If you were given free rein to design your own risk function from scratch, what would you build? Dr Camila Witt at Danish cross-border payments company Inpay tells Sara Benwell how she met this ‘once in a risk manager’s lifetime’ opportunity.
YOU’VE RECENTLY BUILT A RISK MANAGEMENT FUNCTION. HOW DID THE PROJECT START?
Inpay chief risk officer Dr Camila Witt: I joined Inpay in January 2022 as chief risk and compliance officer to develop the company’s already strong focus on compliance.
It’s been fantastic to build out a risk management function at a fintech company that’s revolutionising the payments sector.
Inpay is growing rapidly and was recognised in 2021 by the Financial Times as the fastest growing company in Denmark and sixth fastest growing fintech company in Europe.
When I joined Inpay, our founder Jacob Tackmann Thomsen told me that he was looking for someone to bring the risk function to a whole new level of maturity and he gave me carte blanche to do that.
What he wanted, fundamentally, was risk management that makes sense to our business.
I have worked in other companies where you cannot challenge existing frameworks. Inpay is the opposite to that. There was a willingness from the senior leadership team and especially from our owner, to invest in the foundation of proper risk management.
I was given the luxury of designing that in the way that I saw fit and to present it to the board of directors. It was a once in a lifetime opportunity.
HOW DID YOU GO ABOUT BUILDING THE FRAMEWORK?
Witt: In the beginning, we spent a lot of time properly understanding the business model and realistically looking at what risks we face in the cross-border payment sector.
We wanted to try to embed risk management in the culture of the company and to show people the value that proper risk management can bring.
One of the things that we told our colleagues is that risk and opportunity go together.
I emphasised to the team that risk management is about preparing for a journey so that you can make the most of it. People can relate to that.
They think: ‘If I sit down and think about the risks I might face, I can tackle them beforehand. I will face them with open eyes and aligned stakeholders so I can minimise the chance of disruption.’
When employees do this, the business runs more smoothly.
The next part was defining the framework. We invested in qualifying the team and deepening our knowledge of risk management to devise a plan that suited our business.
I’m a big fan of Douglas Hubbard’s book The Failure of Risk Management. For me, it separates proper risk management from guesswork.
One thing that was very important to me was avoiding fragmented or disintegrated risk management, with myriad Excel spreadsheets that no one updates.
Instead, we invested in a governance, risk and compliance system that provides a holistic picture. We record policies and can link them to the process. We can perform risk assessments in the system, put the controls there and assign actions to owners.
If a gap analysis shows that a process hasn’t been designed, we can talk to the process owners, make it operational, and perform a risk assessment.
If that shows a control missing, then we can put an action in the system with a deadline and an owner. The action might be to implement a sample-based control or have a dialogue with the developers to improve a feature.
We have oversight, which means the risk function can easily check in with colleagues and ask if they need support or training. This saves so much time and uncertainty.
Ultimately, people can use their time to think about risk management rather than tedious admin tasks. And for us at Inpay, this is highly important.
HOW DID YOU CHOOSE THE RIGHT THIRD PARTY SYSTEM FOR YOUR NEEDS?
Witt: We interviewed several vendors, and we had a strict selection process.
Because we’d spent time deep diving into best practice, we knew what we wanted. We had scores for primary needs and analysed what features were available.
We also looked at vendor availability. You need to know if you’re their number one customer or number ten customer, because that dictates how much attention they’ll give to you.
We also looked into time zones. There are some vendors that might be wonderful, but if the time difference is eight hours and you need to quickly solve issues, that might not be optimal.
We wanted a vendor that could support our scalability ambitions and that would be open to a dialogue to adjust their systems according to our needs and our methodology.
The most important thing for Inpay was that we could link the processes to the policies, risk assessments, controls and actions. Having this integrated and comprehensive view of risk management was what led us to choose our vendor.
WERE THERE ANY KEY CHALLENGES YOU FACED ALONG THE WAY AND HOW DID YOU SOLVE THEM?
Witt: One challenge most organisations face is getting the buy-in from people within the company on why risk management matters. This is something that we overcame by breaking down silos.
We made our function extremely approachable and have an open-door policy. We reach out to the business to understand their needs.
For example, if we want to launch a product, we need to decide: should we build it in-house or buy from someone else? What is the time to market? etc. We looked at questions that are quite intuitive, but which explained to stakeholders the value that they were getting by integrating risk management in their day-to-day work.
HOW WOULD YOU CHARACTERISE THE IMPACT IT HAS HAD ON YOUR ORGANISATION?
Witt: We have more accountability in terms of ownership. That drives further developments because when you perform risk assessments, you naturally discover the need for enhancing data architecture and capturing.
Once people start to do proper risk management, they see how to improve their processes.
Witt: We’re on a maturity journey. Two key things for us are value creation and value protection.
Keeping the organisation engaged is a non-stop task for a company growing at our level, especially with regards to onboarding new employees. That is part of our everyday and we must get that right.
We’re also looking into collecting more data points that will help our risk management. We have hired quality assurance staff resource because we want to improve our controls and the process regarding the feedback loop from those controls.
IS THERE ANYTHING ELSE THAT YOU THINK WAS IMPORTANT WHEN SETTING UP THE RISK MANAGEMENT FUNCTION?
Witt: One of the things that made it easier, or certainly more fun, is that despite being in Copenhagen, we have more than 50 nationalities in our teams.
People tend to see the risks according to their life view and the experiences that they have, so when you have people from so many different backgrounds, it’s an enriching experience. You expand your catalogue of risk events because you have more diverse inputs.