Agile way of working at ING
flat and decentralized decision-making
frequent and flexible adaptation to changes in the market
cross-functional collaboration and fast-paced innovation
Agile vs Traditional Risk Management (3 Lines)
Business unit is empowered to identify and manage risks in real-time, using data and technology to support decision-making
The business unit is responsible for identifying risks, but may have limited access to data and technology, relying more on manual processes and assessments.
Works closely with the business unit to provide real-time risk insights, monitoring and reporting.
Focuses on reviewing and verifying the accuracy of the risk information provided by the business unit and providing independent assessments of the control environment.
Catalyst for change, helping to identify and prioritize areas for improvement and working with the business unit and second line of defense to implement changes
Traditional internal audit activities such as testing controls, assessing the effectiveness of risk management processes, and reporting on findings to management.
Group of expers within a tribe, such as risk management.
Chapters are responsible for ensuring that their area of expertise is well-represented and for providing guidance to other members
A squad is a small, cross-functional team within a tribe delivering specific products / services.
The squad is responsible for defining and delivering the work, and for ensuring that it meets the needs of customers
Senior leader overseeing the work of a tribe and ensuring that it aligns with the bank's overall strategy
The tribe lead is also responsible for providing guidance and support to the squads and chapters
Pros and cons of INGs agile governance structure compared to a more traditional governance structure
(Risk Management POV)
More flexibility and responsiveness to changing business needs and risks
Promotes collaboration and communication between teams which can identify and manage risks more efficiently
Helps to identify and mitigate risks earlier
Risk management can be apparent across the whole insitution
May lack formal controls and oversight
May result in incomplete or insufficient risk analysis and management
Difficult to maintain a consistent approach to risk management