Part 2: Risk transformation and the intersection with business transformation Download The big picture: Australia’s regulatory environment has prompted a rethink of organisations’ risk management capabilities. One area to start driving change: The Enterprise Risk Management Framework should be fit-for-purpose and cover the latest trends.Risk culture: Another key area for organisations.Go deeper: This second-in-a-series paper delves into risk transformation approaches that have proven effective. Download Topics Board Matters Internal Audit and Corporate Governance IT Management, Applications and Transformation Risk Management and Regulatory Compliance Business Performance Data, Analytics and Business Intelligence Industries Insurance Banking and Capital Markets Risk maturity is a measure of an organisation’s risk management capabilities and culture. As organisations raise their risk maturity, it enhances elements across governance and framework, processes, people and organisations, methodologies, systems and data at different speeds. This article is the second part of a two-part series on business and risk transformation, building on insights from the first part, which explores value chain risk transformation in Australia’s evolving regulatory landscape. Here, we dive into some of the effective approaches organisations take when uplifting the design of their risk management, and the synergies they have with business transformation. One of the fundamental areas to start driving change is through an organisation’s framework. As an organisation matures, it is expected to have an Enterprise Risk Management Framework (ERMF) that continues to be fit-for-purpose and cover the latest and emerging risk-related trends. The framework typically encompasses details around the risk management strategy, risk appetite, and clarity around the three lines of defence. Organisations also have continuous review and monitoring of supporting policies, standards, guidelines, handbooks and other tangential material.Organisations that may be further along in their maturity come to recognise the importance of addressing product-related issues and incidents through uplifting risk fundamentals. Since the Australian Securities and Investments Commission’s Design & Distribution Obligations and Product Intervention Powers went into effect,1 ASIC-regulated entities have invested more into product remediation programs, monitoring programs, and enhancing rigour around the product management lifecycle. They have been taking the opportunity to identify risks across the end-to-end product value chain and enhance controls and product risk management practices where practicable. Risk culture is another key area for organisations. This may entail an evaluation of existing performance metrics, incentive structures, and assessment of whether desired risk behaviours are rewarded and/or what the consequences would be for misconduct and/ or non-desirable risk behaviours. Entities regulated by the Australian Prudential Regulation Authority (APRA) should utilise guidance from APRA’s Risk Culture 10 Dimensions, which takes into account aspects across risk architecture and risk behaviours including leadership, decision-making and challenge, and communication and escalation.2Enhancing the Design of Risk ManagementBelow are areas organisations should consider.ElementsRisk Management Design Sample FocusGovernance & FrameworkRisk management frameworkGovernance structure, supporting documents, and accountabilitiesRisk management strategyTransparency around methodologies and procedures for current and emerging risks across the organisationValue chain governance and how to respond to market opportunitiesGovernance decisions for risk assumptions, constraints, priorities, tolerance, etc.Risk appetite framework and statementRisk taxonomy, metrics and tolerances consistently applied across artefactsRisk reporting across divisions that aligns back to the divisional and group risk appetite statement to ensure the right quantitative data and qualitative insights are being reported in the respective forumsContinual monitoring of risk categories and events as part of the risk taxonomyGovernance forums, accountability and decision-makingClarity and transparency around enterprise and divisional risk forum responsibilities, terms of reference and delegation authority for decision-making. Noting the Financial Accountability Regime (FAR) imposes a higher responsibility and accountability framework on the industry and its leadersProcessesProcess modellingUnderstanding critical and non-critical business processes and identifying risk, controls, obligations, third-party providers and key data dependencies. Leverage design-thinking workshopsReassess inherent risk ratings and control adequacy. Revise risk profile as appropriatePeople & OrganisationsThree lines of defencePeriodic review of target operating model across three lines of defence, assessing and aligning capability and skills, ensuring alignment to organisational design principles, entity, and business unit strategiesRisk culture frameworkAppropriately incentivise and encourage right behaviours and conductPropagating a risk-aware mindset that recognises the uncertainty of activities within the product value chain and proactively seeks to identify, analyse and respond to risksReceptive initiatives that uplift risk culture by considering APRA’s Risk Culture 10 DimensionsRegular pulse checks of risk culture across all levels of seniority and functions within the organisationInvest in risk awareness training through in-person experiential workshops for all functions to better appreciate risk management in their daily workMethodologiesDesign-thinkingApply double-diamond to reach an agreement of the problem area(s) to address and solutioniseApply Rose, Bud and Thorns throughout existing risk management, operations and business processesPrioritisation matrix and roadmap for uplift opportunitiesSystems & DataRisk reportingA standardised baseline of reporting requirements and attributes that form the foundation for ease of cross-functional comparison, product-led and/or enterprise aggregated risk reporting and insightsDefinition of what meaningful risk reporting consists of and how data should be presentedPeriodic review of organisation’s risk taxonomy, risk event categories, matrix and ratings to reflect macroeconomic changes, industry trends, regulatory requirements and other factorsEnsure central governance, risk and compliance tools are fit-for-purpose and can integrate with relevant software and other technologyClarity of data lineage, reduced time lag for data reporting, ease of data extraction, and design ofdata presentation Practical tipsWhen it comes to enhancing risk management practices, there is no one-size-fits-all. An organisation’s regulated nature, size and maturity may also determine the appropriate level of detail and uplift needed. It’s important to ensure the organisation isn’t overengineering its risk transformation. Risk management isn’t meant to hinder the growth of a company — rather, it should enable an organisation to identify, measure and manage risks according to its risk appetite, with the end goal of better managing the business, among other benefits. Driving Efficiencies: The Intersection PointRegulators such as APRA have started to highlight the importance of integrating business process management and risk management. APRA’s new Prudential Standard CPS 230 Operational Risk Management looks at strengthening the operational resilience of APRA-regulated organisations. CPS 230 requires an APRA-regulated entity to manage its operational risks by assessing the impact of business and strategic decisions on the entity’s operational risk profile and resilience, implementing operational risk controls and identifying and responding to operational risk incidents. Such organisations are required to have better transparency around the value chain of their critical processes. This includes developing and optimising business continuity plans, monitoring compliance, and reporting on any failures to comply. These requirements exemplify the focus regulators are placing on an integrated business process and risk management approach — potentially a good benchmark for non-APRA regulated entities as well.3For clarity around what risks apply across an end-to-end business or product lifecycle for example, risk events can be mapped out across the respective value chain, to consider what risks the business and/or product may encounter for each process. Once risks are identified, businesses can allocate a rating to better understand the organisation’s susceptibility. An organisation may want to consider specific exposures within its products and processes that could impact operational risk. For example, new customers must go through a Know-Your-Customer verification check. If not done properly, the organisation could be onboarding customers that don’t fit the organisation’s risk appetite. Another example is if products aren’t properly designed for their target markets, such as if a credit card designed for low-income earners actually has very high fees and interest rates built in. This could directly upset the targeted customer base, leading to a poor reputation and penalties for failure to meet consumer-related regulatory requirements.In addition to understanding risks across the value chain, it is also important for an organisation to adopt a growth mindset by evaluating the effectiveness of existing controls and determining control uplift opportunities. These can be identified through internal testing and performance monitoring, and can take the form of simplification, streamlining, enhancement or creation of controls. For example, new controls can be introduced to address emerging risks, redundant or ineffective controls can be collapsed, and existing controls can be strengthened through automation and standardisation.Organisations often use a combination of control types based on their specific needs and resources, with the preference to automate where possible to reduce human error, and to prevent the risk from occurring in the first place. Two common classifications used to categorise risk management controls are:Preventative vs. detective controls:Preventative — a control implemented to prevent a risk from occurringDetective — a type of control that seeks to reveal problems in the organisation’s processes after they have occurredAutomated vs. manual controls:Automated — a system control that automatically identifies and mitigates when a process goes beyond a risk-tolerance levelManual — manual inspection of a risk event to determine ifIn Figure 1 below, we illustrate the common areas where risk transformation intersects with business transformation. When undergoing both business and risk transformation, consider the synergies and outputs that can be better worked on together. What operating model inefficiencies have been uncovered in the product business? Are there handover points that can be streamlined? How can we ensure there is one single source of truth for data? How can we ensure systems integrate and can produce dynamic reporting? Image Implementation, Embedment and Benefits RealisationAfter the design phase, organisations gradually then transition into the development, implementation and embedment phases for change initiatives. This article does not explore these phases due to the sheer content that would be needed, but ensuring an effective change and communication strategy and plan is a key factor for these subsequent phases.Phasing out the changes across cohorts or workstreams, and deciding when and how to communicate, may allow for learnings to be applied for the remaining change areas. Appropriate monitoring mechanisms are often used throughout embedment and beyond. Checks for adherence against objectives and stakeholder feedback are some ways to carry out monitoring. It is important to monitor benefits realised, taking note of any learnings to apply during the warranty period and for any related future projects or business-led initiatives.Below are some real-life client examples to whom our subject-matter experts have provided support in delivering risk transformation initiatives.Examples of Tangible BenefitsStreamlined Controls: One member-owned organisation simplified and enhanced controls across its product value chain, leading to 20+ optimised processes, 20+ risk and control taxonomy uplift opportunities. This indirectly prevented the organisation from further non-compliance penalties and adverse reputational impact.Enhanced Governance: A banking division established a centralised risk product governance team through target operating model design and implementation, resulting in clearer accountability and more efficient decision-making around product-related risks. Product incidents became transparent and any regulatory breaches followed a standardised process for internal and external intervention.Modernised Governance, Risk & Compliance (GRC) System: An outdated GRC system was replaced with a new, cloud-based off-the-shelf solution offering better reporting, and improved collaboration capabilities.Product Governance System: A bank implemented a central enterprise-wide product governance Softwareas- a-Service (SaaS) solution for easy monitoring of product performance, and product lifecycle management. This solution replaced 6 systems with 1, and saved 50% time spend in product management monitoring and 90% of time spent preparing product risk reporting documents. The Ongoing Process of Risk ManagementRisk management is an ongoing affair where an organisation’s risk controls can be adjusted depending on business needs and drivers. Changing macroeconomic, market, geopolitical, artificial intelligence and other strategic risks require businesses to be more agile than before. Businesses should not only react to these conditions but pre-empt and mitigate the likelihood and/or impacts of them so that they can continue to operate into the future. Risk management should not be isolated to risk professionals, but rather embedded into every staff’s remit and mindset. With the right level of risk intel, businesses can then be equipped to make better-informed decisions.ConclusionWe have explored approaches and elements of both business and risk transformation, as well as their intersection points. Effective business transformation relies on a strong foundation of risk management, and effective risk management should be underpinned by clear business management objectives. By proactively addressing risks, organisations can unlock new opportunities and achieve sustainable long-term success.AcknowledgementRuby Chen, Kalina Hall, and Anthony Le contributed to this piece. [1] Australian Securities and Investments Commission “RG274 Product Design & Distribution Obligations”.[2] Australian Prudential Regulation Authority “Risk Culture 10 Dimensions,” Accessed 16 August 2023.[3] Australian Prudential Regulation Authority “Operational risk management,” Accessed 14 August 2023. Find out more about our solutions: Risk Management Consulting Protiviti helps organisations around the world assess risk and develop tech-enabled solutions to manage risk in an agile manner and minimise potential losses. We bring leading insights and innovative capabilities to help you meet future challenges. Regulatory Compliance Disruptive technologies, regulatory pressures, evolving customer loyalty, and pressure to enhance economic returns are just some of the challenges organisations need to overcome by innovating and managing their compliance risks to succeed over the next decade. Financial Services Protiviti helps finance leaders address their current challenges, prepare for future challenges, and explore opportunities for continuous growth, delivering innovative solutions and supporting finance as a forward-thinking, strategic partner for the business. Value chain mapping for risk transformation in Australia’s new regulatory environment Australia’s financial services industry continues to face evolving community expectations, regulatory change and scrutiny. A trio of new regulations has created a need to demonstrate better governance, clearer senior executive accountability across end-to-end processes and risks, and operational resilience: Read more Executive Perspectives on Top Risks for 2024 and 2034 The 12th annual Top Risks Survey report highlights top-of-mind issues for directors and executives around the globe over the next year - 2024 - and a decade later – 2034. Read more