02-08-2018 | POINT OF VIEW
Agility in the Risk function: Fantasy or Reality?

Firms worldwide plan to spend $1.3 trillion on digital transformation this year. Yet over two-thirds of these initiatives are expected to fall short of stated goals – that’s $900 billion worth of investments that will miss the mark. The financial services sector is no exception to this inconvenient reality.

The business environment gives a tough backdrop to change and transformation in financial services: economic and political uncertainties are clouding over the business landscape; technological changes are accelerating; and competitors are emerging at the banks’ doorstep. At the same time, consumer expectations are changing, demanding increasingly seamless experiences, often in real time.

The quest to future-proof themselves amidst severe uncertainty has made Agile a priority in boardrooms across financial firms. Rooted in software development, Agile’s empirical approach reflects a shift in management ethos which accepts that firms can’t know everything about the solution from the outset and instead need to foster a culture of iterative inspection and adaptation. This is in contrast to defined-process methodologies such as Waterfall, in which the steps of the process are planned out up front and then executed to achieve the desired results.

Achieving the optimal level of agility requires greater collaboration and even integration across all business functions. In doing so, a key challenge for most large financial institutions is to instil an agile culture and way of working at Enterprise functions – Risk and Regulatory Change in particular.

Agile at Risk

Make no mistake; risk management and regulation are not secondary to customer experience and business performance. The efficacy of regulatory adoption and risk management is fundamental in ensuring a frictionless customer experience for almost every customer touch point in financial services. And for financial institutions to accelerate the speed at which they can respond to industry trends and to deliver change, they must ensure that Risk does not become a choke point.

A common perception is that Risk and Regulatory Change can be too complex for Agile. This is an oxymoron. Risk and Regulatory Change programmes are well suited to empirical delivery approaches as they are rarely simple in implementation or predictable in outcome – MiFID II, for example, spanned 1.5 million paragraphs and 30,000 pages. Compliance is also, by its nature, a moving target. Tens of thousands of regulatory updates are published each year; it is estimated that over 300 million pages of regulatory documents related to financial services will be published by 2020.

But there are hurdles to defining and adopting the right level of Agile at Risk and Regulatory Change functions. A key constraint is the “technical debt” at Risk functions. Since the Global Financial Crisis, the regulatory burden on financial institutions has been substantial. This means that the majority of Risk funding has been absorbed by legal, regulatory and mandatory requirements, with a limited amount available for strategic investment. With the change capability pushed to breaking-point, most organisations have been forced to make design allowances to relieve cost and capacity pressures in order to meet the regulatory deadlines. This has created complex ecosystems of Risk-supported end-user-computing (EUC) that are outside banks’ IT change control and underpinned by shadow governance structures that are far from nimble.

Adopting Agile while meeting both internal audit and regulatory expectations is another challenge. Major regulatory programmes, such as IFRS9, often require a “big-bang” delivery on a specific date and therefore do not allow for incremental deployment into live. Model governance processes have typically been designed to reflect this, providing sign-off when all deliverables are complete. A key concern is a reliance on documentation to support regulatory change and control processes, which is in direct conflict with one of Agile’s core values: “working software over comprehensive documentation”. This challenge is also exacerbated by internal audit processes that rely on the review of specific and detailed documentation in order to provide independent assurance effectively.

Enabling Agile

These challenges have resulted in many failed attempts to effectively adopt Agile for Risk and Regulatory Change. With organisational agility now critical to business success, firms must ensure the Risk Function is included as an integral part of the broader Agile Change at organisations. This requires continued investment across six key enablers:

  • Culture – An Agile mindset that is clearly demonstrated by the firm’s leadership is critical. Shifting the culture requires management to commit and persevere with the incremental adoption of Agile across the organisation where trust in strategy is achieved through pragmatism in delivery.
  • Architecture – Technical debt has created complexity and inefficiency that until repaid will hinder the extent to which Risk can adopt Agile. To address this, firms must fix-forward, ensuring that architectural remediation and system decommissioning are factored into future change initiatives while continually optimising and simplifying the future change environment.
  • Governance – Traditional governance processes (such as model validation) that are designed to support defined change methodologies need to be revisited. This requires an incorporation of incremental approval processes and a reduction in the reliance on documentation to prove control.
  • Data – Incremental deployment, particularly for prudential change, requires the availability of analytical-ready datasets to improve the timeliness of data analysis. The consolidation and accessibility of data is key to addressing organisational, functional and product silos.
  • Deployment – While it is not always possible for regulatory programmes to be deployed incrementally into live, firms need to ensure that they have the capability for incremental deployment into shadow environments, with a view to reducing the delivery burden of “big-bang” deadlines.
  • Training – Last, but by no means least, firms need to invest in the training of their staff. Risk and Regulation, more so than other areas of change, is dependent on deep subject matter expertise. It is not a question of swapping these resources for Agile resource, but rather augmenting and upskilling to create a multi-skilled change capability.

The delivery of these enablers will not be simple, nor will the solution be predictable. But to embark on this, teams must avoid falling for the false comfort of a defined process (such as Waterfall). Instead, designing an agile Risk function requires an agile approach underpinned by incremental changes, quality control and testing.

Agreeing a solution, planning how to achieve it, and then attempting to execute that plan is an easy approach for banks to fall back on. But this will not work for the new banking environment scattered with episodes of volatility, uncertainty, complexity and ambiguity. To become truly agile to changing consumer expectations and evolving strategic needs, banks need to resist the siren songs of defining a solution for the future when little is known about what the future will hold.

For more information contact:

Michael Soppitt
Email: msoppitt@pfg.uk.com
Phone: +44 (0) 207 100 7575

@p_f_g - Parker Fitzgerald