Posts

Building risk management skills for the future – where to start?

During many conversations with our clients the topic of the risk management organisation of the future comes up. What will the role of risk management in the future be and what skills should the risk management professionals have in order to successfully support this role? How do we build or acquire those skills and how do we prepare our organisation for this future? Where do we start?

In this article, we set out a simple two-step approach to identifying the skills of the risk management professional of the future and highlight the options for risk leadership to build or acquire these skills.

Risk management is at a crossroads

Effective risk management means enhancing decision making to balance risk and reward as a fundamental driving force to doing business and fostering entrepreneurship. This is not just avoiding risks! Risk management is part of daily decision making and integral to the formulation and execution of strategy. A company can take too little or too much risk!

Risk management is, however, often seen as a mandatory and bureaucratic activity instead of a means to protect value, let alone to create value and encourage entrepreneurship. It is often reactive and backward looking (past and present control, costs, efficiency), and seldom forward looking (future control, continuity). Our rapidly changing world and business environments amplify this problem.

Our rapidly changing world demands a shift in skills

The business environment is changing rapidly. In a world characterised by increasing information intensity, extreme transparency and hyper-connectivity, new business models and ecosystems are emerging. Decision making and business change take place via agile approaches to enable organisations to respond to changing customer demands. Technology is transforming the workplace as processes and interactions become digitised and automated. Regulatory pressure is increasing (both in terms of complexity and volume) and there is an increased need for trust. As a result, we see an increased relevance and impact of non-financial risks, whilst risk profiles will change.

As a consequence, the composition of (risk management) jobs and required skills will shift. The key challenge for today’s risk managers is to be engaged as a credible business partner in the transition towards the new digital and agile world. In a previous article (in Dutch), we argued that risk management should reinvent itself by deepening existing skills whilst acquiring new skills for a highly digitised, innovative and agile organisation. Some of these skills are intrinsic, whilst others can be learned. In this article we elaborate on how to enhance existing and acquire new skills.

The development of skills requires a structured approach

Organisations have a number of options to build or acquire the skills they need for the future, see the table below. Risk leadership must choose the right balance of these interventions.

 

| Option | High level description |
| --- | --- |
| Learning | Developing the required skills of the existing workforce by leveraging a mix of learning interventions (from e-learnings to gamification and support tools in the workplace) strongly aligned with the changing work environment. |
| Recruitment and outplacement | Bringing in talent from outside the risk function (from other areas such as the first line or from external to the company) can help to acquire the required skills, as they bring new perspectives. Often this means letting go of people that do not match the future requirements. |
| Reallocation | Moving people around to make better use of their skills. |
| Partnerships | Gaining access to skills through collaboration with other specialised parties. |

 

Start with the definition of the required skills

Risk leaders should start with the definition of the required skills of the risk management professional of the future. The best way to do this is to visualise the risk manager in the future of your organisation, in two steps:

  1. Envisage the role of risk management and what value this brings to the business in the future (i.e. “what risk should do”).
  2. Identify the key skills the risk manager of the future should have: the visible and measurable capabilities to fulfil this role (i.e. “how risk should do it”).

Step 1: Envisage the role of the risk management professional of the future

We can think about the role of the risk management professional of the future by deconstructing the role into a number of dimensions (see figure 1).

Figure 1: Risk management foundation and four major developments demanding a shift in skills.

First, we have the foundational role, the circle in the centre of the diagram. This involves the core role and activities of the risk manager derived from the mandate of the risk management department within the organisation. Next, we can identify a number of major developments impacting risk management. Responding appropriately to each of these developments drives the added value of risk management to the business in the future. Each of these developments in turn demands a shift in the required skills of the risk management professional.

 

The table below shows for each dimension in figure 1 illustrative examples of the role of the risk manager of the future and of the business value of getting it right.

| Dimension | The role of risk managers of the future (illustrative examples) | Business value (illustrative examples) |
| --- | --- | --- |
| Risk Management foundation | Risk managers of the future have a good understanding of the business and a high organisational sensitivity. They effectively challenge the business proactively, guard that it operates within the risk appetite and are the gatekeepers of the risk management principles and standards. | An effective balance between value creation and value protection goals, whilst protecting reputation, guarding that the organisation operates within risk appetite by helping to avoid unnecessary risk-taking and surprises. |
| Strategic direction of the organisation | Risk managers of the future anticipate the impact of the strategic direction, translate this to enhancements to policies, procedures and techniques and embed this into the daily practice. They are driven by curiosity in order to understand the key developments in the business landscape. | Empowering the business to effectively and efficiently develop and manage their systems, products and regulatory duties within risk appetite while avoiding unnecessary cost growth as the business reaches further scale. |
| New ways of working | Risk managers of the future work seamlessly with the business and feel very comfortable in the rapidly changing business environment. They advise the business on the design and implementation of effective control environments leveraging control-by-design and compliance-by-design principles. | Increasing the pace of sustainable innovation due to a timely and effective identification and mitigation of potential risks and issues which enables faster decision making. |
| Digitisation and automation | Risk managers of the future are well versed in systems, data and disruptive technologies and stay abreast of trends in Information Technology and Data Science to ensure they can challenge and advise the business on pitfalls, risks and issues. | Leveraging insights from data exploration and modelling enabling management to take better and faster decisions based on trustable data. |
| Increasing regulatory pressure and need for trust | Risk managers of the future are strong representatives of the 2nd line of defence, working closely together with the business, legal and compliance in order to understand the impact of legal and regulatory requirements on the business and to protect the bank from unacceptable risks. | Adhering to regulatory and industry standards with regards to risk management thereby reducing the probability of fines and regulatory interventions. |

 

Step 2: Translate the future role into required skills

The role of the risk manager of the future needs to be translated into the skills required to be successful. These skills can be split into three categories (see figure 2).

Figure 2: Skills framework

Behaviours and soft skills
Risk managers should refrain from pursuing instruments and tools as objectives in themselves, reduce the focus on lists, registers, reports, etc., and avoid simply forcing the business to identify, document and track all possible risks it may be facing. Risk managers should build the soft skills to help manage risk and not just measure it.

Developing the right set of soft skills – the personal, emotional and social skills that allow someone to operate effectively – will be a big contributor to change.

Knowledge and application
Risk managers are not expected to be subject experts in all domains, but they do require a deep level of awareness and working knowledge of their allocated business domain and any new trends or technologies to be credible in performing their role. Control-by-design and compliance-by-design, for example, are critical components of the control environments of more digitised firms.

Most risk managers should have adequate understanding of new technologies such as blockchain, big data and analytics and artificial intelligence, the products and services the organisation offers and changing regulations. They should be involved at the start of innovations and be comfortable working in an agile environment.

Technical skills and fundamentals
This layer addresses the tools and techniques of risk management. This may include how to perform a risk assessment including how to classify and score risks and record the results.

Summary

In summary, the leaders of risk organisations must carefully plan for the future with the identification of new soft, domain and technical skills. Once the skills with tangible business value have been defined, risk leadership should perform a diagnostic assessment to understand the current level of performance and determine the skill gap that needs to be bridged.

In the next article we elaborate on the first intervention – Learning – which focuses on getting the most from existing and new staff.

 

About the authors:

Arjan Udding (audding@axveco.com)
Arjan believes in the power of imagination, determination, collaboration and integrity and that this leads to sustainable progress. He enables people and organisations to anticipate the future by helping them in identifying and taking the right steps to develop and realise their vision.

Bert Omlo (info@bertomlo.nl)
Bert is an experienced learning & development professional with many years of experience in the Financial Services industry. He adds tangible value to his clients’ businesses by designing and building effective learning programmes with a strong business focus.

Bram Onrust (b.onrust@katahdin-consultancy.com)
Bram combines extensive experience as a psychologist with a business school degree. He helps organisations to become more successful by enabling their people to work and communicate more effectively through soft skill development.

Fit-for-the-future: competency development for Risk Management

AXVECO is working with a large Dutch bank to develop the right skills within the risk community, so that it continues to add optimal value to the organisation, now and in the future.

Read more

Design and use of key risk indicators

AXVECO roundtable on Key Risk Indicators (21 September 2017)

On 21 September, a number of financial and non-financial risk managers from leading financial institutions (banks, insurers and pension funds) came together to share knowledge and experience about Key Risk Indicators (KRIs) within their organisations.

Read more

Risk manager, move with the times!

Despite major investments in improving risk management and internal control, current risk management frameworks still prove to be costly and particularly ineffective. What is going on, and how can it be done differently?

Read more

Spring 2017 newsletter – disruption in the polder

Spring is in the air and the terms Agility, FinTech and Hostile Shareholders echo across the polder.

Read more

Managing risk in agile organisations

The concept of agility is currently being extended to apply to governance and organisation, business functions such as operations, and corporate support functions such as IT and HR, but what are the implications for risk management?

Read more

Benchmark your risk management against peers and the DNB reference framework

The maturity of your risk management organisation is an important factor for sound and controlled business operations and long-term success. Do you know how effective your risk management is and where further improvements are possible?

Read more

The route to a strong risk culture – 5 tips

Following the global economic crisis, financial institutions have embraced the imperative to enhance their risk management capabilities. In many cases, the maturity of hard controls needed enhancing, but, as we have seen from more recent incidents, this has not fully addressed the risk management challenges.

Banks, insurance companies and asset managers launched an extensive range of improvement programmes to redesign frameworks, policies, procedures and instruments (hard controls) to detect and mitigate potential risks. The effectiveness of hard controls to address the risk of incidents is limited however, for two reasons:

  • Firstly, risk management instruments and procedures can only be effective when they are used in the right way and at the right moment.
  • Secondly, research tells us that more procedures, more rules or more regulation leads to a decline in clarity and employee accountability, which in turn lowers the quality of professional judgement and commitment to living up to ethical standards.[1]

A problematic risk culture is often found to be at the root of major incidents. ‘Risk culture’ denotes the values and beliefs about risk (and compliance) and the mindset and behaviour towards risk of individuals and groups within an organization. It is a way of thinking and embedded within the organisation’s DNA through core values, patterns of behaviour, involvement, empowerment, transparency and tone at the top. It determines the collective ability of an organisation to identify and understand, openly discuss, and act on the organisation’s current and future risks.

It is important to note that a strong risk culture does not imply taking as little risk as possible, but instead helps companies consciously take appropriate risks that fit the risk appetite, vision and strategy.

Risk cultures, of course, may differ per organisation and may provide a competitive edge to companies, if implemented well. As part of our recent roundtable with CROs and Senior Risk Managers, AXVECO conducted a survey on risk culture amongst 18 financial institutions to see how much and on what aspects they may be different. The results of the survey and related discussions with participants indicate that there is a wide spread in the degree to which risk culture is prioritised on the agenda within companies as well as the perceived strength of the existing risk cultures.

Regulatory scrutiny

Since the financial crisis, supervisory scrutiny on risk culture has significantly increased. Regulators recognise that cultures may differ and see a “mono-culture as undesirable since it diminishes diversity”. The conduct authority in The Netherlands, Autoriteit Financiële Markten (“AFM”), traditionally supervises conduct and culture within Dutch financial institutions[2], such that they act in the best interest of customers, public interest and the effectiveness of the financial markets. Their centre of expertise has combined forces with the University of Utrecht to integrate scientific research with practical implementations. Further, the Dutch prudential authority, De Nederlandsche Bank (“DNB”), has increased its focus on culture and awareness[3] over the years, including the establishment of a centre of expertise with professionals from governance, risk, change and organisation psychology. They perform regular onsite visits and thematic reviews to assess the appropriateness of risk cultures at financial institutions.

5 tips to help companies with making a start with developing their risk culture

 

Tone at the top, noise in the middle

Risk culture is a board responsibility. The behaviours and attitudes of the top executives of a company have a disproportionate impact on the risk culture of a company. The best way to start improving your risk culture as a company is therefore by making sure the top executives establish the right tone at the top. Top executives should be aware of their role model status and walk the talk to create the right risk culture awareness within their organisation. Attention should be given to instilling and growing the right culture and behaviours at the level of middle management – the top 100 or so of directors and management teams which direct business activity. Without this, the employees experience ‘noise’ as their seniors’ behaviour may differ from that desired by the board.

Communication is key

Building a strong risk culture starts with defining a clear risk vision, strategy and appetite. These set the values, beliefs and boundaries that guide the desired behaviours. What is even more important though is to communicate the risk vision, strategy and appetite very clearly and repeatedly in the organisation. Our research on risk culture points out that in 69% of the companies, senior executives drafted a risk vision, strategy and appetite, but only 39% of the companies communicated these clearly in the organisation. Consequently, the awareness amongst employees of the risk vision, strategy and appetite was relatively low (rated as sufficiently aware in 33% of the companies). The lack of awareness makes it very hard for employees to behave in the way that best suits the risk vision, strategy and appetite.

Create an adaptive organisation

An adaptive organisation is an organisation that is able to keep up with rapid changes in the environment and is entrusting decision making power and associated resources to its employees. This type of organisation is the most resilient in terms of risk culture. Adaptive organisations are formed by creating an atmosphere within the company whereby employees are encouraged to speak up and challenge the way things are done. Stimulate discussion and bottom-up input and consider agile and new forms of organising change. Employees should feel free to voice their opinion and raise the alarm in case they detect undesirable risks in the company. Mistakes and failures should be used to learn from. This can be done within the organisation, but also between organisations. The platform thefailcon.com is an example of an initiative of fintech companies to organise conferences for learning from each other’s mistakes. Next to that, make sure there is an accurate system of countervailing power in place. Prevent blaming and share lessons learned throughout the organisation.

Make the risk culture explicit in the performance review process

Establishing an appropriate risk culture can be a long-term process that requires dedication of (senior) management. Even if all involved managers are sufficiently aware of the importance of building a sound risk culture, it is advisable to ensure their dedication by explicitly setting goals for risk culture. It is important to realise that an implied vision on risk culture is not enough. The perceived risk culture amongst employees might deviate from your implied vision. One can therefore think of measuring the risk awareness amongst employees or the perceived openness to challenge. By embedding these goals in the yearly performance reviews, companies can make sure risk culture will stay on the agenda of (senior) management.

Use a structured framework

Our research on risk culture indicates that many financial institutions struggle to measure their risk culture and create a transparent picture that illustrates the strengths and weaknesses of the aspects of their risk culture. Having such insight, however, provides an incredibly strong foundation for any change initiatives. A structured framework is crucial to map out the desired risk culture and to measure the perceived risk culture and the effect of risk culture optimisation initiatives. An example framework is shown below in Figure 1, consisting of four main areas and 18 sub-areas.

Since risk culture is not a static concept but evolves over time in relation to events in the organisation and in the environment of the organisation, it is necessary to assess the risk culture on a recurring basis. AXVECO’s risk culture optimisation stairway, shown in Figure 2, can serve as a basis for a cycle of continuous improvement.

Figure 1 – AXVECO risk culture framework.

Figure 2 – AXVECO risk culture optimisation stairway.

Initiatives to align the risk culture with the organisation’s risk vision, strategy and appetite are a smart investment since they can help companies reach their strategic goals and prevent expensive scandals and incidents. Next to that, we have seen a heightened focus from regulators on companies’ risk cultures. Therefore there are enough reasons to start improving your organisation’s risk culture. The 5 abovementioned tips give a starting point for building a sound risk culture.

[1] Katz-Navon (2005), Knights V Collinson (1987), Grandpre, Alvaro, Burgoon, Miller & Hall (2003)

[2] See for example AFM publication: ‘Mag ik van u twee frappuccino’s en één integrale cultuurverandering?’

[3] See for example the very recent publication: Gedrag en Cultuur in de Nederlandse financiële sector.

The existential crisis of non-financial risk management

Whilst credit and market risk management have matured, managing non-financial risks has become a growing challenge for financial institutions.

Read more

Three lines of defence: a panacea?

AXVECO performed a short survey among Dutch Financial Institutions to establish whether the three lines of defence model was still viewed as valid and identify implementation challenges.

Read more