The seven ingredients of risk transformation

Do you have the answers to questions such as: how the risk organisation is governed? Whom does it serve? How can it increase its attention to new and emerging risks, contribute to business decision making and enable strategy execution? How does it manage costs? How can it use technology and data analytics to enable this change and stay relevant?

These are the seven things to start with, or the seven ingredients to cook up a good risk transformation:

1. Renew your risk taxonomy

Societal and environmental developments have rendered the conventional risk taxonomy outdated. Our rapidly changing world has resulted in a wide range of new and emerging risks. This calls for a more forward-looking risk taxonomy and risk appetite framework in which new risks - e.g. cyber and technology risk, conduct and behavioural risk, environmental and climate risk - are fully integrated. I believe that these emerging risks are insufficiently captured by today’s risk management frameworks.

2. Restructure risk management

The organisational structure of the risk function needs to reflect the renewed risk taxonomy. Looking at the typical org chart of today’s risk functions, these are outdated and do not properly reflect the main risks your organisation will have to deal with. Risk management needs to be far more integrated into the first line of defense. Processes in the first line need to be reshaped to adequately reflect risk management requirements and build in first line controls, achieving what  I call ‘risk management by design’.

3. Transform your workforce

Changing times and new risk types also require a different skill set. Organisations need to staff their risk functions - traditionally the domain of people with a financial economic or internal control profile - with professionals of different backgrounds and with new expertise, e.g. technology and data analytics, human behaviour, climate change. People who understand the dynamics between risk and business, who look across the silos of an organisation, and understand increasing correlations between various risk types.

4. Align risk with strategy, purpose and values

The biggest risk is not taking risk. In order to remain relevant and resilient in a fast changing environment, risk management needs to be more aligned with the strategy, purpose and values of your business, rather than solely aiming at compliance with laws and regulations. Successful businesses will be those with a risk function that guides organisations to take risk responsibly. This way, Risk can become a true partner in strategic decision making, with your purpose, your customers and society in mind.

5. Outsource and offshore risk management

Do what you do best and let others do the rest. With cost-effectiveness high on the agenda, a widely used practice is to engage third parties to take on parts of the risk and control activities. Especially those that can be rationalised, standardised and automated. Outsourcing to specialised service delivery centers within or outside your own organisation will not only reduce cost but also increase quality. Offshoring to more cost-effective locations will free up even more cash to invest in building your future-proof risk management.

6. Rationalise your control framework

To respond to regulatory scrutiny and mitigate all risks, more and more controls have been piled on to the internal control framework. And none have been taken out. The increasing number of procedures, checklists and sign-offs has led to a complicated, burdensome and expensive control environment. We need to take a fresh look at this. My hypothesis is that you can simplify or even switch off a large percentage of controls without losing significant risk mitigating effects. Less might very well be more.

7. Harness the power of technology and data

Data will talk if you are willing - and able - to listen. I believe risk management needs to operate in a more predictive, preventive and proactive manner and make the most of next-generation technologies and data to create better insights. Automation, advanced analytics and quantitative modelling can enable more accurate and timely identification, assessment and quantification - and hence mitigation - of risks. It will help you to get a grip on risks relating to human behaviour, technology and cyber threats, and the impact of climate change.

In the upcoming weeks, together with some of my PwC colleagues, we will crack these seven challenging nuts one by one and elaborate on how you can make risk transformation happen. Before we do that however, my next blog will explore how you can invest in a transformational journey whilst being under pressure to cut costs in the short term. Stay tuned.

Read also part 1 of this blog series:

• Reimagine risk