How To Update Your Risk Management Approach for the Age of Business Innovation
Partner at Oliver Wyman
Tools such as data analytics and product customization have begun to spawn a vast array of exciting business opportunities, ranging from robot-driven client advice to smart savings accounts. But these services bring with them additional risks.
Firms that want to make the best of these new tools and products need a fresh approach to risk management—one that adapts to high-tech products developed in unfamiliar ways by innovative people. This means giving risk managers a wider mandate, so as to ensure that the firm neither hampers the pursuit of innovative propositions, nor compromises its security.
Traditional risk management approaches tend to consist of a yes-or-no decision at certain points in time or the periodic review of a stable business process. An IT change or new product, for example, is subject to pre-release approval, and concerns that are identified at this point are translated into additional risk controls. But before and after this approval process, risk managers have limited engagement.
In an age of innovation, this approach is bound to fail. Agile development can mean propositions are never quite finished but are instead in a constant state of development, making point-in-time engagement impractical. In addition, innovation processes are often separated from the traditional business, as firms isolate development teams to allow them to embrace agile working methods. This can make it hard for risk managers to engage.
Finally, when firms are too slow at development themselves, they instead import innovation from outside. That produces other challenges, as these sources are often startups that will only gradually—if ever—meet established corporate standards, leaving a long list of exceptions to corporate policy.
Innovation, therefore, means dramatic changes in the ways institutions must manage risk. We believe that first, they need to establish an explicit institutional appetite for innovation risk; then, they must engage continuously.
Innovation Risk Appetite
Risk managers should work with senior management to codify an explicit statement of risk appetite in relation to innovation. This should address the important questions: Which risks are negotiable and where do we need to draw red lines? Where are we a first mover in our industry and where a follower? Where we do take on risk, what forms of payback are acceptable, and how are these tracked? Is the cost of risk management for a particular product reflected in its business case?
Some answers are clear: Financial crime, for example, should be on the other side of the red line. But in many other areas, risks have to be weighed against potential returns. Where firms create a new market for a poorly served segment (think payroll services for the gig economy as a recent example), would a certain level of fraud be acceptable initially, while the market is being developed?
In other cases, firms might need to follow the competition just to defend an existing customer base. Many banks at first held off introducing mobile wallets such as Apple Pay, as the additional risk seemed to outweigh the likely benefits. But they launched them after a critical number of competitors moved ahead, demonstrating a differentiated, if perhaps not explicit, approach to weighing risks and benefits.
New Controls for New Risks
Digital propositions will fundamentally change the risk profile of a firm. Technology-related risks, from resilience to cyber risks, may increase as heavy reliance is placed on technical infrastructure and previous manual alternatives are disbanded. Fraud may increase if not carefully controlled, as has been observed in the initial stages of many digital propositions.
At the same time, less human interaction—both internally and with customers—may reduce risks related to poor behavior, such as embezzlement or mis-selling. Some risks may morph into new forms. To address the risk of a customer ending up with an unsuitable product, their journey needs to be assessed in its entirety, including exit gates for when there is no suitable product for a particular customer. This forms part of the emerging discipline of digital conduct.
Risk managers should contribute to innovative development through risk identification, analysis, and control recommendations—and they should do so on a consistent, rolling basis. To ensure that risk controls are fully integrated into the resulting propositions, risk managers should engage at the stages of development, testing, independent validation, and implementation, as well as regular review.
There are several drivers that make continuous engagement a necessity:
Today’s innovation labs and technology startups operate through cycles of design sprints. For risk management to be effective, it needs to be deeply embedded in the design throughout the development process, ideally right from the start.
As business processes are digitized, manual intervention becomes less desirable and risk controls increasingly must become an integral part of product design.
Regulators and lawmakers are increasingly echoing these demands. The European Union’s General Data Protection Regulation, for example, enshrines “Privacy by Design” as one of its foundational principles.
Once digital products have been launched, there will likely remain exceptions to the usual corporate standards. For instance, a startup firm supplying customer analytics may not have the required cyber-risk certifications. The role of risk management will need to extend beyond the approval stage to ensure that exceptions are eventually closed out to protect the firm’s critical infrastructure and its customers’ data. Firms must be able to iterate rapidly without sacrificing the corporate standards that are the foundations of their customers’ trust.
Making the Transition
Digital innovation could breed new risks that only become apparent over time and may not fit into established taxonomies such as credit and compliance risk, so managing innovation risk will require profound change for a firm’s risk functions. New tools and processes will be required.
Risk management will also need a wider mandate to reflect earlier and later points of intervention. Risk managers will need the appropriate skills for this engagement model, and the organization will have to be supportive of agile working methods.
The risk functions at many firms are starting to tackle the challenge, often prompted by a particularly high-profile project or venture. The next task is to learn from those first moves and embed innovation management as a core part of the risk function’s mandate.
If a firm’s risk management does not adapt, innovation will simply happen elsewhere.