The Risk Coalition

Risk 2.0: Rebooting for Modern Risk Management (part 2)

August 17, 2022

In the first of two blogs for the Risk Coalition, Keith Davies set out the case for change for Risk teams, much needed in view of the changing and increasingly dynamic, connected and multi-stakeholder environment. In this second (and concluding) blog, he explains the key aspects of how they need to change.

Last week’s post highlighted the new areas that Risk teams should now oversee, in addition to more traditional financial and operational risks, in order to address the ever-more complex and interconnected, tangible and intangible risks that their firms now face. However, in order to meet their formal objective of “protecting and creating value”[1], Risk functions will not only need to expand the scope of their activities but also adopt the forward-looking commercial mindset needed in the fast-moving digital world. Some of the changes needed are highlighted below.

From hindsight to insight to foresight

Whilst risk functions should always seek to mitigate future risks, many traditional approaches result in backward-looking box-ticking that often only really addresses risks after they have occurred. The modern world requires a mindset shift in which Risk teams recognise the value in using new techniques (e.g. data analytics and behavioural science analysis) and new types of risk data (e.g. stakeholder sentiment, ESG factors in third parties, etc.) in order to identify risk indicators, trends and patterns, and continually horizon scan for new and emerging threats, opportunities, and new risk combinations. Such activities will become ever more critical as the accelerating rate of change continues to reduce the time that firms have to react once risks crystallise.

Commerciality: being a safety belt rather than handbrake

Risk functions must better align to their organisation’s commercial needs and help deliver new activities quickly and sufficiently safely, rather than adopting a risk-averse approach of moving only when risks have been fully understood and mitigated. Risk teams now need to be agile, make timely decisions based on adequate but imperfect information, and accept that wrong decisions will be made – not least as the opportunity risk/cost of not changing quickly can now often be greater than the risks of change itself. Risk functions should assess whether they support the delivery of a firm’s strategy within cost and risk appetite with questions like:

  • do they compare the potential benefits of additional controls against the associated cost, effort or disadvantages? ALARP can be overkill for some risks!

  • does risk appetite focus disproportionately on preventing downside risks and hinder an appropriate level of risk-taking? Should some risk appetite statements have a lower as well as upper threshold?

  • does the function look appropriately at business opportunities (e.g. with an opportunities grid alongside the usual risk matrix, or within taxonomies including the opportunity risk of not changing)?

  • do teams focus on traditional processes & reporting at the expense of forward-looking mitigation?

Resilience: ‘when’ not ‘if’ events occur

Risk teams must recognise that in an interconnected, multi-stakeholder world many risks cannot be adequately mitigated by internal, preventative controls – and that the key mitigation will often be the speed and quality of a firm’s response and communications when incidents inevitably occur. The need for both preventative actions and resilience is already recognised for cyber risks and operational activities, but will become increasingly critical as social media and stakeholder capitalism mean that firms can no longer control their own reputation and brand: with anyone - including customers and employees - able to post their views and sinister agents able to create fake news, websites and social media accounts.

Tooling up

Risk functions will need to re-skill and re-tool to meet the new business dynamics they face. There is already a significant increase in the use of data and technology to improve risk management activities. Companies can leverage Robotic Process Automation (RPA) to collect and validate data, and data analytics and AI to turn a wider universe of structured and unstructured data into usable insights and identify emerging and growing risks. And eGRC tools can consolidate information, automatically distribute required risk MI and remedial actions to appropriate people and even automate certain risk actions (e.g. automated patch management).

All these techniques support the implementation of continuous monitoring which permits real-time risk and control testing and reporting, thereby stopping risk management becoming stale and possibly even developing blind spots over time. They not only significantly improve the richness, depth and speed of risk management, but also improve team efficiency by reducing data and processing time and by freeing up existing employees to work on value-adding risk assessment and management activities.

Skills and mindset

Even more importantly, Risk teams will need to employ the skill mix and mindset needed to support the firm in a digital and stakeholder environment. In order to achieve this, CROs may need to make brave hiring decisions:

  • They need a breadth of perspectives above and beyond traditional risk disciplines, with specialists who truly understand the nature of the modern risk profile – including experts from unorthodox sources (e.g. non-related industries already exposed to modern-day risks)

  • They will need people who have worked elsewhere in the organisation and who understand its commercial and cultural fabric and pace of change and can be advocates for appropriate risk culture

  • They need individuals with genuine enterprise-wide knowledge and the intellectual agility to quickly identify, assess and respond to emerging and connected risks

  • They will need to hire those with learning agility and cognitive diversity to complement existing traditional risk skills and approaches.

Such trends are already apparent in CRO recruitment: recent research by Hedley May[2] shows that 43% of FTSE 100 Group CRO appointments since 2020 have been “leaders without any significant prior Risk experience”. These trends will increasingly need to permeate across the whole function in order for teams to get the required balance between modern business understanding and traditional subject matter expertise.

Conclusion: a challenge and opportunity for CROs

The changes in risk profile created by an interconnected, trust-driven, and digital landscape require risk functions to significantly adapt their coverage, skillset and approaches. This will be a major challenge for many, but one which functions must undertake to prevent themselves – and maybe their organisations – becoming obsolete, and one which, if done correctly, presents a massive opportunity for functions to elevate their impact and enhance (rather than just protect) their organisation’s long-term value.

[1] International Organization for Standardization (2018) ‘ISO 31000:2018 Risk management’.

[2] Hedley May (2022) ‘Chief Risk Officer Succession: The Search for Learning Agility’.

Keith Davies, Chief Risk & Compliance Officer at Federated Hermes Limited, is a commercially-focused CRO with a passion and track-record for change and implementing risk frameworks that support all aspects of business strategy – including financial, operational, digital, behavioural, reputational and ESG/sustainability risks. He has worked for over 20 years in global insurance, asset management and banking.
