The concept of agility is currently being extended to apply to governance and organisation, business functions such as operations, and corporate support functions such as IT and HR, but what are the implications for risk management?
During many conversations with our clients the topic of the risk management organisation of the future comes up. What will the role of risk management in the future be and what skills should the risk management professionals have in order to successfully support this role? How do we build or acquire those skills and how do we prepare our organisation for this future? Where do we start?
In this article, we set out a simple two-step approach to identifying the skills of the risk management professional of the future and highlight the options for risk leadership to build or acquire these skills.
Risk management is at a crossroads
Effective risk management means enhancing decision making to balance risk and reward as a fundamental driving force to doing business and fostering entrepreneurship. This is not just avoiding risks! Risk management is part of daily decision making and integral to the formulation and execution of strategy. A company can take too little or too much risk!
Risk management is, however, often seen as a mandatory and bureaucratic activity instead of a means to protect value, let alone to create value and encourage entrepreneurship. It is often reactive and backward looking (past and present control, costs, efficiency), and seldom forward looking (future control, continuity). Our rapidly changing world and business environments amplify this problem.
Our rapidly changing world demands a shift in skills
The business environment is changing rapidly. In a world characterised by increasing information intensity, extreme transparency and hyper-connectivity, new business models and ecosystems are emerging. Decision making and business change take place via agile approaches to enable organisations to respond to changing customer demands. Technology is transforming the workplace as processes and interactions become digitised and automated. Regulatory pressure is increasing (both in terms of complexity and volume) and there is an increased need for trust. As a result, we see an increased relevance and impact of non-financial risks, whilst risk profiles will change.
As a consequence, the composition of (risk management) jobs and required skills will shift. The key challenge for today’s risk managers is to be engaged as a credible business partner in the transition towards the new digital and agile world. In a previous article (in Dutch), we argued that risk management should reinvent itself by deepening existing skills whilst acquiring new skills for a highly digitised, innovative and agile organisation. Some of these skills are intrinsic, whilst others can be learned. In this article we elaborate on how to enhance existing and acquire new skills.
The development of skills requires a structured approach
Organisations have a number of options to build or acquire the skills they need for the future, see the table below. Risk leadership must choose the right balance of these interventions.
|Option|High level description|
|---|---|
|Learning|Developing the required skills of the existing workforce by leveraging a mix of learning interventions (from e-learnings to gamification and support tools in the workplace) strongly aligned with the changing work environment.|
|Recruitment and outplacement|Bringing in talent from outside the risk function (from other areas such as the first line or from external to the company) can help to acquire the required skills, as they bring new perspectives. Often this means letting go of people that do not match the future requirements.|
|Reallocation|Moving people around to make better use of their skills.|
|Partnerships|Gaining access to skills through collaboration with other specialised parties.|
Start with the definition of the required skills
Risk leaders should start with the definition of the required skills of the risk management professional of the future. The best way to do this is to visualise the risk manager in the future of your organisation, in two steps:
- Envisage the role of risk management and what value this brings to the business in the future (i.e. “what risk should do”).
- Identify the key skills the risk manager of the future should have: the visible and measurable capabilities to fulfil this role (i.e. “how risk should do it”).
Step 1: Envisage the role of the risk management professional of the future
We can think about the role of the risk management professional of the future by deconstructing the role into a number of dimensions (see figure 1).
Figure 1: Risk management foundation and four major developments demanding a shift in skills.
First, we have the foundational role, the circle in the centre of the diagram. This involves the core role and activities of the risk manager derived from the mandate of the risk management department within the organisation. Next, we can identify a number of major developments impacting risk management. Responding appropriately to each of these developments drives the added value of risk management to the business in the future. Each of these developments in turn demands a shift in the required skills of the risk management professional.
The table below shows for each dimension in figure 1 illustrative examples of the role of the risk manager of the future and of the business value of getting it right.
|Dimension|The role of risk managers of the future|Business value of getting it right|
|---|---|---|
|Risk Management foundation|Risk managers of the future have a good understanding of the business and a high organisational sensitivity. They effectively challenge the business proactively, guard that it operates within the risk appetite and are the gatekeepers of the risk management principles and standards.|An effective balance between value creation and value protection goals, whilst protecting reputation, guarding that the organisation operates within risk appetite by helping to avoid unnecessary risk-taking and surprises.|
|Strategic direction of the organisation|Risk managers of the future anticipate the impact of the strategic direction, translate this to enhancements to policies, procedures and techniques and embed this into the daily practice. They are driven by curiosity in order to understand the key developments in the business landscape.|Empowering the business to effectively and efficiently develop and manage their systems, products and regulatory duties within risk appetite while avoiding unnecessary cost growth as the business reaches further scale.|
|New ways of working|Risk managers of the future work seamlessly with the business and feel very comfortable in the rapidly changing business environment. They advise the business on the design and implementation of effective control environments leveraging control-by-design and compliance-by-design principles.|Increasing the pace of sustainable innovation due to a timely and effective identification and mitigation of potential risks and issues which enables faster decision making.|
|Digitisation and automation|Risk managers of the future are well versed in systems, data and disruptive technologies and stay abreast of trends in Information Technology and Data Science to ensure they can challenge and advise the business on pitfalls, risks and issues.|Leveraging insights from data exploration and modelling enabling management to take better and faster decisions based on trustable data.|
|Increasing regulatory pressure and need for trust|Risk managers of the future are strong representatives of the 2nd line of defence, working closely together with the business, legal and compliance in order to understand the impact of legal and regulatory requirements on the business and to protect the bank from unacceptable risks.|Adhering to regulatory and industry standards with regards to risk management thereby reducing the probability of fines and regulatory interventions.|
Step 2: Translate the future role into required skills
The role of the risk manager of the future needs to be translated into the skills required to be successful. These skills can be split into three categories (see figure 2).
Figure 2: Skills framework
Behaviours and soft skills
Risk managers should refrain from pursuing instruments and tools as an objective in themselves, reduce the focus on lists, registers, reports, etc., and avoid simply forcing the business to identify, document and track all possible risks they may be facing. Risk managers should build the soft skills to help manage risk and not just measure it.
Developing the right set of soft skills – the personal, emotional and social skills that allow someone to operate effectively – will be a big contributor to change.
Knowledge and application
Risk managers are not expected to be subject experts in all domains, but they do require a deep level of awareness and working knowledge of their allocated business domain and any new trends or technologies to be credible in performing their role. Control-by-design and compliance-by-design, for example, are critical components of the control environments of more digitised firms.
Most risk managers should have adequate understanding of new technologies such as blockchain, big data and analytics and artificial intelligence, the products and services the organisation offers and changing regulations. They should be involved at the start of innovations and be comfortable working in an agile environment.
Technical skills and fundamentals
This layer addresses the tools and techniques of risk management. This may include how to perform a risk assessment including how to classify and score risks and record the results.
In summary, the leaders of risk organisations must carefully plan for the future with the identification of new soft, domain and technical skills. Once the skills with tangible business value have been defined, risk leadership should perform a diagnostic assessment to understand the current level of performance and determine the skill gap that needs to be bridged.
In the next article we elaborate on the first intervention – Learning – which focuses on getting the most from existing and new staff.
About the authors:
Arjan Udding (email@example.com)
Arjan believes in the power of imagination, determination, collaboration and integrity and that this leads to sustainable progress. He enables people and organisations to anticipate the future by helping them in identifying and taking the right steps to develop and realise their vision.
Bert Omlo (firstname.lastname@example.org)
Bert is an experienced learning & development professional with many years of experience in the Financial Services industry. He adds tangible value to his clients’ businesses by designing and building effective learning programmes with a strong business focus.
Bram Onrust (email@example.com)
Bram combines extensive experience as a psychologist with a business school degree. He helps organisations to become more successful by enabling their people to work and communicate more effectively through soft skill development.
Quite often I am being approached by clients with the following request.
“The level of risk management in our organisation needs to go up, so I think my people need training. I am looking for some basic training in – for example – risk appetite, risk identification and risk assessment?”
We should stop treating training as a solution
There is a big chance that, over the course of your career, you picked a training course (or worse: you have been sent to one) that did not lead to a change in the way you worked. Although it was enjoyable and the facilitator knowledgeable, the added value of the training to the organisation was most likely limited, questionable or not known.
Still, one of the first solutions that springs to mind to help increase the performance of a team or an organisation is to send people to a training. In a way, this is not strange, since everybody has been to school and has therefore grown up with the idea that training is the way to develop oneself. This has led to a still persistent belief that learning equals training and that training is the be-all and end-all to performance improvement.
I would like to plead for a more critical approach to the use of training (and I am not alone in this; see for example Tulser 2009), because:
- learning new skills will only create value to the organisation in specific circumstances
- the value of the training needs to be expressed as results for the entire organisation
- reaping the benefits often involves a much broader set of interventions than just training
Learning itself needs to be aligned to the work environment of the professional and address his/her development needs
Let’s look at the client question above. Yes, training can be a great way to kickstart the development of new skills or improvement of existing skills. It is good practice to use regular training, for example through e-learning, to maintain a good level of risk awareness and knowledge of basic risk management principles, i.e. the risk management foundation. Also, training can be a great way to help risk managers be better prepared for their future business environments, characterised by for example new business models, shifting risk profiles, disruptive technologies, digitisation and automation, ecosystems, platforms and agile ways of working.
What often happens in practice is that old internal risk management training material is given a good dusting down and brought back to life, or standard external off-the-shelf training courses are chosen. We know, however, that the effectiveness of learning is significantly increased if the learning environment closely resembles the work environment of the professional, where the multiple skills also interact in a complex way (knowledge, application, behaviour, attitude). This is because the improvement opportunity presumably lies not so much in the knowledge of the risk management instruments themselves. It should instead be sought in the skills that enable professionals to apply the instruments within the context of the business and product domains, or in the soft skills that enable a risk manager to effectively and proactively challenge and advise the business on policy areas or risk appetite (e.g. through more emphasis on soft controls).
This means that the context within which one learns and applies these skills is a crucial factor for the success of the training. A training purely focused on the instruments most likely will not have a big impact on the organisation. The challenge is to define a solution that addresses the actual learning and development needs and appropriately reflects the work environment of the employees.
Learning new skills will only create value if a skills gap exists causing a lower performance
Developing (new) skills will only lead to added value to the organisation if the existing performance is too low because of the skills gap (knowledge, behaviour, attitude).
Senior management often wants a training without having done a solid investigation into the nature and root causes of the organisational performance issue: why is it that our risk management maturity level is not what it should be? Is it really caused by a shortage of skills or could there be other reasons? Consequently, there is a lack of understanding of what is needed to address the issue. This leads to a situation which is a breeding ground for unmet expectations and the training could prove to be a costly intervention.
To make it worse, external training providers tend to overestimate training outcomes and substitute these for value add to the organisation. They raise expectations of senior management who rely on the training being the solution to their problem and have a high likelihood of becoming disappointed since the effect of the training intervention will most likely be limited.
It is like teaching the caterpillar to fly.
Focus on evaluating the value to the business
Investigating the nature and root cause of the issue also provides essential input to the quantification of the value of the performance improvement opportunity. I am a strong advocate of measuring the business impact and value to the organisation for three reasons: 1) to improve the learning programme itself, 2) to maximize the transfer of learning into actual behaviours of the participants and tangible results, and 3) to demonstrate the value of training to the entire organisation.
Let us assume that a skills gap is indeed present and that this gap is a significant cause of the low performance of the team or the organisation. Management can then build a business case comparing the costs of doing nothing with the costs and the benefits of the training. Skipping this step, however difficult it might be, will lead to a situation where senior management clearly sees the costs of the proposed intervention, without having enough insight into the quantitative and qualitative benefits to the organisation. This obviously undermines sound decision making and makes it difficult, if not impossible, to steer management away from choosing the cheapest option.
Too often training is found to be “non-essential” and during cost reductions becomes one of the first programmes to be cut. Each time this has happened, the cases have one factor in common: the value of the programme was not evaluated at the right level.
Kirkpatrick (1994) introduced four levels of evaluating training programmes. The four steps of evaluation are:
- Step 1: Reaction – How well did the learners like the learning process?
- Step 2: Learning – What did they learn? (the extent to which the learners gain knowledge and skills)
- Step 3: Behaviour – What changes in job performance resulted from the learning process? (capability to perform the newly learned skills while on the job)
- Step 4: Results – What are the tangible results of the learning process in terms of reduced cost, improved quality, increased production, efficiency, etc.?
Often, steps 1 and 2 are where the evaluation stops. We call this the happy sheet: the participants fill out an evaluation form stating they liked the training, it was fun, the trainer was knowledgeable and, if they were motivated, they may have learned something new. What does this tell you? It may make you feel good that the participants enjoyed the training, but there are no actual results here. Therefore, this holds little meaning unless accompanied by real results.
Steps 3 and 4 are essential to demonstrate the strategic value to the organisation. Indeed, this is where you must start. If you do not know your end goal, how do you know what you need to teach? Determining upfront the expected value to the organisation – i.e. the results at level 4 – is crucial to build a solid business case, to define the performance indicators to measure benefits realisation and to prove the programme has impact.
When the resources, processes and values of the organisation are not aligned, even the best learning programme will not help
As soon as concrete skills with tangible benefits to the organisation have been determined, a diagnostic assessment can help to identify the learning and development needs of the target population. Even if we did close the existing skills gap, however, this may not necessarily lead to a higher performance, since training will not solve any other issues that may be present.
Firstly, often, multiple reasons can be identified that cause the level of risk management to be lower than desired, for example due to capacity constraints, low levels of risk awareness, lack of first line of defence ownership, ineffective processes, knowledge drain due to staff turnover, lack of clarity around roles and responsibilities etc. Some research (Deming (2000) and Rummler (2004)) even shows that approximately 80% of the organisational challenges are not caused by a shortage in skills of the employees, but due to other barriers and issues in the work environment.
Secondly, new skills need to become an integral part of the way people work and behave. This will only happen if there is ample space to put these into practice and when other barriers are removed. In other words, if the processes (ways of working, organisation, communication, etc) and values (decision making, culture, etc) do not allow employees to put the new skills into practice even the greatest learning programme will not be able to address the performance issue.
For example, one insurance company sent a group of their talented managers to a programme to boost their innovative capacity. Senior management was disappointed when nothing changed upon their return. Existing processes, structures, performance drivers and decision making were not aligned to the new way of thinking and stifled any initiatives.
Learning is the first step in a behavioural and organisational transformation
What, then, would be the best way to learn and develop these skills and how can we capture the most value from this investment? To answer this question it is important to realise that learning new skills and applying these in practice requires a fundamental change in the way we act and operate.
And changing our behaviour is very difficult.
We are often comfortable in our status quo and derive an important part of our identity – who we think we are – from what we do. If we are being asked to change the way we do things, we need to let go of a part of who we are and transition to a new – unknown – image of ourselves (a new status quo): a new identity.
This requires patience and a structured approach with a set of interventions that follow a specific order.
We generally go through several steps in a change process:
- Mindset: being open to change and having a mindset that accepts that things can be done differently
- Awareness: seeing how things can be or should be done differently – a vision of the new situation and what this means for us
- Intrinsic motivation: Recognising that it is worth making the transition – value to the organisation and – importantly – for yourself
- Ability: Learning new skills and having access to tools in support of the transition
- Opportunity: Applying the new skills and tools in practice and integrating them in day-to-day operations
The speed and duration of going through these steps vary per person. Skipping one or more of them may have a negative impact on the outcome or on the time needed for the behavioural and organisational transformation leading to the performance enhancement.
This also means that a one-off training exercise will have limited effect. Isolated classroom-based trainings are truly outdated. Learning will be more effective where the learning activities are a mix of on-the-job (online, e-learnings, microlearning available upon request of the professional) and off-the-job (traditional formal setting). This is called blended learning and it is a great way of embedding continuous learning in your organisation, which is required to solve many of today’s real life challenges.
Dominant logic and importance of mindset
The change programme will have a greater effect or will be embraced more quickly if participants themselves see that things must change. They will participate more actively if they clearly see the benefits of the transition and if these are higher than the pain of remaining in the status quo.
A key enemy of change and innovation is cultural norms, something also called dominant logic or institutionalised thinking. It is driven by the established beliefs within organisations and acts as a blinder to peripheral vision, thereby impacting openness and receptivity to new ideas and constraining creative thinking.
We need to be aware of these established beliefs and have the mindset, ability and opportunity to push ourselves to get out of our comfort zones. Senior management needs to create a positive and stimulating environment to support this transition by actively demonstrating tone-at-the-top behaviour, sponsoring, coaching and aligning governance and performance management.
Combining learning and other performance improvement initiatives – a case study
In a recent project for a large Dutch bank, we developed a learning and development programme as part of a wider initiative aimed at developing their risk professionals towards becoming risk managers of the future. An important part of the learning activities was designed to increase the knowledge of disruptive technologies and their impact on the organisation’s business models and associated risk profile.
The programme was set up in a way that even the formal training consisted of 20% listening and 80% doing. The participants were asked to identify areas for improvement in their current environment, leveraging new technologies, new skills, etc. A shortlist of ideas was chosen and further developed in teams – in an agile way. The best ideas were pitched to a panel of senior business executives (Dragons’ Den), who picked a winning idea based on several criteria, including innovative character, value to the business and ease of implementation. Senior management committed budget and resources to further develop, test, refine and roll out the idea in practice.
This example shows how developing new skills through training can go hand in hand with other performance improvement initiatives, whilst a concrete opportunity is given to the professionals to put these skills into practice.
One cannot become a butterfly by remaining a caterpillar
We should stop treating training as a solution. One has to go through a process of change which involves becoming less and less of a caterpillar while becoming more and more of a butterfly. We need to recognise that any transformation process is uncomfortable and that it takes confidence, commitment and intrinsic motivation to go through the change process and actually implement something. Management needs to understand this in order to provide the level of support needed to create a somewhat different future.
By constraining our thinking, we are limiting the potential of our people to develop, innovate and transform themselves and our organisations. Developing new skills will only create value to the organisation if a skills gap exists that causes the performance of a team or an organisation to be lower than required/expected. Often, realising tangible results for the business involves a much broader set of interventions than just training and should be viewed as a driver of organisational transformation. Tying your training to business objectives and evaluating the real results to the entire organisation is what drives success.
I will leave you with a few questions:
- How do you determine the success of your (risk management) training?
- Did you design the training/learning programme with the end in mind?
- What behaviours are you trying to change?
- What skills and knowledge are needed to accomplish this?
- How are you going to continue to support participants after the training is over?
Following the global economic crisis, financial institutions have embraced the imperative to enhance their risk management capabilities. In many cases, the maturity of hard controls needed enhancing, but, as we have seen from more recent incidents, this has not fully addressed the risk management challenges.
Banks, insurance companies and asset managers launched an extensive range of improvement programmes to redesign frameworks, policies, procedures and instruments (hard controls) to detect and mitigate potential risks. The effectiveness of hard controls to address the risk of incidents is limited however, for two reasons:
- Firstly, risk management instruments and procedures can only be effective when they are used in the right way and at the right moment.
- Secondly, research tells us that more procedures, more rules or more regulation leads to a decline in clarity and employee accountability, which in turn lowers the quality of professional judgement and commitment to living up to ethical standards.
A problematic risk culture is often found to be at the root of major incidents. ‘Risk culture’ denotes the values and beliefs about risk (and compliance) and the mindset and behaviour towards risk of individuals and groups within an organisation. It is a way of thinking and is embedded within the organisation’s DNA through core values, patterns of behaviour, involvement, empowerment, transparency and tone at the top. It determines the collective ability of an organisation to identify and understand, openly discuss, and act on the organisation’s current and future risks.
It is important to note that a strong risk culture does not imply taking as little risk as possible, but instead helps companies consciously take appropriate risks that fit the risk appetite, vision and strategy.
Risk cultures, of course, may differ per organisation and may provide a competitive edge to companies, if implemented well. As part of our recent roundtable with CROs and Senior Risk Managers, AXVECO conducted a survey on risk culture amongst 18 financial institutions to see how much and on what aspects they may be different. The results of the survey and related discussions with participants indicate that there is a wide spread in the degree to which risk culture is prioritised on the agenda within companies as well as the perceived strength of the existing risk cultures.
Since the financial crisis, supervisory scrutiny on risk culture has significantly increased. Regulators recognise that cultures may differ and see a “mono-culture as undesirable since it diminishes diversity”. The conduct authority in The Netherlands, Autoriteit Financiele Markten (“AFM”), traditionally supervises conduct and culture within Dutch financial institutions, such that they act in the best interest of customers, public interest and the effectiveness of the financial markets. Their centre of expertise has combined forces with the University of Utrecht to integrate scientific research with practical implementations. Further, the Dutch prudential authority, De Nederlandsche Bank (“DNB”), has increased its focus on culture and awareness over the years, including the establishment of a centre of expertise with professionals from governance, risk, change and organisation psychology. They perform regular onsite visits and thematic reviews to assess the appropriateness of risk cultures at financial institutions.
5 tips to help companies with making a start with developing their risk culture
Tone at the top, noise in the middle
Risk culture is a board responsibility. The behaviours and attitudes of the top executives of a company have a disproportionate impact on the risk culture of a company. The best way to start improving your risk culture as a company is therefore by making sure the top executives establish the right tone at the top. Top executives should be aware of their role model status and walk the talk to create the right risk culture awareness within their organisation. Attention should be given to instilling and growing the right culture and behaviours at the level of middle management – the top 100 or so of directors and management teams which direct business activity. Without this, the employees experience ‘noise’ as their seniors’ behaviour may differ from that desired by the board.
Communication is key
Building a strong risk culture starts with defining a clear risk vision, strategy and appetite. These set the values, beliefs and boundaries that guide the desired behaviours. What is even more important though is to communicate the risk vision, strategy and appetite very clearly and repeatedly in the organisation. Our research on risk culture points out that in 69% of the companies, senior executives drafted a risk vision, strategy and appetite, but only 39% of the companies communicated these clearly in the organisation. Consequently, the awareness amongst employees of the risk vision, strategy and appetite was relatively low (rated as sufficiently aware in 33% of the companies). The lack of awareness makes it very hard for employees to behave in the way that best suits the risk vision, strategy and appetite.
Create an adaptive organisation
An adaptive organisation is an organisation that is able to keep up with rapid changes in the environment and entrusts decision making power and associated resources to its employees. This type of organisation is the most resilient in terms of risk culture. Adaptive organisations are formed by creating an atmosphere within the company whereby employees are encouraged to speak up and challenge the way things are done. Stimulate discussion and bottom-up input and consider agile and new forms of organising change. Employees should feel free to voice their opinion and raise the alarm in case they detect undesirable risks in the company. Mistakes and failures should be used to learn from. This can be done within the organisation, but also between organisations. The platform thefailcon.com is an example of an initiative of fintech companies to organise conferences for learning from each other’s mistakes. Next to that, make sure there is an accurate system of countervailing power in place. Prevent blaming and share lessons learned throughout the organisation.
Make the risk culture explicit in the performance review process
Establishing an appropriate risk culture can be a long-term process that requires dedication of (senior) management. Even if all involved managers are sufficiently aware of the importance of building a sound risk culture, it is advisable to ensure their dedication by explicitly setting goals for risk culture. It is important to realise that an implied vision on risk culture is not enough. The perceived risk culture amongst employees might deviate from your implied vision. One can therefore think of measuring the risk awareness amongst employees or the perceived openness to challenge. By embedding these goals in the yearly performance reviews, companies can make sure risk culture will stay on the agenda of (senior) management.
Use a structured framework
Our research on risk culture indicates that many financial institutions struggle to measure their risk culture and create a transparent picture that illustrates the strengths and weaknesses of the aspects of their risk culture. Having such insight, however, provides an incredibly strong foundation for any change initiatives. A structured framework is crucial to map out the desired risk culture and to measure the perceived risk culture and the effect of risk culture optimisation initiatives. An example framework is shown below in Figure 1, consisting of four main areas and 18 sub-areas.
Since risk culture is not a static concept but evolves over time in relation to events in the organisation and in the environment of the organisation, it is necessary to assess the risk culture on a recurring basis. AXVECO’s risk culture optimisation stairway, shown in Figure 2, can serve as a basis for a cycle of continuous improvement.
Figure 1 – AXVECO risk culture framework.
Figure 2 – AXVECO risk culture optimisation stairway.
Initiatives to align the risk culture with the organisation’s risk vision, strategy and appetite are a smart investment since they can help companies reach their strategic goals and prevent expensive scandals and incidents. Next to that, we have seen a heightened focus from regulators on companies’ risk cultures. Therefore there are enough reasons to start improving your organisation’s risk culture. The 5 abovementioned tips give a starting point for building a sound risk culture.
Katz-Navon (2005), Knights & Collinson (1987), Grandpre, Alvaro, Burgoon, Miller & Hall (2003)
 See for example the very recent publication: Gedrag en Cultuur in de Nederlandse financiële sector.