Our vision for the future of operational and non-financial risk in financial services

Simon: So welcome everybody to the ORX podcast. We have a stellar cast because I'm joined by Luke Caravick, is the Executive Director of ORX and Steve Bishop, who is the Research and Information Director. And we're here to discuss a vision for the future of operational and non-financial risk. And this is some work that ORX has been doing this year to explore really quite a simple hypothesis. And the hypothesis is starting with changing the business, the digital transformation, has that had a significant impact on risk profile and risk priorities? And if so, is that change significant enough to give us pause for thought fundamentally about how we approach the management of operational and non-financial risk?

Simon: To inform our views, we've spoken to about 50 risk leaders across the ORX Membership, but they would emphasise that any views that we express during this podcast are very much our own. To kick things off, to warm up a little bit, Luke, before we talk about the content, do you want to share why we do this work? What's motivating us here?

Luke: Sure, sure. A really good question to start, Simon. We do sit in a very privileged position here at ORX. We talk to a wide range of institutions all the time. So that gives us a really good sense of when things are changing. So we pick up little signals, which maybe only when you bring those together do you see the kind of slightly bigger picture. So we sense that things are changing. We also sense that it would be really beneficial for our members to try and pull those ideas together and offer a shared vision. This really allows people to move faster, move forward with more confidence. So those two things coming together, there was something going on and we sensed a real benefit in putting those ideas together as well.

Simon: Okay, so let's dive into the content then and I think what we're going to try and do is actually examine those three parts of the hypothesis. Do we see a transformation in the business? Do we think that transformation in the business is impacting risk priorities and profiles? And as a consequence of that, do we think that operational and non-financial risk management needs to change? So let's start with the first of those. Maybe Steve, if I hand this one off to you, what do we hear? Is there a transformation in the business?

Steve: So I think perhaps unsurprisingly to me, we heard strong consensus that there's real significant change underway in financial services. I think that was particularly apparent in the conversations we had with the sort of chief risk officer community who are, we see very much involved in sort of setting strategy for the organisation. And I think that came across really clearly. I think we heard there's significant effort underway to digitise their traditional businesses, but also really interestingly, a strategic focus on creating new digital businesses. What comes with this? I think a few things stood out.

Steve: Definitely a reliance on what many described as an ecosystem of partners, partners and suppliers that are helping them to both digitise their traditional business and create the new business. We heard a real imperative to change. I think as a result of all of those factors, a real increasing complexity in the financial services landscape.

Simon: Brilliant, Steve, thank you. And Luke, so if that's the background that there is this transformation, it's changing the business, it's changing how we deliver our services, did people see that that was having an impact on risk profiles and how significant was that impact?

Luke: Yeah, very much so. So a lot of the transformation that Steve spoke about feeds directly into an increasing operational non-financial risk profile. So that's increasingly important as well, so in the context of the other risk types, it's now sort of higher up the board agenda, but it's also changing quite rapidly as well. So when you pull those things together, kind of getting bigger, relatively increasing importance and also quite volatile in some cases, that just becomes sort of the biggest challenge for the institution.

Luke: It's also the case that quite a lot of the risks that we're talking about really directly impact strategic change, strategic objectives, sort of capabilities that we need for the future. A lot of the digital things that Steve spoke about. So a lot of the risks are really directly related to how institutions are trying to transform along that digital agenda. So just reiterating some of the things that Steve said, he mentioned ecosystem risk, as he said, that's our word, which I think is a little bit broader than kind of third party. It's just trying to capture the fact that you really rely on that ecosystem of partners.

Luke: People spoke also about permeability and that's a link to this idea of ecosystem in that the boundary of your organisation isn't as crisp as it was say 10 or 15 years ago. More data sits outside, you're reliant on more information coming in. So that kind of boundary, there's lots of things passing through it. Outside of the institution, lots of interconnection as Steve's mentioned as well and also, I think increasingly an emphasis on reputation as well. So no longer is it the case that the primary focus of operational risk is amount reducing loss. I think reputation is coming in and resilience as well.

Luke: Putting all those things together, I think that it is sort of increasingly a really important priority for the boards in members and beyond.

Simon: And Steve, did anything strike you about risk profile changing because of this digital transformation that you want to add?

Steve: I think Luke summarised it really well. And I think it all adds up to that point around just the increasing complexity in the sort of operational non-financial risk profile. And I think what was evident as Luke suggested was the level of board and senior leader focus on the risk now. And I think what was really clear that that is providing a real challenge to management. Essentially be able to manage that risk more effectively going forward. know, it's got real attention from a risk professional. I think that's a good thing to have attention, but I think the flip side of that is that you need to be able to progress the sort of discipline and how we manage that risk.

Simon: And is it a transformation? I mean, from what I've just heard is it's increasing, it's increasingly important, it's changing. But Luke, is it a transformation in risk or is it just what we've seen before?

Luke: I think that really depends on your interpretation of the word transformation. It's a bit of a loaded term. Some people think that it's a huge thing when you say transformation. So I would say it's a major change. And I think if you measure it by looking at how you manage risks in the past and what you need to do in the future, those things are very different. So whether you treat that as a transformation or not depends on your definition of it.

Luke: It's not an inflection point. It's not all of a sudden things have changed. I think it's a gradual transition because a lot of the digital transformation isn't happening overnight. I know that people would like it to, but they're huge projects. They're not rolled out across the whole organisation simultaneously. So correspondingly, the management of that kind of transitions as well, but you will end up in a point where the past and the future look very, very different.

Simon: So before moving on to the future then, do you to pause at just a moment and Steve, why don't we just keep doing what we're doing? Where are we today? Did we get views on that?

Steve: We did. And I think it's a good thing to look at. I think in lots of the conversations I was involved in, I heard that our sort of current operational risk management frameworks, that they weren't designed for a digital environment. Many had their origins 15, 20 years ago in the requirements that came out of Basel and have been evolved since. But what was interesting though is that we didn't hear anybody say that all that work should be tossed in the bin.

Steve: Essentially, we heard lots of people say that elements of it can bring real value. The sort of fundamental components of what they're doing are probably right. So there was a sense that we want to work from the sort of current foundations, but, and I'll emphasise the but there is a real need to sort of lighten the load on the business, on the risk teams.

Steve: We heard lots of discussion about current efforts, ongoing efforts to simplify and standardise the type of work that people have underway to move to more risk-based approaches and to broadly be, I think, more programmatic in the way that they're approaching the management of risk.

Steve: I think in summary, there's a real buildup of good work. It's not seen that it can continue to manage the sort of new challenges in front of people, but people don't want to start again. They think there's value in the underlying concepts that they have and they want to evolve those and take those forward with that theme of simplifying and standardising, I would say.

Simon: Okay. So to play back what we've heard so far, there has been a transformation in the business that has impacted operational non-financial risks, priorities and profiles.

Simon: And the general picture we've seen is that non-financial risk has increased, seen as increasingly important, and it's changing. And whilst we've done good work to date and we want to build off that work, there's a different challenge going forward. And that's to do with speed, the fact that the risks increasingly come from outside you, that you're more permeable to those risks, and that there's more of an emphasis on the interconnection between risks and reputation. So it seems whether it's a transformation in risk or not, it's a challenging environment where I think the consensus we heard was that we need to change to be successful. So Luke, if I can ask you, what does success look like then in that context? What does success for operational non-financial risk look like in the future?

Luke: I think quite straightforward really. I mean, fundamentally it just means creating value for the business, but also that's not just the value you're bringing, but how you're bringing it to the business as well. So there were kind of three pretty big themes that came out of all the discussions we had. One is that to be valuable, you need to provide insights, provide kind of ONFR management in line with how digital businesses scale. So you need to be able to scale in the same way that those digital economies do. Otherwise, you're just never going to keep up. Similarly, you need to be able to keep up with the speed as well. And then beyond that, you really need to generate new insights. And quite a lot of that comes from the points we were making earlier around the fact that we're much more reliant on that ecosystem now. So a lot of where the insights need to be focused on is that external environment. So understanding what's coming over the horizon and all those things really rely on new capabilities in the risk function because quite a lot of what has been done probably doesn't scale at the rate it needs to and it doesn't move as quickly as what is required and it probably focuses more internally than externally as well. just to recap, it needs to be useful but how it's useful is probably the sort of bigger question, I guess.

Steve: And I was just going to add that I do see the challenge that was a real sort of positive for operational and non-financial risk. the opportunity for the discipline really to sort of cement sort of how it enables the business to successfully transform and operate in the digital environment and risk can really be at the forefront of that. And I think that's really positive, I think a really sort of good thought for the future.

Simon: Brilliant. So if that is a sketch of the vision, then how do we get there, Steve? What's the path forward for us as operational non-financial risk managers?

Steve: So I guess the good news for our listeners is that we did hear from the people that we interviewed, lots of ideas, thoughts, activities that they have underway or that they want to progress that are going to help to move forward to, I guess, evolve the way that we manage operation and non-financial risk. We took all those positive things and we really thought about, how do we put a form of structure around that? And really from that we have a sort of pathway forward that starts with creating a set of solid foundations, as you probably expect in any risk management approach. Those foundations need to be fit for purpose, obviously.

Steve: I think the second component is that we see the need to build a sort of digital core, if you like, to sort of support digital and data-driven risk management within the organisation. So that helps with both speed and scale. And then there are real value adds component, which is building the new insights and capabilities. And over time, I think we see that as the real sort of strategic advantage that I guess risk can play into. So building those new insights and capabilities, really supporting effective risk management in a digital business. And we'll obviously go on to explore it, but I think almost everything we heard sort of we could place quite nicely against those three key components. So that really is the pathway forward that we heard.

Simon: Okay, so I think there's quite a lot there, Steve. You might ask yourself and Luke to kind of expand on those three elements. So, foundations, digital core, new insights and capabilities. Steve, can you kick off with the of the fit foundations? What do we mean by that? What's in there? What are people's priorities?

Steve: Yeah, no problem. And I suspect to most listeners, the foundation will be relatively familiar in terms of the things that they're currently working on or focusing on.

Steve: We see five core elements. Firstly, I think it's the sort of governance and the sort of structure that you have in place within your organisation to manage risk. I think secondly is the framework you operate. So how you manage the risk management cycle. Thirdly is the tools that you operate and have in place. And then there's also skills and there's also culture. And I think we saw culture and skills as the really sort of significant to that.

Steve: We sort of spent a lot of time discussing with organisations and there's clearly a lot of thought and a lot of focus on at the moment. In terms of culture, I think we heard a need to establish a positive culture in an organisation. Probably goes without out saying, stating the obvious possibly, but that positive culture needs to be in place. It needs to embrace risk management, particularly in a sort of complex environment that we've described.

Steve: We had also lots of discussion with a wider group of members on this topic as well. And I think some of the themes that we heard from that discussion were culture needs to be driven from the top and risk needs to be involved in helping to set that culture. That culture needs to ensure that the required skills and resources from across the business can really get involved and embrace risk management activity. And I think also that culture needs to allow the organisation to sort of face into that. The complex and interconnected risk environment.

Steve: I mentionekills ashe sort of other one of the five that we heard lots about and had lots of discussions on. And there is clear consensus that risk teams need to be up skilled. I think in particular adding sort of digital and business expertise, we heard very commonly, but we also heard really moving forward, there is a need to have a multidisciplinary risk team bringing digital, bringing business, but we need data and analytical skills. We still need people who can understand and operate an effective framework. We need risk domain expertise. So lots of our members are heading into that sort of multidisciplinary team concept and they'll flex those resources over time, depending on their priorities and their focus. I think probably for all the risk managers listening, I think everyone is realistic. No one is chasing the unicorn employee either. So very much that need to have a balanced team that helps drive forward your agenda.

Simon: So we build those foundations and I think you're right, Steve, I think that's work that we see in pretty much every organisation trying to make that standard framework lighter, easier to operate, more effective. And then we want to build up a new digital core. What does that look like? What do we mean by that? What do we mean by digital core for non-financial risk?

Luke: Yeah, sure. I think before I describe what it is, think it is possibly, I mean, it's critical. It may be the most critical of the foundational elements without that. A lot of what we spoke about probably wouldn't be possible because the more that you digitise how the non-financial risk function operates, the more that you can manage at scale, manage at speed that we mentioned earlier, sort of lowering costs. But I think how you go about that isn't really solely the NFR functions responsibility. It's not really possible to do that in a silo. It's got to be part of the broader digital transformation that the institution is going through.

Luke: Not just for practical reasons like funding or anything like that. It's really that you're going to start relying on data that comes from across the organisation. So it's really got to be plugged into that in a good way. So some people speak about things like risk by design. that's designing things. with risk in mind, not an afterthought rather than building kind of separate systems and putting data in.

Luke: So there's a real practical challenge in building risk through what people do. But I guess sort of describing the longer term vision, I think we get to a place where it's automated real time, really data driven risk management, being able to kind of pull information and the different lenses depending on what you want. So by risks, by controls oriented to by process, by suppliers, whatever it is, being able to pivot very quickly enables you to move at speed. I think it also gives you lot of confidence because for many years, NFR has focused on the data rather than really what the data tells you. So the more confidence you have, the more you move beyond just trying to look at the numbers and you understand what the numbers are telling you.

Luke: But that connection with the business where you've got real data coming in real time. If you combine that with a model, then you're starting to get towards concept of a digital twin, which wasn't mentioned by many, but it's really the sort of leading edge where you have kind of model of the institution, which you can use to understand what might happen in different circumstances. But the difference between a model and a digital twin is that a digital twin is putting real-time data into it. So it's a live up-to-date version of your institution that you can do experiments on in a safe environment.

Luke: That is, guess, probably the ultimate aim of some of this work. And it will all allow you to respond promptly. People can ask questions. And that feeds into that cultural change, not just within the function itself, but across the organisation.

Simon: Okay, So we build those fit foundations. On top of that, we build a digital core. Those two things together allow us to move at speed and at scale.

Simon: And then I think we also heard, and Steve, I'm going to punt this one to you, that there was a demand for new insights and new capabilities as well. So actually not just doing what we're doing now, but creating new value from new insights. What's that speaking to, Steve?

Steve: So coming back to the point I made earlier, I think this is the real opportunity. I would say that the foundations, the digital data-driven core that we've discussed are the of the must-dos, the insights and the capabilities of must-dos, but they're where the real difference can be made, I think, from risk in the future. We heard lots in this space. We heard lots probably that's perhaps more aspirational from the conversations we had, and we've sort of summarised these into sort of five areas as well.

Steve: So I think the first is the need to sort of improve site if emerging risks.I think that's both understanding the perception of emerging risks within your organisation, but also bringing the external view into your organisation. I know lots of people are thinking, well, we have work underway to do that. But I think the difference going forward is that that information, we need to understand what to do with it, how to respond effectively, how to take action to understand and provide insights on what we think things may do to the risk profile.

Steve: The next area was sort of facing into managing change risk. Again, probably no surprises given that the business change that we've heard is underway, but it's really crucial to ensure that teams have the skills and the ability and the methods that enable the business to transform at pace. So that's being flexible, being responsive, being timely, making sure you've got the required business knowledge and finding a way that risk is seen as a true enabler.

Steve: One of the interesting things that I took away from some of the discussions was that changes on a new thing within organisations. We've talked about it before we've published materials on it before, but one of the things that I heard in sort of the context of the move to digital is that many organisations are looking at the ability to transform effectively and efficiently at pace as a real strategic advantage. Faster market, I think is what comes to mind. And I think that risk can play a key role in that.

Steve: The next area was bringing information on the ecosystem. So we've described the ecosystem as the connection of partners and suppliers that we have within our environment, allowing us to change that are providing the types of skills that are hard to come by. And we need to be able to bring information in on the state of that ecosystem and on the state of those partners and suppliers. And that information needs to be timely and it needs to be actionable.

Steve: And we also need to understand the external environment in which we're operating in. You know, one of the other backdrops to this study is the just increasingly complex and turbulent world in which our financial services organisations operate, the sort of geopolitical situations, etcetera.

Steve: There's a role, think, for risk and a really important role in watching what those are, in understanding what is going on across the world and understanding what that means for risk within your organisation. So we've describing this as sort of bringing in that outside view, the outside in view.

Steve: I think the fourth area, and we've touched on this a couple of times, Luke mentioned it earlier, but a need to understand the full impact of a risk. Historically, we've had a real focus on P&L impact that linked into capital. But there is a need to understand the broader consequences of risk. thinking about the sort of reputational impact is the example that came up time and time again. And we heard lots of discussion about a real board focus on understanding the sort of reputational damage that can occur in relation to lots of the risks that we're all familiar with.

Steve: And overall, businesses, when they're prioritising activity and action, that prioritisation needs to be based on a balanced view of that whole risk as well. So that view needs to be brought together and present it. And I think we also heard that that sort of trust and reputation is a real advantage in a digital world and probably is driving that real board focus on understanding that sort of reputational damage impact. The last of the elements around sort of insights and capabilities is what we're describing as connecting the dots, but I think what this means in reality is sort of offering an effective and integrative view of the operation non-financial risk profile.

Steve: So bringing all the information that you have and presenting that in a coherent way to the business, to boards, that sounds easy. Lots of discussion around the complexity of that given the interconnected nature of the risks and the themes, the regulatory expectations and environment. So much going on as the businesses are moving into this digital space that that's not an easy task, but I think is essential. And I think an area where we will look to focus going forward with our members.

Simon: Just on that last point, is that the board wants to know, especially what are our top 10 financial risks, not what are our top 10 cyber risks, what are our top 10 conduct, what are our top 10 regulatory, we'd like to know what our top 10 risks are and how they kind of compound on each other almost to create a true picture, is that?

Steve: Yeah, absolutely. Bringing that picture together from across all of the risk disciplines and synthesising that into a coherent message of, know, what is the state of the operational and non-financial risk profile? Where should we be prioritising action, activity, spend? That's quite tricky to do on a siloed basis. And I think that's exactly what people were getting at. But I'll stress it's not easy.

Simon: No. And I think on that final layer, think you did mention it, but really that's the layer where I think we're least sighted. We have sight of the challenges or the opportunities, but how we solve those, I don't think we heard anybody being comprehensive in their solutions. And really, I think it's right to say that's where we need new thinking, probably new skills, new tools, new technologies. It's a forming area. It's the challenge.

Steve: Absolutely. We had desire. We had efforts to make progress, but they were probably relatively manual at the moment. And I think people are looking to take something forward that's perhaps more of a method and to how they think about that and how they do that and to sort of drive out that sort of coherent picture, I guess, in a more digital fashion to carry on a theme.

Simon: Luke, I apologise for this in advance, because it's not an easy question. But we've got this vision of moving at speed, moving at scale, generating new insights, we build the new foundations, we build the digital core. We do all of that. What does non-financial risk look like in five years time as a function?

Luke: Pulling all of that together, I think, into some sort of soundbites, I guess. A broader purpose and a wider scope. So the range of things that risk is worried about has expanded. So what needs to be protected and preserved is broader than it used to be. What that means you're getting involved in is broader. So that's the kind of broader purpose and wider scope. Positive culture, Steve talked about that quite a lot. I think that is really critical and it's not within the rest of the team necessarily, it's the whole organisation.

Luke: New skills were also mentioned a lot. A digital core that is critical, as we said, I think that enables quite a lot of these things to be done efficiently without the digital core, just the resources needed to operate anything like this would become untenable. And then, the new insights, particularly around emerging risks, so what's happening outside quite often, around change. So what's the impact of what the change is doing on your organisation? That's much broader than the project side of it. It's more about what the institution will look like once you've made that change. Reputation, we mentioned earlier quite a lot. And the interconnections between everything going on in the ecosystem.

Luke: So I think what that means what risk function looks like in five years time is very different to what it looks like today. I think one or two of those things you could probably trace back to what's been done for quite a long time, but actually the majority of that is pretty new and new territory for most risk functions. And that's a massive agenda loop. Do we need to it all at once?

Luke: I don't think, even if you want to do it, I don't think it's possible. I think there is a logical order.

There are things that are much more foundational than others. We've spoken about digital core, I think some of the governance, some of the more cultural things as well potentially, but you need to be agile. And I think as always with these things, you need to kind of demonstrate that you're going in the right direction. So you maybe don't want to do it everywhere all at once as well. But I think a focus of some sort would be particularly useful as well. So the new risks aren't all being created in the same places.

Luke: Focusing on the most material challenges would be beneficial as well. But as I said earlier about the digital core, I think it's quite critical that this isn't a risk thing that they're just trying to do on their own. think it runs through that broad transformation piece.

Steve: I think lots of the discussions that we were involved in, a lot of the activity that we heard is sort of, I guess, building from the foundations up and that that is a logical way to go. But I also don't think that risk has the sort of luxury to just focus on those foundations and digital element. I think risk needs to be able to demonstrate some of those capabilities that we described. So whether that's the sort of getting good at supporting change risk management, bringing new insights, etcetera, there needs to be progress on those. I think that pressure is there and expectation is there that you sort of can't leave those to the end. So, I think again, making incremental progress in those spaces, being able to demonstrate where risk is making a difference, I think is crucial from now onwards. So, it is going to be a tough road. There's no doubt about that. But I think we heard lots of ideas and ambition, which I think was a real positive for me.

Simon: Are we optimistic or are we pessimistic here? Are we optimistic we're going to make the change and is it an opportunity or are we pessimistic that it's a tough road and it's a challenge?

Luke: I think this is an optimistic picture. So we've painted a view of what the future will look like when it's successful, if it's successful. So, I think there's a huge opportunity because there's more value at stake, there's more value to add, there's more benefit that the risk function can bring. That necessarily means that the stakes are higher. So, if you get it wrong, there's more to lose. So, I think there is this opportunity to step up. It requires probably a little bit of a mindset shift. This relates to Steve's cultural point, but traditionally, that hasn't probably been where most people perceive a second line function to do. So, bringing lots of value. there's a shift in the thinking outside of the function as well. But I think when you put those things together, it's a huge opportunity.

Luke: What also makes me optimistic is that I think, as we said right at the start, to be a successful organisation, you need to be good at this. And I think increasingly that's being recognised at the highest levels of organisations you would expect a lot of kind of management support for some of these initiatives as well.

Luke: Just kind of going back to the discussion about doing it all at once, because I think it's quite relevant to, is this sort of opportunity or challenge? I think there are probably opportunities quite near term to demonstrate that this is the way to go. And I think we haven't spoken much about AI, but I think AI is one of those where there is a real demand for a way to manage it at speed and at scale.

Luke: Because it's one of those things that really is scaling in that kind of digital business model. And it's a real challenge. So if people can do that successfully, I think it unlocks the door to showing that this really is the role that the non-financial risk function should play.

Steve: I was going to add that I agree with Luke, that I think this is a real opportunity for operational risk. I don't think anyone underestimates the effort required and the level of change but I think the prize is significant if we can get it right.

Simon: Okay. Just before we close then, is there anything that we haven't covered that we should sort of share? Steve, anything you want to mention?

Steve: I was going to raise regulation. We've avoided it till, we’ve avoided it until now.

Steve: We didn't set out to directly discuss regulation with our members. Perhaps unsurprisingly, it came up in the course of a number of discussions and it came up quite a bit when we gathered our leader community together in London earlier in the year. I think overall consensus is that there is a need for a supportive environment, both from regulators in terms of the policy and the direction of policy, but also I think in terms of the style of supervision and perhaps where that is pushing our members. I think it's on our members and on financial services industries to demonstrate a clear road forward, to demonstrate how that manages risks effectively. I think they're keen to take the supervisors on that journey.

Simon: Okay. Luke, anything from you, we haven't mentioned?

Luke: Yeah, I did mention it very briefly a minute ago. I mentioned AI, was primarily talking about the kind of risks there. But conversely, there is this huge opportunity for the risk function to use AI in how they transform. And I think there are quite a lot of areas where that makes sense because you see one thing that AI allows you to do is work at scale. So you can summarise a huge amount of data very quickly, much more quickly than you could do with a human.

Luke: And that will be one of the challenges. If you've got the digital core, you're trying to bring things together very quickly. So there will be a role for AI in that. And what you've seen quite often more recently with AI isn't necessarily profound insights that no one has come up against. It's really just making interactions between often humans and data and systems more smooth or more efficient.

Luke: And I think that will be an angle on this as well. So if you're trying to make risk insights more consumable, different audiences, different questions. Bringing all that together with AI is something I expect to see. So with any luck, AI will allow some of this to move forward at a greater pace. It's an interesting one because it sits on both sides. It's a risk that we're trying to manage and keep up with, but we may well keep up with it and manage it by using AI itself. It's a kind of circular argument.

Simon: Would you describe it as a double edged sword, Luke?

Luke: Yeah, you could do. But no, it's interesting that there aren't many things where the thing you're managing and the solution are basically the same. But I think there's a few things in the digital world where that is the case.

Luke: But being completely honest, it didn't come up as much in the discussions as we thought, partly due to timing, because I think it's quite easy to think that the discussions around AI have been going on for a lot longer than they have. It's a very recent phenomenon really. So I think quite a lot of the time when we had discussions, it was pretty early days for people to say with any certainty what impact they thought AI would have, certainly on the way that they manage risk. Because it is a sort of emerging discipline at the moment.

Simon: I think a better phrasing question than can AI do is, can AI do it cost effectively, accurately and efficiently? And that's the answer that's not clear. It can do a lot of things, but what do you want it to?

Simon: Before we wrap up, I did want to add one thing, which is that the role we're discussing here, I think, we keep using the language that ONFR needs to do this. But I think what ONFR needs to do is actually lead the effort of the whole firm. And I think it's evident that it is a broad risk. And as we think about the future, think one of the purposes of making the foundations fit for purpose is that they can be used by specialist risk functions, they can be used by the business.

Simon: So that they manage their risk day to day, that risk leads the provision of that digital core, and then risk creates those new insights by bringing in new information and combining information that comes up from the business and from those specialist risk functions. And I think to do that, risk needs to take that leadership role, but risk really does need to empower people. And I think that is about systems and data and tools, but it's also about something we haven't really historically been very good at, which is about communication. So that the people who aren't in risk understand the importance of what we do and understand the context in which they're operating. Maybe it goes back to Steve's cultural point, but I really do think it's a leadership role rather than just a doing role as we go forward.

Simon: Wrapping back up, thank you for staying with us, if you have, we wanted to explore a hypothesis. The hypothesis is really simple to state, which is that there's been a transformation in the business that's impacted operation and non-financial risk profiles and priorities, and that that's going to require a change in how we manage those risks. And I think we think that's the case. And we think that we've uncovered a real value proposition for non-financial risk in the future. That actually successful financial institutions will need to manage operational and non-financial risk well.

Simon: So we're publishing this division. It's quite a short document, but Steve, what will we do after that? Is that we carve it marvel and put it on the shelf? I don't think that's the approach. What happens next for us?

Steve: No, definitely not planning to throw it over the fence and step back. I think we can't emphasise enough that this is a sort of living and breathing document. We've talked about lots of the components today where there are aspirations, ideas, thoughts, desire to move forward. And our aim is to absolutely continue to work with members to support progress. One of the founding principles of ORX is about bringing people together to solve problems that are difficult to deal with on your own. And I think there are lots of problems that people are tackling where that is helpful.

Steve: So, we're to be looking at a program of work stretching out probably over the next sort of two or three years ultimately. That work is kicking off with a focus on sort of deepening our thinking and our understanding of the governance and structural piece. So where are people taking, how they set themselves up to tackle these challenges? What is the direction of travel? What are the models look like across the industry at the moment?

Steve: That sort of generates lots of interest when we talk to members, because people like to understand how they look against their peers. And so, I think that'll be a particularly interesting piece and is one of those foundational elements that we described. And then the other that we're kicking off at the moment as well is looking at that sort of skills piece and what is that skills mix that's required? What is the competencies that are required and trying to create a little bit of a blueprint to enable people to sort of pick that up and help shape and form their teams and perhaps to help shape the types of people that work in or want to work in in operation on financial risk. Post that we will then continue with a program of activity looking at some of those other themes. We'll be talking to our members, particularly our leaders community to help prioritise those over the course of the next year or so.

Simon: Brilliant, thank you, Steve. So then closing thoughts, Luke?

Luke: Yeah, just sort of loop back to your very first question, which is why did we do this? Because we essentially, we thought there was something interesting going on. Hopefully, we've shown that there is. And I just wanted to clarify quite a fundamental point that this is really the collation of lots of discussions we had into what we think is a reasonably good coherent vision. This isn't necessarily the perfect vision or exactly the vision that you might have in your institution, but I think it points everyone in the right direction. And it's very much the case that no one that we spoke to has this done and dusted by any means. So really treat it as a vision rather than something that you think you need to catch up with today. But it's a five year destination for non-financial risk.

Simon: Brilliant Thank you very much, Steve. Thank you very much, Luke. That was a fascinating discussion. And if you would like to read the vision report, then it's free to download from the ORX website. Thank you for listening.