It’s time to change the way we ‘do’ risk management


Chief Risk Officer, Michelle Griffey


“The pace of change has never been this fast, yet it will never be this slow again.” Canadian Prime Minister Justin Trudeau’s words at Davos last year demonstrate just how fast the business world is evolving.

As a result of this rapid change, the world of risk management and compliance must also evolve – shifting our focus from tick-box exercises that show we have simply ‘done what the regulators ask’, to genuinely protecting the end-customer in an increasingly complex world.

In recent years we have seen the introduction of far more regulation, much of which has been appropriate and is welcomed. In the aftermath of the financial crisis, for example, it was wholly right that more stringent rules were introduced to protect both the industry and consumers from similar future events.

Traditionally, of course, our methods for ensuring compliance have been to fill out seemingly endless spreadsheets and to enter round upon round of questions, so we can tick the box when complete. We would simply ‘do’ compliance.

The irony of this approach is that, in reality, it does a disservice to the exact person we are looking to protect – the end-customer. Looking at spreadsheets and ticking boxes takes our focus away from the rapid changes and emerging risks arising from this fast-changing world, and away from the customer’s experience.

So how do we adapt – to ensure the end-customer is front and centre of what we do? The answer is to embrace a more holistic approach to risk and compliance, one that focuses on ‘doing the right thing’ at all times. So instead of thinking ‘have we done ISO27001?’ and ‘now we need to move on to PCI and ISO22301’, let’s have an approach that considers all of these requirements within the context of what’s right for the end-customer – in the context of what will protect them, what will ensure they have resilience in their operations and what will ensure they can adapt to emerging risks and challenges.

Of course, there will always be a requirement to ensure we have met the technical requirements of the regulators. Tools and technology can help with that too. But if our focus becomes doing the right thing for the end-customer, the principles of our activities will ensure we meet regulators’ requirements while also enhancing customers’ experience.

What’s more, regulators are also becoming increasingly focused on resilience. They are increasingly asking whether levels of service to the end-customer can be maintained at all times; what controls are in place to ensure that level of service can be retained amid rapid changes and emerging risks. Resilience is about business continuity, data-protection governance, health and safety governance, information security, cyber risk management, and more. Delivering on that requirement absolutely requires moving away from tick-box compliance and toward a more holistic approach that includes a collaborative working relationship with the client.

Changing our approach in this way will not only better protect the end-customer – it will also help businesses achieve the thing that is increasingly driving retention and acquisition of customers across sectors and industries: trust. The fast-changing, rapidly evolving world I described earlier creates new concerns and worries for customers, who are also more aware of risk than ever before and more savvy when it comes to the brands they buy from. That means trust has become the new ‘value add’ in the brand-customer relationship. Having customers’ trust is the cornerstone of good business.

Focusing on the end-customer in everything we do will ensure we build that trust, ensure the regulators can see we are delivering on their requirement to demonstrate resilience, and allow us to be much more adaptable to a world that is changing faster than ever before – and will never change this slowly again.



Michelle Griffey, our Chief Risk Officer, shares her thoughts on managing digital risk, discussing the evolution of traditional risk management and the challenges of managing risk with pre-digital processes. Read more about the approach Communisis take to Risk Management.

