Making Risk work

Anthony Kruizinga Partner, Risk & Regulation lead, PwC Netherlands 28/04/21

Three practical ways to make your risk management more efficient and effective

Designing and building your dream house from scratch is a great deal easier than renovating a decades-old building in which people live (and nowadays also work) while the refurbishment is ongoing. One resident may want to change the design of the second floor, while others just want to keep things as they are. Another wishes to add a third floor, but the local authorities may not approve. You would like to replace your kitchen with a more modern one, but at the same time you need to keep cooking dinner for your family. And of course, budgets are tight, timelines are squeezed, and emotions run high.

Making risk management work efficiently and effectively in practice resembles the second scenario far more than the first. You will hardly ever have a clean sheet of paper. Therefore, in this blog, instead of coming up with the perfect blueprint for risk governance (we have the regulators for that), I outline three practical but important changes by which risk management can shift to a more effective way of working.

Firstly, by distributing risk tasks appropriately across the first and second line of defence (in line with the three lines of defence model). Secondly, by building an ‘agile bridge’ to close the gap between Business and Risk. And thirdly, by directly integrating risk management and control requirements into the design of your new products, services and processes.

Use your renewed risk taxonomy to assess your organisation's structure

For starters, take your renewed risk taxonomy to carefully scrutinise your organisation’s structure and the number of FTEs and competences for each of the major risk types your organisation is facing. In the context of the three lines of defence model, some of these risks may already be well addressed in the first line while the second line is understaffed or lacks the skills, or the other way around. Simply comparing the number of FTEs dedicated to each risk in the two lines of defence will produce an initial list of question marks.

Of course, distributing risk management tasks appropriately between the 1st and 2nd line does not necessarily mean that this distribution needs to be even. However, the principle of proportionality should apply here: in order for Risk to fulfil the role of independent challenger and add value to strategy execution, it is not sufficient to have half an FTE (often without the right skills) responsible for 2nd line cyber risk while the 1st line has dozens of cyber experts.

Risk as a business partner and advisor

Large disparities in risk FTE between the first and second line are not conducive to fruitful cooperation. Risk management can easily be overwhelmed and may then be reduced to a formality centred around control testing, filling in checklists and other procedural activities, rather than truly challenging the business and adding value as a partner. And vice versa: in numerous cases, for example in compliance risk, I observe large second line Risk teams performing tasks the Business should be doing, as if Risk had almost fully been ‘outsourced’ to the second line.

Risk ownership in the first line

To what extent is Risk embedded in your business processes and truly owned by business executives? Many risk and control activities could easily be performed whilst executing business processes, rather than on top of them. This makes work a better place for everyone involved.

As long as accountability is clear, duplication can be minimised and efficiency increased. After all, risk and control ownership, risk identification and assessment, control design, execution, testing and monitoring are 1st line tasks and could, and should, be embedded in end-to-end business processes and operations.

Good examples of this include restaurants, aviation companies and power plants, where health and safety risks are an integral part of each and every ‘business’ process.

Enable the business to take risk responsibly

Secondly, it is vital that the first and second line of defence cooperate more intensively. The gap between them needs to be bridged. The three lines of defence model is a rigorous one, and of course, elements of it are tied to your licence to operate. However, I also think it needs to evolve, and I do believe that some relatively small and subtle innovations can reap great benefits.

Previously, I talked about ‘Risk management enabling the business to take risks in a responsible manner’. Chinese walls between Risk and Business should exist where Risk is acting in its role as independent challenger. But where Risk is acting in its role as advisor, they need not be as robust and impenetrable as the Great Wall of China. An emerging practice for closer cooperation across the two lines of defence stems from the agile way of working: creating risk advisory hubs in the first line, whilst establishing independent expertise teams in the second line.

The way of working itself can become more agile whilst introducing these initiatives. When risk experts get on board earlier in the process as advisors, the feedback loop between them and the development teams becomes shorter and more frequent.

Distribute Risk efficiently across the first and second line

Distributing Risk efficiently across the first and second lines of defence means adjusting all the processes in business and operations to reflect risk requirements. Easier said than done, I acknowledge that. But I’m sure you will agree it needs to be done. When you go for a bite in your favourite restaurant (that is to say, once we are allowed again), you assume health and safety requirements are embedded in the kitchen design, in the quality of the ingredients used, and in the hearts and minds of the kitchen brigade. I don’t think you start chemically sampling the food to check for poisoning when it lands on your table.

Integrate risk management straight from inception

Where should you start within your organisation? At the very least, from now on, whenever you create new processes, issue new products or start new services, there is really no good reason not to integrate risk management and control requirements into the design, straight from inception. Risk by Design. Not a new concept, but many organisations still fail to apply it.

By demonstrating as a business leader that risk management becomes more effective when risk experts actually participate in the design phase of new initiatives, you will likely motivate others to follow suit. Consider for example lending processes at banks. These are risk processes by default, and risk and control requirements relating to limits and acceptance have been embedded in the end-to-end process (and are often automated). Of course, there is also an independent challenge from the second line, but risk management has been embedded from the start in the first line’s credit acceptance process.

Never stop reimagining Risk

I hope that by now you realise that in this blog I preach evolution rather than revolution. Of course, we would all wish to have every risk governance issue solved by tomorrow, but as that is not realistic, I would argue that these three practical changes, i.e. better distributing responsibility for risk management, moving towards more agility in risk management, and integrating risk management requirements when setting up new initiatives, will help you move in the right direction. This way, Risk can become more forward-looking and value-adding, and hence enable the organisation both to stay ahead of risks and to remain relevant.

In some of my next blogs I will explore other important ways to make risk management more efficient and effective, like rationalisation and automation of the control framework, outsourcing and offshoring parts of risk management, and harnessing the power of data and technology to its full potential.
