A midsize bank migrated to the cloud in order to streamline and automate its operations and introduce customer-centric products and services. However, it soon realized that it needed to bring its risk and security functions along on the transformation journey. Its control teams were still using traditional risk-and-security management practices in the new operating model and couldn’t keep up with the new, faster ways of working. As a result, remediation work was needed that ultimately delayed the release by about five months.
This example, according to McKinsey researchers, is a familiar one when companies (across many sectors) undertake large-scale digital transformations. In many cases, they focus initially on how to be more digital—move at speed, use data to make decisions, respond rapidly, and so on—and only later think about risk and compliance. However, risk management can never be an afterthought, and the writing is clearly on the wall.
In a recent report by McKinsey, the authors state that 60% of companies still have only ten or fewer working agile teams in operation. To scale their transformations, they will need systems in place that can provide necessary support to agile teams, particularly for control functions such as risk, compliance, legal, cybersecurity, and safety. While banking has been at the forefront of these issues due to the highly regulated nature of the sector, the issues are similar and relevant in other industries as well.
The report found that successful risk-and-compliance functions focus on coordinated actions during digital transformations. This requires leaders and teams in security, risk, IT, and the business unit to work together. Embedding more risk decision making with the front lines, for example, can’t happen unless the corresponding business unit commits to training its people on risk, the authors said.
1. Increase risk ownership at the first line of defense
For risk management to be more than an afterthought, agile teams working on the front lines need to own it and be accountable for it. That requires sufficient tools and training (see more in actions 3 and 6), of course, but the key point is that teams on the front lines have to be given specific decision rights and encouraged to focus on risk from the very beginning. This helps to avoid the “not-my-job” mindset that undermines risk efforts.
Leadership must spend the time to be clear about management and oversight responsibilities, including governance, standards, guardrails, and risk taxonomy. At a large European bank, for example, increasing risk ownership at the first line of defense not only reduced the number and severity of risk issues but also significantly increased speed to market.
2. Identify and manage risk in a more agile way
To rapidly identify and remediate risks, regular agile events (such as quarterly business reviews and release planning) should include risk discussions from the very beginning of the transformation, with clear roles defined for both the first and second lines of defense. This “shift left” approach does not destroy credible challenge; it just moves it earlier in the life cycle and gives regulators something concrete to measure against. Advanced organizations maintain a pool of experts with various risk profiles (operational, compliance, price, reputational, security, and so on) that can be embedded into working agile teams as needed. Risk assessments then happen in the regular flow of development (Exhibit 3).
3. Modernize risk identification
Our analysis indicates that, although 75 percent of companies have not adequately assessed their digital-transformation risks, those that have done so have experienced a 75 percent increase in risk understanding. While this may seem obvious, in practice companies rarely do it at sufficient granularity. Top companies adopt a thorough risk taxonomy and implement an integrated and comprehensive risk assessment that covers all digital and analytics risk areas, such as third party, people and capabilities, audit and compliance, and change risk/overspend (Exhibit 4). This effort helps to identify and monitor risk and develop mitigation activities.
4. Automate controls
Top companies automate not only risk controls but also their monitoring and testing (for example, compliance as code) to ensure that risk-related requirements are being met. Many companies run into issues during the automation process because the technology and risk organizations don’t have a clear view of priorities. Consequently, the automation effort is haphazard, or it delivers only the limited value of simplifying legacy processes. Organizations that successfully automate the risk function, on the other hand, prioritize the technology backlog items that address material risk areas as well as speed to market.
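To make "compliance as code" concrete, here is an added example (not code from the article or from the McKinsey report) of how control requirements can be written as executable checks and run against a resource inventory on every build. The control identifiers (CTL-001 and so on), the field names, and the sample resources are all constructed for the illustration; a real deployment would read the inventory from cloud and identity APIs and feed the findings into the team's backlog.

```python
"""Compliance as code: controls expressed as executable checks.

Each Control pairs a requirement with a check function; evaluate() runs every
applicable control over an inventory of resources and returns prioritized
findings. Control IDs, field names and sample data are constructed for this
example and do not come from any real bank or report.
"""
from dataclasses import dataclass
from typing import Any, Callable

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
PRIORITY = {"high": "P1", "medium": "P2", "low": "P3"}


@dataclass(frozen=True)
class Control:
    control_id: str                          # hypothetical internal control ID
    description: str
    severity: str                            # "high", "medium" or "low"
    applies_to: str                          # resource kind the control is tested against
    check: Callable[[dict[str, Any]], bool]  # returns True when the resource passes


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource_id: str
    owner: str
    severity: str
    description: str


# The control catalogue: requirements as code, reviewable like any other change.
CONTROLS = [
    Control("CTL-001", "Data stores must encrypt data at rest", "high", "datastore",
            lambda r: r.get("encryption_at_rest") is True),
    Control("CTL-002", "Data stores must not be publicly reachable", "high", "datastore",
            lambda r: r.get("public_access") is False),
    Control("CTL-003", "Audit logs retained for at least 90 days", "medium", "datastore",
            lambda r: int(r.get("log_retention_days", 0)) >= 90),
    Control("CTL-004", "Human accounts must enforce MFA", "high", "identity",
            lambda r: r.get("identity_type") != "human" or r.get("mfa_enforced") is True),
    Control("CTL-005", "Service credentials rotated within 90 days", "medium", "identity",
            lambda r: r.get("identity_type") != "service"
            or int(r.get("credential_age_days", 0)) <= 90),
]

# Constructed sample inventory standing in for what a cloud/IAM API would return.
SAMPLE_INVENTORY = [
    {"id": "db-customer", "kind": "datastore", "owner": "core-banking-team",
     "encryption_at_rest": True, "public_access": False, "log_retention_days": 365},
    {"id": "db-analytics", "kind": "datastore", "owner": "data-platform-team",
     "encryption_at_rest": False, "public_access": True, "log_retention_days": 30},
    {"id": "alice", "kind": "identity", "owner": "alice",
     "identity_type": "human", "mfa_enforced": True},
    {"id": "bob", "kind": "identity", "owner": "bob",
     "identity_type": "human", "mfa_enforced": False},
    {"id": "etl-runner", "kind": "identity", "owner": "integration-team",
     "identity_type": "service", "credential_age_days": 120},
]


def evaluate(inventory, controls):
    """Run every applicable control over every resource; return findings sorted
    by severity so material risks surface first in the backlog."""
    findings = []
    for resource in inventory:
        for control in controls:
            if control.applies_to != resource.get("kind"):
                continue
            if not control.check(resource):
                findings.append(Finding(control.control_id, resource["id"],
                                        resource.get("owner", "UNASSIGNED"),
                                        control.severity, control.description))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.control_id, f.resource_id))
    return findings


def summarize(findings):
    """Count findings per severity for a one-line status in the pipeline."""
    counts = {severity: 0 for severity in SEVERITY_RANK}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


def release_blocked(findings):
    """Guardrail: any open high-severity finding blocks the release."""
    return any(f.severity == "high" for f in findings)


def to_backlog_items(findings):
    """Shape findings as backlog entries with a single named owner each, so it is
    clear who addresses what; the dict layout is generic, not any tracker's API."""
    return [{"title": f"{f.control_id}: {f.description} [{f.resource_id}]",
             "assignee": f.owner, "priority": PRIORITY[f.severity]} for f in findings]


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY, CONTROLS)
    print(summarize(results), "release blocked:", release_blocked(results))
    for item in to_backlog_items(results):
        print(item)
```

Running the block over the constructed inventory produces three high and two medium findings, each already assigned to the resource owner, and the high findings fail the release gate. The point of the design is that the control catalogue lives in version control next to the product code, so a change to a requirement is reviewed the same way as any other change and the test runs in the regular flow of development rather than in a separate review meeting.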
5. Invest in shifting mindsets
Even when the risk function and other teams work together, they can still butt heads. Risk experts block business initiatives because their risk controls are insufficient, for example, while the business regards risk control as a source of constant delays. That needs to change. Risk needs to be part of everyone’s job. One area that companies tend to overlook in this regard is the value of having the second line of defense—typically, risk subject-matter experts—more closely involved in daily team activities so that they can participate more in finding solutions rather than just challenging risk (still maintaining their objectivity, of course).
6. Upskill and manage talent
While plenty of transformation funding goes to engineering and development, risk—particularly the second line of defense—rarely sees much of it. That neglect hamstrings the risk function and ultimately undermines the digital transformation itself. Building up a solid, digital-ready risk-and-compliance function requires investment in new hires and in upskilling existing talent. Acquiring the kind of talent that can balance risk and digital requires some creativity.
A successful transformation, risk controls included
A US bank realized it needed to become more digital, so it launched an enterprise-wide agile transformation across its business and technology functions. As leadership was creating the transformation blueprint, however, they spotted a big problem: the risk-control team wouldn’t be able to keep up with the increased flow of products that the new agile teams would generate. So they pulled in a senior product owner from the second line to partner with the transformation team to re-engineer risk processes to not only enable the transformation but also strengthen the business’s overall risk posture.
One of the areas addressed was governance, which typically required more than 30 meetings to get the various approvals needed for each product. The team noticed that, in many of these meetings, the product team was asked the same questions, so they eliminated the meetings that were redundant. They also assigned a point person from risk to work with the product teams to identify risks, make remediation recommendations, and make sure risk was prioritized in the backlogs. Providing a single point of contact also greatly clarified who had risk responsibility, a big issue before, when there sometimes were as many as 40 to 60 stakeholders for a given product but no certainty about who was actually in charge.
To help manage the program, the transformation team deployed tools to reconfigure workflows so that they could be integrated with backlog tools such as Jira. These helped to clearly identify what risks needed to be addressed, who would address them, and when. As a result, everyone knew what to do, and the product owner had a single view into where progress was (or was not) being made.
The days of “build it now and manage the risk later” are over. Risk is too important, not just for banks, but for any company that wants to become more digital. By taking a more comprehensive approach that treats risk as an enterprise-level issue, companies can not only avoid the fallout from poor risk practices but actually accelerate their digital transformations, the report authors concluded.