Many organizations have failed to keep pace with changing trends in risk and compliance. Resource allocation for many risk and compliance initiatives implemented under pressure of a crisis to demonstrate urgency and prioritization or regulators has proven to be unsustainable.
“Firefighting” projects have diverted funds from areas such as customer-facing upgrades and critical investment in creaky legacy systems and have increased the overall cost structure for risk and compliance, restricting business growth. Attempts to effectively build complex processes on inadequate infrastructure have increased headcount and slowed down critical processes. Meanwhile, as firms fight fires, they are losing sight of the real benefit of risk management: looking ahead to identify threats and opportunities.
In an ever-changing environment, boards of directors and senior management need to recognize that current spend on risk and compliance efforts must be arrested and/or start to shrink while also providing added business value.
All those in risk management and compliance roles will need to maximize the resources that have to remain effective. The prevailing model, in which control functions, including the first, second and third lines of defense, tend to be siloed, manual and reactive, is exacerbating the problem. Too often, these functions employ a reactive din-and-fix model, which expends time and resources firefighting immediate issues, such as regulatory actions or internal audit findings within their individual risk silos, rather than working collaboratively on value-added activities such as risk identification and mitigation.
This is not a recent phenomenon. Risk is stuck in a reactionary cycle, where risk and compliance breakdowns are consuming valuable time and resources that could be deployed elsewhere to enable growth and innovation within the business. For risk management to evolve, this cycle needs to be broken; firms that are constantly fighting fires cannot deal with emerging risks and issues.
Firms have recognized that they need to become more efficient in managing risk, compliance and internal audit requirements. Some have made advances in ensuring that the control functions work more closely together, but generally processes still take took long and are mostly manual, with risk management and compliance activities remaining detective rather than preventative.
Likewise, point-in-time solutions for improving risk management, including regulatory compliance, are no longer adequate for firms seeking to create a more effective and efficient risk framework; risk solutions must be agile. The crises of tomorrow will be different from the crises of the past – they will require agile and effective risk management and compliance functions that can move aware from constantly analyzing and reviewing historical information to forecasting future horizons. Equally, risk management and compliance must operate more like business functions to provide value through being agile, responsive and more forward-looking to help enable success for the business.
The time has come for proactive organizations to take the lead by adopting an agile risk management framework to better meet the challenges of today’s customers, shareholders and employees, and of the risk and regulatory environment.
You can read more on this topic in Agile Risk Management: Re-Engineering Risk Solutions to Enable Business Strategies and by exploring these risk management tools on KnowledgeLeader: