THE INTERVIEW

Deborah Ritchie speaks to Adam Ennamli about how enterprise risk management is embedded into his organisation’s growth engine, the shift from bureaucracy to decision enablement, and about how AI and pragmatism are redefining the modern risk function


How would you describe the General Bank of Canada’s approach to enterprise-wide risk management? What distinguishes its structure or culture from other institutions you’ve worked with?

General Bank of Canada is making enterprise risk a core part of its growth system. We see trust as a competitive advantage in the marketplace, and we have unified our capabilities to reduce friction, crisis response time and costs. At GBC, risk is not seen as a source of bureaucracy, but as a partner for decisions. Easier said than done, I know, but that’s where the rubber hits the road. Over the past three years, we have reduced the number of risk assessments by 80 per cent, as risk considerations are now embedded in our business processes, seamlessly.

Our risk professionals are connected to their business counterparts through a centralised risk partnering model where understanding the processes in depth is a priority, along with automation. The programme has been right-sized, leading to 60 per cent hard efficiencies and more clarity. Finally, and most importantly, the culture is more durable. We are introducing a microlearning programme that takes the training burden from an average of four hours per domain to 12 minutes of targeted education, where content is generated through AI depending on the audience.

Your background spans technology, compliance and operational resilience. How does that technical grounding shape the way you approach risk decision-making, and communicate with other senior stakeholders?

It helps with being able to understand the reality of each department and adapt the risk function to those realities. A lot of the friction between the risk function and the rest of the organisation stems from theoretical frameworks that cannot be adopted due to operational constraints, due to the high indirect cost that they impose on the first line, or due to their complexity. Speaking multiple sub-languages is a very helpful catalyst to build trust with counterparts, and maximise the effectiveness of risk guardrails, without bureaucracy. For instance, when working with our tech teams on an upcoming transformation, I can discuss concrete integration points of failure previously encountered during ERP implementations or cloud migrations, then translate those risks into business impact terms for mainstream audiences.

Risk management theory can look neat on paper, but the real test is in daily operations. Where do you see the biggest gap between risk frameworks and risk in action – and how do you bridge it?

We need to be pragmatic when we expect a product function to fill out a 10-page risk assessment when their own business case was only a one-pager. Logic has left the room. I am not advocating for a total laissez-faire, but to make risk invisible, effective and embedded into everyday operations – less jargon, more connection. For our last three new products and markets, there was no documentation produced by risk; everything was part of one unified, comprehensive business case that addressed any potential challenges or risks at the onset of the project. Concretely, each business case follows a structured template that prompts consideration of key risk domains seamlessly. We’ve just eliminated the redundancy. For example, strategic risk is addressed through market share and product portfolio considerations, while operational risk is discussed through the execution section.

As a member of the Forbes Technology Council, you’ve a clear vantage point on emerging tools. How do you see AI and data-driven systems transforming the way risk teams analyse, report and respond?

In the past 15 years, most of the risk teams have executed low-value, necessary but bureaucratic tasks at 60-80 per cent+ of their capacity, leaving very little time and energy for high-value thinking that can move the needle and get organisations to be proactive and actually address emerging trends, rather than just react. AI can be used to automate these tasks – to simplify them, so that we can transition that 80 per cent into real decision enablement. We have started to do that, with success, at GBC. For example, our due diligence for third parties has been automated at 77 per cent thanks to a partnership with a US risktech. We have also started automating our risk model validation through another partnership, where our pilot case has yielded 90 per cent cost efficiencies and 70 per cent faster validation compared with traditional use cases.

You’re a member of the Risk Management Awards judging panel. Having judged this year’s award entries, what struck you most about the next generation of risk professionals? Which capabilities or mindsets stand out?

I see more diversity of thought, and more integration and creativity, which is wonderful. Risk is moving away, slowly, from its ivory tower reputation, with fewer barriers to entry and more openness to other domains. One submission showed how a risk professional applied design thinking to redesign a specific process, cutting resolution time in half without major capital investments or new resources. Everyone has something to contribute, and risk can be a central hub to channel those strengths. More use of technology as well, which is always great as it refocuses efforts where they truly belong.

You lead a complex portfolio, sit on advisory boards and contribute regularly to industry dialogue. How do you manage that spread of responsibility – and what keeps you motivated about the future of the profession?


Advancing mindsets, one idea at a time. Professionally, the first and foremost priority is to support the growth of our bank and to help my colleagues focus on our top priorities as a risk team. My thought leadership work is about modernising the function and exchanging with fellow risk and compliance officers globally to reduce fragmentation, and increase automation and pragmatism. Risk is not about fear; it’s about decisions. The more that risk leaders get involved in industry dialogue, the more positively the risk domain will evolve.


