Risk transformations: The heart, the art, and the science - Deepstash
Risk transformations: The heart, the art, and the science

Risk transformations: The heart, the art, and the science

Curated from: mckinsey.com

Ideas, facts & insights covering these topics:

24 ideas

·

147 reads

1

Explore the World's Best Ideas

Join today and uncover 100+ curated journeys from 50+ topics. Unlock access to our mobile app with extensive features.

Risk Transformation: The Premise

Risk Transformation: The Premise

Many financial institutions have recently undergone major risk transformations that drove universal risk capability uplift and cultural shift.

Uplifting risk management capability for financial institutions can be particularly challenging if the required transformation requires coordination across business areas and functions.

For two decades, there has been an intense focus on nonfinancial risks (NFRs). While regional or global “super incidents” originally drove the emergence of NFRs as a theme, the evolution of NFR management is ongoing, with variations in form, region and severity.

2

20 reads

A Super Incident

A Super Incident

The implications of a super incident can be significant and include direct financial losses, fines, compensation or remediation costs, and reputational damage. Secondary effects could include reduced sales or accelerated disintermediation by other market participants (such as fintechs) due to lost trust.

2

15 reads

The Costs Involved

The Costs Involved

This environment drove financial institutions to initiate major risk transformation programs to address incidents, immediate issues, and deeper root causes. These programs have significant monetary costs. However, the opportunity cost for the organization is much higher, given the amount of management attention and organizational capacity required for successful delivery and sustainable conclusion.

2

9 reads

The Question Is How

The biggest challenge in starting a risk transformation is often not the “why” or the “what,” but the “how.” Questions include how to set it up and conclude it, and then transition back to enhanced business as usual.

Large-scale risk transformations often fail because change is not effectively implemented across the organization: milestones are ticked off without actually improving risk management, addressing underlying culture, or reducing risk.

2

7 reads

The Four Broad Categories of Risk Transformations: Business Area

The Four Broad Categories of Risk Transformations: Business Area

These transformations are typically business-led, driven by embedded line-one risk and control teams. Such transformations often include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process breakpoints; and clarifying responsibilities.

2

16 reads

Risk-Type-Specific Capability Uplift And/or Remediation

Risk-Type-Specific Capability Uplift And/or Remediation

These transformations are typically business-led, driven by embedded line-one risk and control teams. Such transformations often include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process break points; and clarifying responsibilities.

2

8 reads

Risk-Type-Specific Capability Uplift And/or Remediation

These transformations are typically driven by the respective risk experts (such as a money laundering reporting officer for financial crime and chief information security officer for cyber crime) and supported by the risk function. Such transformations often include risk-type framework and operating-model uplift, paired with targeted remediation of severe issues for a specific risk type. They are often triggered by severe incidents, issues, and regulatory scrutiny.

2

4 reads

Risk Function Operating-Model Uplift

Risk Function Operating-Model Uplift

These transformations are typically driven by the risk function. Such transformations often include defining the ambition and value proposition of the risk function; improving the structure of the function (including divisions, risk-type expertise regions, and shared services); simplifying and clarifying the interactions with the business and other functional areas; and identifying and hiring capabilities to deliver.

2

6 reads

Holistic Enterprise-Wide Risk Transformation

These transformations are typically board or CEO-sponsored programs involving all businesses and functions and considering all (nonfinancial) risks. Such transformations often include

  • uplifting the risk management framework and policy governance;
  • establishing, improving or operationalizing the risk taxonomy;
  • improving the risk appetite statement, in particular, for NFR metrics cascaded into business and operationalization;
  • uplifting and implementing a code of conduct and consistently operationalizing the three lines of defense model.

2

8 reads

The Time Factor

The Time Factor

Risk transformations often take two to three years of dedicated effort, with enterprise-wide transformations typically taking three to five years. While transformation setups differ, most have a central program team of five to ten full-time equivalents (FTEs) for smaller transformations, with holistic risk transformations running central teams of 15 to 50 FTEs that focus on coordination, tracking, quality assurance, sharing of best practices, and support for the most challenging problems, including the coordinated delivery of change across business areas and functions.

2

3 reads

What Makes A Successful Risk Program

What Makes A Successful Risk Program

After supporting numerous businesses through transformations, we have found that while the science of transformations is crucial to get right, it is the heart and the art that deliver transformation programs to their successful conclusion and sustainably embed the change across the organization.

With science and art, the key conditions are in place for a successful risk program. But the heart is a prerequisite for deep cultural change, which is required for a sustainable enterprise-wide transformation.

2

6 reads

The Science, The Heart, The Art

The Science, The Heart, The Art

  • Science speaks to the mechanics that need to be in place around program structure, integrated plan development, delivery mechanisms, and regulator engagement throughout the process.
  • Art refers to capabilities, accountability, prioritization, and the use of targeted interventions to keep the program on track.
  • Heart includes genuine shared motivation or purpose, a transformation mindset, a willingness to challenge cultural norms, and a program of communication that connects with the professional identity of employees. 

2

5 reads

Getting to The ‘Heart’: Motivation

Getting to The ‘Heart’: Motivation

“Because the regulator wants it” is not an intrinsic motivation—one needs to dig deeper and consider the motivations of employees. Successful transformation in any circumstance will require as much of a change in mindset as in any system or process.

An in-depth diagnostic of the psychology of the organization can help define a vision of change that connects to the collective motivation and purpose of the organization and ensures that the desired change will stick in the long term. “Serving our customers better” is an example of collective motivation.

2

3 reads

Transformation Mindset

Transformation Mindset

The mindset of the transformation needs to balance delivery discipline and accountability; agility and pragmatism; continuous improvement; and a sense of chronic unease.

This mindset will enable organizations to do what they say while still being able to course-correct and improve when new information becomes available and to quickly spot and address emerging challenges. If a risk transformation is initiated in response to a major incident, an honest appraisal of what drove the failures and adequate humbleness when considering the magnitude of the required cultural change is key.

2

3 reads

Culture

Culture

Organizations have a variety of cultural traits that help them thrive in transformation but also some that hold them back. Traits that often lead to unsuccessful or stalled transformations include being too siloed or too collaborative. This can lead to change being implemented inconsistently or stopped by a few business areas, or over-collaboration that results in a lack of productivity and missed deadlines. 

2

3 reads

Communication

Communication

Motivation must reach the hearts and minds of employees. An intensive and continuous dialogue with a broad set of stakeholders allows a transformation program to keep its finger on the pulse while also enabling staff to own challenges and drive solutions. Communication needs to build on the organization and its leadership’s personal motivation—this is what makes it genuine and effective.

2

4 reads

Appreciating the ‘Art’: Capability

Appreciating the ‘Art’: Capability

  • The skills required to transform are often not those required to manage.
  • A risk transformation program team must have capabilities across project execution, strategy, and risk management.
  • The team should adopt both an inward- and outward-looking mindset that leverages the experiences of others.
  • Key roles in the business and the risk function may require new talent to bring fresh impetus to transform or deviate from ingrained practices (that is, breaking the mould).
  • Targeted external support for the expertise and ongoing challenges and advice is reasonable.

2

5 reads

Accountability

Accountability

Large-scale risk transformations require collective accountability: the whole executive team must stack hands to deliver the target outcome. The complexity and duration of these programs make them hard to execute; they are often costly and feel more like a burden than an opportunity. Balancing the accountabilities of individuals versus the whole organization, and linking program outcomes to remuneration, are both critical. Strong top-down authority from the board and CEO is essential in supporting prioritization, providing advice, and clearing roadblocks.

2

3 reads

Prioritization

Prioritization

One of the biggest challenges is managing competing priorities and ensuring that the organization can absorb the amount of change required. This requires clear articulation of short- and long-term milestones to prioritize and sequence change at regular intervals. A radical simplification lens, which addresses gold plating by particular framework teams and over-implementation by the businesses, can reduce the need to deprioritize and descope.

2

3 reads

Intervention Mechanisms

Means to anticipate hurdles and support course correction must be created: formal mechanisms to identify expected challenges in the form of regular premortem exercises and formal program reviews are essential. The central decision-making body needs the authority to rapidly course correct through reprioritizing or redeploying resources. This is also critical to address change fatigue, which will naturally occur over the course of a three-year program.

2

3 reads

Excelling At The ‘Science’: Program Structure

Excelling At The ‘Science’: Program Structure

Banks often consider risk transformation as the accountability of the risk function. However, this setup may just scratch the surface and fail to address root causes and systemic issues.

Effective large-scale risk transformation requires particular accountability for the program to be assigned across functional leadership and business areas, where many of the inadequacies in systems, processes, and behaviours originate.

Coordination between these stakeholders is essential and often driven by a neutral, central program team that sits outside of lines one and two.

2

3 reads

Delivery Mechanism

Implementation of complex change across the business (line one) is often where risk transformations fail. The best-designed set of change initiatives can fail without an effective delivery mechanism that supports implementation and sustainable embedment of change.

Developing a mechanism to ensure appropriate engagement between lines two and one in the design of change initiatives—and a well-coordinated and considered delivery mechanism for supporting line one implementation—is critical. vv

2

3 reads

Regulatory Engagement

Regulatory Engagement

Transparency and continuous dialogue with regulators are important. Proactive, professional, and respectful engagement can enable greater understanding and appreciation for regulators with respect to the challenges faced in large-scale risk transformations and can encourage offers for guidance and positive reinforcement.

Regulators might share their own expectations and observations from other institutions and provide insight into their own priorities.

2

3 reads

The Bottom Line

As the above three elements (heart, art, and science) demonstrate, successfully concluding a risk transformation seldom ends with just milestones in a work plan, ending a monitorship, or meeting regulatory commitments.

These are important, but genuinely transformative success lies in the smooth shift from programmatic setup to sustainably uplifted business-as-usual operations with embedded mechanisms for further improvement.

2

4 reads

IDEAS CURATED BY

averyb

A negative mind will never give you a positive mind.

Avery B.'s ideas are part of this journey:

Top 7 books for Product Managers

Learn more about problemsolving with this collection

Conducting market research

Analyzing data to make informed decisions

Developing a product roadmap

Related collections

Read & Learn

20x Faster

without
deepstash

with
deepstash

with

deepstash

Personalized microlearning

100+ Learning Journeys

Access to 200,000+ ideas

Access to the mobile app

Unlimited idea saving

Unlimited history

Unlimited listening to ideas

Downloading & offline access

Supercharge your mind with one idea per day

Enter your email and spend 1 minute every day to learn something new.

Email

I agree to receive email updates