It’s time for risk to be the responsibility of the whole business, with consideration of the board’s risk appetite, business sustainability, engaging data, and the right technology all vital.
Risk functions have evolved, and in many cases, into structurally separate functions from front line decision making.
Even in mature businesses in which risk and reward are considered together in making initial strategic and investment decisions, the ongoing risk and compliance processes almost always sit separately from the front line.
With the breakdown of public trust across many industries, the reaction from politicians and regulators is to increase oversight, regulations and compliance. The impact is increased costs, and often, an increasing divide between the risk management profession and the operations of the business.
To regain trust, the board, management and operations have to align on risk – in a cost effective efficient manner.
To achieve this, it is vital to evolve the way organisations identify, manage and report on risk. The key is to seize the opportunity in risk, and find value in each risk decision to create sustainable businesses that maintain or regain community trust.
In reimagining the risk business function and processes, organisations need to utilise emerging technology and increasing visibility and use of data so that there is ‘one source of truth’ used for business information, second line of defence compliance and reporting, and also for internal and external assurance.
To effectively manage risk, organisations need to look holistically at how a board structures its governance and incentivises its management to achieve the business’s purpose.
To achieve the right outcomes the following key steps need to be carefully considered:
‘Risk appetite’ starts at the top. This is where acceptable risk levels in achieving outcomes of shareholder return or service levels need to be set and communicated. The risk levels should be tested through scenarios and workshops to ensure the messages are consistently understood throughout the business.
Remuneration, incentives, KPIs, operations and processes should be reviewed and tested to achieve alignment throughout the business with the board’s view of how the business should be run. This should also translate to a well understood risk culture.
Despite the mandate for regular short-term reporting to capital markets, and short-termism in how results are linked to annual rewards, short-term KPIs can see organisations make decisions that impact sustainability. Determining the appropriate remuneration, reward metrics and KPIs based on a sustainable business model is crucial, or organisations can lose their social licence to operate.
Risk should not be seen as only the responsibility of a risk or compliance individual. Risk and the achievement of the required business outcome or return should be all executives’ responsibility.
Equally, if risk functions are to be valued business partners, the business goals should always be considered when managing risk and risk reporting. Ensuring a risk aware culture exists across the business is an ongoing business process requiring education, training and support from the top.
The front line should remain responsible for risk management, and this should include operational risk.
Meeting regulatory and compliance requirements, linked to corporate level risks, and to the board-led strategic and emerging risks, is not possible in an efficient way without the use of technology.
The right risk governance and compliance (GRC) technology should enable the governance process, shorten the time between incident reporting and executive awareness, allow trending risks to be identified, and provide insight for management and the board – while keeping a pulse on any new compliance requirements or emerging risks.
Good quality data is at the heart of achieving the previous considerations. Governance over data management is critical in ensuring it is accurate, reliable, and ethical (in other words, as free from bias as possible). Data retention must meet the local, and in many cases EU GDPR, requirements.
Organisations need to consider the investment needed to bring data to the fore so that can be used to drive risk planning, as well as second and third lines of defence activities. The decision must connect to the business’s risk appetite.
So how does a business measure its risk maturity, and decide the approach and investment required in maturing its risk processes?
To help, KPMG has developed two innovative offerings Risk Hub our Risk as a Service platform and Powered Risk for enterprise risk transformation to help organisations seize the opportunity in risk management.
Our offerings enable organisations to perform a maturity assessment of their governance, enterprise risk management, or risk and compliance processes, then determine where they would like to mature or evolve. KPMG can then support organisations with any aspect of the risk management process as needed.
Risk Hub draws on KPMG’s deep global insights into risk analysis and prediction, as well as understanding processes across functions and industries. It is designed to bring strategy and risk together in the one place, and make obvious the connection between risk and day-to-day business operations.
KPMG's Risk Hub, our managed service enables all relevant data to be drawn together, analysed and visualised to give leadership insights and fast understanding of known and previously unforeseen risks, helping to facilitate stronger risk-based planning and decision making.
Risk Hub’s artificial intelligence (AI) capabilities can undertake continual scanning, analysis and hypothesis generation of an organisation’s risk profile. Automation and machine learning capabilities enable regulatory compliance requirements to be fulfilled – saving the time and cost of manual handling and freeing people up to focus on higher value tasks.
Our Powered Risk transformation offering is supported by industry leading GRC platforms including ServiceNow and MetricStream leveraging all the features these platforms provide. Powered Risk provides pre-configured and tested solutions aligned to KPMG's experience across the world using the latest technology and leading practice. These solutions are flexible and are able to be modified to meet the specific demands and requirements of the organisation.
Rather than having a ‘retrospective’ or ‘defensive’ approach to risk management, KPMG’s reimagined approach brings risk back to the front line and helps organisations be proactive or on the ‘offensive’. Being on the ‘offensive’ means spotting potential risks early, having useful and relevant data, gaining early insights and making good strategic decisions to achieve better business outcomes.
Reimagining and reposition risk helps align strategy and risk appetite set at top levels of a business. Then through embracing technology and the use of quality data a business sets the foundations for risk management to become a real value add and opportunity. This holistic, proactive and technology driven approach has vast benefits for the organisation, customers, staff, shareholders and the community in which it operates.
Read our summary on how organisations can evolve the risk business function and processes to identify, manage and report on risk.