McKinsey’s mission is to help leaders in multiple sectors develop a deeper understanding of the global economy. Our flagship business publication has been defining and informing the senior-management agenda since 1964 and is the leading source of business insights for senior-level executives around the world.
Successful large-scale risk transformation requires a combination of heart, art, and science
Uplifting risk management capability for financial institutions can be particularly challenging if the transformation requires coordination across business areas and functions
- For two decades, there has been an intense focus on nonfinancial risks (NFRs)
- NFRs can arise from shifting customer or community expectations, change to or breaches of regulations, malicious external attacks (such as fraud, cyber), or external events
- The implications of a super incident can be significant and include direct financial losses, fines, compensation or remediation costs, and reputational damage
What are three key success factors for a large-scale transformation?
Motivation matters
- Have a detailed and dynamic plan
- Ensure accountabilities are clear
- A plan is no use unless it drives outcomes
- Careful architecting of accountabilities, coupled with pragmatic governance, will sharpen accountabilities
Program structure
Risk transformation should be assigned across functional leadership and business areas, where many of the inadequacies in systems, processes, and behaviors originate
- Coordination between these stakeholders is essential
- Integrated plan
- Structuring the plan into design, implementation, and embedment is helpful to coordinate delivery
- Delivery mechanism
- The best-designed set of change initiatives can fail without an effective delivery mechanism that supports implementation and sustainable embedment of change
What are typical challenges of a large-scale transformation?
Getting the change to permeate throughout the organization
- Ensuring changes are sustainable
- Establishing an enduring capability beyond the formal program that can monitor, continuously improve, and sustain the outcomes delivered is critically important
Regulatory engagement
Transparency and continuous dialogue with regulators are important
- Proactive, professional, and respectful engagement can enable greater understanding and appreciation for regulators with respect to the challenges faced in large-scale risk transformations
- The end is often only the beginning
- Success lies in the smooth shift from programmatic setup to sustainably uplifted business-as-usual operations with embedded mechanisms for improvement
What role did senior leaders play in the RAP at CommBank?
Senior leaders were deeply involved from the get-go, including participation in key elements of implementation, ongoing learning, and adjustment of the approach.
- The critical foundation for the program was “strong” and “unified leadership from the board and executive leadership team,” which delivered a “consistent and persistent tone from the top.”
- There are four broad categories of risk transformations:
- Business area or end-to-end process capability uplift and remediation (for example, global markets, business banking, mortgages). These transformations are typically driven by embedded line-one risk and control teams and include process, system, and control mapping; process simplification, digitization, and automation; documenting, decommissioning, and building ideally automated, preventative controls and monitoring in critical process break points; and clarifying responsibilities
- Risk-type-specific capability uplifting and/or remediation, driven by the respective risk experts and supported by the risk function. These transformations often include risk-type framework and operating-model uplift, paired with targeted remediation of severe issues for a specific risk type, and are often triggered by severe incidents, issues, and regulatory scrutiny.
Key conditions for a successful risk program
Heart includes genuine shared motivation or purpose, a transformation mindset, a willingness to challenge cultural norms, and a program of communication that connects with the professional identity of employees
- Motivation
- Transformation mindset
- Culture
- Capability
- Accountability
- Communication
- Appreciating the ‘art’
- The art supports smooth and effective delivery of a program that leads to sustainable change versus merely delivering a set of activities and milestones
- Balancing the accountabilities of individuals versus the whole organization and linking program outcomes to remuneration are both critical