Australians are asking why it should take Royal Commissions, withering media reports, shareholder activism and litigation before boards and senior leaders recognise that issues of Governance, Culture, Remuneration, and Accountability (GCRA) represent material business risks.
Non-financial risk in the financial services sector is managed according to a Three Lines of Defence (‘3LoD’) model. Following risk management failures, most post-mortems conclude that the 3LoD model was insufficiently well ‘embedded’ within a firm. Typical call-outs include inadequate clarity in roles and responsibilities, coordination challenges, broken processes, and inaccurate risk reporting, which collectively enfeeble the ‘voice of risk’ in the organisation. The question is: why does this pattern of failure persist?
The truth is that the model itself doesn’t manage risk; people do. At many firms, operational risk management has become little more than Kabuki theatre, designed to provide comfort that things are taken seriously and to produce demonstrable (if spurious) “evidence” of thoughtful activity to placate concerned stakeholders without actually shifting things at all. Such false comforts are costly and produce immense frustration when risk management failures appear.
We don’t need better frameworks that help with more box-checking. We need real-time insights into cultural drivers of behaviour so that firms can course-correct when things look likely to hop the guardrails. We need real-time, evidence-based and data-driven insights that provide leading indicators of risk before it is made manifest, rather than backward-looking surveillance systems designed to catch bad actors after the fact.
Rather than waiting for risk to materialise, leading firms (and their regulators) will invest in predictive approaches to drive proactive risk mitigation and operational resiliency.