The growing dependency of organizations on multiple third parties for critical business operations and services has made their extended ecosystem highly convoluted. The complexities are turned up a notch with fourth and subsequent parties and the amplified digital interconnectedness of organizations in the current digital-first operational environment.
Outsourcing to third and subsequent parties is critical to doing business. However, it also exposes your organization to governance and risk management challenges. A robust third-party management (TPM) program for effectively monitoring the extended enterprise and staying ahead of the associated risks has become indispensable for continued business operations.
With three feature releases a year, we constantly innovate and enhance our products and platform. We have now undertaken the initiative to host Customer Product Council sessions to have interactive and engaging conversations with our customers to validate new industry trends and understand their requirements and expectations. The objective is to incorporate the feedback in our forthcoming platform and product releases and empower our customers to strengthen resilience and thrive on risk.
To better understand the evolving business requirements from the TPM perspective, we recently hosted our first Third-Party Management Customer Product Council. The session gave us a deeper understanding of the latest trends and themes. In particular, three key themes emerged:
Unsurprisingly, ESG is a key theme across the board. With growing global awareness of climate risks, diversity, inclusion, ethical practices, and sustainability, along with heightened regulatory focus, organizations today want to understand not only their own ESG posture but also that of their extended enterprise. We are already making strides in this area with our recently launched ESGRC product, which, among other things, integrates with our third-party risk product and enables organizations to assess and evaluate the ESG posture of their suppliers against multiple parameters. To request a personalized demo, click here.
As the number of third parties that an organization deals with continues to proliferate, documenting and managing the relevant information of every individual entity can be extremely cumbersome. This creates several other challenges such as poor visibility into third-party risks, slower onboarding process, duplication of efforts, and other redundancies. Customers are looking for easy ways to simplify monitoring of third-party risks, accelerate onboarding and due-diligence processes, and enhance overall efficiency.
The extended ecosystem of organizations today goes beyond third parties to fourth, fifth, and subsequent parties. Maintaining effective oversight of the entire network of suppliers then becomes extremely difficult, often leaving blind spots and exposing organizations to the associated risks. Based on our customer engagement, organizations today are concerned about three key questions:
We are appreciative of our customers for sharing their honest opinions, expectations, and pain points with us. The feedback will help us drive future innovations in a way that is more meaningful, relevant, and mutually beneficial.
We are currently adding to the council and plan to meet on a quarterly basis. If you’re a TPM customer and want to power what’s next, join the TPM Customer Product Council today! You can reach out to me directly at ahanchinamani@metricstream.com.
The number of ransomware attacks on organizations around the globe keeps climbing, with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.
Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds in 2021, and estimates that ransomware damages will cost the world $265 billion annually by 2031. To operate in this precarious digital landscape, organizations must go the extra mile to ensure that their cyber defenses are robust and effective.
In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft on “Cybersecurity Framework Profile for Ransomware Risk Management” that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.
The document details basic preventive steps to protect against the ransomware threat, including running antivirus software at all times, keeping computers fully patched, monitoring continuously, segmenting internal networks, educating employees about social engineering, and assigning and managing credential authorization, among others.
The NIST Cybersecurity Framework organizes security outcomes into five Functions: Identify, Protect, Detect, Respond, and Recover. The ransomware profile maps key measures to each of these Functions to protect against ransomware threats.
Identify - This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Key suggestions made by NIST under this Function include:
Protect – This Function aims to limit or contain the impact of a potential cybersecurity event by implementing appropriate safeguards to ensure the delivery of critical services. Key measures include:
Detect – This Function covers the activities needed to identify a cybersecurity event when it occurs and enables its timely discovery. Key suggestions include:
Respond – Once a cybersecurity incident is detected, the Respond Function covers the actions taken to contain its impact. NIST recommends:
Recover – This Function covers maintaining plans to restore any capabilities or services impaired by a cybersecurity incident, supporting a timely return to normal operations. Key measures include:
MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.
The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations proactively anticipate and minimize IT and cyber risks, threats, and vulnerabilities, and meet multiple IT compliance requirements. The solution cuts across enterprise silos by harmonizing the work of various functions and aggregating their information, providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.
Our world is being rapidly disrupted by risk. Several emerging factors, including the new organizational challenges introduced by the ongoing pandemic, have made risk management more challenging than ever. As organizations seek new and improved ways to grow more resilient and ‘thrive on risk,’ a comprehensive understanding of the changing risk landscape can inform the right resilience strategies.
Interconnected Risks are Increasing in Velocity and Volume
Headline-grabbing cyber, third-party, and supply chain risks, all of which form complex interconnected risk networks, are increasing in frequency. Cybersecurity threats exploiting remote work environments top the list for chief risk officers (CROs) in the US: PwC’s 2021 US Pulse Survey saw 45% of CROs express concern about cybersecurity threats. On supply chain disruptions, research from the McKinsey Global Institute forecasts that disruptions lasting a month or longer can now be expected every 3.7 years on average. The interconnected nature of these risks leads to significant consequences, from operational and cost implications to tarnished reputations. In KPMG’s global survey, six out of 10 respondents attribute their organization’s most severe reputational risks to third parties. The consequence: organizations are quickly realizing that they need real-time risk assessment to make faster decisions.
Peripheral Risk Awareness is Expanding
Increasing data volume and regulatory overload are pushing peripheral risk awareness beyond its traditional boundaries. Growing digitalization enables organizations to produce and digest granular data, expanding the role of risk and control functions. However, data generated by business lines and operational units sits in silos and therefore does not contribute to an overall view of the business. The sheer volume of regulatory change, which grows year on year to protect organizations, consumers, and other stakeholders, is a huge challenge for compliance teams. Our recently released 2021 State of Compliance Survey report found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business.
Such complexity involved in managing growing data and the escalating regulatory change is driving the need for artificial intelligence (AI) and robotic process automation (RPA) solutions.
The Front Line is Best Positioned for Risk Management
A lot of risks start at the front line, and the good news is that they can end there as well, because frontline workers are uniquely placed to be valuable sources of risk-related information for the organization. Success depends, first, on efficiently aggregating the intelligence from those who deal with risk firsthand and, second, on effectively managing and extracting value from it. Adopting digital tools that make it easier to capture, report, and track business anomalies is the obvious way to empower the front line, and organizations agree: three out of four key managerial personnel in KPMG’s Covid-19 Risk Assessment survey named the adoption of digital tools as a crucial priority for developing a robust risk-assessment approach.
Greater Agility is the Need of the Hour
Digitalization gives organizations the ability to do more. Take contracts, for example, which are integral to any organization: with digitization, organizations can extract far more data by comparing and analyzing the information at hand. However, to use this data to make faster strategic decisions, organizations need agility. Risk and compliance intelligence from across business units and departments, including semantically similar issues reported in the past, needs to be captured, aggregated, and analyzed in near real time. In Chartis Research survey data, 57% of respondents place real-time event processing in the ‘high impact’ category among the varied impacts of advanced technologies on firms’ GRC architectures.
Disconnected Approaches Call for Integrated GRC and Risk Quantification
Gartner forecasts 12.4% growth in global spending on information security and risk management technology and services, with estimated spend reaching $150.4 billion in 2021. However, many organizations continue to manage risk, business continuity, compliance, and internal audit separately, resulting in multiple silos and disparate processes. Near real-time visibility into risk and compliance is only possible when the different perspectives on risk across functions are integrated and harmonized. Standardizing the taxonomies used to communicate risk is one way to get there. Another is to embrace risk quantification: moving away from categorizing risks as red, yellow, or green toward quantifying their specifics, such as the dollar cost or business impact of a risk, is the way ahead.
Helping organizations address and stay ahead of the market trends is MetricStream’s Brazos software release. As outlined in our earlier blog, the Brazos release packs in several features with the aim to simplify regulatory and compliance complexity, quantify the impact of cyber risks, and power next-gen vendor risk management with AI—enabling your organization to become future-ready.
Watch the webinar or download the eBook to learn more on the market trends driving change and how your organization can stay ahead with MetricStream’s Brazos software release.
“Culture eats strategy for breakfast.” The popular phrase attributed to celebrated management guru Peter Drucker holds true not just for organizational culture but for risk culture as well. Drucker was not dismissing the importance of strategy, but rather emphasizing the role of culture in executing strategy. Similarly, a strong risk-aware culture plays an equally crucial role in effective risk management.
An effective risk-aware culture—determined by the awareness, attitudes, and behaviors of individuals and groups inside an organization—supports an organization’s risk strategy and risk management approach. It works to strengthen the core of an organization’s operations. This includes compliance with regulatory and statutory requirements, financial performance, and reputation in the market. Furthermore, building a strong risk-aware culture equips organizations to drive strategy. Whether it is entering a new market, negotiating mergers and acquisitions or investing in organic growth, companies are empowered to take the right decisions.
Organizations are now ranking risk culture as one of their top ERM priorities. As per Deloitte’s recent Global Risk Management Survey, more than half (55%) of financial institutions are actively building a risk culture across the enterprise. The ongoing pandemic, as discussed in our earlier blog, has further added a sense of urgency in establishing and embedding a strong risk-aware culture.
Faced with the complex challenges in today’s business risk environment, organizations across the globe have moved from a position of protective and reactive risk management to a proactive and strategic stance. They are increasingly acknowledging the risk accountability role played by the front line in developing an integrated and agile approach to risk management. They understand that risk management must be owned and led by the entire business—making it imperative for a strong risk awareness to be embedded in the front lines.
The nurse at the hospital, the teller at the bank, and the customer service executive at the telecom retail outlet are all frontline workers: individuals whose roles involve engaging with external stakeholders, customers, and partners. Being the first to hold these interactions, they are uniquely placed to be valuable sources of risk-related information for the company. However, unless a risk culture is deeply embedded, they may not even be aware that they hold critical intelligence as they go about their daily work. It is therefore important to involve and empower your front line, since they make key risk and compliance decisions every day that either protect your organization from risks or expose it to them.
For example, a single suspicious transaction report (STR) filed by a frontline bank executive can actively stop the flow of illegal money and the associated financial crime. But very often, an unsupportive culture or even the lack of reporting tools can work as a stumbling block. Conversely, a strong risk-aware culture would empower this employee with the right awareness levels and tools to act proactively.
Today, with the pandemic forcing mass work from home, every employee is a frontline worker and, by extension, a risk manager. They must be equipped with the right training and reporting systems to identify and report a malicious attack, which makes it even more important for organizations to actively embed a risk-aware culture.
Strengthening an organization’s risk culture is a continuous process. And when it comes to frontline workers, faster adoption of a risk-aware culture will depend on:
This is where leveraging the right tools and technologies can play a key role in equipping your front line—leading to the building of a strong risk culture across the organization.
MetricStream Observation Management, built on the MetricStream Platform, makes it simple for your frontline employees to capture and report business anomalies. Your employees can report observations discreetly and anonymously (in case they feel it is a sensitive issue). The AI-powered interactive tool which includes widgets for third-party applications, browser plugins, conversational interfaces, chatbots, and intuitive web forms makes it easy for your frontline workers to flag potential risks and report any anomalies and deviations. The AI/ML capabilities provide insights into similar issues or observations raised previously to avoid any duplication of data and efforts. Once an incident or anomaly is reported, the employee can track and view the status of the observation. Finally, as an organization seeking to build a risk-aware culture, you save on training time while gaining the benefit of simplified adoption of GRC across the front line.
Additionally, the MetricStream Integrated Risk Management solution can effectively unify and streamline risk management activities across all business functions—making it easier to instill a risk-aware culture. By cutting across organizational silos, standardizing risk and control taxonomies, and enabling stakeholders to effectively coordinate, the solution can improve risk reporting visibility and efficiency for the executive management and board.
Contact us to know more about how our Observation Management and Integrated Risk Management solutions can help you build a strong risk-aware culture.
The regulatory focus on operational resilience, particularly of financial services institutions, has intensified in the post-pandemic world. Central banks and other regulatory authorities are increasingly publishing guidance and policies to help financial firms navigate these untested waters and recover quickly from any operational disruption.
In March 2021, the Basel Committee published “Principles for operational resilience” to promote a principles-based approach to improving operational resilience. The committee said that the principles aim to “strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters.”
In the U.S., federal bank regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), released a paper in October 2020 outlining sound practices for large banks to help them enhance operational resilience.
In the European Union, the draft legislation, Digital Operational Resilience Act (DORA), was published in 2020. The objective is to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyberattacks and other risks.
In the UK, the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) published a joint discussion paper on Operational Resilience in 2018 followed by a joint consultation paper in 2019 with the primary objective of promoting the operational resilience of firms and financial market infrastructures (FMIs). Similar efforts are being made by regulators in other jurisdictions, including the Monetary Authority of Singapore (MAS), Hong Kong Monetary Authority (HKMA), and others.
The heightened regulatory focus, however, is not surprising given the paradigm shift in the business environment spurred by the pandemic. Organizations today have to operate in an extremely unsettled business environment and withstand cyberattacks, supply chain disruptions, third-party risks, geopolitical upheaval, and many other risks on a daily basis.
[Read more: Top 5 Operational Resilience Challenges in the Post-Pandemic Era (eBook)]
Last year, I wrote this paper based on the focus of the BoE & FCA joint consultation paper and the Institute of Risk Management’s Innovation Special Interest Group focus on this topic of operational resilience. Given the continued market focus on this subject, I have looked to revisit this subject and present prevailing views from across the industry in a new eBook.
I simply look to explore what achieving resilience really means in practice and how financial firms can gain a view and report to the board, investors, and regulators in an agile and meaningful fashion to attest to their “State of Operational Resilience”. Here are some key considerations for organizations:
I believe that to be able to readily view the enterprise status of operational resilience, organizations need to focus on people, processes, systems, and data. To pull these effectively together, they need a simplified clear vision and adaptable risk and controls framework that can adapt and change with innovation and ever-changing regulations and standards pulled together across all three lines on a powerful integrated risk management platform.
Implementing an integrated risk program can help organizations in their pursuit of achieving operational resilience. A technology-driven, integrated risk management program that spans the organization across multiple functions and regions, products, and segments will help aggregate to a single source of truth.
MetricStream Integrated Risk Management empowers organizations to manage both current and emerging risks across geopolitical, digital, strategic, third-party, cybersecurity, and compliance areas. The solution helps to unify risk management activities across all business functions, align assurance programs, and gain comprehensive visibility into both risk exposure and relationships. By providing deeper visibility and understanding of risk inter-linkages and their impact on business performance, Integrated Risk Management Solution strengthens resilience, enhances agility, and empowers risk-aware decision making.
To download the eBook, click here.
Organizations today need to optimize risk rather than focus on avoiding it: to know which risks should be accepted to enable business success and create value.
When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.
At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.
In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.
Regardless of whether it is a large organization or a small one, a common challenge across all organizations in the area of cybersecurity is prioritization, Gavin said.
Organizations today face thousands of risks, and a key challenge is to ascertain which of them is the biggest priority. Likewise, they might have hundreds of controls, and they need to determine how important each control is and how much to spend on it. Every dollar spent on these controls should be justified by the benefit realized; because the budget is finite, it must be used in the most optimal way.
The CISO’s primary objective is to drive overall risk down and enable better-informed business decisions, and cyber risk quantification greatly simplifies this by expressing risks in monetary terms. For example, suppose you have a $100M business opportunity that carries $1M of cyber risk: the net value of $99M is plain, and the go/no-go decision follows. If instead you present the cyber risk as three critical, five high, and three medium risks, the overall business value of the opportunity is hard to calculate, and you might miss the first-mover advantage.
Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the qualitative assessments (high, medium, and low-risk heatmaps) that organizations have been doing, since all of those factors serve as inputs to the model that calculates the dollar value of the associated risk. Asked how organizations can start with CRQ, Prasad suggested starting small: select key risk areas, apply the quantitative technique, and review the results. Once they understand the results and their value, organizations can gradually expand to other risk areas.
With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make their cybersecurity decisions 50% faster by quantifying the dollar impact of cyber risks.
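As an added worked example, not MetricStream’s CRQ model or anything the speakers described, the script below shows the mechanics behind the discussion: attaching a likelihood and a dollar impact to each risk gives an expected annual loss that can be summed, netted against an opportunity, and used to rank both risks and the controls that treat them. Every risk, probability, dollar figure and control cost in it is constructed for illustration.

```python
"""Cyber risk quantification worked example (added illustration; the risks,
probabilities, dollar impacts and control costs below are all constructed,
and this is not MetricStream's CRQ model)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # estimated probability of at least one occurrence per year (0..1)
    impact: float      # estimated loss in dollars if it occurs
    rating: str        # the qualitative heatmap label the same risk was given

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss in dollars: likelihood * impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    treats: str               # name of the risk the control addresses
    likelihood_factor: float  # fraction of likelihood remaining after the control (0..1)
    impact_factor: float      # fraction of impact remaining after the control (0..1)


# Constructed risk register. Note that one "high" risk carries more expected
# loss than one "critical" risk once dollars are attached.
RISKS = [
    Risk("ransomware on order-processing system", 0.10, 5_000_000, "critical"),
    Risk("credential stuffing on customer portal", 0.40, 500_000, "high"),
    Risk("loss of unencrypted laptop", 0.60, 50_000, "high"),
    Risk("misconfigured cloud storage bucket", 0.05, 2_000_000, "critical"),
]

# Constructed control options, each treating one risk in the register.
CONTROLS = [
    Control("offline, tested backups", 150_000, "ransomware on order-processing system", 1.0, 0.3),
    Control("MFA on customer portal", 60_000, "credential stuffing on customer portal", 0.1, 1.0),
    Control("full-disk encryption on laptops", 40_000, "loss of unencrypted laptop", 1.0, 0.1),
]


def heatmap_summary(risks):
    """The qualitative view: label counts, which cannot be added up or
    compared with a dollar-denominated opportunity."""
    return dict(Counter(r.rating for r in risks))


def total_expected_loss(risks):
    """Expected losses are in dollars, so they can simply be summed."""
    return sum(r.expected_loss for r in risks)


def prioritize(risks):
    """Risk names ranked by expected loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss, reverse=True)]


def net_opportunity_value(opportunity_value, risks):
    """Opportunity value minus the expected loss of the risks it carries."""
    return opportunity_value - total_expected_loss(risks)


def control_net_benefit(control, risks):
    """Expected loss avoided by the control minus its annual cost. A negative
    result means this exposure alone does not justify the control."""
    risk = next(r for r in risks if r.name == control.treats)
    residual = risk.expected_loss * control.likelihood_factor * control.impact_factor
    return (risk.expected_loss - residual) - control.annual_cost


def rank_controls(controls, risks):
    """Controls ordered by net benefit, so a finite budget goes to the best return first."""
    return sorted(controls, key=lambda c: control_net_benefit(c, risks), reverse=True)


if __name__ == "__main__":
    print("heatmap view:", heatmap_summary(RISKS))
    print("priority by expected loss:", prioritize(RISKS))
    print(f"total expected loss: ${total_expected_loss(RISKS):,.0f}")
    print(f"net value of a $100M opportunity: ${net_opportunity_value(100_000_000, RISKS):,.0f}")
    for c in rank_controls(CONTROLS, RISKS):
        print(f"{c.name}: net benefit ${control_net_benefit(c, RISKS):,.0f}")
```

Two things the heatmap alone would not show: the “high” credential-stuffing risk outranks the “critical” storage-bucket risk once expected loss is computed, and the laptop encryption control has a negative net benefit against this exposure alone (it may still be required for compliance reasons, which the model does not capture).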
MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.
This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.
Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.
CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.
One of the exciting things I’ve noticed since joining MetricStream recently is the high degree of what I think of as “ions”: Collaboration, Adaptation, Acceleration, Motivation.
We listen to customers, we flex fast to meet their needs, and we work hard together.
Above all, to belabor the “ion” metaphor, I’ve been struck by the degree of Innovation. Here are five areas of innovation that are driving risk management and GRC overall, and where MetricStream is taking a fast-forward lead. Let’s take a closer look.
If there is one word that describes risk management and GRC today, it’s “interconnected.” (I guess I should have said “intersection,” to stay with our theme, but you get the point!)
Risks and regulations are coming at us more quickly than ever, and they’re completely connected. As just one example, think of your third parties. We may think of “third-party risk,” but those third parties pose cyber, compliance, and reputational risks. New regulations drive policy. Policy drives compliance. And compliance drives corporate culture and behavior.
Enterprise risk and GRC is a sprawling web of interlinked risks and data – and managing it is, to say the least, a challenge.
That’s where APIs come in. They’re not a new concept – many of us were working with Application Programming Interfaces to connect applications 20 years ago. But today’s APIs enable you to seamlessly integrate and connect your internal and external data to see connections and link risks.
Connect your risk management application such as MetricStream to your internal data sources, applications, and relevant external content (such as security risk ratings, financial data, and much more) for the complete picture. You might even call that a… revelation.
Remember “big data” from a decade or so ago? It was quite the “sensation!” (I am on this roll now – I’d like to apologize, but it’s too fun.) In all seriousness, big data has only gotten bigger – apparently, we create 1.145 trillion megabytes of data a day, according to the internet. I don’t know how to visualize that, but we all know: it’s a lot.
Now imagine sifting through all that data to make risk decisions. Compliance with new regulations. Observations submitted by frontline employees. Third-party questionnaires. Even if it were possible manually, is that how you want to spend your time? Luckily, artificial intelligence and machine learning – which have also been on our collective radars for quite some time now – are coming of age and realizing their promises of intelligence, effectiveness, and efficiency.
AI and ML can quickly:
The full promise of AI, ML, natural language processing, and other neural techniques are just unfolding – but they’re starting to change the game in risk management. Stay tuned.
Wow, an “ion” twofer! However, we know it’s true – a product is only as good as its adoption. It will only be used if it’s intuitive, easy to use, and easy to roll out.
That comes down to a friendly user experience, onscreen and off – and at MetricStream, it’s one of the key themes we hear about. Today, risk management and compliance are what we call “team sports.” They stretch across the enterprise and involve employees from risk management and audit to the board – and on the frontlines. Without being able to easily implement and adopt a product, the ability to manage and control risk is severely compromised.
At MetricStream, we pride ourselves on providing a complete customer experience – from when you first sign up through implementation to an easy-to-use, modern, cloud-based interface. Whatever product you use, adoption is key. Look for a smooth experience – easy to buy, adopt, and use.
One of my favorite movies is “Ferris Bueller’s Day Off.” Do you remember Ferris’s big quote?
“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”
Of course, he wasn’t talking about risk management (though he was clearly a master of it!) but he just as well could have been talking about GRC and risk management today. The speed of change, regulation, and risk is dizzying. Each ransomware and cyberattack we hear is more alarming than the last, from Colonial Pipeline to Kaseya Software. Governments are fast upping the ante on legislation and compliance. Suppliers and third parties are multiplying.
The only way to keep up with such change is to stay ahead and stay agile. The “As” and “ions” I’ve mentioned so far all add up to a fast approach – easy to adopt, integrate and use AI – but risk management as a thought process also needs to be agile. Policies need to be stored, managed, and rolled out in ways that adapt to new situations. (How did your work at home policy fare with COVID-19?)
Agility is a theme not just for software development but building a culture of risk management. We need to stay fast, flexible – and open to change.
Finally, let’s close with a theme we hear about daily – the importance of analytics. Once again, analytics in risk and GRC aren’t new. Most of us have probably been using credit risk models or algorithms for years. But today’s analytics are something else – powerful, adaptive, predictive.
Analytics, combined with data integration and AI, equip you to act on true insight – rather than spending your time gathering and trying to understand data. They elevate risk management to the strategic art and science it is – and provide you the visibility you need to make informed, risk-aware decisions.
I hope you’ve enjoyed our tour of GRC innovation – please reach out to see how MetricStream can help you address any or all of them with a personalized demo. Thank you!
The risk management discipline is making its way toward being a true profession, with some practitioners and leading, progressive trade associations, among others, showing the way. As the VUCA world (Volatile, Uncertain, Chaotic, and Ambiguous) becomes more and more pervasive for everyone, it is critical that the discipline’s stakeholders up their commitment to enhancing its capabilities. Accordingly, here are “five big things” that all stakeholders should take account of moving forward.
First, the risk discipline is striving for greater acceptance among decision-makers, with a long-term goal of achieving “profession” status. This goes beyond effectiveness to strategic influence. Regrettably, most colleagues of my generation, and even the follow-on (Gen X) generation, are still too often perceived to be “insurance” managers: needed, but not strategic players with influence. Some achieving CRO status are climbing this hill, but even many CROs are “chief” in title only. RIMS is working on this issue. For example, I’ve advised them on the development of an upskilling program to prepare their members to advise their boards more effectively and, in the long term, to prepare them to take board seats as risk experts.
Second, the increasing unpredictability of events that can produce major losses continues to perplex the risk discipline. The emerging-risk process has been the key tool/method for getting ahead of low-frequency, high-severity loss exposures. Some of these are considered “black swans” (e.g., Covid), but more often they involve the “grey swans” and “white elephants” (terms coined by James Lam) that represent events that are a bit more likely but still highly destructive. Advanced risk systems generally, and other insurtech-oriented solutions/tools, are adding to the predictive capabilities that will mitigate this going forward. Clearly, in the case of Covid, the mark was missed.
Third, operational resilience is a fast-rising critical issue, especially in the wake of the Covid-19 pandemic. Banks, in particular, have upped their game in this area after experiencing significant disruptive impacts from Covid-19. While strategic risks continue to be the most destructive of value according to the research, operational risks (risks associated with people, process, and technology) can drive “death by a thousand cuts,” especially when the events directly relate to serving the customer. Consistently delivering quality customer service, both directly and indirectly, through even substantial disruptive events, is the objective. In order to build and maintain operational resilience at sufficient levels, it is critical to consider, among other things, the following: ensure an effective business continuity strategy and plan is in place and regularly tested and updated; understand and track the interdependencies and interconnectedness among and between operational risks; ensure there is a robust third-party risk management process in place; and have a risk technology capability that can track, assess, and manage incidents, extract relevant exposure information from across all segments of the organization, and deliver targeted, refined, and actionable risk information to the right risk stakeholders at the right times.
Fourth, the accelerating and more frequent instances of disruptive innovation, technologies, and events are morphing the risk profiles of organizations, especially multinationals. I’ve written about digital risk management as an emerging subset of the risk management discipline, which clearly indicates that the risk profiles of the future are likely to be nearly all digital. In other words, as most new exposures have digital profiles themselves, risk leaders will be increasingly unable to understand the risk, let alone how to manage these risks effectively. Sedgwick can help its customers get ahead of this curve, which will ultimately render them obsolete if not dealt with.
Fifth and finally, as disruption risk rises for all organizations, the business of risk and risk management is continuing to rapidly evolve its capabilities to mitigate disruptors, especially through technology-based solutions to risk challenges. The return on these innovation-related investments is driving record amounts of venture capital ($7B in insurtech alone in 2020) to risk-related start-ups and incremental investments in aging solutions. All risk stakeholders stand to benefit from this trend as the destructive effects of disruption find more effective mitigation in the balance. The traditional ways in which so much of risk management has been done will not persist much longer, as the coming disruptions that will inevitably occur will be increasingly leveraged for value creation (the upside of risk) and less distracted by loss events (the downside of risk) than in the past.
Chris Mandel will be speaking at the MetricStream webinar, “Strengthening Operational Resilience for Banks and Financial Institutions”, on June 29, 2021.
The banking and financial services market is no stranger to disruption and crisis. The Great Financial Crisis of 2007-09 resulted in some far-reaching structural and regulatory changes across the sector. But no one could have anticipated the events of 2020-21. Even as the COVID-19 pandemic wreaked havoc, the world also had to contend with political upheavals, social unrest, economic slowdown, and significant market dislocation. Banks and financial institutions across the world were faced with an unprecedented crisis that impacted them at different levels. On the one hand, there was revenue loss as interest rates plummeted and bad loans increased. On the other, there was the sudden need for remote working and social distancing, which put significant pressure on established branch infrastructure and ways of functioning.
The Euro STOXX Banks index slumped by 40.18 percent, while the STOXX North America 600 Banks index saw a 31.23 percent decline and the STOXX Asia/Pacific 600 Banks index went down by 26.09 percent between December 2019 and April 2020. Through all the chaos and disruption of this year, one thing is evident: the banking sector must re-examine its operational resilience strategies and integrate them with its risk management roadmap.
The Basel Committee defines operational resilience as “the ability of a bank to deliver critical operations through disruption.” Earlier this year it issued seven guiding principles for establishing an operational resiliency framework. These are comprehensive and build on already established guidelines for resilience and continuity. In my opinion, this is the most important aspect of creating and deploying operational resiliency strategies at this point in time. Most banks had resilience frameworks and continuity plans in place even before the pandemic hit. But the circumstances of 2020-21 meant that they had to rapidly adapt their operational models in response to an evolving situation.
Operational resiliency can no longer be an afterthought, it can no longer be a static policy, and it cannot be independent of risk strategies. Going forward, it is important for banks and financial services companies to base their operational resiliency frameworks on the fundamental understanding that crisis situations are unavoidable and fluid. So the strategies they deploy, and the business continuity plans they create, must be pragmatic and flexible enough to cope with a rapidly changing risk landscape. The focus now has to be on establishing a comprehensive resiliency framework based on the risk landscape. It should make it possible to understand the impact of various threats on critical activities and to provision for the availability of crucial resources during crises.
Risks are interrelated, and understanding a risk landscape in its entirety is crucial for successfully navigating an uncertain future. For example, a pandemic-induced economic slowdown can lead to mass unemployment and businesses shutting down. This in turn will trigger not only a slowdown in loans but also a spate of defaults. A comprehensive and continuous risk assessment exercise must be owned by the board of directors or senior management, and their involvement must also extend to periodic reviews, incident reporting and evaluation, and course correction. Banks also need to consider both external and internal risks and understand how operations are interlinked in order to create an effective plan of action.
A robust business continuity plan with controls, processes, and checks is critical to ensuring business as usual even under the most extenuating circumstances. The framework should also include incident mapping, escalation mechanisms, threshold setting, and quick governance measures around new issues that can disrupt operations. If the bank works with third-party vendors, then a careful evaluation of their resiliency and risk management plans is a good idea. Central to any operational resiliency framework is technology. As the pandemic proved, technology is inextricably tied in with continuity, access, and even business recovery. Data-driven risk assessment models, robust cybersecurity platforms, and alert mechanisms, coupled with an effective cloud and product modernization strategy, can provide the scalability and flexibility banks need to ensure business as usual in times of crisis.
These are unprecedented times we live in, and they necessitate extraordinary measures. As one of the pillars of the global economy, banks have a crucial role to play in the world’s recovery from this pandemic. To do this effectively, banks must remain profitable and innovative in their products and service offerings. Embedding operational resiliency frameworks into the overall risk management plan is a crucial strategic priority to ensure continuity and to make risk-aware decisions on investments and expansion into new products or territories.
In today’s business world, silos are coming crashing down. The business landscape has been redefined as a result of digitalization, and the evolution of the internet, mobile computing, and data sciences has led to a greater interconnectedness of operating markets across geopolitical borders.
The unprecedented after-effects of COVID-19 also made us realize that the world we live in today has a high degree of interdependency. For instance, the slow shift toward working remotely on a permanent basis could have long-term impacts on different industry sectors simply because everything is connected. A disruption anywhere on the transaction chain has the potential to create a domino effect and send ripples through the market. If businesses fail to understand and analyze these interconnections, they can make myopic decisions that leave them unable to develop and execute effective recovery strategies.
Despite the ongoing effort to adopt new technologies and tools to implement a pervasive approach to risk management, business leaders and risk teams are still unable to fully understand the interconnectedness of risks. In our recent webinar, risk professionals and leaders discussed why that happens and how businesses can take a holistic and integrated approach to make risk management processes more efficient and effective.
Even today, businesses implement controls without understanding how they impact different business areas. Implementing controls within a siloed system can lead to an overabundance of overlapping and duplicated controls, which are unnecessarily expensive and time-consuming and eventually reduce efficiency. Therefore, it is absolutely critical to have an integrated approach to risk management where you’re not spending 80% of your time on data collection and only 20% on analysis.
Risk management needs to evolve and help businesses obtain a deeper understanding of all aspects of the risks they face, as well as the intricate spider web of interconnections those risks create, because the links among risks can amplify the overall impact, directly or indirectly.
And in order for integrated risk management (IRM) to be effective, people, processes, technology, and data need to come together and work as part of a common ecosystem with a common purpose and goal in mind.
However, risk identification and assessment programs by themselves do not serve the full purpose without quantifiable measures in place to support them. This requires carefully thought-out measurement components to be designed and implemented that provide useful insight into the risk.
While many of us would like to believe that enabling technology for IRM is primarily about implementing an enterprise GRC tool, it requires broader thinking. IRM is an extension of your GRC program in which risk management practice is seamlessly embedded into compliance, cybersecurity, vendor risk management, and business continuity planning.
Businesses need to understand and break down these complex interrelationships. And that means risk identification needs to happen where risk happens.
Our MetricStream Platform can help you cut across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions. Organizations can use our product to align their assurance programs and gain comprehensive visibility into both risk exposure and risk relationships. Reach out to us to learn how to achieve forward-looking risk visibility with predictive risk metrics and indicators in your risk management program today!