A midsize bank wanted to go completely cloud native: modern core-technology architecture, agile, and DevSecOps. It moved aggressively, recruiting top engineering talent and automating many controls. However, it quickly realized that it needed to bring its risk and security functions along on the transformation journey. These control teams were still using traditional risk-and-security management practices in the new operating model and couldn’t keep up with the new, faster ways of working. As a result, the company’s regulatory-examination team found deficiencies in its control partners’ ability to provide credible challenge, and the need for remediation ultimately delayed the release by about five months.
Unfortunately, this situation is all too familiar in many sectors when companies undertake large-scale digital transformations. In many cases, they focus initially on how to be more digital—move at speed, use data to make decisions, respond rapidly, and so on—and only later think about risk and compliance. At a small scale, this is fine because companies can muscle through issues on an exception basis. But as companies scale from ten agile teams to 40 or more, that ad hoc approach breaks down.
This is particularly worrisome because 60 percent of companies we analyzed still have only ten or fewer working agile teams in operation, and only 14 percent have more than 35 (Exhibit 1). To scale their transformations, they will need systems in place that can provide necessary leverage and support to agile teams, particularly for control functions such as risk, compliance, legal, cybersecurity, and safety. While banking has been at the forefront of these issues due to the highly regulated nature of the sector, the issues are similar and relevant in other industries as well.
New pressures on risk and compliance
In our experience, many companies have accepted the notion of “risk by design,” where the risk function is embedded into the development process. The issue, however, is that few know what the risk issues are or how to systematically approach them (see sidebar, “Types of transformation risk”). In fact, our survey of 100 C-suite leaders and business-unit heads from companies across industries and around the globe found that almost half of them had difficulty understanding the risks generated by digital and analytics transformations—by far the top risk-management pain point.
Even when companies do appreciate the importance of managing risk correctly, their efforts are often on a surface level, such as setting up forums between first- and second-line risk, taking a limited set of risk actions within a single organizational silo, or adopting a few agile ceremonies, such as stand-ups. Risk teams sometimes try to force-fit traditional practices into the transformation framework and, as a result, simply can’t keep pace with agile development teams, leading to further tech and regulatory debt.
The price for not keeping up will just keep rising in the form of significant delays, regulatory scrutiny when companies are unable to provide credible challenge in the new environment, or (worst of all) risk failures and large penalties. A revenue boost of $200 million generated by a digital transformation doesn’t mean much if a company is fined $300 million in related risk-violation penalties. Simply put, companies need to actively account for risk in their digital transformations or they may destroy the value that digital creates.
Avoiding these costly breakdowns during a digital transformation requires a fundamental change in the risk-and-compliance function at an enterprise level. In particular, we’ve found that the best companies establish active collaboration between risk, security, IT, and the business units. They have a comprehensive understanding of the changes needed at the operating-model, technology, and culture levels, and a coordinated approach to the actions to take and in what order. Our analysis shows that the most successful companies significantly outstrip their peers in a few specific actions, including retraining personnel, automating processes, and using new tools.
Companies that make this enterprise-level shift see significant benefits. Not only do they avoid fines and breaches; they are also able to accelerate the pace of their digital transformations and improve customer experience. We’ve also found that remediating risk-function defects through better governance and management earlier in tech delivery can reduce remediation costs by about 10 percent, while embedding tech-risk management in technology delivery can reduce defects by 50 percent. One financial institution was able to reduce overhead by 85 percent by embedding technology-risk nonfunctional requirements (NFR) in Jira backlogs, and it was able to deploy new code 90 percent faster by embedding security checks into agile sprints rather than requiring stage-gate review.
Six concrete actions
We have found that successful risk-and-compliance functions focus on six coordinated actions during digital transformations (Exhibit 2). That point about coordination bears emphasis. Leaders we’ve spoken to have often made progress on one or two of these actions, but rarely more than that, with the result that risk-and-compliance efforts continue to fall short of where a “digital-first” business needs them to be. Successfully implementing these six actions requires leaders and teams in security, risk, IT, and the business unit to work together. Embedding more risk decision making with the front lines, for example, can’t happen unless the corresponding business unit commits to training its people on risk.
1. Increase risk ownership at the first line of defense
For risk management to be more than an afterthought, agile teams working on the front lines need to own it and be accountable for it. That requires sufficient tools and training (see more in actions 3 and 6), of course, but the key point is that teams on the front lines have to be given specific decision rights and encouraged to focus on risk from the very beginning. This helps to avoid the “not-my-job” mindset that undermines risk efforts.
Leadership must spend the time to be clear about management and oversight responsibilities, including governance, standards, guardrails, and risk taxonomy. At a large European bank, for example, increasing risk ownership at the first line of defense not only reduced the number and severity of risk issues but also significantly increased speed to market.
2. Identify and manage risk in a more agile way
To rapidly identify and remediate risks, regular agile events (such as quarterly business reviews and release planning) should include risk discussions from the very beginning of the transformation, with clear roles defined for both the first and second lines of defense. This “shift left” approach does not destroy credible challenge; it just moves it earlier in the life cycle and gives regulators something concrete to measure against. Advanced organizations maintain a pool of experts with various risk profiles (operational, compliance, price, reputational, security, and so on) that can be embedded into working agile teams as needed. Risk assessments then happen in the regular flow of development (Exhibit 3).
At one financial-services company, this approach not only helped to bring down the number of defects the products delivered but also streamlined the risk and governance processes, reducing the number of governance review groups from 33 to seven.
3. Modernize risk identification
Our analysis indicates that, although 75 percent of companies have not adequately assessed their digital-transformation risks, those that have done so have experienced a 75 percent increase in risk understanding. While this may seem obvious, in practice companies rarely do it at sufficient granularity. Top companies adopt a thorough risk taxonomy and implement an integrated and comprehensive risk assessment that covers all digital and analytics risk areas, such as third party, people and capabilities, audit and compliance, and change risk/overspend (Exhibit 4). This effort helps to identify and monitor risk and develop mitigation activities.
Our analysis further revealed that companies with the most mature risk practices manage risks in a single place so they can more easily track and address them. We have found that advanced organizations are also increasingly using automated risk-assessment tools on every new feature or user story. These help product owners review the risks associated with new features right from the start of the development process. They also use quarterly business reviews (QBRs) to anticipate risks and work through how to address them.
4. Automate controls
Top companies automate not only risk controls but also their monitoring and testing (for example, compliance as code) to ensure that risk-related requirements are being met. Controls such as segregation of duties, code reviews, and application security testing (Exhibit 5) can also be automated and embedded within the existing continuous-integration and continuous-deployment (CI/CD) flow, so that every change carries its own evidence that the control was applied. Many companies run into issues during the automation process because the technology and risk organizations don’t have a clear view of priorities. Consequently, the automation process is haphazard or generates only the limited value of automating legacy processes as they stand. Organizations that successfully automate the risk function, on the other hand, prioritize the technology backlogs that address material risk areas as well as speed to market.
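As an added illustration of what “compliance as code” looks like in a CI/CD flow (example code written for this page, not a tool from any of the companies described), the following gate evaluates three of the controls named above against a change record: segregation of duties, code-review evidence, and application security testing. The record format, the required-scan list, and the sample changes are all constructed assumptions; a real pipeline would assemble the record from its version-control and scanner outputs.

```python
"""Compliance-as-code control gate (added example, not from the article).

Assumed input: a change record the pipeline assembles from the VCS and
scanners. Every field below, and the sample data, is a constructed
assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the policy requires these scans to have passed before merge.
REQUIRED_SCANS = {"sast", "dependency-scan"}


@dataclass
class ChangeRecord:
    change_id: str
    author: str
    approvers: List[str]
    merged_by: str
    scans: Dict[str, str]   # scan name -> "passed" / "failed"; absent = not run
    target: str             # deployment target, e.g. "production"


@dataclass
class ControlResult:
    passed: bool
    findings: List[str] = field(default_factory=list)


def evaluate_change(rec: ChangeRecord) -> ControlResult:
    """Apply the three controls and return findings as auditable evidence."""
    findings: List[str] = []

    # Control 1: segregation of duties. At least one approver must be someone
    # other than the author, and the author must not ship their own change.
    independent = [a for a in rec.approvers if a != rec.author]
    if not independent:
        findings.append("SoD: no approver independent of the author")
    if rec.target == "production" and rec.merged_by == rec.author:
        findings.append("SoD: author merged own change to production")

    # Control 2: code review. Some approval must be recorded at all.
    if not rec.approvers:
        findings.append("Review: no approval recorded")

    # Control 3: application security testing. Each required scan must have
    # run and passed; a missing scan is a failure, not a pass.
    for scan in sorted(REQUIRED_SCANS):
        status = rec.scans.get(scan)
        if status is None:
            findings.append(f"AST: required scan '{scan}' did not run")
        elif status != "passed":
            findings.append(f"AST: scan '{scan}' status is '{status}'")

    return ControlResult(passed=not findings, findings=findings)


def evaluate_all(records: List[ChangeRecord]) -> Dict[str, ControlResult]:
    return {r.change_id: evaluate_change(r) for r in records}


# Constructed sample changes (not real data).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1", "alice", ["bob"], "bob",
                 {"sast": "passed", "dependency-scan": "passed"}, "production"),
    ChangeRecord("CHG-2", "alice", ["alice"], "alice",
                 {"sast": "passed", "dependency-scan": "passed"}, "production"),
    ChangeRecord("CHG-3", "carol", ["dave"], "dave",
                 {"sast": "failed"}, "production"),
]


if __name__ == "__main__":
    for change_id, result in evaluate_all(SAMPLE_CHANGES).items():
        verdict = "PASS" if result.passed else "BLOCK"
        print(f"{change_id}: {verdict}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The point of returning findings rather than a bare yes/no is that the same record doubles as the artifact a second-line reviewer or examiner can inspect, which is how the gate replaces a stage-gate meeting without removing the challenge.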
5. Invest in shifting mindsets
Even when the risk function and other teams work together, they can still butt heads. Risk experts block business initiatives because the initiatives’ risk controls are insufficient, for example, while the business regards risk control as a source of constant delays. That needs to change. Risk needs to be part of everyone’s job. One area that companies tend to overlook in this regard is the value of having the second line of defense—typically, risk subject-matter experts—more closely involved in daily team activities so that they can participate more in finding solutions rather than just challenging risk (still maintaining their objectivity, of course).
While training (see action 6) and clear roles and responsibilities help, one of the most effective ways to effect mindset shifts is by building risk-related objectives and key results (OKRs), such as open remediation activities and time to remediation, into performance management. These metrics have an even greater effect on mindsets when product owners have accountability for them; some companies even have them specifically sign and certify the scorecards.
6. Upskill and manage talent
While plenty of transformation funding goes to engineering and development, risk—particularly the second line of defense—rarely sees much of it. That neglect hamstrings the risk function and ultimately undermines the digital transformation itself. Building up a solid, digital-ready risk-and-compliance function requires investment in new hires and in upskilling existing talent. Acquiring the kind of talent that can balance risk and digital requires some creativity.
One US bank, for example, decided to hire former top tech architects and train them on risk. Upskilling people requires a clear understanding of the specific risk-control skills for which they need training and well-developed programs (for example, to train the trainers) to scale the training across the organization. A financial-services organization trained its product owners (the second line) to incorporate risk controls and processes into the team backlog. These people then became trainers and helped the first-line teams adopt key risk-management practices (such as version control and security checks) in their development process.
A successful transformation, risk controls included
A US bank realized it needed to become more digital, so it launched an enterprise-wide agile transformation across its business and technology functions. As leadership was creating the transformation blueprint, however, they spotted a big problem: the risk-control team wouldn’t be able to keep up with the increased flow of products that the new agile teams would generate. So they pulled in a senior product owner from the second line to partner with the transformation team to reengineer risk processes to not only enable the transformation but also strengthen the business’s overall risk posture.
One of the areas addressed was governance, which typically required more than 30 meetings to get the various approvals needed for each product. The team noticed that, in many of these meetings, the product team was asked the same questions, so they eliminated the meetings that were redundant. They also assigned a point person from risk to work with the product teams to identify risks, make remediation recommendations, and make sure risk was prioritized in the backlogs. Providing a single point of contact also greatly clarified who had risk responsibility, a big issue before, when there sometimes were as many as 40 to 60 stakeholders for a given product but no certainty about who was actually in charge.
To help manage the program, the transformation team deployed tools to reconfigure workflows so that they could be integrated with backlog tools such as Jira. These helped to clearly identify what risks needed to be addressed, who would address them, and when. As a result, everyone knew what to do, and the product owner had a single view into where progress was (or was not) being made.
To ensure that this process worked, the transformation team invested significant time in training. They trained people on the risk team on how to work in agile teams, how the new operating model worked, and what the benefits of the new system were. They trained product teams on how to identify and remediate risk. The key point of this program, in addition to providing a basic theoretical explanation about how to address risk, was that it paired each product owner with a risk person for on-the-job training in which they worked closely together on real projects to address risk issues rapidly and effectively. The product owners could then help their own teams understand and address risk issues as well.
As a result of this approach, the bank’s risk-approval timeline was reduced from roughly 180 days to around 40, while controls automation reduced the number of required artifacts by about 40 percent.
The days of “build it now and manage the risk later” are over. Risk is too important, not just for banks, but for any company that wants to become more digital. By taking a more comprehensive approach that treats risk as an enterprise-level issue, companies can not only avoid the fallout from poor risk practices but actually accelerate their digital transformations.