Risk management programs, especially those dealing with non-financial risks, have evolved independently over time to address specific regulatory requirements in specific jurisdictions. Many of these programs are largely reactive in nature. They focus on addressing “known unknown” risks which materialize primarily as regulatory actions. While some of these programs have developed the maturity to monitor and manage individual risks, they are hardly ever integrated with other risk management frameworks across the enterprise.
This isn’t a sustainable approach because as risks become more interconnected, their impact isn’t contained within individual risk categories. Recently, at a large bank, a multi-million-dollar risk event materialized as a credit loss, but it actually crept in many years ago when repeated control failures occurred in the operational risk program due to a lack of validation between the loan approval and loan disbursement process in core banking systems.
COVID-19 is another risk whose impact isn’t contained to public health alone. A World Economic Forum (WEF) risk perception survey identified seven fallout risks from the pandemic, including a prolonged global recession, surge in bankruptcies, failure of certain industries to properly recover, and high levels of structural unemployment.
Understanding these risk relationships will require us to move beyond silos, and track how risk mitigation actions impact the realization of other risks.
With the rise of the “sharing economy,” organizations have become dependent on infrastructure and capabilities outside their enterprise boundaries, sometimes even for mission critical services. As a result, both the types of risk and their interconnectedness are increasing. Today, the losses associated with a risk event aren’t just determined by risk frequency and impact, but also by the velocity with which that impact spreads through other interconnected risks.
In a risk program that does not transcend risk types or departments, it becomes very difficult to measure risk interconnectivity and velocity because risk relationships are not well-defined and monitored. Yet, it is within the intersection of disparate risks that unknown-unknown risk events with catastrophic losses could originate and spread.
Today, banks and financial services institutions are adopting conversational AI or chatbots for a plethora of use cases. However, the primary use of these tools has been to automate customer interactions. For example, robo-advisors provide assistance on wealth management services. While these chatbots are usually assessed against direct risks such as information security and data privacy, what is often ignored is their strong correlative impact on credit risks -- especially if the self-learning AI models used to provide investment advice develop biases towards a certain class of financial products. Worse still are the conduct risks that could arise, should the chatbots become racially biased, as we saw with Microsoft’s Twitter chatbot, “Tay”.
Currently, organizations with siloed risk programs are unlikely to be able to identify and monitor the interconnectedness between various risks associated with new technologies like conversational AI. The unknown-unknown risks that originate from the intersections between traditional and emerging risks can grow to catastrophic proportions, coming to the organization's notice only when a massive loss event occurs.
The interconnectedness of operating markets, coupled with emerging risks and their relationships with other risks, has given rise to a contagion effect that extends beyond the boundaries of the enterprise. Today, the risk posture of a given business line can be impacted by risks originating from multiple other parts of the organization, or even other enterprises. If these risks aren’t seen from a broader perspective, they could continue to grow within their silos, emerging as a systemic, industry-wide failure at some point.
Regulators and market participants are becoming increasingly aware of such risks. In its discussion paper on operational resilience, the UK Financial Conduct Authority (FCA) argues that operational disruptions can cause “wide-reaching harm to consumers” and “instability in the financial system”. This represents a significant shift in perspective from a time when risk management was looked at in silos not just within organizations, but in operating markets at large.
Over the years, organizations have invested considerable resources in building the infrastructure and maturity of their risk management programs. However, many of these programs have concentrated on measuring and managing risks in isolation. They have not been designed to respond to fast changing risks, or to understand risk interconnectivity in an environment where the contagion effect of risk spans multiple degrees of separation.
The idea of integrating risk management programs is not to replace everything that has gone before, but rather to understand the relationship between various risk profiles, so that new risks can be proactively identified. The integrated risk program of the future looks to leverage existing risk management infrastructure, maintaining its federation and independence as required. However, it also seeks to build an overarching integrative layer that establishes the relationships between different risks. It then focuses on building an agile, unified, coordinated, and real-time risk mitigation plan across business functions and risk groups through an integrated issue and action management strategy. Through this approach, risk information is available instantly, in digestible and understandable pieces, enabling the board of directors and senior leaders to make informed risk-based decisions.
In building this kind of future-ready integrated risk management program, here are some best practices to follow:
The first step in an integrated risk program is to establish a common understanding of its outcomes across various risk functions. That is done by defining corporate objectives, and then contextualizing them within the constraints defined by regulatory requirements, as well as the organization’s risk appetite.
The constraints and objectives together are translated into a set of policies and standards which then become the guardrails for the organization to operate within. They also serve as the bedrock for risk management processes that cascade down across the three lines of defense. These processes help measure and manage risks through appropriate controls and issue remediation efforts.
By establishing an integrated risk framework, organizations can draw in information from the ecosystem of tools used to monitor and manage risk. Various risk programs for both financial and non-financial risks can now communicate with each other through a common point of contextualization, i.e., business objectives.
The integrated risk framework leverages the ecosystem of risk monitoring tools through an integrated issue and action management capability where identified risks and their treatment plans are captured and aggregated. This issue management capability is then linked to the risk universe to uncover commonalities between the issues identified.
The integration of issues and actions with the common risk universe can be used to define a risk treatment plan with coordinated effort from various risk groups (spread across risk functions, regional entities, legal entities, and business functions).
For integrated issue management to be truly effective, organizations need to be able to identify risk events in real time, perhaps even pre-emptively. For example, a leading financial exchange tracks “rumors” on “pump and dump” schemes for certain stocks through a real-time social media risk monitoring tool. These rumors are flagged as issues within the integrated risk program. Based on the relationships defined within this program, accountability is assigned to risk officers and market surveillance teams. Immediately, risk mitigation actions are coordinated by consumer protection teams. The perpetrators of the rumors are informed, and compliance teams take action to prevent these market participants from participating in the trade of the aforementioned stock.
Since the first line of defense often becomes aware of emerging risks before others, they play a critical role in an integrated risk management program. The integrated issue and action management capability must be extended to them so that all issues identified at the first line are aggregated and consolidated with the issues identified by the ecosystem of risk monitoring tools. The result is a single repository of all risk related issues from the three lines of defense. This data enables the first line to allocate resources for issue remediation based on the areas that are important to strategy, or contribute to corporate objectives.
The process of capturing and aggregating issues and risk events from the first line of defense can be quite time-consuming and resource-intensive due to the large number of participants involved. However, technologies like robotic process automation (RPA) and chatbots have exponentially increased the ability of risk functions to gather information from the first line of defense in a simple, efficient manner. For example, at a leading mortgage financing company, mobile-device-based chatbots offer an easy and jargon-free way for first-line participants across the organization to report issues and risk events.
As digital organizations increase cloud adoption and process automation, IT and cyber risks are also increasing. These risks have a compounding effect when considered in terms of their intersection with other more traditional risks.
Established frameworks like FAIR (Factor Analysis of Information Risk), as well as risk management solutions have made it easier for organizations to identify and quantify IT and cyber risks across information assets. The ability to aggregate the risk findings, and map them to other risk profiles, is key to a truly integrated risk program.
Ultimately, an integrated risk program enables organizations to identify issues from multiple risk monitoring programs and tools that were previously managed in silos. Using this data on issues, organizations can correlate different risks and, at their intersection, find previously “unknown-unknown” risks. Advancements in artificial intelligence (AI) and machine learning (ML) will make the process more efficient and effective.
With an integrated risk program, organizations gain a single source of truth for risk. The next step in the evolution of this program is to develop a systemic, industry-wide risk management dataset that can help organizations identify and prepare for risks that might not yet have materialized within their enterprises, but have done so in others with similar business interests, operating in similar markets.
Early efforts to build such systemic datasets have included the external operational loss databases created by ORX and GOLD. ORX is already on phase 2 of developing an industry operational risk taxonomy. In the future, we’re likely to see industry-wide risk datasets being built not just for operational losses and risk taxonomies, but also for issue aggregation and risk treatment plans.
Integrated repositories of risks and issues, coupled with systemic risk datasets, will offer organizations the ability to correlate issues and risk remediation actions. This golden source of information can be aligned to the risk universe, and then acted on by AI and ML analytics to identify both unknown risks and unknown relationships between issues. Based on these insights, organizations can formulate an integrated risk response strategy.
By adopting the integrated risk management practices discussed in this e-book, organizations can improve visibility into the health of their business, while also making better-informed strategic decisions. A truly effective integrated risk program doesn’t just highlight downside risks; it also identifies upside risks, enabling organizations to proactively act on opportunities, rather than having them pass by simply because they were unknown or unmonitored.
Today, boards and executive management are expected to understand the nuances of risk from both a governance and business performance perspective. The C-suite is expected to be aware of the organization’s risk appetite and risk culture. They also need to fully understand the integrated risk posture of their organization, so that they can build stability in a highly uncertain operating environment.
What value do we place on understanding and thus reducing uncertainty?
What if we could increase the predictability of
How can we capture more and more of the upside of uncertainty?
This is the new paradigm for risk management — moving from an information and compliance-focused approach, to a new method that directly links risk management to performance by harnessing uncertainty.
Integrated risk management as a program will require significant changes in people, skills, processes, and technology. Some of the core aspects of change will involve:
Reallocation: With risk monitoring and issue identification moving to the first line of defense, skills will have to be transferred from the first line to the second line. As the latter gains a deeper understanding of issues and risks realized by the first line, they can then design programs that will be owned and operated by the first line.
Reskilling: The reskilling of risk practitioners is a two-fold endeavor. The first part is about building the ability to understand emerging risk categories and their behavioral patterns, while also strengthening risk monitoring capabilities. Take, for example, cyber risk. Not only is its velocity and interconnectedness with other risks greater than that of traditional risks, but it also requires a level of monitoring that is far more real-time and data-intensive.
The second part of reskilling is about understanding the concurrence of risks. Essentially, risk practitioners will need to cultivate a multi-faceted understanding of risks. For example, the use of AI algorithms in business services has given rise to information security risks which, in turn, are closely associated with compliance risks linked to data privacy regulations like the General Data Protection Regulation (GDPR). Practitioners of compliance risk and data privacy management will need to be aware of the risk intersections and dependencies across both their disciplines. They cannot restrict themselves to measuring risks in silos.