Digitalise Risk

Digitalisation is full of catchwords. Whenever these buzzwords emerge, it helps to better understand meaning by going back to the etymology, i.e. the origin of a word. Digitus in Latin means finger, and in modern usage a digit is any of the numerals from 0 to 9, especially when forming part of a number - the connection between the two meanings can be found in the practice of counting on the fingers. 

The Oxford Dictionary defines digital as 'something [such as a clock or a watch] showing information by using figures, rather than with hands that point to numbers'. While I prefer wearing analogue watches, I am a great advocate of digital Risk. But frankly, I often encounter organisations in which the digitalisation of Risk has not yet come to fruition. Let me give my two cents on why by first reviewing the context of digitalisation, and then going into Risk’s role in the puzzle, before giving you some practical tips.

From cupboards to the cloud - a brief history of digitalisation

Traditionally, business in most sectors was done on paper, with documents scattered in cupboards and drawers. With the adoption of computers, more and more information has been recorded electronically in emails, shared folders and ideally, dedicated IT applications. This development has led to two important trends from a risk perspective: first, turnaround times are quicker and threats and risks can be detected and addressed closer to the moment when they occur. This requires Risk to speed up their processes. 

Secondly, data can be aggregated and searched more easily, giving Risk the ability to oversee the big picture and discern information that is of value not just to regulators, but also internally for C-suite decision makers all across the business. And to do so real time, or as close as possible to real time. 

The development from cupboard to the cloud is not linear, and certainly not mutually exclusive - it can nowadays happen that at one department employees are still entering information manually into, and querying information from mainframe systems, whereas the folks next door are tinkering with neural networks - and you have to manage this all. In some cases information is still stored by using on-premise servers.

However, cloud outsourcing, which enables advanced data storage and increased computational power, is becoming a prerequisite for efficient digital operations. Fragmented IT landscapes, intricate IT architecture choices and the need to run operations while continuously upgrading systems makes digitalisation a daunting task - and Risk needs to keep up with these developments. 

Let me pause here for a second - for the sake of simplicity, I use the word digitalising, but what I mean by that is actually two things. The process of converting information from a physical format into a digital one is usually called ‘digitisation’. When this process is used to improve business processes, we talk about ‘digitalisation’. Digitisation and the resulting digitalisation are important for Risk, because the more processes are performed digitally, the more data is generated, ideally in a structured, but often in unstructured form. This data is the raw material for risk analytics, which leads to the risk insights coveted by risk managers, business partners and regulators alike. 

AI - one abbreviation, several meanings 

Artificial intelligence has been one of the most accentuated elements of digital initiatives - and rightly so. While AI itself is not that new (the term was coined in 1956 and its conceptual foundation has been with us for decades), the availability of large quantities of data and the increase in computational power has boosted its application. This topic itself would deserve a separate blog series - to foster a common understanding, what I would like to touch upon now is the different types of AI that you should be able to distinguish:

• Automated intelligence occurs when simple, repetitive tasks are fixed and do not have any human involvement.
• Assisted intelligence requires human judgment and decision-making, but the recommendations provided by the AI system do not change.
• Augmented intelligence focuses on adaptive systems powered by machine learning in which the algorithms learn from humans’ experience, but the ultimate decision-making is done by humans.
• Autonomous intelligence is when the AI system is both adaptive and makes decisions itself, without human involvement.

It is essential that you clarify the type of AI solution before deciding for an implementation - and contemplate whether it is in line with your strategy and your own risk assessments.

Risk’s role in the digital transformation

The business has been grappling with digital initiatives for the past years. Certainly, Risk depends largely on the business, and ‘inherits’ all the problems that are yet to be solved within the chain. Behind the digital façade of glamorous user interfaces, reality is often that due to limited and imperfect functionalities, ‘shadow administrations’ are maintained outside bespoke IT systems. 

Manually modified data points, a lack of uniform data models and the sheer complexity of the IT and data landscape makes it a tortuous task for Risk to aggregate data. Given that Risk is a large data consumer, it also has the obligation to signal the various data issues to the business - those who can fix data at the source. Going back to my etymological musings, pointing fingers in a friendly and constructive manner is crucial to a successful digital embedding and better data quality. 

Next to this, Risk also needs to digitise and digitalise its own processes - and do so in a smart and effective manner. Why? Because digitalisation has major cost saving potential, and it will improve your risk management - when implemented well. What you don’t need is technology just for the sake of it: your starting point should be a problem which can be solved by smart technology. 

Tools lead to more accurate quantification of risks, both traditional and emerging ones, they reduce the amount of manual labour (and hence human errors), and allow for better insights into why (strategic) objectives are not reached. By using data visualisation tools, Risk can convincingly advise the business on what it means to take risks.

To make this happen effectively, you first need a good overview of what is possible, and what is already ongoing. Similarly to how I explained it in my blog on outsourcing: start with compiling a list of products and services your Risk function provides. Then, analyse cost saving and efficiency gaining potential for each of these. Develop a business case per activity, and see whether digitalisation is a feasible option, and whether you want yourself or a third party to do it. 

In some instances Risk as a Service may be a good solution: by choosing this option you do not need to invest in your infrastructure, applications and licences and in your workforce for specific low-volume specific tasks. And be critical if you truly need automation: if you have a small backyard with a piece of grass, would you invest in a fully automatic lawn mower, or would you just cut the grass yourself in the old-fashioned way?

Aspects of successful Risk digitalisation

Effective digitalisation of the Risk function requires a comprehensive strategy, in which IT and data, people and change management play an important role. Starting with the first point, it needs to be crystal clear who comes up with IT and data (quality) requirements, with whom this needs to be communicated, and who translates these into technical requirements and tangible actions. 

From an infrastructure perspective, it is essential to invest in solutions which allow instant access to data and more transparency on where data comes from and flows to. These are lengthy implementations, therefore, Risk needs to balance the efforts of solving today’s issues while dedicating resources to the future state implementation.

As for your people, training and upskilling them is not sufficient - you need to harmonise your people plan with your digitalisation plan. When you train your employees in new digital solutions and they go back to their (virtual) desks after the training and start copying and pasting in Excel again, then your people strategy and IT strategy are not harmonised. It may sound self-evident, nevertheless, I would like to stress that it is crucial that once an employee is trained to use a new tool, they should have direct access to the new tools, problems to solve with them, and incentives to do so with the new way of working. 

Last but not least, managing change is crucial. What I often encounter at clients is that digitalisation is not yet embedded in risk management processes and activities, but left to internal or external digital innovation hubs. Having such hubs is a logical step if you want to build digital capabilities in your organisation. But at some point these capabilities need to be integrated into your business-as-usual processes. Adoption - or making things stick - should be an integral part of your implementation strategy.

Start with your understanding

I believe that using tools and technology will enhance risk management. But digitalisation is not the holy grail: I would argue that digitalisation makes the human factor not less, but more important. It is essential to balance automated risk insights with common sense, logical interpretation and creative thinking. And always keep in mind your organisation’s strategy, purpose and values. Which problems can you - and do you want to - translate into digits, and which problems need a clever, caring and compassionate human eye?  

Digitalisation is a maze-like topic with a great deal to grasp, and an even greater deal to do. But the sheer complexity should not become an excuse not to take up this challenge. I learned from my teenage nephews that ‘dig it’ is a slang expression to understand, approve of or enjoy something. I started this piece on digitalisation in a Shakeaspearean tone, and for the sake of lightness, I would like to conclude it by saying that it’s time for risk functions to just simply dig it.

Also read the earlier parts of this blog series:

• Reimagine risk
• The seven ingredients of risk transformation
• Cost out, value in
• The marketing of risk management
• The taxonomy's role in transforming risk management
• Making Risk work
• Your future Risk workforce
• Risk as strategic partner
• Outsourcing risk management
• Rationalise your control framework