Part 2: Risk transformation and the intersection with business transformation

Risk maturity is a measure of an organisation’s risk management capabilities and culture. As organisations raise their risk maturity, it enhances elements across governance and framework, processes, people and organisations, methodologies, systems and data at different speeds. This article is the second part of a two-part series on business and risk transformation, building on insights from the first part, which explores value chain risk transformation in Australia’s evolving regulatory landscape. Here, we dive into some of the effective approaches organisations take when uplifting the design of their risk management, and the synergies they have with business transformation. 

One of the fundamental areas to start driving change is through an organisation’s framework. As an organisation matures, it is expected to have an Enterprise Risk Management Framework (ERMF) that continues to be fit-for-purpose and cover the latest and emerging risk-related trends. The framework typically encompasses details around the risk management strategy, risk appetite, and clarity around the three lines of defence. Organisations also have continuous review and monitoring of supporting policies, standards, guidelines, handbooks and other tangential material.

Organisations that may be further along in their maturity come to recognise the importance of addressing product-related issues and incidents through uplifting risk fundamentals. Since the Australian Securities and Investments Commission’s Design & Distribution Obligations and Product Intervention Powers went into effect,¹ ASIC-regulated entities have invested more into product remediation programs, monitoring programs, and enhancing rigour around the product management lifecycle. They have been taking the opportunity to identify risks across the end-to-end product value chain and enhance controls and product risk management practices where practicable. 

Risk culture is another key area for organisations. This may entail an evaluation of existing performance metrics, incentive structures, and assessment of whether desired risk behaviours are rewarded and/or what the consequences would be for misconduct and/ or non-desirable risk behaviours. Entities regulated by the Australian Prudential Regulation Authority (APRA) should utilise guidance from APRA’s Risk Culture 10 Dimensions, which takes into account aspects across risk architecture and risk behaviours including leadership, decision-making and challenge, and communication and escalation.²

Enhancing the Design of Risk Management

Below are areas organisations should consider.

Driving Efficiencies: The Intersection Point

Regulators such as APRA have started to highlight the importance of integrating business process management and risk management. APRA’s new Prudential Standard CPS 230 Operational Risk Management looks at strengthening the operational resilience of APRA-regulated organisations. CPS 230 requires an APRA-regulated entity to manage its operational risks by assessing the impact of business and strategic decisions on the entity’s operational risk profile and resilience, implementing operational risk controls and identifying and responding to operational risk incidents. Such organisations are required to have better transparency around the value chain of their critical processes. This includes developing and optimising business continuity plans, monitoring compliance, and reporting on any failures to comply. These requirements exemplify the focus regulators are placing on an integrated business process and risk management approach — potentially a good benchmark for non-APRA regulated entities as well.³

For clarity around what risks apply across an end-to-end business or product lifecycle for example, risk events can be mapped out across the respective value chain, to consider what risks the business and/or product may encounter for each process. Once risks are identified, businesses can allocate a rating to better understand the organisation’s susceptibility. An organisation may want to consider specific exposures within its products and processes that could impact operational risk. For example, new customers must go through a Know-Your-Customer verification check. If not done properly, the organisation could be onboarding customers that don’t fit the organisation’s risk appetite. Another example is if products aren’t properly designed for their target markets, such as if a credit card designed for low-income earners actually has very high fees and interest rates built in. This could directly upset the targeted customer base, leading to a poor reputation and penalties for failure to meet consumer-related regulatory requirements.

In addition to understanding risks across the value chain, it is also important for an organisation to adopt a growth mindset by evaluating the effectiveness of existing controls and determining control uplift opportunities. These can be identified through internal testing and performance monitoring, and can take the form of simplification, streamlining, enhancement or creation of controls. For example, new controls can be introduced to address emerging risks, redundant or ineffective controls can be collapsed, and existing controls can be strengthened through automation and standardisation.

Organisations often use a combination of control types based on their specific needs and resources, with the preference to automate where possible to reduce human error, and to prevent the risk from occurring in the first place. Two common classifications used to categorise risk management controls are:

1. Preventative vs. detective controls:
   • Preventative — a control implemented to prevent a risk from occurring
   • Detective — a type of control that seeks to reveal problems in the organisation’s processes after they have occurred
2. Automated vs. manual controls:
   • Automated — a system control that automatically identifies and mitigates when a process goes beyond a risk-tolerance level
   • Manual — manual inspection of a risk event to determine if

In Figure 1 below, we illustrate the common areas where risk transformation intersects with business transformation. When undergoing both business and risk transformation, consider the synergies and outputs that can be better worked on together. What operating model inefficiencies have been uncovered in the product business? Are there handover points that can be streamlined? How can we ensure there is one single source of truth for data? How can we ensure systems integrate and can produce dynamic reporting?

Image

Implementation, Embedment and Benefits Realisation

After the design phase, organisations gradually then transition into the development, implementation and embedment phases for change initiatives. This article does not explore these phases due to the sheer content that would be needed, but ensuring an effective change and communication strategy and plan is a key factor for these subsequent phases.

Phasing out the changes across cohorts or workstreams, and deciding when and how to communicate, may allow for learnings to be applied for the remaining change areas. Appropriate monitoring mechanisms are often used throughout embedment and beyond. Checks for adherence against objectives and stakeholder feedback are some ways to carry out monitoring. It is important to monitor benefits realised, taking note of any learnings to apply during the warranty period and for any related future projects or business-led initiatives.

Below are some real-life client examples to whom our subject-matter experts have provided support in delivering risk transformation initiatives.

The Ongoing Process of Risk Management

Risk management is an ongoing affair where an organisation’s risk controls can be adjusted depending on business needs and drivers. Changing macroeconomic, market, geopolitical, artificial intelligence and other strategic risks require businesses to be more agile than before. Businesses should not only react to these conditions but pre-empt and mitigate the likelihood and/or impacts of them so that they can continue to operate into the future. Risk management should not be isolated to risk professionals, but rather embedded into every staff’s remit and mindset. With the right level of risk intel, businesses can then be equipped to make better-informed decisions.

Conclusion

We have explored approaches and elements of both business and risk transformation, as well as their intersection points. Effective business transformation relies on a strong foundation of risk management, and effective risk management should be underpinned by clear business management objectives. By proactively addressing risks, organisations can unlock new opportunities and achieve sustainable long-term success.

Acknowledgement

Ruby Chen, Kalina Hall, and Anthony Le contributed to this piece.