Digital technologies are enabling new products and service channels, responding to changing customer demands, as well as driving efficiencies and creating competitive advantages. It is, therefore, essential that the second line functions of risk, compliance and security become enablers of innovation and are seen as empowering and guiding, rather than as roadblocks to be overcome or avoided.
Second line functions need to engage with the business, understand emerging technologies to anticipate how they could or will be used, understand potential implementation timelines, and define policies and/or guidance where necessary. Without clearly defined policies, guidance and opinion on the risks new technology imposes, the business will move forward blind to those risks, at worst, or without realizing the value of the second line’s risk experience, at best.
Fundamentally, second line functions need to be at a point where the business is looking to engage with them because they value their advice. This puts a significant part of the responsibility on the second line itself. If the leaders of digitalization initiatives believe that the second line can and will guide them effectively on how to embrace technologies in a risk-informed way and not create barriers, they will consult it. In response, the second line itself has to learn to be more innovative and to find creative solutions where a conflict is perceived to exist between the transformation and regulatory agendas.
Protiviti explores this important transformation in a recently published white paper, Empowering Second Line Functions to Enable Innovation. Here are some questions we recommend asking to help second-line leaders determine whether their organizations are moving in the right direction:
Q: Do leaders of digitalization initiatives actively seek out the guidance and support of the second line?
A: This, of course, is the acid test. If they do, then chances are your second line is evolving to serve in a consultative capacity.
Q: If not, what can the second line of defense do to encourage and engage in a dialogue with the first line?
A: In our experience, this is where most second-line organizations are today. The paper goes into some detail about specific actions the second line can to take to be better prepared to act as an advisor and foster an effective dialogue around digitalization initiatives. The first step for many is acknowledging the need to change.
Q: Is there a cultural obstacle that needs to be challenged and transformed?
A: The answer is yes for many, if not most, organizations, and the transformation will likely be incremental. In many instances, second-line teams may need to demonstrate consultative value in order to earn the trust of their partners. When embracing risk, the second line needs to change its mindset from focusing on what a regulator may not like or regulations may not allow, to thinking about how to bring the regulators along. The regulators are, in reality, trying to encourage innovation, and it is a mistake in most cases to present them as a barrier.
Q: How can the organization improve collaboration and consultation on new technologies and their associated risks?
The answer to this question will vary by organization, but generally speaking, it will involve engaging frontline managers and technology partners to determine ways that the second line can guide and enable transformation, and a willingness to work together toward responsible innovation. If the second line is to be seen as a valued partner, it will need to play a key role in helping the business find solutions.
Q: Is the business aware of the policies and rules associated with research and development and the process to involve risk and compliance?
This, of course, implies that such policies and rules exist. If they don’t, they should, and they should be reflective of the risk appetite of the organization. Ideally, these policies can be leveraged to create an effective communications plan to socialize all frontline managers to the fact that risk and compliance is there to help, not hinder the process. Of course, this is an easy thing to say. The proof, as always, is in the actions and not the words.
Whether a digitalization initiative involves new products, analytics, customer engagement, operational performance or regulatory compliance, in the final analysis, the degree to which risk and compliance will be effective at promoting responsible innovation is going to be directly proportionate to the strength of the relationships that second line management has formed with the front line and their technology partners. That is going to depend on the degree to which they have cultivated and earned the trust and confidence of the leaders of digitalization initiatives.
For a more in-depth analysis of this topic, you can read the Protiviti white paper here.