The role of the risk function had changed in the last two decades as it had become driven by technology, said Mr Smout, who is KPMG’s global lead, governance, risk & assurance and risk strategy & technology partner.
“The risk function can start to be seen as value-adding, because it is taking in all the data on the external and environmental factors, and can help (management and the front-line) see how those trends might impact both the current strategy, as well as its traditional role of risk mitigation.”
Fellow roundtable participant Robb Eadie, BHP’s global chief risk officer, said 20 years ago the role of the risk function “revolved around stopping bad things happening”. Now the risk function is “all about making good things happen”, and that is primarily enabled by technology.
The role of technology in risk has also been greatly empowered by the realisation that risk resides at all levels of an organisation, and is not just handled centrally by a risk function, according to Jason Smith, board director at the Risk Management Institute of Australasia.
“Risk management has to be embedded not only in operational performance, but business planning and performance management, and really every function. Technology is accelerating this process.”
If one looked at organisations’ operational risk, said Mr Smith, there was “huge opportunity” to use tools such as machine learning and artificial intelligence (AI).
“That is certainly an area where businesses can start to collect and collate and understand their operational data better, to understand the relationships between the operational data and the key risk indicators, and allow AI and machine learning to start to discern the trends and the relationships between them,” he said.
“Historically, risk managers have tended to rely on what the historical loss events have been, and doing scenario analysis, and it’s actually been very subjective and very backward-looking. Technology is now allowing organisations to be a bit more objective and predictive around what’s happening with the operational risk profile of the organisation.”
But a wonderful kitbag of tech tools did not guarantee great insights, said Mr Smout.
“A tech solution doesn’t fix an inherent problem that an organisation has, culturally, with its attitude to, and appetite for, risk. You can have the best governance, risk and compliance (GRC) platform or system, for example, but if you don’t have the right people, processes, and quality of input data, you can’t use it.
Intuitive interpretation of data still important
“The value in such a platform comes when you start to get the business actually inputting the data into it, owning it, and keeping it up to date. Otherwise, the platform is viewed as not having worked, it gets written off,” Mr Smout said.
“But if it is ‘owned’ by the business, that’s where you get the value in good risk management.”
Mr Smith agreed and said, “Often, it’s not so much that the system doesn’t work, it’s that the system doesn’t give the organisation the value it should.
“Taking the GRC system example further, if it’s just used to allow the business to tick compliance boxes, it won’t be giving them meaningful insights to allow them to be more predictive around the risk profile of the organisation.”
To a large extent, the insights still come from humans – as do the risks.
“The biggest risk you have in any organisation is the human being, because as an entity we are quite error-prone in comparison with the alternative, with the alternative being algorithmic machine-based data analysis,” Mr Eadie said.
“But on the other hand, the one thing that human beings are exceptionally good at is that element of insight – that intuitive interpretation of data. The factual algorithmic interpretation of data is very useful, but sometimes it can miss the subtle nuances that will be seen by people who have many years of experience, and in-depth knowledge and insight into specific areas,” he said.
This factor is “the human in the loop,” said Zoe Willis, KPMG Partner Data and RegTech.
“As we see automated technologies advancing, the human element becomes more important. The ‘human in the loop’ is what actually provides the context,” she said.
And this is the true paradox of technology and data, says Anne O’Driscoll, non-executive director at Steadfast Group. “The business processes themselves are being increasingly automated, and the risk processes and access to data and tools to interpret that data are increasingly prevalent.
“The challenge is ensuring that you have people on the frontline and people in the risk function that have the experience,” Ms O’Driscoll said.
“That’s one of the things that concerns me, seeing the degree to which we are automating these things, how we actually continue to ensure that people, as they grow through organisations, have that judgment that comes by intuition.
“Ultimately, will people have the experience to say, ‘Just because the machine says that, it still doesn’t look right to me, based on my experience?’ That’s my concern,” she concluded.