Emerging risks such as climate risk reveal the lacking strategic perspective of today's risk functions within financial institutions. The rise of ESG in financial services necessitates the transition from a "control function" to a business partner. The key to this process is the definition of a risk strategy.
Sustainability risks – and first and foremost climate risks – are top of mind for prudential and conduct regulators worldwide. Indeed, as the WEF's 2022 Global Risk Report shows (once more), environmental risks such as climate action failure, biodiversity loss, extreme weather remain the top risk for global businesses in the short, medium and long term.
However, sustainability risks are difficult to deal with because they are hard to quantify (due to the lack of underlying data and recognized methodologies) or have very long-term impacts. More importantly, it is commonly acknowledged that sustainability risks do not constitute a risk category of their own but crystallize across the "traditional" risk categories, thus raising several governance questions within financial institutions. Finally, the modelling of sustainability risks such as climate risk relies on the definition of a few risk/climate scenarios that are applied consistently across the firm.
What is the challenge?
It is fair to say that in most financial institutions the challenges above have been laying bare some fundamental shortcomings in the risk management functions that need to be addressed decisively, not only to ensure compliance but also to support a firm’s future growth ambitions.
Here are a few common examples of such shortcomings:
- Siloed structure: risk management usually operates in siloes along the different risk categories as well as from a legal entity perspective (which often has legitimate regulatory reasons). This leads to the business often having to seek approval on the same matter from different people with different standards.
- Focused on framework: within the siloes, risk managers often develop their own frameworks, methodologies, and scenarios, and have specialized technical backgrounds without in-depth understanding of the operational business. This can result in a mechanical and rules-based perspective on the firm's risk landscape.
- Inconsistent perspective on the firm's overall risk exposure: the different approaches and KPIs to manage the various risks make it not only difficult to see a firm's consolidated risk landscape (considering that different risk types are inherently hard to compare) but also to put it into context with the firms strategic ambitions.
- Legacy technology: the technological setup of many risk functions mirrors its siloed structure with no common database or digital reporting tools, which makes it very difficult to expediently display and manage dynamic and interconnected risks such as climate risks.
What does good look like?
Firms are increasingly looking for a more strategic approach to risk management without impairing its independence as second line of defense. A few recurring themes are arising that characterize an evolved risk management function:
- Central to business strategy: the risk function and risk management are a standing Board level topic and embedded in all strategic decisions, such as new products, new technology, alliances or outsourcing.
- Attuned to helping management meet their objectives: the risk manager is a senior, multi-disciplined partner providing effective challenge and support on eye level with the business.
- Value adding: better and more connected use of technology to enable risk owners to target their efforts on the management of key risks.
- Technology-enabled: a firm-level risk strategy function defines the current and target risk profile of the firm using real-time data and digital dashboards.
How do we get there?
Evolving a risk function towards this future ambition can be a complex undertaking. The following key steps are essential to a successful transformation
- Define risk function strategy: a firm's purpose or vision is the basis on which strategic objectives are defined, along with a respective target risk profile. The risk profile should be underpinned with risk appetite statements, a robust framework and taxonomy as well as clear metrics to allow the management to monitor the amount of risk it is willing to accept in pursuit of the organizational objectives.
- Self-assess skills and capabilities: ensure your risk function is credible and positioned to add to the dialogue around strategic change. This implies a need for action on several fronts, such as hiring, training and career development – there is a fight for talent around technology, digital, ESG and reputation risk skill sets.
- Define roles and responsibilities: define and agree the role of the risk function within the business planning cycle – set out chronologically and map out check points for risk management-facilitated discussions on key strategic initiatives.
- Enhance risk management technologies: make better use of available technologies, visualization tools and dashboarding to support senior decisions on strategic risk. Invest into emerging risks, horizon scanning and stress testing capabilities to support better conversations on long-term implications of strategic decisions.