Risk transformation: five starting questions
Risk transformation is a broad term, so what does it really entail? And, if you’ve been tasked to ‘transform’ risk in your business, where should you begin? We share some starter ideas.
1. What is your risk management objective?
One of the main risks of a risk transformation program is that you end up tackling tools and ideas piecemeal (and in response to ad hoc board member or executive requests), rather than delivering a cohesive risk vision.
Try to combat this from the start by defining a clear risk management objective.
For many companies in our Network, the overarching objective tends to be improving risk’s ability to support the achievement of strategic objectives.
Underlying this, there are often goals around developing a risk taxonomy, defining risk appetite, reviewing the risk matrix, improving control effectiveness, integrating assurance and implementing technology.
Where does this insight come from?
To get involved in an upcoming collaboration on risk transformation, book a discovery call here.
2. Should you start by measuring maturity?
How will you monitor your risk transformation program? After all, if you are asking your leadership to commit time and resources, they are likely to ask for proof-of-value in return.
One common suggestion is to undertake a risk maturity assessment at the start of the process and periodically repeat it to demonstrate ‘tangible’ improvements. This is usually communicated via a scoring system.
Before you commit to measuring the entirety of your success via a single numerical output, think about whether this approach suits the objectives you have identified.
Risk maturity assessments can be very quantitative, with a list of criteria around artefacts in place, risk registers completed, risk reports generated and so on. They often focus on implementation (which is easier to ‘tick off’) versus the actual change outcomes. They have not always evolved to reflect contemporary objectives around strategic risk management.
Consider developing your own maturity criteria that align to your goals. Elevate and discuss these early with the board and executive to establish buy-in for what you want to achieve.
Transformation programs are often launched in organisations with lower-maturity risk functions, which means that risk culture must be part of program design.
However, companies frequently underestimate the change management required. Or, they bundle it in with the implementation of a risk technology system.
One of the key issues many companies face is incomplete and inconsistent risk information. Understandably, technology is seen as a solution to this problem. And, in part, it is. However, there are also underlying behavioural causes.
Risk information is often incomplete because there isn’t a culture of transparency and reflection. People are nervous to speak up or their leaders simply don’t prioritise risk, so why should they?
Culture and technology need to be treated as separate work streams within the broader transformation program, as flagged by risk leaders in one of our collaborative sessions. Those who have been through it know well that a technology roll-out can fail without targeted change management.
4. Should you prioritise 'quick wins'?
Risk transformation is typically a three-year journey, risk leaders on the call agreed. But three years is a long time in business (and performance is usually monitored annually). So, do you need to deliver short-term wins to gain long-term traction?
Opinions were mixed. Some risk leaders felt that quick wins could detract from (and even jeopardise) a longer-term plan. However, others felt that a few easy initial changes might help demonstrate value to build engagement.
Some ‘quick win’ ideas (relative to a full transformation program) can be found below:
Quick wins
5. Achieve a balance of leading and lagging KRIs
There's a strong preference in our network for a balance of leading and lagging indicators, with a sustained focus on high-quality leading indicators.
Lagging indicators can be useful for identifying gaps or areas where the business is not performing well. A greater focus on leading indicators, though, will better equip the organisation to take a proactive approach towards risk management and to mitigate risks for which it has a low appetite before they can materialise.
Where to next?
We'll continue to support our members on their risk transformation journey by facilitating tailored collaboration in line with their specific challenges.
If you're starting, or in the middle of, a risk transformation journey, please book a discovery call to discuss how we're supporting peers at a similar stage to you, and how you could be involved.