Forward-thinking cyber controls, incentive-driven risk mitigation, algorithm audits and increased data privacy demands are among the trends that will shape risk managers' agendas in the coming year.
Friday, January 25, 2019
By Brenda Boultwood
If there's anything that we've learned from 2018's scandals around data privacy, money laundering and sexual misconduct, it's that an organization's performance and success are only as good as its risk management abilities.
Like anything worthwhile, an effective risk management program takes time: it cannot be established overnight, it cannot be tacked on as an afterthought and it certainly cannot be the responsibility of just a few teams. Rather, it must be an enterprise-wide cultural exercise that is deeply ingrained into the DNA of the organization from the start.
Keeping this point of view in mind, here are my 2019 risk management predictions:
1. Cyber Controls Will Be Baked into Digital Processes from the Outset
Today, entire business models are being rebuilt around the cloud, big data analytics, artificial intelligence and the internet of things. As the “digitization of everything” takes shape, cyber threats and attacks will only escalate.
To offset their impact, companies in 2019 will be challenged to treat cybersecurity as a forethought on their digital journeys rather than an afterthought. Instead of building or deploying a new tool and then thinking about the possible risks, companies will need to proactively anticipate and mitigate potential threats.
As the digital process is envisioned, potential cyber risks will need to be acknowledged, and corresponding controls built in to mitigate the potential failure.
2. Risk Management Will Become More Engaging and Incentive-Driven for the Front Line
Instead of focusing on how the front line should adapt to risk management, companies will look at how risk management can be adapted to the first line. How can risk processes be made so easy, engaging and intuitive that they become an inherent part of employee daily routines?
As an example, a large financial institution recently created an intranet portal to capture issues, incidents and risks in plain English. Most employees don't know the difference between these three terms. To make matters simpler and to minimize the hassle of training, the portal has been set up to capture basic information about an issue, incident or risk. This data is then routed to a business risk specialist, who can prioritize, taxonomize and investigate the details.
Another financial institution has linked risk management to its rewards and incentives programs by running contests on who can report the highest proportion of self-identified issues within a specified period. Naturally, recognition is provided to the business unit that closes out high-priority actions in a timely manner.
A third approach that is being tested is the layering of compliance questionnaires into transaction systems. When a business person enters a transaction, defined data thresholds trigger the required responses, which are then routed to compliance personnel via SMS text messages for immediate action.
Innovative approaches like these will become more commonplace, as every company seeks to build a strong, risk-aware culture across its first line of defense, directly supported by relevant functional experts.
3. Consumers Will Be Willing to Pay for Higher Levels of Data Privacy
Reports of personal data being misused for financial gain have left consumers mistrustful and wary of corporate data governance practices. Six months after the EU's General Data Protection Regulation (GDPR) was enforced, UK consumers registered up to 19,000 data-related complaints with the Information Commissioner's Office (ICO). Meanwhile, 70% of global consumers in a Gemalto study reported that they would stop doing business with a company if it experienced a data breach.
As the demand for trust and transparency increases, companies will need to demonstrate that they are doing everything in their power to ensure that personal data is handled ethically and securely. Many consumers will be willing to pay for higher levels of data security and privacy, just as they would do for better internet bandwidth or more data storage space.
4. A Risk-Based Trigger Approach Will Become the Norm
For years, traditional GRC functions such as risk management, compliance and audit have followed a risk-based approach in their activities. Going forward, if they haven't already done so, other “peripheral” GRC functions - be it business continuity management, IT compliance management, cybersecurity or vendor governance - will also adopt risk-based methodologies.
Meanwhile, risk assessments and control testing, which were earlier based on pre-defined calendar schedules, will now be triggered in a more dynamic manner based on risk. Whether the trigger is, say, a large loss event that has just taken place, an issue that has stayed open for more than three months, or a cybersecurity incident that has recurred, risks will be assessed as and when they arise, so that companies can be better prepared to take mitigating action.
5. The Business-to-IT Translator Role Will Become Critical
As IT resources and support for enterprise applications are moved offshore, companies will need to appoint an onshore team with both the functional expertise and domain knowledge to act as a translator between the business and IT. This is important, because business stakeholders might want to know how a new risk management solution or third-party governance framework will add value to their business.
Some may be looking to customize a tool to their specific requirements, while others may want to optimize the reporting capabilities offered by a standard out-of-the-box software. The translator's role will be to understand and communicate these requirements between the business and IT support teams, so that new GRC applications, as well as processes and frameworks, can be rolled out smoothly and efficiently.
6. Algorithm Audits Will Be in Demand
Rapid advancements in artificial intelligence and big data analytics have enabled companies to achieve the extraordinary - whether it's the ability to detect financial fraud in near real time, diagnose diseases faster, or build self-driving cars. But with these technologies and their underlying algorithms comes the inherent risk of errors and biases that, if left unchecked, can trigger wrong decisions that harm both a business and its customers.
To offset these risks, investors and regulators will expect companies to audit their algorithms. Indeed, GDPR already requires companies to be able to explain their algorithmic decisions to customers.
Continuous assurance about the quality of the algorithm will become the norm. As societies seek to ensure that AI is used ethically, algorithm auditing will evolve into a proper science with specific standards, procedures, training and reporting.
7. Risk Management Will Not Only Promote Revenue Quality, but Also Grow Revenue
For years, the risk function served to create frameworks and boundaries internally, within which an organization could pursue revenue-generating opportunities. Today, in contrast, the risk function is being called on to do more - to become an actual enabler of revenue growth.
Companies are looking to their risk managers for intelligence and insights that can help the business differentiate itself, grow revenue and cut costs. But how can this be achieved?
As products are digitized, companies can layer in data protection and vulnerability controls while educating marketing personnel on the value to consumers. A firm can also increase throughput by embedding transaction risk and compliance tools into the system.
For example, a services company can run projects with global transparency around labor skillsets and utilization. An IT company, on the other hand, can reduce costs by replacing an offshore model with an onshore one supported by the correct translation capabilities between the business and offshore support personnel. NIST, COBIT, GDPR, ISO and other cyber standard controls can also be rationalized to minimize the duplication of effort and resources.
Led by the risk function, these practices will enable companies to make smarter, better decisions that result in stronger performance and profitability.
Brenda Boultwood is the senior vice president of industry solutions at MetricStream. She is responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Prior to joining MetricStream, she served as senior vice president and chief risk officer at Constellation Energy. Before that, she worked as the global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services. She has also been a board member of the Global Association of Risk Professionals (GARP), and currently serves on the board of the Committee of Chief Risk Officers (CCRO).