
Risk management 101 for 2020

In its report “Is Business Ready for an Extinction-level Event?”, Deloitte, one of the world’s leading professional services networks, polled a number of high-level executives and senior personnel to find out what they regarded as the greatest workplace risks today.

Almost 65 per cent of respondents put destructive cyberattacks at the top of their list of concerns, supporting Deloitte’s assertion that attack surfaces were growing exponentially in an era of technological transformation and cyber everywhere.


With this in mind, “it’s time for senior leadership to modernise risk management programs and solutions to keep pace with the current threats and technologies to incorporate new educational tools, technical solutions and business strategies,” says Deloitte, adding: “A truly viable cyber-resilience program can benefit an organisation’s ability to recover, respond and be ready for a destructive cyberattack.”

According to Risk.net, the ten main risk categories for 2020 are IT disruption, data compromise, theft and fraud, outsourcing and third-party risk, resilience risk, organisational change, conduct risk, regulatory risk, talent risk and geopolitical risk.

Here they are in that order, with interpretations from a range of experts in the various fields.

IT disruption

In his article titled “Business Disruption in the Digital World”, Steve Schlarman says IT disruption, with its potential to wreak havoc on reputations, finances and operations, is “top of mind for all organisations”.

Adds Risk.net: “IT failure has been considered alongside IT disruption, where last year the categories were considered separately. Although the drivers and risk management of the issues are very different, the consequences – the loss of critical services leading to parts or all of an organisation being unable to function – end up looking much the same.”

Data compromise

Data compromises or breaches can occur in a number of ways, according to Kaspersky: from employees using coworkers’ computers and accessing files without authorisation, malicious insiders retrieving data with the intention of using it to harm an individual or company, via lost or stolen devices containing sensitive information, or by malicious “outside actors” or hackers. The latter tend to focus on stealing credentials – the vast majority of data breaches are caused by stolen or weak credentials – says Kaspersky. “If malicious actors have your username and password combination, they have an open door into your network. Because most people reuse passwords, cybercriminals can gain entrance to emails, websites, bank accounts and other sources of personally identifiable information (PII) or financial information.”

Theft and fraud

Risk assessment is the foundation upon which effective anti-fraud and anti-corruption processes are built, says Deloitte in its advisory piece “5 Essential Truths”. “Fraud and theft management is no longer about response,” it maintains. “It is now about detection and prevention. Fraud risk management will help align corporate values and performance as well as protect organisational assets, including reputation, (and) internal controls are one of the great fraud deterrents. Implementing a fraud prevention plan requires commitment and also requires the business to provide the right tools and support to its employees.”

Outsourcing and third-party risk

For most companies, the answer to how to do this “used to be fairly straightforward”, says Logicgate, a cloud-based governance, risk management and compliance (GRC) solution, in an article titled “GRC 101: What is Third Party Risk?”.

“Barring criminal wrongdoing, companies could be confident that their business records, customer data, and other sensitive information were reliably kept in-house (but) those days are over. Sensitive data, IT infrastructure, and more are all shared with partners and vendors or outsourced to other third parties. Everything is connected to the internet or living in the cloud – which undoubtedly makes many business processes easier and more efficient – but also creates the possibility for mishandling or abuse. This is called Third Party Risk, also known as Vendor Risk or Supplier Risk.”

Resilience risk

“Consider the global changes we’ve seen in recent years,” says PricewaterhouseCoopers (PwC), a multinational professional services network of firms, “(and) you’ll understand why risk resilience has become such a hot boardroom topic.”

“Demographic changes and economic shocks, environmental issues and technological advances. They all represent major risks to your business, whether financial, operational, ethical or reputational. The challenge is to identify the ones you are most vulnerable to and mitigate them effectively.”

There are two stages to becoming more resilient to risk, says PwC:

1. Identifying emerging risks – all businesses should have a deep understanding of all the major risks they are vulnerable to.

2. Managing risks more effectively – businesses also need to evaluate the effectiveness of their current risk management strategies to ensure they remain robust, relevant and (able to) meet the changing needs of regulators.

Getting it right

Strategies for managing emerging risks have never been more vital. Is your business clear about its risk appetite, and have you developed an appropriate risk management strategy?

How much time does your Board dedicate to the issue and who in the business is responsible for identifying and mitigating emerging risk?

Once you are clear about the risks you face you will need to be confident that your processes for managing them are effective. So your approach to risk management will need to be embedded in everyday working practices and applied consistently across all operations. Is your risk management process driven predominantly by financial concerns? Have you identified ethical and reputational risks, and do you have a strategy for managing them?

Answering these questions, of course, depends on accurate information. And have you got enough of it? Is it up-to-date, and will it provide a solid base for sound decisions? If the answer’s yes, then the Board will know that risks are well managed, and they will be able to use the data to inform business strategy (shaping remuneration policies, for example).

It is this level of awareness that builds resilient businesses – organisations that understand the risks they face and can articulate their risk appetite and define their risk strategy accordingly. And that means better decision-making, greater agility and a sharper competitive edge.

Organisational change

US-based news organisation Chron.com says “companies need to change because of continually changing business and economic conditions. Change management is a combination of concepts and strategies for the effective planning and implementation of change. The basic change management process includes establishing a need for change, implementing new procedures and policies, and monitoring results. The main risk factor of any change process is that the new systems and procedures will not work and leave the company worse off than before.

“Operational disruptions are another risk factor of organisational change. One strategy to minimise the impact is to determine the right implementation pace, which will vary depending on the size of the company and the complexity of the project. For example, a small consulting partnership could implement a software upgrade in a few hours without major disruptions. However, a medium or large company that is implementing an enterprise resource planning software solution should expect significant disruptions. Other strategies to limit the financial impact of disruptions include scheduling the change implementation in phases, making hardware and software changes only during evenings and weekends, and training employees in using the new systems and processes.”

Conduct risk

Online publishing platform and blog host Medium.com defines conduct risk as the risk that the conduct, acts or omissions of the firm, or individuals within the firm, will: a) deliver poor or unfair outcomes for the customer (retail or wholesale), or b) adversely affect market integrity. “The emergence of scandals around the world coupled with the resulting consumer mistrust towards financial institutions has prompted regulators worldwide to closely examine the root causes of ‘bad behaviours’ in regulated firms, as well as the potential drivers, consequences and remediation requirements that such scandals encompass. Just in case you forgot, ‘Google’ some of these scandals:

• Subprime Mortgage Crisis (2005–2008).

• Lehman Brothers Collapse (2008).

• UK Payment Protection Insurance Scandal (2006 – ongoing).

• Société Générale Fraud (2008).

• Madoff Ponzi Scheme (2008).

• Manipulation of Interbank Offered Rates (2008).

• HSBC Tax Evasion and Money Laundering Scandal (2008).

• Collapse of Spain’s Bankia Group (2012).

• London Whale Scandal (2011–2013).

• Foreign-exchange Rigging (2013–2015).

• Wells Fargo Unauthorised Account Openings (2015–2017).

Regulatory risk

Nibusinessinfo.co.uk, a free service offered by Invest Northern Ireland, is the official online channel for business advice and guidance in Northern Ireland. It explains the concept of regulatory risk in this article.

“Compliance and regulatory risks arise from laws and regulations that rely on penalties or sanctions to regulate the operations of a business,” it says.

“Regulatory risk is the effect of a change in laws and regulations that could potentially cause losses to your business, sector or market. Regulatory risks could, for instance:

• increase the costs of running a business – e.g. costs to achieve compliance.

• change the competitive landscape – e.g. perhaps invalidating your business model.

• make your business practices illegal – e.g. new law changing rules on marketing.

• reduce the attractiveness of an investment.

Talent risk

Top management tends to assume that talented individuals are going to stay in the company. But when they leave – sometimes unexpectedly and without previous warning, sometimes even to join a competitor – management finds out the hard way that talent risk should be taken seriously, say the authors of a white paper titled “Managing Talent Risk”: Andrés Hatum, Professor at the Business School of Universidad Torcuato Di Tella (Argentina), and Lorenzo A. Preve, Professor in the Finance Department of IAE Business School (Argentina).

Additionally, the person who is leaving sometimes carries a portion of important knowledge that might not be left in the company, since knowledge is, most of the time, packaged in people. One of the relevant risks of most organisations is Talent Risk: the risk of “attracting and retaining” the talent needed to compete. Companies capable of attracting and retaining the most talented and suitable individuals can provide a sustainable competitive advantage to their stakeholders.

Geopolitical risk

Geopolitical risk was thrust into the world spotlight when coronavirus struck. According to Risk.net, the pandemic has wreaked havoc on financial markets and forced governments to scramble to find viable responses.

“Geopolitical risk continues to manifest itself in plenty of other ways, too,” says Risk.net. “Regulatory uncertainty in the form of Brexit, which also featured in the 2019 Top 10, continues to be an important concern for the financial sector. Almost four years after the UK voted to leave the European Union, there is still no EU-UK trade deal in place, meaning a lack of clarity on equivalence between UK and EU regulators, and on the ability of UK firms to trade in the EU after full separation at the end of 2020.

Another US election is due in November this year, and likely to again present a choice between different regulatory and economic policies.

Climate change, leading the list of emerging global threats, does not appear on this year’s list of top operational risks, but has ascended to the level of a strategic risk for many institutions. Many survey respondents cited disruption from climate change protests and the credit and reputational risks of association with legacy fossil-fuel industry as concerns. The model risk involved in adapting to the new threats to lending and mortgage businesses posed by climate-related disasters such as floods and wildfires is also a worry for banks, Risk.net says.

Solutions

In the absence of a foolproof solution, Deloitte recommends that entities adopt a multi-focus strategy comprising vigilance (detecting patterns to predict events) and resilience (being able to contain impact) to deal with emerging threats, identifying anomalies in business processes, managing stoppages from third-party vendors, and preparing for risk-related workplace disruptions.

The forces driving this trend? According to Deloitte, there are a number of forces at play, along with the growing realisation that risks cannot be completely eliminated. Other trends include progress in data analytics, machine learning and artificial intelligence (AI) capabilities, greater information sharing and networking, investment into resources to contain disruptive activities, climate change, natural disasters and political unrest, it says.

Using best-in-class technology and systems that embrace vigilance and resilience, Deloitte says entities can ameliorate disruptions “across multiple categories of risk, including factory fires and explosions, labour strikes, terrorism incidents, industrial accidents and natural disasters.”