For decades, the risk profile of financial services firms has been relatively predictable. An economic downturn might push credit defaults to unusually high levels. Market prices might move against an insurer’s investment position. A rogue trader might defraud a bank of hundreds of millions of dollars. These are the kinds of risks that preoccupied risk departments, guided in part by expanding regulatory demands and in part by experience.

That’s changed today. Previously second-tier, nonfinancial risks, such as cyber risk, conduct risk, other operational risks, strategic risks, and business model risks, have become a top priority. At the same time, banks are more driven than ever by a rise in regulation-based rules and controls. This combination has reduced the agility of financial services firms, especially their risk departments. In some, risk departments have even become a bottleneck.

Risk managers know this. Our recent surveys of chief risk officers of leading European banks and insurance companies showed that most are concerned about their organization’s ability to adapt quickly enough. They understand that good risk management can no longer rely on rigid methodologies and processes. They understand that risk departments must be agile, but where should they begin?

Forward-Looking Approach Needed

For starters, risk departments should take a more forward-looking approach to risk identification and measurement. Rather than relying largely on historical data, agile risk divisions should give greater emphasis to what is coming. Advanced scenario analysis is currently the best way to incorporate a changeable variety of risk factors into loss forecasting. Most institutions now use stress testing in their internal planning processes, but few apply it to the full range of tasks where it has real value, such as risk identification and credit decisions.

Risk divisions must also have timely access to as much relevant data as possible. Some leading institutions are more closely integrating risk model builders with IT developers and ensuring that they use the same coding language.

Most of all, risk departments will need to rethink their operating model in several ways. First, agile risk departments will have to have a best-of-breed network of specialist third-party providers who supply focused expert reviews or analyses. That’s a marked change from traditional risk functions, which typically undertake all key elements of the risk management in-house. The traditional approach is both expensive and suboptimal given that, in many areas, third-party providers are quicker, cheaper, and more effective.

Risk departments should take a more forward-looking approach to risk identification and measurement. Rather than relying largely on historical data, they should give greater emphasis to what is coming.

Risk managers, especially at a senior level, will also need to develop a broader skill set and embrace greater diversity to avoid siloed thinking. Staff members need to rotate through a wide range of roles and work closely with other functions, such as IT, finance, and compliance. A leading European bank is experimenting with this concept by differentiating between “base camp” teams, who perform day-to-day credit risk assessments, and “mission” teams, who develop new models.

Adaptability Is Key

Agile risk divisions need equally adaptable employees and managers. They must be able to think through the business implications of risk management and provide content based on challenges to the wider business. That means they must have a hunger to learn continuously and recognize the value of cognitive and skill diversity within the team. The days are fast disappearing when 70 percent of a risk function’s work focused on a single risk type. Agile risk functions are changing their recruitment, development, and leadership models accordingly.

Rethinking Agility at Financial Firms

In parallel, banks and insurers will need to change their wider governance models and decision-making processes. The digital industry practice of making decisions fast, even with limited supporting evidence, and releasing new products as beta versions is hard to replicate in a risk division given the requirements of regulators and shareholders. But it doesn’t mean that improvements are impossible.

Risk divisions need to determine which decisions need the full governance process and which can be fast-tracked. Most organizations are still applying a one-size-fits-all approach to decision-making. Local empowerment and more flexible escalation mechanisms are key, as is accelerated decision-making within a formal governance model.

Other areas have achieved improvements of 50 percent to 75 percent across a range of performance indicators, such as time required to respond to new operational requirements, speed of strategic decisions, and success in change management. There is no reason why such gains cannot be achieved in risk management, too. For example, we believe that an agile risk function could cut credit decision-making time by half or more. The agile organization of staff, external providers, and new technologies could reduce the size of risk teams by over 50 percent.

All of these recommendations must be carried out amid changing commercial imperatives. Customers’ expectations for speed and ease of transactions keep rising, so risk functions need to reduce friction by minimizing data demands on customers. They should use publicly available data wherever possible and make risk assessments quick, transparent, and transferrable. Meeting future demands will require agile working practices.

Risk functions are rightly cautious in their estimates of risk and in the advice they provide business lines. That’s their job. But an inability to adapt quickly will increase the chance of nasty surprises and of slipping behind traditional competitors and fintechs in an era of open banking. Risk functions need to get agile.

A more in-depth version of this piece first appeared in the Oliver Wyman Risk Journal vol. 7.