XLoD Global Day 1 Highlights 2

Right-sizing the coverage of risk

One of the key tensions in understanding what a right-sized risk function might look like is regulator-driven demand versus improving risk maturity. These two priorities can often align, so that delivery of remediation programmes provides significant uplift in risk management capability, and mandatory work is rarely completely divorced from the future. Yet they can and do compete in right-sizing planning. On the one hand, there is a need to provide adequate resources and knowledge to deliver against essential regulator-committed remediation priorities. On the other, there is the business-led pull to deliver in the longer term and to make risk management, processes and tools ever more effective, for example by being more responsive to the growing array of emerging risks and by providing better risk data that allows more informed business decisions.

Even if you consider your organisation to be mature in terms of risk management, you may be mired in years of regulatory focus, orders of consent, deferred prosecution agreements and the like which inevitably take the focus away from the strategic, long-term, ordered evolution of target operating models. This split in priorities may also result in the skewing of resources to focus on short-term, urgent priorities at the expense of longer-term objectives.

When thinking about how to ensure an organisation has satisfactory risk coverage, industry experts feel there are two sides to the equation. One is an appreciation of the breadth and depth of the risks that need to be managed. The other is the capability and quality of the risk management, business processes and people needed to ensure effective coverage of these risks. There are industry norms and approximate ratios that inform a firm’s ability to benchmark itself in both of these areas. For example, there is a very rough rule of thumb that claims one NFR officer is required per 100 business people. But it’s not just about numbers: it’s about how the appropriate skillsets are deployed and an understanding of how the size and complexity of future and emerging risks are going to impact the operating model.

Global coverage of risk in large, complex organisations requires risk and regulatory subject matter expertise, which might sit in the centralised horizontal pillars of a risk organisation. It will also require business, product and asset-specific expertise that needs to be embedded in – or close to – the relevant vertical business areas. These verticals are important because they are the primary place where the trusted partner relationships are developed.

There is also an argument that regulators want to see thoughtful evolution of risk and control functions. This is clearly in the interest of the industry as a whole, and regulators are fascinated by and interested in the evolution of the 1st line of defence. They don’t want to interfere and certainly don’t want to saddle organisations unduly with a short-term remediation ‘tax’. Yet the short-term/long-term riddle remains perhaps the single biggest brake on achieving true maturity and a stable, right-sized risk function.