The evolving capabilities of the risk profession in a regulated environment

  • November 08, 2018

We interviewed Aurore Lecanon, Transformation Risk Director at M&G Prudential, to find out how the risk profession needs to evolve as organisations transform.


In a world where financial institutions are having to transform and embrace digital methods, how do you see the risk profession needing to evolve?

The extent and impact of the digital revolution in the financial services world is striking, especially for companies such as insurance companies and pension funds that are trying to play catch up with banks, prompted by but also helped by Fintechs. At the centre of this very fast-paced evolution are the customers and their ever-growing expectations that everything should and will be at their fingertips. Cost reduction and operational effectiveness are another big driver of change. Not surprisingly, with all attention initially focused on the end of the customer-facing processes and operations supporting those, Risk is very often lagging behind.

How can organisations ensure that their risk teams are able to understand more complex risks than ever before?

There are two ways in my view companies can invest in their risk functions to ensure they are fit for purpose now and for the future. The most obvious one is obviously training e.g. on data analytics, data security or cyber risk. I would argue though that what needs to be encouraged is also a less silo mentality when it comes to expertise: having one data scientist or a cyber risk expert in a team is great, but what would be more effective in my view is to form a core of risk or compliance people to understand the whole spectrum of risk their company is exposed to, from op risk to financial risks to conduct or cyber risk. These will be the future risk leaders who can make informed decisions quickly or reach out to the right experts to make them. Creating multi-disciplinary risk and compliance teams, even virtually, who are embedded in specific parts of the business is the best way in my view to learn this fast on the job.

The second way is to actually invest in Risk & Compliance’s own technological revolution. I read in the 2017 McKinsey digital risk survey that whereas 70% of the banks surveyed had digital risk on their radar, but only a portion of the risk budget in the digitalisation of risk management processes. With data legacy systems often cumbersome and processes extremely manual partly for that reason, working in Risk or Compliance is often a long exhausting hurdle race with not much value add. Investing in new technology not only in client facing areas to boost growth or in operations to reduce costs but also in digitising risk processes would open a world of possibilities for the profession but also ensure that time is spent on strategic adding value decisions rather than manual and routine low value work.

How can a risk professional ensure they keep up to speed on the latest risk technology developments?

Well, I am not an expert on training risk professionals, having been one only for the last 4 years, but I would say that training is often in our own hands rather than in the hands of an organisation. Especially given the beauty of this digital world we live in is this incredible and free access to information. Unfortunately, I have witnessed many times risk and compliance teams being the most reluctant to access that information and use it. I remember inheriting a financial risk team where no one ever read market news. Similarly, if risk professionals are not ready to embrace and make use of new technologies, they will be doomed and will soon be replaced by data scientists or modelling gurus. I am not myself a Cyber risk expert for example, but I would be hard pressed to find a risk conference that does not cover the topic these days. There are so many free events, seminars, blogs available these days that it would be criminal for people who are serious about enhancing their expertise and developing their career not to tap into those resources, especially in an environment where training budgets are the first ones to be cut.

What changes are you seeing in the ways in which risk teams work with each other and across the business? How is the agile way of working evolving and contributing to these changes?

As mentioned above, I think connectivity and embeddedness are key. People can’t work anymore in silos, not only within Risk & Compliance but within the entire business. Within Risk & Compliance, senior managers need to be able to both connect the dots and access quickly the expertise available across the functions. Creating an organisational design (and work environment) allowing this is extremely important. This may need to be supported in some cases by radical changes in culture – hard reporting lines may need to be replaced by matrix organisations or multi-disciplinary “virtual” teams embedded into the business that can input live into the design of new processes or products for example. The latter in my experience does help improve the cadence of advice and challenge given to the business by the Risk & Compliance function, its speed of response and hence its credibility. People may say this is agile working – I would just say, it is being adaptable to the demand of businesses who are working faster and need nimbler brains. Working in silos of expertise and “overseeing” the business from miles away is what could get the Risk profession stuck in time.

How has the need for new processes heightened as risk functions digitise?

I might turn the question slightly differently: “do you need to create new risk management processes so they can be digitised?” In a lot of cases the answer is yes – and not only in Risk but in Finance or Actuarial. Big financial services companies with 100s of years of history often carry a heavy load of outdated systems and practices. Faced with corrupted data or fragmented processes, those professionals have come up with amazing ways to cope and do their jobs – one manual control here, one check there, one spreadsheet later etc. Interestingly, in a lot of departments, it often results in those individuals understanding that incredibly complex process becoming essential. And when digitisation knocks at the door, the answer almost invariably comes back: “oh no, this is too complex a process to be digitised, you do not understand”. The point I am trying to make here is that more often than not, the process indeed can’t be digitised as it is. The process needs to be looked at with fresh eyes and re-engineered end to end before it can be digitised. That in itself means new ways of thinking and strong collaboration with the business, developers, Finance etc. But it can be done, and it has to be done.

What do you consider to be the main challenges that institutions face as they look to evolve their risk teams and staff whilst going through transformation?

I would say the challenges are often access to talent, culture and rigid organisational structures. As mentioned above, the latter are often focused on separating areas of expertise and are difficult to break – this is what people are comfortable with, not only in Risk but in Finance or HR etc. When we created a Transformation Risk team, it would be fair to say that most of my colleagues wondered whether we were going to overlap with their teams… We did and we still do, but with a bit of pragmatism and a very strong sense of collaboration, we are now working seamlessly with our operational, financial and technological risk colleagues.

Finding the right talents for the future is another hurdle. It is also honestly quite difficult to find Risk professionals who are also data scientists or understand new technologies and to find data analytics experts who want to work in Risk. As Director of Transformation Risk it was actually quite a challenge for me to gauge what capabilities the team needed – did I need an op risk person alongside a financial risk one? Did I need programme risk specialists? I ended up deciding that what was needed was good brains, able to ask the right questions at the right time, able to collaborate and interact with a wide and diverse set of stakeholders, from other risk colleagues to developers in feature teams to business leads in sales. It was however not that easy to translate that into job specs recruiters would be able to take to the market.

Finally, culture is often the slowest thing to change. For Risk and Compliance professionals who may tend to be, rightly so, prudent and conservative, embracing a new fast-paced world where a Cyber attack could easily wipe down your bottom line or any mishandling of customer data could expose the company to regulatory sanction, is challenging. They are being asked to think fast on situations that would have traditionally required careful consideration and deliberation, they are asked to trust tech guys with risk management processes they have lovingly built. They ask themselves – what if this goes wrong? Am I not accountable for ensuring nothing goes wrong? What does “fail fast” mean in Risk? Those changes are not easy to make, for anyone.

Can you make any predictions for how the risk profession will continue to evolve over the next 5 years?

Well, first of all, the importance of Risk will continue to increase, not because most predict regulatory scrutiny will, but because managing risks (whether reducing those or taking the right ones in the right quantum) is now recognised as core to any business. In that sense it is not only the responsibility of the Risk & Compliance functions to manage risks and the frontiers between first and second line may become more blurred as we move to more agile ways of working.

Secondly, I would personally suspect that most Risk professionals won’t be Risk professionals by background anymore – I was myself an ALM expert and had always worked in first line before I joined Risk. This certainly helped me when I became Financial Risk Director at Prudential. Bringing into Risk & Compliance teams people who have worked in the business, in tech, in operations, in sales is extremely valuable for the effectiveness of those teams but also for the future of the profession, as it will help in my view unlock a pool of talents that are currently not necessarily thinking of a career in Risk. Conversely, bringing Risk professionals into the core of the business processes and functions will go a long way to making those fast-paced digital transformations secure.

Any other perspectives to add?

I would only add that I had the most exciting times of my career since I have worked at exec level in Risk – we see the big picture and the detail of so many things, we are part of so many key strategic decisions the business needs to make. It is truly, especially nowadays, a fascinating place to be and I would encourage anyone to jump in!

Thank you Aurore!

Aurore Lecanon has been Transformation Risk Director at M&G Prudential since January 2018, responsible for oversight and assurance across all strategic change initiatives at M&G Prudential. Aurore joined Prudential UK in 2015 as Financial Risk Director and, prior to that, held Head of ALM positions at both Old Mutual and Aviva Group. Aurore also spent years in investment banking, at Credit Suisse, where she covered large UK insurance companies within the Insurance & Pensions Solutions team, and at Société Générale in London, where she focused on structuring insurance-linked financing and risk transfers. Her career, however, had started in the insurance industry, at Aviva, where she worked in a number of roles across the Treasury, Capital and Risk Management areas. Aurore is a graduate of the Ecole Polytechnique in France and holds Masters in Stochastic Mathematics and Financial Engineering from Princeton University and the University of Paris VI.
