We were pleased to once again be part of RiskMinds, where we ran the operational risk and business resilience stream. This event brought together global risk professionals to exchange perspectives and discuss evolving trends in operational risk management. At the 2025 event, we presented the latest developments from our strategic vision for strengthening operational risk management across the financial services sector.
Our paper, Our strategic vision for operational and non-financial risk, has recently been updated to reflect changes in the industry over the past year. It includes additional information from ongoing dialogue with operational and non-financial risk leaders, and it features perspectives from in-person exchanges at LeadersConnect Live 2025 alongside virtual LeadersConnect sessions.
Luke Carrivick, Executive Director, and Helen L'Abbate, Deputy Director of Research and Information, recently spoke at RiskMinds, offering their expert insights on how the refreshed vision empowers operational risk professionals and their organisations to excel amidst ongoing industry change. Watch their interview below.
Joanna: Helen and Luke, thank you so much for joining me again today. Thanks for inviting us. And Luke, if I may start with you please. You've been sharing ORX's vision for operational and non-financial risk. What is this vision, and why does it matter for senior risk leaders today?
Luke: In simple terms, the vision is all about setting out how an organisation can thrive in a world that's defined by rapid change, by real extensive digital transformation, and huge external volatility. And the vision itself kind of captures that environment, but also sets out a pathway for how you can achieve success within that. There are some foundational elements, there is a digital core, and then there is a set of capabilities that we will need to master.
Luke: So, within the bottom layer, which is the foundations, there is an element called governance and operating model. That's really about how risk interacts with the rest of your organisation. There is an element about framework, there is an element about culture and communications, and an element about skill.
Luke: So that's the kind of prerequisites for anything to be successful. In the middle, you have a big ball of stuff, which is called the digital core. That's about technology, AI, data. That's really the beating heart of how you will manage non-financial risk in the future. And at the top, there are capabilities that you need to master.
Luke: So there are things like, uh, emerging risks, seeing what's coming. We call it ecosystem risk as well, that's understanding what's happening on the periphery of your organisation. Huge amount of complexity there.
Luke: There is stuff around change, so how you manage change successfully. And then finally, things about seeing the whole or a holistic view, and that's really taking into account the fact that, these days, it's not just about loss. It's about reputation, it's about protecting assets as well. And all of that contributes to a successful strategy and a resilient organisation.
Joanna: And the 2025 update highlights six new or expanded strategic priorities for operational and non-financial risk. Which of these do you see as most transformative for the industry, and how should risk leaders respond?
Luke: So it's, it's a really good question. The six are, are really things that existed there already. They're just the things that we've noticed have been particularly important in the last year and we know people are gonna be working on them in the year to come. So resiliency and strategy both appear in that list. We also have a lot about AI. It's an area where we've seen progress more than anything in the last 12 months. Prior to that, I think you could categorise it as, as lots of good ideas and pilots, but really is, it is making a huge difference, uh, to the industry at the moment.
Luke: We also have speed. That is around the speed of response, so equipping your organisation to be able to respond rapidly to, to whatever comes along. And we also have communication, which is possibly the biggest surprise for the year. That's, I think, an attempt to try and condense all of that complexity into a coherent message.
Luke: And it also tells us that there is demand for that clear picture, and that's typically coming from, from very senior management as well. And within those, what's the most important one? That was your question.
Luke: I think the prerequisite for success is getting good with AI at the moment, and that feels like there's where the transformation's gonna come from. That will enable you to automate things, to automate controls. There's a huge potential, I think, with genetic AI to actually have much more proactive risk management going on in the organisation.
Luke: But I think to the individual risk manager, the thing that will make the biggest difference is that link to the strategy. So the more that non-financial risk contributes to the strategic success, I think the more it's gonna be asked to do. Currently, the risk teams aren't necessarily well-equipped to do that. It's new territory, and I think we need new thinking in that area as well.
Joanna: And Helen, as Luke just mentioned there, risks are increasing in complexity influenced by shifting technological and geopolitical environments. What challenges and opportunities does this create for operational and non-financial risk management?
Helen L’Abbate: Yeah, so I think starting with digital transformation, organisations are going through huge amounts of, of transformation, and there is that strategic imperative to make sure that they are transforming and keeping up, and keeping that pace.
Helen: I think that brings opportunity, like Luke's just talked about there, with the use of different technologies.
Helen: It brings opportunity from both the business perspective but also the risk teams as well. But it also brings complexity from the risk profile, and there is that imperative to understand exactly what does that technology bring from a risk profile perspective, and what does it mean from a risk appetite perspective.
Helen: So how much risk is the organisation willing to take, say, for example, with AI, and, and being able to define risk appetite statements, particularly for AI, is quite a bit of a challenge right now.
Helen: Then I think as part of that transformation, many organisations are using a number of third parties, and that brings complexity to the ecosystem.
Helen: That complexity now means that those organisations are part of the financial services institute themselves, so they need to manage that much more carefully. Then you layer in the geopolitical landscape, which brings much more complexity.
Helen: Organisations need to understand where those third parties are being used, what does it mean from that end-to-end process perspective, particularly from a customer perspective, and that then brings the question around resilience. And we've heard over the last few days that resilience is much higher on the agenda given the linkage to reputation as well.
Joanna: And your report mentions a shift towards a more strategic and resilient approach to risk management. What does resilience look like in practice, and how does it differ from traditional risk management?
Helen: So I think historically, we've seen risk management and resilience being operated quite separately, both in terms of the framework and the risk teams that are embedded within those, um, two types there. And then I think as part of that digital transformation, what's become apparent in recent times is that digital services is just part of our everyday.
Helen: So there's a greater expectation, both from society and customer expectation that those services just work, that they're at our fingertips, they're on 24/7. And when that service is disrupted, there is an imperative that those organisations are able to weather that disruption, they're able to elegantly manage their way through such incidents so that the service continues and we importantly learn from that.
Helen: So I think in recent times, we've seen those two disciplines come together, and that's seen as a real positive in that risk management and resilience are being integrated both in terms of teams and the frameworks themselves. So, there's a real positivity, I think, in seeing the resilience and risk management working together, and I think recognition that good risk management results in the outcomes of positive resilience.
Joanna: And Luke, if I may come back to you, please. Looking ahead, what practical steps can organisations take to ensure their operational and non-financial risk management delivers both resilience today and strategic success tomorrow?
Luke: Really good question. I think it's why we found the vision to be really helpful. It breaks what is a really complex problem down into some building blocks.
Luke: People understand what they need to do, where they can make progress. Without that, I think it's really hard to feel like you're making any progress 'cause there's so many things going on. But I'll throw out a couple of ideas, and they're both quite soft so they're probably not what people would expect.
Luke: But I think the first one is try and be really creative. So, the digitalisation that we've seen over the last 10 years particularly has really rewired how banks, insurers, financial services work.
Luke: So, stepping back and thinking about in that context what risk management really looks like, it doesn't necessarily mean a faster version of what you have today. It could mean something very different. So, that would be the first tip. Just be curious, sorry, be creative about how you do risk management.
Luke: The second one, which I just pre-empted, is curiosity. I think the number one skill of a risk manager in the future will be the ability to anticipate what's coming, so seeing around the corner, looking for emerging risks, understanding what's happening in that ecosystem. We are in amongst lots of change that's gonna continue for years and years.
Luke: I don't think anyone really knows where AI is really going. I think the AI we have today, we will laugh at in five years and say, "Wasn't that quaint what we did back then?" I don't think people understand what the impact on humans is gonna be in the wider society. So, trying to get ahead of all of that is going to be the number one thing that makes you strategically successful but also resilient today.
Joanna: Luke and Helen, thank you so much for your time today.
Helen and Luke: Thanks. Thank you very much.
The roadmap: ORX’s vision for the future
Our updated vision outlines how organisations can not only respond to, but flourish amid, sweeping digital change and uncertainty. At the heart of this vision are three core pillars: a robust fit foundation, resilient digital core, and strong insights and capabilities. Together, these foundational elements empower operational risk management to continuously adapt and embed itself within day-to-day business decisions, strengthening resilience and enabling strategic progress across the organisation.
"To the individual risk manager, the thing that will make the biggest difference is the link to strategy. The more non-financial risk contributes to strategic risk success the more it’s going to be asked to do."
Luke Carrivick, Executive Director
Setting priorities: Transformation, resilience, and agility
The discussion highlighted several priorities for risk management teams as they navigate today’s challenges:
- Transformation: Embracing the most transformative technologies and approaches, especially artificial intelligence (AI), is crucial. Mastering AI will be a defining capability for operational risk leaders in the evolving financial landscape.
- Resilience and strategy: Building resilience isn’t just about defence, it’s about aligning risk management with the organisation’s broader strategy, ensuring that non-financial risk becomes a driver of strategic success.
- Speed and communication: In a fast-paced world, quick, transparent communication is vital. This enables organisations to respond swiftly to emerging risks and opportunities.
"I think the number one skill of a risk manager in the future will be the ability to anticipate what's coming, so seeing around the corner, looking for emerging risks, understanding what's happening in that ecosystem."
Luke Carrivick, Executive Director
Digital transformation: A strategic imperative
Helen stressed that digital transformation is no longer optional; it’s a strategic necessity. The rapid adoption of new technologies opens up opportunities not just for business growth, but also for risk teams to innovate. As organisations become more reliant on technology, the expectation is that risk management and organisational resilience will work hand in hand, supporting each other to deliver value and safeguard the future.
"There is a strategic imperative to make sure (firms) are keeping up that pace. This brings opportunity with the use of different technologies and brings opportunities from both the business perspective and the risk teams as well."
Helen L'Abbate, Deputy Director of Research and Information
Download the updated vision for operational risk excellence
Read the new version of our paper, Our strategic vision for operational and non-financial risk.