JB: I think boards are trying to manage the ever-growing risk universe and ever-evolving threats that they see. That's demanding a number of things in terms of changing behaviour. I think we are seeing increasing prevalence of independent risks functions and chief risk officer roles. Many of those chief risk officers sit on the board, they have a board seat, just like the CEO or the chief financial officer (CFO) traditionally. We're seeing them needing to be day in day out sitting on the board, taking the collective accountability, giving vital input.
It's posing a challenge to organisations where they might be having to set up a completely new way of thinking about risk, which comes with a lot of time and effort and resource investment. We are seeing evolving management information with more focus on tailoring to audiences. [For example,] what the ExCo sees should not be the same as what the board-level risk committee sees, which should not be the same as what the board sees.
We're definitely seeing an evolution towards much more forward-looking trends analysis. Not just saying, ‘this is the risk profile of the organisation, this is where we were last week, or last month, or last quarter and this is where we are now.’ Much more focusing on [thinking about] these are the top risks as they stand today, this is where we're expecting them to go based on the trends that we're seeing and based on the up-to-date information, these are the other ones we think you need to be thinking about, because they're not necessarily on our radar at this level, but the trends are indicating that they should be.
We're seeing a lot more opinion from risk functions as well. We're seeing boards are looking for that person internally that they can trust, who has that degree of independence, going back to the three lines of defence model, where they can say, ‘what is your view on this?’ We're seeing chief risk officers, even in cover sheets on management information, having a little box for their own opinion on management proposals, for example, which is quite interesting. And very powerful. It shows that the chief risk officer in those scenarios really has gravitas and authority, which is very important when thinking about effectively overseeing risk.
We're seeing risk committees, which are dedicated to potentially those top risks or those top risk categories, and even working groups which cross the board, executive and management levels. If you think about how an executive risk committee might be an overall effectively enterprise risk committee chaired by the CRO, then underneath that you might traditionally have an operational risk committee, or a credit risk committee, or market risk committee, whatever it might be. We're seeing that a bit more even at the board level now. Boards are thinking, ‘even if it's not a formal committee of the board – a subcommittee as it would be of the of the board – we need a working group where we get certain people who are authorities on this on the board, maybe together with some of the folk from management, who are the experts on this, to have some form of working group where they discuss some of these topics, they share learning and insights, so that we can get ahead of this stuff that ultimately gets covered at the board committee and at the board.
People [are] looking outside the box to tailor their governance to that evolving risk landscape. That involves a bit of commitment that your committee structure isn't necessarily permanent. If you set up a working group tomorrow, [it] doesn't mean it needs to be there forever or for the next ten years or so. It might just be that right now, we think the right thing to do is, we're facing an acute risk here and we need to make sure that it's getting the attention that it gets. The only challenge with that kind of structure, of course, is we need to make sure that this remains a board thing or a board-lead thing, and it's not crossing that line into day-to-day management of the firm.