Reviewing risk arrangements for effectiveness and simplification
This paper discusses addressing the risk needs of evolved organisations operating in a transformed environment.
We live in a rapidly evolving world
We live in a dynamic and rapidly evolving world, with constant changes taking place across all aspects of life, the environment and business.
Just to name a few, all with such a big impact to our day-to-day lives as well as the future.
Organisations have been reacting well to the constant changes: transforming business models, legal structures, governance and operations. But impacts to risk and compliance can be gigantic and may require significant changes to be implemented. It is time to pause, to look at things from the top and decide if what we see is appropriate given the new world.
When it comes to risk, we typically want to apply two lenses in assessing our perspective on the appropriateness of risk arrangements:
- Effectiveness of the arrangements to address the specific objectives, i.e. the ability to manage risks in the right way; and
- Efficiency in achieving the objectives, i.e. the ability to manage risks in a sustainable manner (e.g. as a business enabler rather than an operational burden).
Overall, there is now a clear opportunity to re-assess critical risk arrangements for optimisation and simplification.
Different drivers but common challenges for risk
Large organisations are facing issues of rationalisation and simplification of their risk departments. Often, these are the result of changes to business and operational models.
Smaller organisations are experiencing the need to organise risk operations to match the new needs driven by the evolution of their business as well as of the marketplace, with ‘new’ risks becoming more material while at the same time more difficult to manage (e.g. cyber risk and third party risk).
Others are required to reconsider their risk arrangements in light of significant changes in size, changes in the business model or acquisitions.
There is a myriad of reasons why something has to be reviewed and adjusted for a better fit. However, key challenges tend to focus on a few key questions:
- How can I change my risk framework to be a better fit for purpose?
- How can I improve it to prevent the next big risk event?
- How can I make it more understandable and more simple to operate?
- How can it be operationalised without having to spend a fortune?
- How can I make the most of new technologies and innovative arrangements?
- And finally, how can it all be streamlined and simplified?
Defining a simple and robust approach is required
A robust approach is required to begin the journey towards answering those questions.
The approach must be cognizant of current circumstances, characteristics of the organisation, key strengths and objectives, but it also needs to consider future needs and anticipate the required changes. Once you define your solution, you don’t want to change it too often or too soon!
The approach can be structured in four key stages.
Vision and Objectives
The first stage is to develop clarity on the vision for the risk function and on the objectives to achieve in operating a risk management framework. Clarity of objectives is critical to achieve streamlining and simplification. Hence, this is required to happen at the right level of seniority within the organisation, starting from the top, at Board level.
Having clear and shared objectives is a vital factor in achieving a simplified risk framework: it limits scope creep, produces better quality output and increases the likelihood of overall success, as the project will have strong sponsorship and support to address challenges that may arise on the go.
Priorities and Current State
Armed with the clearly defined objectives, actions can then proceed to define the key priorities for the assessment, shedding light on the current status, both internal and external, and on the expected future state with the appropriate focus.
Priorities will typically be:
- organisational (areas to cover);
- thematic (risk type or part of the framework); and
- infrastructural (process, technology, people).
This exercise can be structured bottom up, starting to look at the disaggregated picture then aggregating it according to vision / objectives or key processes, using the typical risk framework structure below.
For example, following the structure above, the disaggregated assessment could be performed by risk type and key process. Priorities could be defined around these and drive the current state assessment.
The assessment of the aggregated picture could be done considering the processes and infrastructure that would be addressing the objectives agreed for the risk management function.
For example, this could consider:
- Processes, like capital management, liquidity management, strategic planning, business support; and
- Infrastructure, like the overall governance, operating model and three lines of defence.
Understanding views from key stakeholders, challenging the status quo and discussing ideas alongside these dimensions will take most of the time at this point. Hence the importance of agreeing priorities upfront, so as not to risk extending the exercise for too long and becoming ineffective.
Moreover, it is very important that the assessment is done thoroughly and that the temptation to move to the next step (solutioning) before having fully completed it is avoided. This will guarantee the right / strong foundations for the initiative and the success of the next steps.
The assessment will highlight what the next critical step should be. This stage involves building, sharing and deciding on options for the future state; this should include solutions related to how to operationalise some of the options that could be more innovative.
The focus of this stage can be quite broad so it must follow the key objectives and priorities agreed in the previous stages to remain effective.
A key challenge is to keep the focus on simplification while looking at options and solutions – strong project governance is key for this to happen.
Following the same disaggregated / aggregated approach used in the current state assessment stage, this could include the following areas of challenge.
Disaggregated future state considerations:
- Ensuring all risks are appropriately identified, mapped and assessed for materiality. In particular, in relation to the non-financial and emerging risks. Key focus here will include the likes of climate risk and cyber risk, and the need to assess and manage them at various levels given their materiality and regulatory focus.
- Maintaining an appropriate and sustainable model risk management framework. With the proliferation of models, the use of artificial intelligence (AI) and increased regulatory requirements, this area is normally a candidate for optimisation and streamlining.
- Availability of skills and capabilities in the two Lines of Defence (LOD) to discharge their responsibilities. Particularly with respect to those risks that require strong / niche technical capabilities (e.g. model risk, cyber, climate, operational resilience, etc.), the challenge is often related to the ability to attract and retain the right expertise. This also raises the question of using internal vs external services, or a good mix of them. ‘Experience as a service’ is a model under current consideration for many organisations, particularly the smaller ones.
- Use of data is optimised and enriching the business with new insights (e.g. for climate risk use). It is clear now that big benefits can be achieved with better use of data. One example is climate risk assessment, where lots of data is already available to banks but cannot actually be used to address current / emerging needs unless it is appropriately enriched and structured.
- Use of technology is enabling new risk capabilities and business uses. An ongoing assessment of new / emerging applications and the assessment of potential applicability can lead to significant benefits. However, this can also be time consuming and lead to additional complexity and risks to be managed.
- Use of third parties is considered for efficiency and effectiveness (e.g. for outsourcing agreements or cloud services). However, assessing the implications of vendor risk to operational resilience and developing the support internally required to effectively manage these relations / risks can be a significant task requiring regular stock taking.
- How appropriate, robust and time consuming is risk and regulatory reporting, and especially how action-oriented it is (the ‘so what’ question). There is huge regulatory focus on this topic and big fines are dispensed to those who fail to comply. New solutions continue to emerge for smart operationalisation and robustness of regulatory reporting processes. However, many opportunities still remain in the space of simplification and internal usability for value-added decision making.
- How well is risk embedded and ‘use’ evidenced. Is this conducive to the right risk culture? Not only building the right culture but also maintaining it remains critical. This is an endless effort requiring constant monitoring and improvements.
Aggregated future state considerations:
- Governance, who owns the risks, who manages them, who accepts them, at different levels of aggregation. Governance remains one of the most critical aspects to consider given related impacts are huge for the ability to achieve overall risk objectives. Typical challenges can arise from the need to adjust arrangements and streamline them, following changes in the organisation but also in relation to the evolved risk profile and external market conditions.
- Where is risk management required to happen, e.g. entities vs group level, and what are the nuances to be applied. Many organisations have built a very complicated structure over time for various reasons, including regulatory needs (see for example Brexit, but also resolution issues) and they are now in a position where this has to be reviewed and fine-tuned.
- How is regulatory compliance maintained and monitored. In the current fast paced / global environment, keeping up to speed with the impact of new requirements demands a flexible framework that can be adjusted as required. Projects of regulatory nature can represent a significant portion of the total effort and hence require the right management, expertise and governance.
- The right balance of skills and apportionment of responsibilities across the three LOD. Finding the right equilibrium across the lines, that strikes the right balance of enabling them to achieve their statutory objectives while remaining efficient at the same time, is an ongoing exercise.
- Capital is managed for optimised profitability and driving the right behaviours at business level. The need to ensure this is appropriately in place and revisited is amplified in those cases where corporate structures have changed for various reasons (including Brexit, business changes, new models, legal entity optimisation efforts).
- Risk strategy, appetite and planning. Upholding appropriate standards, taking into account emerging risks and required adjustments to risk management, reflecting them in the required regulatory processes / documents and keeping them up to date can be a herculean task in the current fast paced environment.
Simplification opportunities should be proactively sought to maximise risk management efficiency and allow effective management, as per agreed governance. The simplification lens should be applied across the whole exercise to steer decisions on the:
- focus and scope of framework components;
- overall operating model and governance; and
- efficient solutions to make the framework operational and manage its implementation.
Decisions will be taken by assessing whether a new solution would provide a better (more efficient or effective) option to achieve the agreed vision and objectives for the risk.
The need to simplify is a critical challenge for many organisations, given the complexity of running risk operations and in light of the many considerations above. However, at the end, simplification is about ensuring not only sustainability but also enhanced risk understanding across all organisational levels, and with this… use, behaviours and culture!
Implement Future State
Once all the above is considered and decided, it is time to put it all in place. This could mean a huge effort, involving multiple parts of the organisation depending on the solutions to implement.
Careful planning is required to balance the need to make quick progress with avoiding the typical risks related to project fatigue, where shortcuts and temporary solutions may become the preferred way forward (to then become ‘the’ final solution over time).
Success here typically calls for the right balance of implementing practical / pragmatic / feasible solutions while ensuring the right project discipline and governance throughout.
A unique opportunity, for the brave ones
Overall, there is no one-size-fits-all solution. If taken in its full scope, this is a complex exercise, requiring the involvement of multiple disciplines, a deep internal understanding and views on possible future market and regulatory scenarios.
Whatever the appropriate scope and focus, a clear and strong approach is required to make progress in this exercise. This will also guarantee that, regardless of what is decided, good reasons for decisions are available and that they are taken based on a transparent / appropriate process. Sometimes, the latter can even be more important than the actual chosen solution itself.
The prize at stake is high. One thing is clear: the availability of a proper risk management framework and operations is a critical enabler, even more so today than in the past, to ensure future success for any organisation.
Alessandro Vecci, Partner – Head of UK Risk, Regulatory and Compliance services
With many years of experience in the international financial services industry, Alessandro has a wealth of experience in risk, regulation and compliance, gained through international roles, both as a consultant as well as a banker, and including CRO roles in UK and CH. His experience ranges from strategy and governance, AI/ML risk applications, risk transformation, system implementations to compliance and regulatory assurance.
Produced by the Risk, Regulatory and Compliance (RRC) Segment of Be | Shaping the Future UK.