Building risk management skills for the future – where to start?

During many conversations with our clients the topic of the risk management organisation of the future comes up. What will the role of risk management in the future be and what skills should the risk management professionals have in order to successfully support this role? How do we build or acquire those skills and how do we prepare our organisation for this future? Where do we start?

In this article, we set out a simple two-step approach to identifying the skills of the risk management professional of the future and highlight the options for risk leadership to build or acquire these skills.

Risk management is at a crossroads

Effective risk management means enhancing decision making to balance risk and reward as a fundamental driving force to doing business and fostering entrepreneurship. This is not just avoiding risks! Risk management is part of daily decision making and integral to the formulation and execution of strategy. A company can take too little or too much risk!

Risk management is, however, often seen as a mandatory and bureaucratic activity instead of a means to protect value, let alone to create value and encourage entrepreneurship. It is often reactive and backward looking (past and present control, costs, efficiency), and seldom forward looking (future control, continuity). Our rapidly changing world and business environments amplify this problem.

Our rapidly changing world demands a shift in skills

The business environment is changing rapidly. In a world characterised by increasing information intensity, extreme transparency and hyper-connectivity, new business models and ecosystems are emerging. Decision making and business change take place via agile approaches to enable organisations to respond to changing customer demands. Technology is transforming the workplace as processes and interactions become digitised and automated. Regulatory pressure is increasing (both in terms of complexity and volume) and there is an increased need for trust. As a result, we see an increased relevance and impact of non-financial risks, whilst risk profiles will change.

As a consequence, the composition of (risk management) jobs and required skills will shift. The key challenge for today’s risk managers is to be engaged as a credible business partner in the transition towards the new digital and agile world. In a previous article (in Dutch), we argued that risk management should reinvent itself by deepening existing skills whilst acquiring new skills for a highly digitised, innovative and agile organisation. Some of these skills are intrinsic, whilst others can be learned. In this article we elaborate on how to enhance existing and acquire new skills.

The development of skills requires a structured approach

Organisations have a number of options to build or acquire the skills they need for the future, see the table below. Risk leadership must choose the right balance of these interventions.


| Option | High level description |
| --- | --- |
| Learning | Developing the required skills of the existing workforce by leveraging a mix of learning interventions (from e-learnings to gamification and support tools in the workplace) strongly aligned with the changing work environment. |
| Recruitment and outplacement | Bringing in talent from outside the risk function (from other areas such as the first line or from external to the company) can help to acquire the required skills, as they bring new perspectives. Often this means letting go of people that do not match the future requirements. |
| Reallocation | Moving people around to make better use of their skills. |
| Partnerships | Gaining access to skills through collaboration with other specialised parties. |


Start with the definition of the required skills

Risk leaders should start with the definition of the required skills of the risk management professional of the future. The best way to do this is to visualise the risk manager in the future of your organisation, in two steps:

  1. Envisage the role of risk management and what value this brings to the business in the future (i.e. “what risk should do”).
  2. Identify the key skills the risk manager of the future should have: the visible and measurable capabilities to fulfil this role (i.e. “how risk should do it”).

Step 1: Envisage the role of the risk management professional of the future

We can think about the role of the risk management professional of the future by deconstructing the role into a number of dimensions (see figure 1).

Figure 1: Risk management foundation and four major developments demanding a shift in skills.

First, we have the foundational role, the circle in the centre of the diagram. This involves the core role and activities of the risk manager derived from the mandate of the risk management department within the organisation. Next, we can identify a number of major developments impacting risk management. Responding appropriately to each of these developments drives the added value of risk management to the business in the future. Each of these developments in turn demands a shift in the required skills of the risk management professional.


The table below shows for each dimension in figure 1 illustrative examples of the role of the risk manager of the future and of the business value of getting it right.

| Dimension | The role of risk managers of the future (illustrative examples) | Business value (illustrative examples) |
| --- | --- | --- |
| Risk Management foundation | Risk managers of the future have a good understanding of the business and a high organisational sensitivity. They effectively challenge the business proactively, guard that it operates within the risk appetite and are the gatekeepers of the risk management principles and standards. | An effective balance between value creation and value protection goals, whilst protecting reputation, guarding that the organisation operates within risk appetite by helping to avoid unnecessary risk-taking and surprises. |
| Strategic direction of the organisation | Risk managers of the future anticipate the impact of the strategic direction, translate this to enhancements to policies, procedures and techniques and embed this into the daily practice. They are driven by curiosity in order to understand the key developments in the business landscape. | Empowering the business to effectively and efficiently develop and manage their systems, products and regulatory duties within risk appetite while avoiding unnecessary cost growth as the business reaches further scale. |
| New ways of working | Risk managers of the future work seamlessly with the business and feel very comfortable in the rapidly changing business environment. They advise the business on the design and implementation of effective control environments leveraging control-by-design and compliance-by-design principles. | Increasing the pace of sustainable innovation due to a timely and effective identification and mitigation of potential risks and issues which enables faster decision making. |
| Digitisation and automation | Risk managers of the future are well versed in systems, data and disruptive technologies and stay abreast of trends in Information Technology and Data Science to ensure they can challenge and advise the business on pitfalls, risks and issues. | Leveraging insights from data exploration and modelling enabling management to take better and faster decisions based on trustable data. |
| Increasing regulatory pressure and need for trust | Risk managers of the future are strong representatives of the 2nd line of defence, working closely together with the business, legal and compliance in order to understand the impact of legal and regulatory requirements on the business and to protect the bank from unacceptable risks. | Adhering to regulatory and industry standards with regards to risk management thereby reducing the probability of fines and regulatory interventions. |


Step 2: Translate the future role into required skills

The role of the risk manager of the future needs to be translated into the skills required to be successful. These skills can be split into three categories (see figure 2).

Figure 2: Skills framework

Behaviours and soft skills
Risk managers should refrain from pursuing instruments and tools as objectives in themselves, reduce the focus on lists, registers, reports, etc., and avoid simply forcing the business to identify, document and track all possible risks it may be facing. Risk managers should build the soft skills to help manage risk and not just measure it.

Developing the right set of soft skills – the personal, emotional and social skills that allow someone to operate effectively – will be a big contributor to change.

Knowledge and application
Risk managers are not expected to be subject experts in all domains, but they do require a deep level of awareness and working knowledge of their allocated business domain and any new trends or technologies to be credible in performing their role. Control-by-design and compliance-by-design, for example, are critical components of the control environments of more digitised firms.

Most risk managers should have an adequate understanding of new technologies such as blockchain, big data and analytics, and artificial intelligence, as well as the products and services the organisation offers and changing regulations. They should be involved at the start of innovations and be comfortable working in an agile environment.

Technical skills and fundamentals
This layer addresses the tools and techniques of risk management. This may include how to perform a risk assessment including how to classify and score risks and record the results.


In summary, the leaders of risk organisations must carefully plan for the future with the identification of new soft, domain and technical skills. Once the skills with tangible business value have been defined, risk leadership should perform a diagnostic assessment to understand the current level of performance and determine the skill gap that needs to be bridged.

In the next article we elaborate on the first intervention – Learning – which focuses on getting the most from existing and new staff.

For more information see our online Risk Management eLearnings.

About the authors:

Arjan Udding
Arjan believes in the power of imagination, determination, collaboration and integrity and that this leads to sustainable progress. He enables people and organisations to anticipate the future by helping them in identifying and taking the right steps to develop and realise their vision.

Bert Omlo
Bert is an experienced learning & development professional with many years of experience in the Financial Services industry. He adds tangible value to his clients’ businesses by designing and building effective learning programmes with a strong business focus.

Bram Onrust
Bram combines extensive experience as a psychologist with a business school degree. He helps organisations to become more successful by enabling their people to work and communicate more effectively through soft skill development.
