Future of risk

Organizations are facing more risk than ever, from regulatory complexities to evolving technology threats. As risk gets riskier, managing risk requires more robust and holistic approaches. With better data and insights, it’s possible to transform the risk function and enable the organization to use risk management as a strategic business enabler.

From pandemics to geopolitical strife to supply chain disruptions, the events of the past several years have shone a spotlight on the criticality of risk management to support business resiliency and informed decision making. While tech disruption is one underlying cause of this heightened risk environment, it’s also one of the solutions going forward. Executives recognize that understanding risk is not an option but an imperative to preserve the overall health of the business, reputation and build resilience. But there’s also more interest in shifting the risk function from compliance and control to value creation.

Canada has a very diverse market, including large financial institutions, big tech, and a broad public sector, in addition to a significant mid-market. Many larger organizations, some of which are regulated, have long established formal risk and control functions. On the other end of the spectrum are smaller organizations with less formalized or mature risk and control governance and structures in place - including the technology infrastructure in place to support one.

What’s changing is that Canadian organizations of all sizes are now stepping up and investing in risk. Many global trends and practices outlined in KPMG’s global Future of Risk report apply to Canada, but there are certain key factors that Canadian organizations must consider when improving the capabilities of their risk function.

In the next three to five years, 61% of executives expect to see a significant increase in the level of risk for which they will be responsible, according to KPMG’s Future of Risk global survey of 400 executives, conducted in February and March 2024.

90% of executives indicated that the pace of risk transformation activity has increased over the past year.

In Canada, risk has risen to the top of the C-Suite agenda in organizations of all sizes and across sectors. Boards are asking questions—and the right questions—about how to streamline and get the most out of their risk-related activities. Maturity is also evolving. It’s no longer about why we need risk management, but how to get to the next level when we are in an environment with so much potential for and exposure to disruptions.

Canadian executives across sectors are increasingly looking at risk as an enabler if not an asset, not just another cost to the business. The challenge is making risk management fit into the corporate culture, without becoming yet another compliance control or turning into a ‘no’ based regime. We’re starting to see that shift happen even in less mature companies—because if they’re going to invest in a new market or a new technology, they need data around both strategic and operational-level risks.

Canada’s banking sector is at a much more advanced stage of risk function maturity than other sectors. Risk comes with the territory in running a financial institution, and the chief risk officer (CRO) is a frequent advisor to the business. But that means this sector may be in greater need of transformation. Over the past decade, risk functions have grown and transformed significantly; in many cases growth wasn’t strategic, but rather a response to a regulatory need, a business need or an acquisition. As a result, the risk function has become disjointed, but it’s an opportunity to design a new model for today’s risk landscape.

Risk awareness needs to permeate all levels of an organization, but it starts with the tone at the top, including the C-Suite. Our survey found that the No. 1 factor for C-Suite executives in driving a successful risk transformation is leadership that fosters a risk-aware culture and prioritizes risk management throughout the organization. They may even start to see an upside to risk.

Notably, it’s about empowering employees by changing the perception of the risk function from “feared” to “trusted value creators”, and helping every employee understand their role in managing risk. Organizations can encourage self-reflection to better understand wider risks, and to become more proactive and resilient. By building a risk-aware culture across different risk domains, providing adequate training and education, and developing a robust governance structure, organizations can tap into a diverse range of expertise, enabling them to take a proactive and comprehensive approach to risk management. This, in turn, increases their resiliency and ability to navigate a changing business landscape.

Canadian executives are also starting to reflect on the interconnectedness of risk. It’s increasingly important to understand those interconnection points and how one risk event can impact the velocity and magnitude of other risks. Being more proactive with risk management means looking at data from a holistic perspective to see how risk is changing and evolving, and how that data can be used for risk mitigation and risk-based decision-making.

Understanding how risks are connected requires integration of data, systems, and teams across siloed business units. This can bring significant benefits such as enhanced reporting, consistent risk management, and simplified risk mitigation strategy. The majority of leaders surveyed expect that the integration of risk management data and resources across business units will significantly increase in the next three to five years, which could be due in part to the rising awareness that an integrated approach is better than a fragmented one.

Risk management is only as good as the insights it provides. As executives consider the interconnectivity of risks and their magnitude of impact, they’re putting more focus on thoughtful scenario analysis and stress testing. They’re looking at how they can be better prepared for interconnected risks, how it changes what they may be doing today and what they can do to boost their resilience tomorrow.

In many cases, there’s still a perception that risk is managed by the chief risk officer. While the risk function does provide independent oversight, risk is owned by the business, which is why creating a risk-aware, risk-embracing corporate culture is key in building resilience. The C-Suite and the board are talking about risk every single day, but perhaps not in a formalized manner. A risk-aware culture, however, means that risk is a constant agenda item.

Reinforcing accountability on the front lines continues to be important, but the risk function is evolving: it’s not about clamping down on what employees can or cannot do, but rather about building awareness so they know how to recognize red flags. A cross-functional, cross-disciplinary point of view is also important because every individual has a different area of responsibility and technical depth. The right approach should involve collaboration with these different viewpoints to better strategize and quantify risk.

With a shift toward a more analytical-driven risk function, organizations will in turn need to shift their workforce, whether it’s through training, upskilling or hiring data scientists and AI experts. A talent strategy for the future should align with that shift. To do this, organizations should identify the impact of technology on their workforce. Without considering these impacts, adoption could be limited, since users may not understand the new platform or workflow. At the same time, many organizations may have capacity issues or lack in-house expertise, so outsourcing could be a requirement.

Investments in AI and other technologies call for a workforce with the skills to successfully incorporate these technologies into their everyday workflows—especially as the future of risk management is heading toward greater adoption of digital tools and AI-based automation. The majority of organizations in the survey (59%) said they’re reshaping their workforce by offering special projects, training for new roles, redeployment, and reskilling in recent technologies.

To effectively meet these challenges, organizations will need to leverage technology, including AI, to get the right insights from the right data. They will need to build proactive risk capabilities. And, perhaps most importantly, they will need to invest in supporting a risk-aware culture, ultimately transforming their approach to risk from one that simply avoids damage to one that adds transformative value.

To successfully navigate the complex landscape of risk and compliance, organizations must address interconnected challenges while building robust risk management frameworks tailored to their specific needs. KPMG understands these challenges and offers solutions to help you achieve your goals. Our extensive experience and technical expertise provide powerful risk analytics, advanced modeling techniques, real-time risk reporting, and a trusted AI framework.

We support you in risk transformation, trusted AI, cybersecurity, privacy, third-party risk management, enterprise resilience, and cultivating a risk-aware culture. So, whether you’re optimizing a single function, connecting the entire enterprise, or even transforming your risk program entirely, KPMG can help.

For a deep dive into these insights and more, please read the full global report: