2.1. Back to basics. Research from the Rotterdam School of Management, Erasmus University in combination with KPMG, shows that knowing the business and being able to conceptualize how new digital technologies can impact businesses, continues to be a key ability hindering digital transformation for organizations. This is why risk functions should primarily invest human capital in the fundamental understanding of digital technologies and software and how it impacts the risk domain, before the training on tooling etc. If not, management may very well find that the return on investment in technical tools is not met, as the utilization of said tools is not applied to actual use cases. If you think about it, digital solutions are developed primarily with a focus on the ease of use, placing more emphasis on users identifying the opportunity for application than the ability to function it.
2.2. Innovation and risk culture. Once a task force is established, the next stage is implementation. The goal is to create a balanced and open culture, that promotes new ideas to morph organically before any noteworthy or excessive investments are made. This ideally fosters a safe environment with which to experiment and successfully 'fail'.
Risk and control functions should focus on laying the foundations to sustain an innovation culture within, through collaboration with the business. The risk function should motivate a risk awareness culture back to the business by organizing virtual (i.e. during the COVID-19 pandemic) innovation sessions with members from different areas of the business. This ensures that risk functions heighten the awareness and importance of risk back to the first line, and in turn bring innovative ideas back to risk and control. This should include not only cross functional collaboration to ensure perspectives of business risks are taken into account, but also knowledge sharing with and from external parties. Using web-based software, a 'crowdsourced' innovation funnel can foster the collection, validation and collaboration on ideas generated from the risk and control domain and even the business.
2.3. Dedicated task force for risk and control. Managing an innovation agenda should be in the hands of a small, accountable and intrinsically motivated task force within the risk management function that understands the needs and ever changing risks businesses are faced with, but focused on innovative ways to improve and add value to the organization. For example, research shows that 71% of organizations regarded as 'Digital Leaders' have designated innovation champions within the internal audit function.
For risk functions, this kind of dedicated task force should be granted a level of autonomy that fosters speed and agility within the broader boundaries of the organization's technology governance policies and procedures. Additionally, they nurture a safe environment for which new ideas can be generated. This task force should establish a reliable relationship with the internal digital and development functions of the organization, to facilitate and support the risk function's digital strategy. Ultimately the task force can be considered as dedicated facilitators or coordinators of the overall innovation agenda and digital strategy.
2.4. Diversity. Inviting rotational or temporary guests into the risk function can offer unique outside-in perspectives, efficient access to key and reliable information, and also bring skill sets not typically accustomed to traditional risk professionals. A robust rotational/swap program will further contribute to innovation in the risk domain and challenge the status quo. On a more permanent role, management should consider hiring people who do not present the profile of a typical risk consultant/officer, but instead people with a forward thinking mindset, has a proficient grasp of the organization's business.