Many financial institutions have recently undergone major risk transformations that drove universal risk capability uplift and cultural shift. Uplifting risk management capability in financial institutions can be particularly challenging when the transformation requires coordination across business areas and functions. For two decades, there has been (and still is) an intense focus on nonfinancial risks (NFRs). While regional or global “super incidents” originally drove the emergence of NFRs as a theme, the evolution of NFR management is ongoing, with variations in form and severity from one region to another (Exhibit 1). NFRs can arise from shifting customer or community expectations, changes to or breaches of regulations (for example, financial crime, privacy), malicious external attacks (such as fraud, cyber), or external events (for example, the COVID-19 pandemic).
The implications of a super incident can be significant and include direct financial losses, fines (Exhibit 2), compensation or remediation costs, and reputational damage. Secondary effects could include reduced sales or accelerated disintermediation by other market participants (such as fintechs) due to lost trust.
This environment drove financial institutions to initiate major risk transformation programs to address incidents, immediate issues, and deeper root causes. These programs have significant monetary cost. However, the opportunity cost for the organization is much higher, given the amount of management attention and organizational capacity required for successful delivery and sustainable conclusion.
The biggest challenge in starting a risk transformation is often not the “why” or the “what,” but the “how.” Questions include how to set it up and conclude it, and then transition back to enhanced business as usual. Large-scale risk transformations often fail because change is not effectively implemented across the organization: milestones are ticked off without actually improving risk management, addressing underlying culture, or reducing risk.
In this article, we consider different forms of risk transformations and unpack the heart, art, and science of their successful delivery and conclusion. (For more on key success factors for a large-scale transformation, see “An interview with Scott Wharton: Insights from the frontline of large-scale transformations.”)
The shapes and forms of risk transformations
There are four broad categories of risk transformations:
- Business area or end-to-end process capability uplift and remediation (for example, global markets, business banking, mortgages). These transformations are typically business-led, driven by embedded line-one risk and control teams. Such transformations often include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process break points; and clarifying responsibilities.
- Risk-type-specific capability uplift and/or remediation (for example, financial crime, cyber, privacy, conduct). These transformations are typically driven by the respective risk experts (such as a money laundering reporting officer for financial crime and chief information security officer for cyber crime) and supported by the risk function. Such transformations often include risk-type framework and operating-model uplift, paired with targeted remediation of severe issues for a specific risk type. They are often triggered by severe incidents, issues, and regulatory scrutiny. Typically, significant resource buildup occurs to work through issues and incidents, as could be observed in financial crime programs at global banks using hundreds and even thousands of case analysts.
- Risk function operating-model uplift (for example, changes to structure, internal risk functions, and company-wide processes). These transformations are typically driven by the risk function. Such transformations often include defining the ambition and value proposition of the risk function; improving the structure of the function (including divisions, risk-type expertise regions, and shared services); simplifying and clarifying the interactions with the business and other functional areas; and identifying and hiring capabilities to deliver.
- Holistic enterprise-wide risk transformation (for example, uplift of underlying frameworks, governance, risk culture, remuneration, accountabilities). These transformations are typically board- or CEO-sponsored programs involving all businesses and functions and considering all (nonfinancial) risks. Such transformations often include uplifting the risk management framework and policy governance; establishing, improving, or operationalizing the risk taxonomy; improving the risk appetite statement, in particular for NFR metrics, and cascading it into the business for operationalization; uplifting and implementing a code of conduct and consistently operationalizing the three lines of defense model; uplifting risk culture measurement; uplifting remuneration for risk-based adjustments; and so on. Holistic risk transformations generally do not focus on direct risk reduction but rather on changing the general way the business operates—they are broader business transformations.
Risk transformations often take two to three years of dedicated effort, with enterprise-wide transformations typically taking three to five years. While transformation setups differ, most have a central program team of five to ten full-time equivalents (FTEs) for smaller transformations, with holistic risk transformations running central teams of 15 to 50 FTEs that focus on coordination, tracking, quality assurance, sharing of best practices, and support for the most challenging problems, including the coordinated delivery of change across business areas and functions.
After supporting numerous businesses through transformations, we have found that while the science of transformations is crucial to get right, it is the heart and the art that deliver transformation programs to their successful conclusion and sustainably embed the change across the organization (Exhibit 3).
Science speaks to the mechanics that need to be in place around program structure, integrated plan development, delivery mechanisms, and regulator engagement throughout the process.
Art refers to capabilities, accountability, prioritization, and use of targeted interventions to keep the program on track.
Heart includes genuine shared motivation or purpose, a transformation mindset, a willingness to challenge cultural norms, and a program of communication that connects with the professional identity of employees. With science and art, the key conditions are in place for a successful risk program. But heart is a prerequisite for deep cultural change, which is required for a sustainable enterprise-wide transformation.
Getting to the ‘heart’
While we live in a rationality-driven work environment, human actions and behaviors are driven by deeper mindsets and cultural traits. Driving a transformation that changes those mindsets and cultural traits is hard; it needs to go below the surface and work with what motivates the organization and its individuals.
- Motivation. “Because the regulator wants it” is not an intrinsic motivation—one needs to dig deeper and consider the motivations of employees. Successful transformation in any circumstance will require as much of a change in mindset as in any system or process. An in-depth diagnostic of the psychology of the organization can help define a vision of change that connects to the collective motivation and purpose of the organization and ensures that the desired change will stick in the long term. “Serving our customers better” is an example of a collective motivation.
- Transformation mindset. The mindset of the transformation needs to balance delivery discipline and accountability; agility and pragmatism; continuous improvement; and a sense of chronic unease. This finely balanced mindset will enable organizations to do what they say while still being able to course-correct and improve when new information becomes available and to quickly spot and address emerging challenges. If a risk transformation is initiated in response to a major incident, an honest appraisal of what drove the failures and adequate humbleness when considering the magnitude of the required cultural change are key.
- Culture. Organizations have a variety of cultural traits that help them thrive in transformation but also some that hold them back. Traits that often lead to unsuccessful or stalled transformations include being too siloed or too collaborative. This can lead to change being implemented inconsistently or stopped by a few business areas, or over-collaboration that results in lack of productivity and missed deadlines. Continuous reflection is required to be aware of and address deeply rooted cultural challenges, including honest appraisal of successes and failures, celebration of positive cultural behaviors, and constructive challenging of cultural norms, all while maintaining psychological safety.
- Communication. Motivation must reach the hearts and minds of employees. Intensive and continuous dialogue with a broad set of stakeholders allows a transformation program to keep its finger on the pulse while also enabling staff to own challenges and drive solutions. Communication needs to build on the organization and its leadership’s personal motivation—this is what makes it genuine and effective.
Appreciating the ‘art’
More basic than the heart but still more fundamental than the science of transformation is the art. The art supports smooth and effective delivery of a program that leads to sustainable change, versus merely delivering a set of activities and milestones.
- Capability. The skills required to transform are often not those required to manage. A risk transformation program team must have capabilities across project execution, strategy, and risk management. The team should adopt both an inward- and outward-looking mindset that leverages the experiences of others (for example, learning visits at global peers and regular exchange with local peers). Key roles in the business and the risk function may require new talent to bring fresh impetus to transform or deviate from ingrained practices (that is, breaking the mold). Targeted external support for expertise and ongoing challenges and advice is reasonable.
- Accountability. Large-scale risk transformations require collective accountability: the whole executive team must stack hands to deliver the target outcome. The complexity and duration of these programs make them hard to execute; they are often costly and feel more like a burden than an opportunity. Balancing the accountabilities of individuals versus the whole organization, and linking program outcomes to remuneration, are both critical. Strong top-down authority from the board and CEO is essential in supporting prioritization, providing advice, and clearing roadblocks.
- Prioritization. One of the biggest challenges is managing competing priorities and ensuring that the organization can absorb the amount of change required. This requires clear articulation of short- and long-term milestones to prioritize and sequence change at regular intervals. A radical simplification lens, which addresses gold plating by particular framework teams and over-implementation by the businesses, can reduce the need to deprioritize and descope.
- Intervention mechanisms. Means to anticipate hurdles and support course correction must be created: formal mechanisms to identify expected challenges in the form of regular premortem exercises and formal program reviews are essential. The central decision-making body needs the authority to rapidly course correct through reprioritizing or redeploying resources. This is also critical to address change fatigue, which will naturally occur over the course of a three-year program.
Excelling at the ‘science’
Last but not least, the science is not merely technical. There are ways to optimize the science of transformation, to excel at it.
- Program structure. Banks often consider risk transformation as the accountability of the risk function. However, this setup may only scratch the surface and fail to address root causes and systemic issues. Effective large-scale risk transformation requires accountability for the program to be assigned across functional leadership and business areas, where many of the inadequacies in systems, processes, and behaviors originate. Coordination between these stakeholders is essential and is often driven by a neutral, central program team that sits outside lines one and two. The rationale is that the engagement between these lines, as defined in the three lines of defense model, is often part of the problem, and that the capability and mindset of both lines require improvement. The central team intervenes and escalates when the program is off track, with support from a communications team and change infrastructure. While the central team is accountable for coordination, it is important that the accountability for framework design and implementation delivery remains with the business-as-usual owners (line two/functional teams and line one/business teams, respectively).
- Integrated plan. Integration of roles, responsibilities, and deliverables within the overall program is challenging. Creating an integrated view of change by using an integrated plan allows for prioritization, sequencing, and interdependency management. It also allows for a clear lineage between relevant problem statements, target states, activities, milestones, and outcomes. Structuring the plan into design, implementation, and embedment is helpful to coordinate delivery and distinguish the shift from the design of framework elements in functional areas to their implementation in business areas. The embedment stage includes ensuring new practices become part of the organization’s DNA and smoothly transitioning back to enhanced business as usual.
- Delivery mechanism. Implementation of complex change across the business (line one) is often where risk transformations fail. The best-designed set of change initiatives can fail without an effective delivery mechanism that supports implementation and sustainable embedment of change. Developing a mechanism to ensure appropriate engagement between lines two and one in the design of change initiatives—and a well-coordinated and considered delivery mechanism for supporting line one implementation—is critical. Ideally, this mechanism is aligned with natural business rhythms such as quarterly delivery and performance cycles.
- Regulatory engagement. Transparency and continuous dialogue with regulators are important. Proactive, professional, and respectful engagement can give regulators a greater understanding and appreciation of the challenges faced in large-scale risk transformations and can encourage offers of guidance and positive reinforcement. Regulators might share their own expectations and observations from other institutions and provide insight into their own priorities. It is crucial to understand the regulator’s priorities and motivation—they are large institutions with public profiles, reputations, and individual ambitions.
The end is often only the beginning
As the above three elements (heart, art, and science) demonstrate, successfully concluding a risk transformation seldom ends with just milestones in a work plan, ending a monitorship, or meeting regulatory commitments. These are important, but genuinely transformative success lies in the smooth shift from programmatic setup to sustainably uplifted business-as-usual operations with embedded mechanisms for further improvement.
For this to happen, the uplifted capabilities need to be fully embedded into the regular business and risk cycles owned by their business-as-usual owners. They need to be regularly reviewed for fitness for purpose and for scope for further improvement. These regular cycles can include annual strategic planning, risk appetite refresh, policy reviews, assurance, audit schedules, quarterly change prioritization, and performance tracking, as well as trigger-based uplifts driven by new business, new products, new regulations, and incidents.
The relatively short time frame of a risk transformation allows for improvement of frameworks, processes, and governance, but it takes time and often a few improvement cycles for the organization to fully embrace and internalize them.
Finally, the learnings of the transformation should be captured and shared because the external environment is constantly evolving, and often another risk transformation looms around the corner.