It is evident that innovation has been perceived as a key discussion in many organizations. The topic has led to the set-up of corporate-wide transformation projects with the aim of spurring a culture of innovation among employees. The importance of having an innovative culture is also reflected on many organizations' risk assessment exercises, where innovation and digitalization are consistently ranked within top-20 topics that the board needs to pay attention to. As the role of the risk function becomes subject of interest, how should risk professionals position themselves to make their unit more innovative and collectively add value to the whole innovation trajectory?
Innovation risk's correlation and implication to risk management functions
The term innovation risk covers multiple dimensions of the innovation process itself – ranging from the operational and commercial to the financial aspect. The term predominantly focuses on the feasibility of the idea, triggered by the question of a failure probability of a new product or service. It also entails an organization's failure to promote and facilitate innovation culture among its employees.
The successful implementation of the whole organization's innovation agenda is driven by various types of corporate units – which is not limited to the product development and operations team alike. Other key driving forces, such as risk management functions, have increasingly become prominent in the realization of the corporate goals. As such, the risk function should also reshape and innovate in order to stay relevant and contribute to the corporate-wide innovation agenda.
It is worth remembering that risk professionals run a holy mission; to help organizations effectively identify, assess and manage risks. By switching our perspective to the systemic view of risk, we would be able to understand that innovation is strongly connected to different risk domains within an organization's risk landscape:
- The organization's decision to innovate has a correlation with competition risk i.e. the organization's ability to compete with other organizations in the market. The world is changing rapidly and to grasp the initiative in the market, the organization needs to response quickly and in an innovative way. The failure of innovation would endanger the leading position of the organization. However, without a healthy internal environment, the organization might be unable to operate stably to realize its innovation strategy at the starting point.
- Innovation risks can also be observed to be highly associated with HR-related risks – essentially highlighting the organization's capability to attract and retain talent with an innovative mind set. Innovation risks can be triggered by insufficient human capacity, unclear innovation ambitions, limited (financial) support, low motivation and other human factors resulting from an unhealthy organization innovation culture. As to Miles-Snow Model, Prospector and Analyser are keen to innovation than Reactor or Defender, where the latter two are less open and supportive towards innovative culture and ideas.
- Innovation might form a risk cluster with other risks such as Reputation that collectively pose a significant, catastrophic threat to the organization. Risk management functions and assurance providers alike have to expand their knowledge base and to innovate in order to help the organization.
For their strategic role and knowledge of the organization's ever changing risk landscape, risk management professionals are obliged to get themselves aligned and actively involved in helping the innovation agenda, processes and strategy. What steps do risk management functions need to take to innovate their role and service offerings to the business?
1. Risk professionals should create a clear and realistic vision of an innovative risk function
Despite not being typically known as a catalyst to innovate or expected to digitally transform an organization's business model, risk functions should at least align to the corporate-wide digital transformation goals of the organization. The functions need to define an ambition that supports the business, yet maintaining the objectives and KPIs of a risk assurance function. Here risk functions can leverage off KPMG's Five Steps for tackling culture framework to approach complex transformations and programs.
1.1. Make it Clear – Make it Known. To define the ambition for a complex project, risk functions should consider the first 2 steps from the KPMG People and Change model - Make it clear and Make it known. In other words, risk functions should ask themselves why the ambition is required? And what is the desired critical behavior for themselves? This vision should be formalized and communicated within the risk functions and across the company, as a statement and commitment to stay relevant and contribute to the innovation agenda.
Moreover, the ambition which the risk function defines, ought to align with the Three Horizons model: Investing 70% of its resources optimizing or leveraging existing software and tooling, and training, 20 % should be allocated to developing or adopting more advanced technological tools that enable risk functions to enhance its service to the business, such as continuous auditing platforms. Lastly, the remaining 10% should be designated to developing new innovative ways of providing risk assurance using disruptive digital technologies such as Big Data Analytics software and Intelligent Automation tools. A Steering Group combined with independent stakeholders should meet regularly to maintain focus on the goals and objectives, but also to adapt and flex to the often faster changing risk and digital landscape.
1.2. Make it Stick. During the implementation, risk functions can continue monitoring if the team sustains the environment and behaviors for innovation, via surveys or open group feedback to maintain focus on the ambition at hand.
2. Identify capabilities within the risk management functions
2.1. Back to basics. Research from the Rotterdam School of Management, Erasmus University in combination with KPMG, shows that knowing the business and being able to conceptualize how new digital technologies can impact businesses, continues to be a key ability hindering digital transformation for organizations. This is why risk functions should primarily invest human capital in the fundamental understanding of digital technologies and software and how it impacts the risk domain, before the training on tooling etc. If not, management may very well find that the return on investment in technical tools is not met, as the utilization of said tools is not applied to actual use cases. If you think about it, digital solutions are developed primarily with a focus on the ease of use, placing more emphasis on users identifying the opportunity for application than the ability to function it.
2.2. Innovation and risk culture. Once a task force is established, the next stage is implementation. The goal is to create a balanced and open culture, that promotes new ideas to morph organically before any noteworthy or excessive investments are made. This ideally fosters a safe environment with which to experiment and successfully 'fail'.
Risk and control functions should focus on laying the foundations to sustain an innovation culture within, through collaboration with the business. The risk function should motivate a risk awareness culture back to the business by organizing virtual (i.e. during the COVID-19 pandemic) innovation sessions with members from different areas of the business. This ensures that risk functions heighten the awareness and importance of risk back to the first line, and in turn bring innovative ideas back to risk and control. This should include not only cross functional collaboration to ensure perspectives of business risks are taken into account, but also knowledge sharing with and from external parties. Using web-based software, a 'crowdsourced' innovation funnel can foster the collection, validation and collaboration on ideas generated from the risk and control domain and even the business.
2.3. Dedicated task force for risk and control. Managing an innovation agenda should be in the hands of a small, accountable and intrinsically motivated task force within the risk management function that understands the needs and ever changing risks businesses are faced with, but focused on innovative ways to improve and add value to the organization. For example, research shows that 71% of organizations regarded as 'Digital Leaders' have designated innovation champions within the internal audit function.
For risk functions, this kind of dedicated task force should be granted a level of autonomy that fosters speed and agility within the broader boundaries of the organization's technology governance policies and procedures. Additionally, they nurture a safe environment for which new ideas can be generated. This task force should establish a reliable relationship with the internal digital and development functions of the organization, to facilitate and support the risk function's digital strategy. Ultimately the task force can be considered as dedicated facilitators or coordinators of the overall innovation agenda and digital strategy.
2.4. Diversity. Inviting rotational or temporary guests into the risk function can offer unique outside-in perspectives, efficient access to key and reliable information, and also bring skill sets not typically accustomed to traditional risk professionals. A robust rotational/swap program will further contribute to innovation in the risk domain and challenge the status quo. On a more permanent role, management should consider hiring people who do not present the profile of a typical risk consultant/officer, but instead people with a forward thinking mindset, has a proficient grasp of the organization's business.
3. Similar to the business, Risk Functions also need to evolve over time
As businesses continue to make further strides into the digital age, developing technologically innovative products and services more accessible, customer centric and secure, risk functions are challenged to add value and keep up with the rest of the organization in the same manner. Risk functions need to dedicate time to challenge themselves and ask: What risk management related activities are currently being performed and how could we tailor them to help the business responding to drastic changes in the business landscape?
The current COVID-19 pandemic is, albeit a very relevant one, only an example of such a scenario. Teams within the risk function can hold all-inclusive (team size will vary) sessions, which unlock opportunities to break out of the status quo and think outside of the box. These sessions should focus on developing new propositions brought to the business, which would stand the test of time 5-10 years ahead, and not only focus on the present state of the business or economy.
Manager | Internal Audit Risk and Compliance Services
Manager | GRC and Enterprise Risk Management Services
Consultant | Internal Audit Risk and Compliance Services