Delivering effective controls change management in the 1st line

When thinking about delivering effective controls change management, practitioners inevitably focus on the organisational and business constraints that limit the pace and sophistication of change. Chief among these are finite resources, and the competition between change and ‘run the bank’ resources within the risk and control function itself. All too often, the change capability is compromised by urgent operational, short-term issues and remediation programmes that focus on short-term deliverables.

These urgent priorities often trump important longer-term change objectives. This is not wrong, and many would say it is inevitable, yet no mature financial institution can have ambitions to develop a long-term, effective risk management capability without investing in continuous and strategic change – strategic in terms of meeting the future risk landscape while also aligning with and supporting business purpose and key customer objectives.

It is also rare that a target operating model is designed on a greenfield site – there are usually complex legacy controls, systems and processes that complicate change management. One risk expert describes it as akin to re-wiring your house while you are living in it. It can be messy, inefficient and painful. Think, for example, how difficult the industry has found it to implement continuous control testing in an environment where the bulk of controls are still manual and where continuous testing was never designed into controls when they were first implemented.

So, what to do? How does the 1st line deliver effective controls change management? Our experts agree on some common themes.

First, the need to commit to innovation in all its forms – especially from technology, data, and controls platform standpoints. This means using good practice processes such as design thinking and investing in best-in-class technology such as AI and machine learning. Successful innovation helps to break through traditional linear growth models that assume that twice the work requires twice the resource. One example is the recent investment many firms have made in supervisory platforms. At their best, these bring disparate data sources together in a single, dynamic view that allows supervisors to assess risk, identify early warning flags and be much more proactive in discharging their supervisory duties.

Secondly, the need to build partnerships and collaborate with all key stakeholders – whether that be within the business or across the 3 lines of defence. There is sometimes the feeling that risk functions across the 3 lines are chasing the same resources and competing with each other, for example with respect to data-mining capabilities. By committing to common change goals and objectives, by sharing resources and by communicating clearly the link between delivery of change and delivery of business purpose, the organisation can be much more strategic and holistic in its approach to controls evolution.

Thirdly, the need to mix and match internal and external change resources and to understand the value of both sets to enterprise-level change management. This might, for example, mean using specific consultancy subject-matter expertise to develop emerging risk capabilities such as ESG and digital assets. It might involve blending vendor platforms with in-house builds. Or it might mean developing multi-disciplinary controls teams that integrate new skills such as data science expertise to allow effective pattern-analysis of disparate control data sources. There is a balance to how external resources are deployed and this balance ebbs and flows with the particular needs of the business at any given time. There should not be an over-reliance or key dependency risk on consultants and vendors, but there is clearly value in using them to provide a kick-start or injection of good practice when needed.

Finally, all of the risk and control practitioners we spoke to emphasised that failure to evolve is potentially very detrimental, whether that means simply covering one’s back, doing the minimum, or not having an ambition to add true value to the business. Control functions have to deliver better insights, advice and guidance as well as more efficient processes. Not doing this is, in itself, a material risk and one likely to manifest at the least convenient time.