Many CROs may well be asking themselves this question after April's press coverage of Lloyds Banking Group's plan to cut jobs in risk management. It was reported that a review of its three lines of defence structure had concluded the risk function was "a blocker to strategic transformation" and didn't encourage intelligent risk taking. In the internally leaked memo, the group CRO reportedly quoted "time-consuming processes and ingrained ways of working that impede our ability to be competitive".
But do turkeys vote for Christmas? Despite the risk and compliance community's vitriolic reaction, this is only the type of challenge that risk and compliance functions offer to other parts of their business.
In more than 20 years working both within risk and as a consultant, I have often heard it said that risk management is in its adolescence; it is still rare for organisations to think their risk and compliance approaches are fully mature. In that time, there has been a significant increase in investment and cost, often driven by regulation.
From a positive perspective, most organisations have moved past a 'tick box' mentality to risk and compliance. What has been created can, though, result in a build-up of 'layers' of requirements. Each complex regulatory requirement is added through discrete projects with tight deadlines, often without a focus on embedding and streamlining. Enhancements to the operating model are promised for 'day two'; but that day never comes as the focus rapidly moves to the next time-critical project. Second line functions are left needing to allocate precious resources to sub-optimal processes.
This creates a situation we can often see today – a patchwork of layers of risk and compliance activity that is costly to operate and very difficult for normal businesspeople to fully understand and engage with.
So, what do you do if your CEO calls you into their office and asks you this fateful question? Here are my six tips for success:
Such challenges can provide the impetus to get some perspective from your colleagues – what do they really think of your team? What positive impact is the team having in practice? Are there any areas where they think you duplicate, add to bureaucracy, or create things that people don't need?
While this could be seen as weakness, I think relationships and the buy-in to risk and compliance activities are strengthened by this healthy dialogue. You can also talk to peers, or even some friendly consultants, to get an external perspective.
One option would be to benchmark the size of your function against peers. While I understand the desire to justify functional size, I would advise you to resist this temptation. How risk and compliance responsibilities are discharged and allocated across organisations is often very different, with different mandates and focuses depending on the nature of their organisations.
The key weakness of benchmarking is that it typically focuses on the function and not the activity. It can provide you with a view on the relative cost of your risk and compliance functions. But to focus on cost and efficiency, what you really need is a view on the level and quality of resource dedicated to risk and compliance across the organisation – the total cost of risk and compliance. Whether risk and compliance are efficient and effective is about the balance of resource across the lines of defence. You can have the best second line function in the world, but if the first line is under-resourced or disengaged, the second line will have a limited impact on your business.
Thinking across the organisation often requires consideration of 'line 1.5' or 'line 1b' functions, where people report into risk takers but support aspects of risk and compliance. Views on these functions vary – sometimes they are seen as creating confusion or duplication, or as acting as a barrier to embedding risk and compliance fully in business processes and decision making. In other cases, they can be a helpful source of efficiency. I'm pragmatic about their role, so long as the organisation has set them up for success by being clear what they are trying to achieve and the boundaries of their roles.
While the direction of travel in functions is currently to drive efficiency – by more closely coordinating and integrating risk and compliance activity and shifting more accountability from the second to the first line – this sort of transition needs to be managed carefully. No CEO is going to thank you in the long run for throwing responsibilities over the fence without ensuring your colleagues in the first line are well equipped to perform their newfound responsibilities well. The road to many a skilled person review or regulatory intervention started with this approach.
Given a clear sense of the challenges, it's time to think about appropriate solutions. I encourage people to think innovatively, and in the context of your organisation. Sometimes it's enough to change structure and responsibilities; sometimes capability needs to be improved through training or through changing the mix of skills; sometimes functions just need to find a better way of working together. Generally, it will need a combination of changes to be successful.
In child psychology, the move from adolescence to adulthood is often characterised by a change in mindset and relationships, primarily being less insular and forming better relationships with the wider community. A change in mindset and relationships can help to move risk and compliance functions towards adulthood, weaning themselves off a parent-child dependence on regulators for their mandate.
While it might seem risky for CROs, being asked to look at the cost of risk and compliance is as much of an opportunity as it is a threat. In practice, a more efficient approach to risk and compliance can be easier for the wider business to engage with – making it more effective in its influence and impact on decision making and making an increasing contribution to the success of your business. Risk and compliance have a key role to play in getting the balance right between protecting and creating value; and balancing this is a challenge CROs face in managing their own personal risk appetites. Sometimes to manage risk most effectively, the best course of action is to take more risk. Perhaps CROs shouldn't wait for the CEO or CFO to ask but should lean into this challenge proactively.
For more information, please contact Justin Elks.
This article was first published on InsuranceERM June 2024.