Risk appetite, culture and responsibility are key in establishing a proactive value-adding risk management function.

At the heart of any entrepreneurial venture is the basic relationship between risk and reward. And whilst any successful business has at the helm minds which have managed risks, differences in the maturity of risk functions across different enterprises abound. Although the more risk-mature models manage risks efficiently and effectively, we believe that today's organisations need to re-imagine risk management so that it becomes a value creator in its own right.

The risk landscape that faces our businesses is indeed a rich one. Key risk areas include cybersecurity, sustainable finance, regulation, people, operational resilience, fraud & financial crime, third party management to name but a few of the risks that are currently consuming most of the Three Lines of Defence's bandwidth within organisations. Added to these, we cannot neglect risk areas which have been there for years and continue to require attention: credit, liquidity, corporate governance.

Today's chief risk officer has to keep tabs with a growing list of risks: some of which will be increasing in importance, others which are more stable and others yet that are becoming less relevant with the passage of time. And whilst the 'back-of-the-envelope' risk list set out above will apply to different sectors in varying ways, the implication is inevitable - the risk function has a crucial role in helping the business navigate through its risks.

In all this, risk management is typically structurally separated from front-line decision-making. Often risk functions are reactive and deemed by business decision makers as those that "put the breaks" on business. Whilst some organisations manage to bridge this divide when making the initial investment decisions, fewer manage to keep this strong partnership bond between First and Second Line for ongoing risk (and compliance) processes. This is certainly not the optimal use of the resources employed to manage risks. It is time to unlock the potential there is hidden within risk functions.

The greatest value to be obtained from the Risk Function is when there is the belief that the game is one of opportunity rather than of risk, one of proactiveness rather than reactiveness. Seizing opportunity means that each risk decision becomes a means not only to achieve business growth but also to become more trusted by the external stakeholders. An 'offensive' stance is where you spot potential risks early, making good strategic decisions through insights gained from useful and relevant data.

To achieve this change in risk management requires that the enterprise takes the right steps in relation to Risk Appetite, Risk Culture and Risk Responsibility.

Risk Appetite needs to be set from the top and translated into an enterprise-wide risk strategy and risk management framework. It also needs to be firmly, unequivocally and consistently communicated through all levels of the organisation, including the Board. This communication can take various forms from printed/online messaging, to information sessions and to the continuous alignment of remuneration, incentives and KPIs with this appetite to ensure that appropriate behaviour is re-enforced. Despite pressures to do so, organisations cannot fall into the trap of reaching short-term goals without considering the long-term ones.

Achieving the right Risk Culture is also key to enabling risk management in providing greater value. Risk Culture within enterprises has a habit of swinging from one extreme to the other. And at present, with the greater scrutiny of external stakeholders, risk functions (and the workforce in general) have a tendency to be very risk averse. We should, rather, aim to make the organisation 'risk aware': fully knowledgeable of the entity's risk appetite, the business should be in the hands of people who are fully aware of the risks and parameters in which to operate and seize opportunities.

This leads to the reversal of the siloed manner in which the business functions often operate from the risk and compliance functions. Managing risk should certainly not be the responsibility of the Second Line only - it is the responsibility of everyone within the organisation. From their end, Second Line functions must continue fostering a valued business partnership with the First Line, by keeping business goals central in the day-to-day execution of their work.

The change in mentality to proactively manage risks requires a transformation which will launch the risk management approach that your organisation needs to have in place. KPMG's reference model of the risk function is built upon a number of components covering:

  • the overarching elements of Strategy, Vision and Risk Management framework;
  • the function's organisational framework;
  • operational, day-to-day elements of the function; and,
  • performance monitoring in place for the function.

Data and technology underpin the success of this transformation. Significant data is created within organisations - but without proper tools, leveraging data becomes impossible. The right technology allows for the organisation and analysis of such data, whilst ensuring that data quality is kept high. When one platform allows different parts of the entity access to such data, further alignment of the different parts of the business is achieved. One such application is KPMG's Risk Hub, a managed service developed through a global alliance with IBM. Risk Hub is particularly powerful in that it integrates information and data across all levels of the business and brings to the users a holistic view of risks. Risk Hub avails of Artificial Intelligence capabilities to achieve ongoing monitoring of the risk profile of an organisation, as well as automating a number of processes to free people up to focus on higher-value tasks.

Achieving this transformation will not take place overnight. It needs a clearly designed path, proportionate investment and ongoing monitoring. It is, however, the path that leads to a return to the resources employed in a risk function as it allows for identifying and capturing opportunities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.