Risk management is evolving. It has to, because the risks businesses face and the manner in which they emerge are changing.
In a world where past events represent a strong indicator of how similar events might play out in the future, there is little need to continuously update prior knowledge captured within your risk registers or to change the indicators reported. However, when the future is rapidly unfolding in novel and adaptive ways, the past is only of limited use in making sensible predictions about what the future might hold. Can you afford to wait a quarter for the next risk assessment?
The new reality is that everything moves at pace and, with so many things being interconnected, a trend “over there” can very quickly become part of something “over here”. So, what does this mean for risk management? First, it means that chief risk officers are making it a priority for the actual management of risk to sit squarely in the business and not in the risk function. Everybody has always said that the business should manage its risks but the “Three Lines of Defence” model - in which risk is checked by internal management, then internal control functions such as risk control/compliance, and then finally by external functions such as audit - has tended to make the business feel safe because they knew the risk and audit functions were looking over their shoulder.
This distance from the front line matters when things are moving at pace and so it is essential for those closest to the risk to be the ones who call it out and manage it. The value of the risk function is that it does not get tied up in the demands of daily activity and can spend the time to anticipate and look ahead. Of course the risk function can help to provide assurance that the business is managing its risks appropriately, but the majority of its time should be spent in looking for patterns and trends that the business does not have the time or tools to find.
If everything is changing and new, how is it possible to build a coherent risk management system? Well, it is actually not as difficult as you might think, but it does require you to look at the problem in a different way. Gathering a body of data over time to support a risk assessment is no longer going to work, because it ages too quickly. You also need to embrace the fact that behaviours arise from interconnections and so the context of all that historical data is the key element.
Risk teams are therefore evolving to help the business embed risk-thinking into their daily activities, rather than having it as a separate additional task. In order for the business to do a good job of managing risk locally, but in a way that also supports the overall objectives, there needs to be a mechanism in place to ensure that everyone has sight of the big picture and how they fit into it. It is this role that the risk teams are now beginning to focus on. By providing more automated tools to help assure that the risk management being carried out by the business is effective, the risk teams can free up their time to do more analysis and communication.
It is a journey that most firms have only recently started, but it is being made easier thanks to the widespread availability of new analytical tools which can cope easily with large volumes of data that arrive at high velocity and may be highly unstructured. This enables risk teams in even the largest firms to point their dashboards directly at the source data to find out whether controls are performing as expected, whether assessments are up to date and whether the observed business performance outcomes appear consistent with the risk and control profile being reported. The ability to look at unstructured data means that information can be spontaneously brought into the analysis, and it also makes it possible to incorporate a vast amount of “knowledge” about the business environment which is typically ignored.
As companies embed more technology and automation into their processes, it is inevitable that the future will look quite different from the past - and it will move at a significantly faster pace. Traditional risk management methods will quickly become too slow to anticipate or enable meaningful reaction. Those transitioning to approaches that enable those in the business closest to the risk to see and make sense of emerging trends quickly and to communicate effectively will be the winners in this new environment. To stay in the game your risk team needs to become your insight function.
Neil Cantle is a principal and consulting actuary with the London office of Milliman.
Milliman helps risk teams get more agile. Hear some of our clients’ perspectives at http://www.milliman.com/risk/