The Building Blocks of Agile Risk Management
Protiviti’s Agile Risk Management philosophy enables organizations to focus on growth, improve efficiency and become more effective in managing risks while providing greater value to business partners.
Protiviti Agile Risk Management Philosophy
The rapid pace of technological innovations within the financial services industry threatens to disrupt organizations’ ability to compete. In order to combat the new landscape, financial institutions are digitizing their operations and adopting strategies to reduce their go-to-market lead time. This increased velocity poses new challenges to risk and compliance functions as they strive to ensure sound practices throughout the development, implementation, and transition of new initiatives or products into successful and sustainable business operations. Organizations are increasingly utilizing agile methods for executing technology projects as well as business change initiatives. Agile initiatives are generally completed by nimble execution teams working rapidly to spur business changes. As organizations move to agile delivery, control functions, including risk, compliance and business control teams, will need to rethink their interaction models for execut-ing credible challenge and advising the business in near real-time methods. In this paper, we share Protiviti’s perspective and Agile Risk Management philosophy on establishing leading practices for ensuring that risk management is designed appropriately to keep pace with agile organizations. We define practices for next-generation risk management that are more agile and better aligned, allow for operational excellence, and are focused on customer satisfaction.
Target-State Methodology — Agile Risk Management
As organizations move to agile delivery, control functions, including risk, compliance and business control teams, will need to rethink their interaction models for execut ing credible challenge and advising the business in near real-time methods.
Risk Management in an Agile Organization
Organizations are enabling employees throughout the company with the tools and resources to develop and execute business changes under an agile program management method. For agile teams to complete their objectives sustainably while maintaining agility and minimizing operational costs, an equally adaptive risk management framework is needed. However, most risk and compliance functions are not configured to keep pace with frameworks, resources (people and technology), or monitoring and reporting capabilities in line with the swift pace of agile teams. As agile teams focus on short cyclic bursts of development, implementation and testing (commonly referred to as sprints), risk and compliance functions can provide valuable decision-enabling insight by integrating their oversight and adviser roles throughout the initiative lifecycle and agile delivery.
Successful risk management frameworks align with top-down strategic planning and bottom-up execution and delivery to enable quick deployment of sustainable changes. In an agile state, initial assessment of the inherent risks associated with proposed changes allows management to determine the optimal projects to green light. Control functions have an opportunity to use a portfolio approach and real-time key risk and performance indicators at critical stages in the initiatives’ project plans to provide oversight and deliver insight that addresses risk and compliance considerations. This allows the oversight functions to provide optimal challenge without slowing down agile teams. As business changes are developed and implemented, technology-supported controls and real-time performance metrics can be utilized to monitor and mitigate the new business risks. Ultimately, aligning risk management with agile execution enables companies to improve customer experiences swiftly, thereby giving organizations a competitive advantage.
As organizations use an agile approach to deliver initiatives and products, risk management can enable long-run success of business and technology changes. Control functions (e.g., risk and compliance) can help ensure that business changes align with their organization’s operating environment and strategic objectives by engaging in the following activities throughout an initiative’s project lifecycle:
- Challenge goals and objectives - Risk and compliance functions can participate in initial strategic planning sessions with business leaders to help align objectives of agile initiative teams to firmwide strategy and standards. This can be accomplished by risk-ranking proposed projects and assessing them against the organization’s risk appetite and existing policies and standards, enabling use of firmwide systems and tools, and ensuring that projects consider relevant regulatory requirements and business controls.
- Integrate risk management with agile teams — Risk and compliance functions can further enable agile teams by monitoring and advising both in real time and post-completion to ensure that alignment to enterprise strategy and adherence to requirements are maintained through the project lifecycle. By integrating risk and compliance programs (e.g., requirements inventories, risk taxonomies and forward-looking performance metrics) at the onset of development, agile teams can reduce potential risk and compliance costs once completed projects are transitioned to business-as-usual operations. This can be done by establishing forums in which the control functions can advise and challenge agile teams at key stages in the project lifecycle and also on an as-needed basis, thereby integrating risk management into the project workflow and maintaining agility.
- Enable continuous improvement through self- assessments and risk oversight — A well-defined project oversight and change control framework is critical for maintaining agility when developing and implementing business and technology changes. In an Agile Risk Management framework, the three lines of defense work together to ensure that the newly imple-mented changes are understood, progressed further if necessary and sustainably integrated into operations:
- Business leaders perform self-assessments to validate project results against their organization’s strategic goals to determine whether further changes are needed.
- Control functions independently verify that the new processes perform according to defined expectations and adhere to internal and regulatory requirements. Furthermore, control functions can utilize forward-looking risk metrics to understand the impact of changes and tailor their oversight programs to align with new business needs, thereby optimizing effective challenge while maintaining agility.
Risk-Based Post-Implementation Activities and Analysis
Key activities are conducted based on the level of impact, risk and scale of the project
The Look Ahead
As organizations establish methods for planning and executing projects that work toward achieving strategic objectives, they should consider enhancing their technological and analytical capabilities to optimize the way risk insights are used to enable business change. Emerging strategies offer opportunities for supporting risk-enabled project management frameworks by taking advantage of technological and analytical capabilities to more efficiently deliver business and risk insights. As firms become more agile, they have the opportunity to implement equally agile strategies to more effectively manage risks arising from business and technology changes. The following examples describe such strategies:
- Internal Advisers — Control functions are starting to develop unique channels to provide specialized subject-matter insight to agile initiative teams without impeding their development and imple-mentation lifecycles. Experts in these functions (e.g., risk, compliance, security and technology) can be integrated into digital communication platforms used by agile teams to obtain key information throughout their planning and execution sprints —at their own pace and when most relevant for the agile team. For example, agile teams building a new payments platform for a financial institution integrate compliance specialists into their team communications during their development sprints to understand and manage risk associated with Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations and support the building of automated controls into the new platform to meet the requirements. The compliance specialists can also challenge and test key controls ensuring alignment to business objectives before and after the payments platform is implemented by monitoring real-time project development activity through digital communication platforms. Integrating the control functions into key stages of a project in this manner helps reduce numerous tollgates as well as time spent on waiting for risk and compliance feedback. This enables the agile teams to align their solutions to firmwide standards at the onset, without sacrificing agility and allowing risk and compliance to advise at a rapid pace.
As firms become more agile, they have the opportunity to implement equally agile strategies to more effectively manage risks arising from business and technology changes.
- Dynamic Workflow and Assessments — As agile frameworks mature, implementing a dynamic workflow supported by a single system for managing the inventory and execution of all projects across an organization can enable efficient management of projects and agile teams. The single source of truth can map projects and initiatives to process, risk and control taxonomies, integrate automated and preventive controls throughout project execution, and capture all key project information (e.g., project plans and status, completed deliverables, documentation, and control evidence). Such a workflow also enables automated monitoring, allowing organizations to achieve scalability as more projects are executed under an agile approach. The dynamic workflow also allows business leaders and control functions to run automated deep-dive analysis on in-flight projects in real time by generating tailored reports at various levels of project granularity using early risk indicators to ensure that projects work toward their defined objectives. Furthermore, post-mortem analyses on recently completed initiatives can allow control functions to assess the new equilibrium state of residual risk, and adapt their oversight plans to align with the changing business environments, ultimately resulting in operational excellence.
- Risk Bots — The advancement of artificial intelligence, in the form of natural-language algorithms and Internet of Things technologies, is enabling the application of risk data in business processes in an unprecedented way. Automated assistants can provide information on relevant requirements, real-time development testing results and risk performance metrics throughout development sprints to allow agile teams to gain deeper understanding of their failures and successes. Through advanced machine learning and natural-language processing capabilities, risk bots could advise by suggesting applicable risks and controls based on data obtained from similar projects. This technology, already being applied to customer service departments in the form of chat bots, could allow risk and compliance specialists to reallocate their time toward more analytical activities or true high-priority initiatives. In the prior example of agile teams building a new payments platform, the agile teams would be able to obtain BSA and AML requirements using risk bots. This would ensure that agile teams progress quickly and allow control functions to allocate more of their time analyzing and challenging the changes being developed.
Organizations are implementing new and creative methodologies for allowing new products and initiatives to succeed at a faster rate. This increased velocity poses new challenges and ultimately risks to business operations. By adopting an Agile Risk Management philosophy, firms can utilize technology-supported risk frameworks to achieve sustainable progress while maintaining both speed in execution and a strong risk culture. This will give organizations a competitive edge in deploying market-ready products and services that integrate with their existing business strategy and environment and maintain long-run sustainable operations.