Our crystal ball sees, among other things, the dissolution of the three lines of defense model, the rise of sustainability as a top risk, the integration of ERM in critical economic functions, and a heavier dose of CRO input in emerging and strategic risk decisions.
Friday, January 10, 2020
By Brenda Boultwood
On the heels of ushering in a new decade, it makes sense to reflect on not only how far we've come but also where we are headed. While risk management is perhaps not completely mature, it is light years away from its start as a fledgling discipline.
Believe it or not, Basel guidance on risk began roughly 32 years ago. For most of the ensuing time, businesses viewed risk management primarily as a tool for regulatory compliance. Today, in contrast, just about everyone sees the potential for risk management to change businesses for the better.
There is, moreover, a significant wave of revisions on the horizon. Let's now consider five 2020 predictions that could eventually bring about a sea change in risk management:
1. The three lines of defense business model, as we know it, will end
We can pretend this is driven by budget cuts and a loosening of regulations, but we know the changes to this model are long overdue in financial services. Firms in other industries (including manufacturing) never adopted the three lines of defense model, because they never needed it.
In 2020, financial services firms will reconsider their approach to non-financial risks, managing them more like financial risks. Risk metrics will be created in transaction systems, while risk systems will aggregate, apply correlations and produce analytics. Qualitative risk factors will continue to rely on expert judgement, supported by quantitative metrics.
Second-line-of-defense functions, such as risk management and compliance, will continue to thrive and prosper, with a focus on framework, policy, methodology and analytics. Their expertise will help the business reimagine resilient customer fulfillment.
What's more, sustainability, cybersecurity and third-party management will be built into business processes. Risk assessments will be unwittingly completed by people closest to the risk, using assessment questionnaires triggered by thresholds, incidents and events (see diagram, below).
[Diagram: Embedded Risk Management Through Assessment Questionnaires]
Internal audit assurance will remain vital, but will become a thin layer responsible for reviewing continuous monitoring of controls; advising the business on key controls; and monitoring the efficacy of functional group (e.g., risk and compliance) activities. Business will be better, because the focus will be on the critical economic functions and how customers are fulfilled within an acceptable level of risk.
2. Business process automation will be reimagined
A combination of automation, robotics and AI will be further embedded in risk management. To digitize and sustainably provide services and goods for the achievement of both societal and customer objectives, resources will be redeployed.
Digital interaction will incite collaboration and work fulfillment, and, through layering into transaction systems, standalone risk management software applications will eventually “disappear.” Moreover, data lineage software will be used to locate existing intelligence across multiple internal systems, and risk appetite statements for the degree of process digitization will become common.
Relationships between internal issues and incidents and customer complaints streaming through Twitter will be recognized, and this intelligence will assist in ranking the most critical actions.
There will also be a variety of platform approaches to integrate technologies, whether through the cloud or internal infrastructure. Artificial intelligence, for example, will become a common tool for regulatory change management. Natural language processing will establish firms' risk and compliance taxonomies, building the relationships between the taxonomy data objects such as risks and controls.
What's more, managed services through consortiums or third-party services will be more common. This will include third-party management, regulatory changes, cyber threat monitoring and AML bad-guy profiling through cross-industry consortiums. Firms will near-shore outsource authentication, as well as software asset management and regulatory reporting.
Stress testing will become more focused on operational resilience, including internal and external factors such as climate change. Firms, of course, will want to understand the effects of these factors on revenues, earnings and capital - but regulators and customers will want to comprehend the impact of mishaps on customer outcomes.
Firms will also set thresholds for what customer service inconveniences and disruptions they expect, while regulators will set tolerances based on what is acceptable. Customers and third parties should expect this information to be more readily disclosed, as firms more carefully manage their reputation and sustainability.
3. Sustainability will emerge as a top risk
Our understanding of this risk is in its infancy. Like cybersecurity risk, it will depend greatly on a firm's ability to respond to events out of their control.
The outcome of sustainability is directly connected to how long an organization survives, and is largely dependent on a firm's ability to manage geopolitical events, third parties and disruptions to its business processes.
A sustainability risk taxonomy should be developed to evaluate not only a firm's environmental risks but also its operational resilience and reputation.
4. ERM will be integrated through critical economic functions
Coming full circle from the first prediction about the disappearance of lines of defense, financial and nonfinancial risks will be tied to the critical, customer-centric economic function. Tolerable levels of potential failure, or risk, will be measured by thresholds aligned to growth, risk appetite and operational resilience objectives.
Whether a firm's risks are primarily financial or nonfinancial, they will have effects on both short-term earnings and long-term reputation and survival.
5. The CRO will sometimes play the role of futurist
As the key consigliere to the CEO about what factors will impact the present, the emerging and the strategic, the CRO will grow stronger and stronger. But he or she cannot be strictly focused on, say, the interest rate option vega position or the absolute size of operational losses.
Instead, the CRO must be about evaluating how a new digital mortgage loan underwriting and fulfillment process increases financial and nonfinancial risk exposures in unexpected ways. Or how an airplane assembly supply chain could be impacted by an unexpected production halt. Or how car production is impacted by a new round of tariffs.
The scenarios go on and on.
In 2020, we'll likely see significant changes in risk models, processes and functions. The CRO storyteller must focus the firm on what is most critical, while guiding the discussions about the impacts of digitization and third-party dependencies on the business process for the good of the firm, the customer and society.
Brenda Boultwood is a Risk Advisory Partner at Deloitte. She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Prior to joining Deloitte, she was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Before that, she worked as the global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.