Risk Functions Must Be Reimagined

Authors

Kevin Smout | Global Lead Partner for Governance, Risk & Assurance Services and a Partner in the Risk Strategy & Technology team | KPMG

Zoe Willis | Data and analytics, Partner, Risk Strategy & Technology | KPMG

 

It’s time for risk to be the responsibility of the whole business, with consideration of the board’s risk appetite, business sustainability, engaging data, and the right technology all vital.

Risk functions have evolved, and in many cases, into structurally separate functions from front line decision making.

Even in mature businesses in which risk and reward are considered together in making initial strategic and investment decisions, the ongoing risk and compliance processes almost always sit separately from the front line.

With the breakdown of public trust across many industries, the reaction from politicians and regulators is to increase oversight, regulations and compliance. The impact is increased costs, and often, an increasing divide between the risk management profession and the operations of the business.

To regain trust, the board, management and operations have to align on risk – in a cost effective efficient manner.

To achieve this, it is vital to evolve the way organisations identify, manage and report on risk. The key is to seize the opportunity in risk, and find value in each risk decision to create sustainable businesses that maintain or regain community trust.

In reimagining the risk business function and processes, organisations need to utilise emerging technology and increasing visibility and use of data so that there is ‘one source of truth’ used for business information, second line of defence compliance and reporting, and also for internal and external assurance.

A holistic approach to risk

To effectively manage risk, organisations need to look holistically at how a board structures its governance and incentivises its management to achieve the business’s purpose.

To achieve the right outcomes the following key steps need to be carefully considered:

What is the organisation’s risk appetite?

‘Risk appetite’ starts at the top. This is where acceptable risk levels in achieving outcomes of shareholder return or service levels need to be set and communicated. The risk levels should be tested through scenarios and workshops to ensure the messages are consistently understood throughout the business.

Remuneration, incentives, KPIs, operations and processes should be reviewed and tested to achieve alignment throughout the business with the board’s view of how the business should be run. This should also translate to a well understood risk culture.

What is the longer term view?

Despite the mandate for regular short-term reporting to capital markets, and short-termism in how results are linked to annual rewards, short-term KPIs can see organisations make decisions that impact sustainability. Determining the appropriate remuneration, reward metrics and KPIs based on a sustainable business model is crucial, or organisations can lose their social licence to operate.

Who is responsible for risk management?

Risk should not seen as only the responsibility of a risk or compliance individual. Risk and the achievement of the required business outcome or return should be all executives’ responsibility. The front line should remain responsible for risk management, and this should include operational risk. 

Equally, if risk functions are to be valued business partners, the business goals should always be considered when managing risk and risk reporting. Ensuring a risk aware culture exists across the business is an ongoing business process requiring education, training and support from the top.

What is the best technology platform?

Meeting regulatory and compliance requirements, linked to corporate level risks, and to the board-led strategic and emerging risks, is not possible in an efficient way without the use of technology. 

The right risk governance and compliance (GRC) technology should enable the governance process, shorten the time between incident reporting and executive awareness, allow trending risks to be identified, and provide insight for management and the board – while keeping a pulse on any new compliance requirements or emerging risks. 

How can data play a role?

Good quality data is at the heart of achieving the previous considerations. Governance over data management is critical in ensuring it is accurate, reliable, and ethical (in other words, as free from bias as possible). Data retention must meet the local, and in many cases EU GDPR, requirements.

Evolving risk maturity

Organisations need to consider the investment needed to bring data to the fore so that can be used to drive risk planning, as well as second and third lines of defence activities. The decision must connect to the business’s risk appetite.

So how does a business measure its risk maturity, and decide the approach and investment required in maturing its risk processes?

To help, KPMG has developed Risk Hub, an innovative data and technology solution that helps organisations to seize the opportunity in risk management.

Risk Hub enables organisations to perform a maturity assessment of their governance, enterprise risk management, or risk and compliance processes, then determine where they would like to mature or evolve. KPMG can then support organisations with any aspect of the risk management process needed.

An innovative technology approach

Risk Hub draws on KPMG’s deep global insights into risk analysis and prediction, as well as understanding processes across functions and industries. It is designed to bring strategy and risk together in the one place, and make obvious the connection between risk and day-to-day business operations.

The platform enables all relevant data to be drawn together, analysed and visualised to give leadership insights and fast understanding of known and previously unforseen risks, helping to facilitate stronger risk-based planning and decision making.

Risk Hub’s artificial intelligence (AI) capabilities can undertake continual scanning, analysis and hypothesis generation of an organisation’s risk profile. Automation and machine learning capabilities enable regulatory compliance requirements to be fulfilled – saving the time and cost of manual handling and freeing people up to focus on higher value tasks.

As part of a holistic approach to risk, the KPMG team can support the implementation of the Risk Hub technology, along with the necessary change management, and data integration, to help get the best results.

For ongoing support, KPMG can also offer an end-to-end managed services solution for risk, which utilises two propriety risk technology solutions and a global alliance with IBM Watson.

Risk becomes an opportunity

Rather than having a ‘retrospective’ or ‘defensive’ approach to risk management, KPMG’s reimagined approach brings risk back to the front line and helps organisations be proactive or on the ‘offensive’. Being on the ‘offensive’ means spotting potential risks early, having useful and relevant data, gaining early insights and making good strategic decisions to achieve better business outcomes.

Reimagining and reposition risk helps align strategy and risk appetite set at top levels of a business. Then through embracing technology and the use of quality data a business sets the foundations for risk management to become a real value add and opportunity. This holistic, proactive and technology driven approach has vast benefits for the organisation, customers, staff, shareholders and the community in which it operates.

Read our short publication on how organisations can evolve the risk business function and processes to identify, manage and report on risk.

For further reading, refer to the AFR Special Report: Risk Reimagined which provides commentary on a recently held AFR roundtable which KPMG hosted considering the evolving nature of the risk function.

Comments

I am surprised this article hasn't drawn more responses. One aspect that is different and interesting is the use of AI for scanning and automation to deal with regulatory and compliance requirements.