Tightrope walker on mountain

Risk efficiency and effectiveness

Getting the balance right

Justin Elks, Partner, Head of Risk Consulting and Isaac Alfon, Director, Risk Consulting
21/08/2023
Tightrope walker on mountain

Risk and compliance functions are used to considering the effectiveness of their approaches against good practice guidelines and regulatory requirements. The same sort of rigour should be applied to considering the efficiency of risk and compliance in the business. This can result in a lower cost, more efficient and effective operating model, and an increased return on the investment in risk and compliance activity.

Risk management and regulatory compliance are well-established disciplines in financial services, yet there continue to be challenges around risk effectiveness, and increasingly about efficiency. Why is this, and what can companies do about it?

Risk management is the art of helping an organisation to achieve its objectives by understanding the uncertainties that it is susceptible to, and – most importantly – doing something about them through its strategy, business activity and decision making.

Risk management and compliance functions have been a feature of the organisational models of financial services and insurance companies for some time. Yet we see increasing numbers of companies considering how to enhance risk and compliance approaches to increase not just their effectiveness but also their efficiency.

No organisation wants to reduce the effectiveness of risk management or increase regulatory scrutiny. However, while systems may be effective in meeting regulatory expectations, increasingly organisations can feel they have the worst of all possible worlds - an approach which they do not feel is providing benefits, while being cumbersome and expensive to operate.

Why is this the case?

We think there are five main reasons.
Unclear or shifting stakeholder expectations

Sometimes the board, CEO and CRO and/or Chief Compliance Officer have not had a clear and honest conversation around what the focus, scope and remit of roles needs to be at a point in time, and how priorities can be balanced. In the absence of clear guidance, control functions have no option but to focus on what they see as the key priorities; but without having a clear steer about needs and priorities, frustrations can arise on all sides.

If expectations are initially clear, stakeholder expectations can change over time. Organisations can increase in size. Owners can change. Perceived levels of risk to regulators’ statutory objectives can change. Regulatory views on how organisations ought to be managing their risks also evolve and change, as their objectives change and as their own stakeholders clarify expectations. This can place more guidance and requirements on firms. Even where these are not aimed at the risk function directly, these changes typically require the risk function to re-consider its approaches in the context of changing stakeholder requirements.

Focusing on the function instead of its broader insight, impact and output

We often see, through regular consideration of mandates and effectiveness reviews, companies seeking to get a view on the effectiveness of their second line functions. However, all too often this consideration can focus on the coverage and approach to processes and reporting, without giving sufficient consideration of the impact of the functions – how do they and their processes have an impact on decisions. They produce a lot of volume and input, but do they provide valued insight and output?

First line resourcing often a source of unresolved tension

It is often said, risk management and compliance are everyone’s business. In other words, effectiveness and efficiency of risk management and compliance is a business challenge and not just the challenge of the risk and compliance functions themselves. Fundamentally, it is about a dialogue - how the rest of the business (the first line) can deliver against internal and external risk management expectations.

Often first line resourcing of risk and compliance activities can be a significant source of tension within a business. Many businesspeople still feel risk and compliance is 'done to' them rather than 'done with' them, by technical experts who lack business experience and pragmatism. This can have a negative impact on their confidence and ability to make risk-based decisions.

Equally, some risk and compliance functions feel they are the only people worrying about managing risk and regulatory compliance and are making up for the deficiencies of the wider business, which detracts from their ability to provide support and challenge.

Changes in risks and uncertainty as to how they will evolve
Risk management and compliance need to evolve as the risks faced by businesses evolve. It is often said we live in an increasingly volatile, uncertain, complex, and ambiguous world, where risks are continuously evolving and changing. An organisation’s understanding of risk evolves in complex areas as more detailed understanding and data is obtained – as in the case of climate. As risks become more complex, risks become more difficult to measure and compare to appetite. Risk-based decisions must be taken with imperfect information or metrics, and the approach to risk management needs to evolve to keep pace with changes in risks.
Regulatory project management and implementation increasing layering and inefficiency and worsening effectiveness

For many years, the change agenda of leaders of risk and compliance functions has been dominated by the need to respond to increased regulatory requirements. As regulatory requirements can themselves be complex and ambiguous, and required implementation is typically required under relatively tight timescales, change has typically been undertaken in discrete projects led by technical experts. As a result, the focus of project delivery is often about ensuring the core activity gets delivered in line with required deadlines.

While in the past companies under pressure to meet deadlines would follow an ineffective ‘tick box’ type approach, requirements are now much more principles based. As a result, requirements are typically met by ‘layering on’ additional activities or sometimes by creating a new ‘framework.’ Few organisations typically feel they have the time and space to consider how they can refine their operating model more holistically to reflect regulatory requirements ‘by design’ and capture wider business benefits.

While these approaches could ensure that regulatory expectations are met, they do not typically contribute to the effectiveness and efficiency of risk management. Sometimes we hear concerns about the costs of ‘layering on’ these changes, and the extent to which risk management and compliance across an organisation is efficient. In other cases, we see increasing confusion in the business about how different initiatives fit together. Sadly, it is much less often we hear people speaking of the tangible business benefits of the work.

What can firms do about this? 

Getting the balance right

While there is value that can be delivered by seeking to enhance the efficiency of risk and compliance activities in the business, it is important to recognise that this work is complex and stakeholder expectations are critical. Regulators are focused on ensuring effective risk and compliance arrangements so changing arrangements from the perspective of efficiency risks being seen as negative – a reduction in focus, and therefore of effectiveness - with the risk of increased regulatory scrutiny.

As a reaction to perceived inefficiencies, and sometimes as part of a broader cost reduction programme, sometimes first line and finance teams start to focus only the efficiency of the processes and resources that allow the business to manage its risks in a timely manner. There is a danger that this approach will fail to consider the required effectiveness. If efficiency is considered on its own, or without a lens on effectiveness, there can be unintended consequences for the risk management and compliance in the business and alignment with regulatory expectations. This can happen inadvertently; particularly where requirements are complex or were implemented in a 'layered' manner with interdependencies that are not well understood.

Effectiveness and efficiency can be seen as opposites; however, we believe a sharper focus on efficiency is a sign of enhanced risk maturity. Done in the right way, increasing efficiency can reduce cost and complexity, increase embedding, and ultimately improve effectiveness. A well-understood, efficient approach to risk management and compliance that is well-understood by the wider business can be better implemented and embedded. It is therefore likely to be much more effective and sustainable in practice. 

 

Getting started

To mitigate these risks and build a sound business case, we typically recommend a focused diagnostic phase. This has proved to be of value across a number of types of projects – whether looking at a specific process area (such as the effectiveness and efficiency of a strategy and planning process), specific areas of business decision making, or at a particular problem or challenge (such as inefficiencies and overlaps between risk and compliance).

We recommend this approach for three reasons:

  • the significant variety in the nature, size and complexity of businesses, and the different roles often undertaken by the first and second lines of defence, and their teams and departments, means that there isn’t a one-fits-all path to enhancing efficiency and effectiveness
  • it can be helpful to start by looking at effectiveness, then move on to look at optimising efficiency having assurance yourself that the underlying process and outcomes being achieved meet your expectations for effectiveness from design and performance perspective
  • different  tactical solutions can be applied to achieve a given strategy. For example, an organisation wanting to address the balance of risk-focused resources across the first and second lines of defence could do so by a combination of: refining the formal structure of risk and compliance; adjusting responsibilities and accountabilities across the organisation; building capabilities in key areas; and/or refining ways of working between teams.

A diagnostic phase will help by exploring the challenges and identifying the most cost-effective solution options, which can then be assessed and considered in more depth, saving time and effort. 

Assessing and improving effectiveness and efficiency is more than an analytical challenge. It is also a communication and engagement challenge with the client and with senior management. The role of the project sponsor, typically the CRO, CEO or CFO, is vital in laying out initial hypotheses about effectiveness and efficiency, and guiding engagement with senior management.

While these projects typically start as an opportunity to validate concerns about effectiveness and efficiency, and develop solutions for remediation, it is not unusual for the engagement process to lead to a significant change in perspective on the nature of the problem, or the best solution to resolve it. This makes it even more important to engage an external perspective in this work. Equally, it is important that the process of coming to solutions is collaborative. Solutions created in partnership with key stakeholders in the business are more likely to be efficient, and sustainable for the longer-term.

The case for change

Risk and compliance functions are used to considering the effectiveness of their approaches against good practice guidelines. The same sort of rigour should be applied to considering the efficiency of risk and compliance in the business through: 

  • increased clarity about roles and responsibilities with the right people involved at the right time
  • integration of processes and tools into first-line activity, resulting in greater engagement and effectiveness
  • reduced overlaps and duplication of activity
  • reduced dependence on key people
  • more timely, forward-looking insights that feed into management information and reporting
  • improved risk culture, enhanced understanding, and ownership of risk throughout the business
  • an increased ability to measure progress in efficiency and effectiveness
  • a greater confidence in risk activity and risk-based decisions.

In subsequent articles and posts we will explore challenges and opportunities we have helped clients address and capture. We will provide tangible examples and practical tips as to how organisations can enhance the efficiency and, through this, the effectiveness of their risk and compliance approaches.

How Crowe can help

We are experienced in looking at the effectiveness of risk and compliance, and are increasingly helping organisations to enhance the efficiency and effectiveness of risk and compliance approaches through:

  • efficiency and effectiveness assessments – helping you to identify, diagnose and prioritise the opportunities, and build the business case for enhancement
  • design and delivery of enhancements to enhance efficiency and effectiveness, including the following areas:
  • functional structure and organisation
  • responsibilities and accountabilities
  • governance
  • capabilities
  • culture
  • ways of working
  • decision making
  • infrastructure and technology
  • data and models
  • management Information
  • process and framework optimisation
  • planning and managing risk change and transformation programmes - to improve efficiency and effectiveness
  • reviewing and enhancing change and transformation approaches - to address efficiency and effectiveness ‘by design'.

For an initial discussion, please get in touch with Justin Elks or Isaac Alfon.

Contact us

Justin Elks
Justin Elks
Partner, Head of Consulting
London