropriately at business opportunities (e.g. with an opportunities grid alongside the usual risk matrix, or within taxonomies including the opportunity risk of not changing)?
do teams focus on traditional processes and reporting at the expense of forward-looking mitigation?
Resilience: ‘when’ not ‘if’ events occur
Risk teams must recognise that in an interconnected, multi-stakeholder world many risks cannot be adequately mitigated by internal, preventative controls – and that the key mitigation will often be the speed and quality of a firm’s response and communications when incidents inevitably occur. The need for both preventative actions and resilience is already recognised for cyber risks and operational activities, but it will become increasingly critical as social media and stakeholder capitalism mean that firms can no longer control their own reputation and brand: anyone - including customers and employees - is able to post their views, and malicious actors are able to create fake news, websites and social media accounts.
Tooling up
Risk functions will need to re-skill and re-tool to meet the new business dynamics they face. There is already a significant increase in the use of data and technology to improve risk management activities. Companies can leverage Robotic Process Automation (RPA) to collect and validate data, and data analytics and AI to turn a wider universe of structured and unstructured data into usable insights and to identify emerging and growing risks. And eGRC tools can consolidate information, automatically distribute required risk MI and remedial actions to the appropriate people, and even automate certain risk actions (e.g. automated patch management).
All these techniques support the implementation of continuous monitoring, which permits real-time risk and control testing and reporting, thereby stopping risk management from becoming stale and possibly even developing blind spots over time. They not only significantly improve the richness, depth and speed of risk management, but also improve team efficiency by reducing data-gathering and processing time and by freeing up existing employees to work on value-adding risk assessment and management activities.
Skills and mindset
Even more importantly, Risk teams will need to employ the skill mix and mindset needed to support the firm in a digital and stakeholder environment. In order to achieve this, CROs may need to make brave hiring decisions:
They need a breadth of perspectives above and beyond traditional risk disciplines, with specialists who truly understand the nature of the modern risk profile – including experts from unorthodox sources (e.g. non-related industries already exposed to modern-day risks).
They will need people who have worked elsewhere in the organisation, who understand its commercial and cultural fabric and pace of change, and who can be advocates for an appropriate risk culture.
They need individuals with genuine enterprise-wide knowledge and the intellectual agility to quickly identify, assess and respond to emerging and connected risks.
They will need to hire those with learning agility and cognitive diversity to complement existing traditional risk skills and approaches.
Such trends are already apparent in CRO recruitment: recent research by Hedley May[2] shows that 43% of FTSE 100 Group CRO appointments since 2020 have been “leaders without any significant prior Risk experience”. These trends will increasingly need to permeate across the whole function in order for teams to get the required balance between modern business understanding and traditional subject matter expertise.
Conclusion: a challenge and opportunity for CROs
The changes in risk profile created by an interconnected, trust-driven and digital landscape require risk functions to significantly adapt their coverage, skillset and approaches. This will be a major challenge for many, but one which functions must undertake to prevent themselves - and maybe their organisations - from becoming obsolete, and one which, if done correctly, presents a massive opportunity for functions to elevate their impact and enhance (rather than just protect) their organisation’s long-term value.
[1] International Organization for Standardization (2018) ‘ISO 31000:2018 Risk management’.
[2] Hedley May (2022) ‘Chief Risk Officer Succession: The Search for Learning Agility’.
Keith Davies, Chief Risk & Compliance Officer at Federated Hermes Limited, is a commercially-focused CRO with a passion and track record for change and for implementing risk frameworks that support all aspects of business strategy – including financial, operational, digital, behavioural, reputational and ESG/sustainability risks. He has worked for over 20 years in global insurance, asset management and banking.