Risk oversight is a hot topic these days – not only because it is generally recognized to be a fundamental pillar of good corporate governance but also because it is a powerful management instrument which is vital for survival in a risk landscape that is characterized by Volatility, Uncertainty, Complexity and Ambiguity (VUCA).
So what are some of the key trends and challenges that we observe when helping our clients with their Risk Management oversight?
Implementing a balanced risk management program remains a challenge for many companies. This is easy to understand in the regulated financial sector, which is facing a tsunami of risk-related regulations. But we also see this in non-regulated industries, where boards, audit committees and senior management are often reluctant to implement solid Risk Management and Internal Control systems, out of fear that doing so will negatively impact the entrepreneurship of the company, and thus its profitability. Yet, the essence of risk management is to support the achievement of the company’s objectives. A paradox indeed.
Defining a clear vision and strategy for what the organization wants to achieve with its risk and compliance functions is, in our experience, a key success factor for achieving a balanced risk management program. It requires active involvement and positioning of top management, as well as the board and committees charged with risk oversight. Risk management is a means to an end, and this should never be lost sight of.
Many organizations have several second and third line of defense functions and programs in place. However, these are often not (well) integrated, resulting in both a lack of assurance that all risks are properly addressed and costly inefficiencies due to uncoordinated risk and compliance initiatives. The main reason for this is that organizations rarely think through their Risk Target Operating Model from a global, or integrated, perspective.
We encourage organizations to take some distance from daily operations and go through the following steps:
Risk management is clearly recognized as part of good corporate governance, and various stakeholders are putting increasing pressure on organizations to have a robust risk management program.
In the financial sector, the regulator has put a strong emphasis on risk management following the financial crisis. At the same time, customer expectations are also increasing. Customers want a smooth journey when interacting with their banks, which requires “instant risk management”. However, it has become increasingly challenging for the risk function to evolve and innovate at the same pace as the front-office.
Expectations of the role of organizations in society are also increasing – from risk disclosures to transparency to ESG considerations.
We recommend clients make a risk and compliance stakeholder map, as it allows them to identify all requirements to take into account when defining their future risk and compliance model.
The risk landscape is evolving rapidly, requiring more proactive and less static approaches to risk management. Rather than a separate, annual enterprise risk management exercise, a stronger integration of risk management into management processes is required.
Risk managers are now required to be more proactive and provide insights into emerging trends and signals of change.
New risks – from cyber-attacks, the automation of processes, etc. – require new skills and resources within risk teams.
Now is a good time to fundamentally question your current risk management framework, processes, organization, tools and competences.
Organizations are realizing more and more that successful risk management programs go hand-in-hand with a proper risk culture. However, many organizations struggle to make risk culture tangible and have difficulties putting this into practice.
A number of models exist to make risk culture tangible, as well as to measure and improve it. It is just a matter of taking on the challenge.