The business environment is evolving, and risk management needs to evolve along with it. In addition to infusing strategy and risk management, Deloitte has identified three other levers that can be used to modernize risk management for changes in the business:
For risk management functions, taking on ownership of strategic risks will require new organizational constructs, competencies, experiences, and business relationships. Institutions will need to empower chief risk officers (CROs) to have accountability for strategic risk management and establish “owners” of specific strategic risks such as geopolitical, economic, and FinTech risks. Management of strategic risks will require the ability to apply a risk lens to areas such as product development, sales, and culture. This will be a departure for many institutions, where risk management has traditionally focused on financial and regulatory risks. Some organizations have found it useful to bring in individuals from the business either on a rotational or permanent basis, as well as training up existing risk professionals in new methodologies for assessing strategic risk.
Three lines of defense.
Under the three lines of defense model employed by most financial institutions, business units own and manage their risks; the risk management function provides independent oversight and challenge; and internal audit reviews the effectiveness of the risk and control framework. Even if the three lines of defense model is conceptually sound, many institutions have faced practical challenges in implementation resulting in the risk management function effectively playing both first and second lines of defense roles. Embracing a strategic risk approach, including embedding risk into the strategic planning process and utilizing strategic risk tools, allows the risk management function to play a true second line of defense role — providing effective challenge to critical business decisions in order to enhance decision-making and to enable growth.
The latest technologies — such as cognitive analytics, machine learning, natural language processing, and big data — have the potential to fundamentally transform risk management. From a strategic risk management perspective, organizations can use these technologies to continuously monitor changes in the environment to determine which could be truly disruptive; and embed these technologies into enhanced tools such as horizon scanning and scenario planning simulation to drive higher levels of sophistication in managing risk.