Risk transformations: The heart, the art, and the science

This environment drove financial institutions to initiate major risk transformation programs to address incidents, immediate issues, and deeper root causes. These programs have significant monetary costs. However, the opportunity cost for the organization is much higher, given the amount of management attention and organizational capacity required for successful delivery and sustainable conclusion.

The biggest challenge in starting a risk transformation is often not the “why” or the “what,” but the “how.” Questions include how to set it up and conclude it, and then transition back to enhanced business as usual.

Large-scale risk transformations often fail because change is not effectively implemented across the organization: milestones are ticked off without actually improving risk management, addressing underlying culture, or reducing risk.

These transformations are typically business-led, driven by embedded line-one risk and control teams. Such transformations often include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process breakpoints; and clarifying responsibilities.

These transformations are typically business-led, driven by embedded line-one risk and control teams. Such transformations often include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process break points; and clarifying responsibilities.

These transformations are typically driven by the respective risk experts (such as a money laundering reporting officer for financial crime and chief information security officer for cyber crime) and supported by the risk function. Such transformations often include risk-type framework and operating-model uplift, paired with targeted remediation of severe issues for a specific risk type. They are often triggered by severe incidents, issues, and regulatory scrutiny.

These transformations are typically driven by the risk function. Such transformations often include defining the ambition and value proposition of the risk function; improving the structure of the function (including divisions, risk-type expertise regions, and shared services); simplifying and clarifying the interactions with the business and other functional areas; and identifying and hiring capabilities to deliver.

These transformations are typically board or CEO-sponsored programs involving all businesses and functions and considering all (nonfinancial) risks. Such transformations often include

• uplifting the risk management framework and policy governance;
• establishing, improving or operationalizing the risk taxonomy;
• improving the risk appetite statement, in particular, for NFR metrics cascaded into business and operationalization;
• uplifting and implementing a code of conduct and consistently operationalizing the three lines of defense model.

Risk transformations often take two to three years of dedicated effort, with enterprise-wide transformations typically taking three to five years. While transformation setups differ, most have a central program team of five to ten full-time equivalents (FTEs) for smaller transformations, with holistic risk transformations running central teams of 15 to 50 FTEs that focus on coordination, tracking, quality assurance, sharing of best practices, and support for the most challenging problems, including the coordinated delivery of change across business areas and functions.

After supporting numerous businesses through transformations, we have found that while the science of transformations is crucial to get right, it is the heart and the art that deliver transformation programs to their successful conclusion and sustainably embed the change across the organization.

With science and art, the key conditions are in place for a successful risk program. But the heart is a prerequisite for deep cultural change, which is required for a sustainable enterprise-wide transformation.

• Science speaks to the mechanics that need to be in place around program structure, integrated plan development, delivery mechanisms, and regulator engagement throughout the process.
• Art refers to capabilities, accountability, prioritization, and the use of targeted interventions to keep the program on track.
• Heart includes genuine shared motivation or purpose, a transformation mindset, a willingness to challenge cultural norms, and a program of communication that connects with the professional identity of employees. 

“Because the regulator wants it” is not an intrinsic motivation—one needs to dig deeper and consider the motivations of employees. Successful transformation in any circumstance will require as much of a change in mindset as in any system or process.

An in-depth diagnostic of the psychology of the organization can help define a vision of change that connects to the collective motivation and purpose of the organization and ensures that the desired change will stick in the long term. “Serving our customers better” is an example of collective motivation.

The mindset of the transformation needs to balance delivery discipline and accountability; agility and pragmatism; continuous improvement; and a sense of chronic unease.

This mindset will enable organizations to do what they say while still being able to course-correct and improve when new information becomes available and to quickly spot and address emerging challenges. If a risk transformation is initiated in response to a major incident, an honest appraisal of what drove the failures and adequate humbleness when considering the magnitude of the required cultural change is key.

Organizations have a variety of cultural traits that help them thrive in transformation but also some that hold them back. Traits that often lead to unsuccessful or stalled transformations include being too siloed or too collaborative. This can lead to change being implemented inconsistently or stopped by a few business areas, or over-collaboration that results in a lack of productivity and missed deadlines. 

Motivation must reach the hearts and minds of employees. An intensive and continuous dialogue with a broad set of stakeholders allows a transformation program to keep its finger on the pulse while also enabling staff to own challenges and drive solutions. Communication needs to build on the organization and its leadership’s personal motivation—this is what makes it genuine and effective.

• The skills required to transform are often not those required to manage.
• A risk transformation program team must have capabilities across project execution, strategy, and risk management.
• The team should adopt both an inward- and outward-looking mindset that leverages the experiences of others.
• Key roles in the business and the risk function may require new talent to bring fresh impetus to transform or deviate from ingrained practices (that is, breaking the mould).
• Targeted external support for the expertise and ongoing challenges and advice is reasonable.

Large-scale risk transformations require collective accountability: the whole executive team must stack hands to deliver the target outcome. The complexity and duration of these programs make them hard to execute; they are often costly and feel more like a burden than an opportunity. Balancing the accountabilities of individuals versus the whole organization, and linking program outcomes to remuneration, are both critical. Strong top-down authority from the board and CEO is essential in supporting prioritization, providing advice, and clearing roadblocks.

One of the biggest challenges is managing competing priorities and ensuring that the organization can absorb the amount of change required. This requires clear articulation of short- and long-term milestones to prioritize and sequence change at regular intervals. A radical simplification lens, which addresses gold plating by particular framework teams and over-implementation by the businesses, can reduce the need to deprioritize and descope.

Means to anticipate hurdles and support course correction must be created: formal mechanisms to identify expected challenges in the form of regular premortem exercises and formal program reviews are essential. The central decision-making body needs the authority to rapidly course correct through reprioritizing or redeploying resources. This is also critical to address change fatigue, which will naturally occur over the course of a three-year program.

Banks often consider risk transformation as the accountability of the risk function. However, this setup may just scratch the surface and fail to address root causes and systemic issues.

Effective large-scale risk transformation requires particular accountability for the program to be assigned across functional leadership and business areas, where many of the inadequacies in systems, processes, and behaviours originate.

Coordination between these stakeholders is essential and often driven by a neutral, central program team that sits outside of lines one and two.

Implementation of complex change across the business (line one) is often where risk transformations fail. The best-designed set of change initiatives can fail without an effective delivery mechanism that supports implementation and sustainable embedment of change.

Developing a mechanism to ensure appropriate engagement between lines two and one in the design of change initiatives—and a well-coordinated and considered delivery mechanism for supporting line one implementation—is critical. vv

Transparency and continuous dialogue with regulators are important. Proactive, professional, and respectful engagement can enable greater understanding and appreciation for regulators with respect to the challenges faced in large-scale risk transformations and can encourage offers for guidance and positive reinforcement.

Regulators might share their own expectations and observations from other institutions and provide insight into their own priorities.

As the above three elements (heart, art, and science) demonstrate, successfully concluding a risk transformation seldom ends with just milestones in a work plan, ending a monitorship, or meeting regulatory commitments.

These are important, but genuinely transformative success lies in the smooth shift from programmatic setup to sustainably uplifted business-as-usual operations with embedded mechanisms for further improvement.