Shellye: The world is grappling with increasing cybercrime, terrorism, extreme climate events, geopolitical shocks, and more. Within business as well, fundamental disruptions are taking place. No longer is success based merely on a company’s experience, size, or scale. Completely new market entrants like Uber or Airbnb are sweeping away the larger, more established competitors. That is the reality of the digital age. Every day, there are disruptive technologies emerging, more attractive cost models, and more engaging products and services. Companies will need to find ways of riding this wave of disruption and uncertainty, rather than being pulled under
Gaurav: Our markets, economies, and business networks have become so deeply interconnected that a single risk event can cause widespread disruption. We saw it with the Equifax data breach, Brexit, the migrant crisis, and various political upheavals that had implications that extended far beyond local boundaries. Risks themselves are becoming more interconnected -- the World Economic Forum’s report on the top risks of 2017 emphasized how deep the links are between risks such as unemployment and social instability. Similarly, companies are realizing that compliance risks aren’t just compliance risks alone, but are also linked to reputational risks, strategic risks, and financial risks. Understanding these interconnections will be crucial to building risk maturity.
Shellye: Often, companies don’t see the risks and threats coming because they spend so much time looking in the rear-view mirror at what happened, instead of scanning the road ahead. That’s not going to work anymore. The risks and threats, as well as the opportunities, are increasing and evolving swiftly. If companies want to stay ahead, they will need to anticipate what’s coming, and make faster decisions. The way to do that is with data. When companies have the right data -- the right risk intelligence at the right time -- they can make faster, better decisions that drive exceptional business performance.
Brenda: In the past, internal auditors may have been called upon to help the second line of defense identify risks, particularly when resources were scarce. However, that is fast changing – as it should. Internal audit’s role, as an independent and objective assurance provider, is not to uncover or assess risks. They may certainly report risks that the management, board, or risk function might have overlooked. They may even champion the cause of risk management in the organization. But ultimately, the responsibility for risk and control environments falls to the first line of defense.
Brenda: As the risk takers of the organization, the first line is best positioned to own, understand, and manage the risks they take. Therefore, companies will increasingly push risk management down to the frontlines as they seek to move from a traditionally reactive and defensive risk management program to one that is proactive and agile. Meanwhile, the second line of defense will take on a more advisory and strategic role, defining and implementing risk management frameworks, and collaborating with the first line to challenge and strengthen risk-based decisions.
Brenda: In the wake of recent cyberattacks, third-party data breaches, and money laundering incidents, operational risk management (ORM) has received renewed attention. Today, it functions almost as a microcosm of enterprise risk management (ERM) – one that seeks a broad view of operational risks across multiple risk types, including vendor risks, compliance risks, IT asset risks, fraud risks, and disruption risks. ORM specialists will need to find ways of bringing all these risks together in an integrated framework, and then applying analytics and data mining techniques to draw out the risk intelligence required by the business for its operational decisions.
Brenda: To strengthen compliance with BCBS 239, organizations will increasingly bring together the elements of their risk universe into a “single source of truth” which can then be mapped to the business universe, the compliance universe, and the audit universe. By building this tightly-knit, flexible, and centralized information model, stakeholders will have a clear picture of organizational risks, as well as the impact of these risks on each other and on business objectives, audits, compliance processes, and other elements. These insights, in turn, will enable the organization to react to the mushrooming of fire-drills around compliance with ease and discipline.
Brenda: Across an industry, reputations can be tarnished by one bad actor. Within a company as well, governance can be hampered by a single functional area that is unable to execute initiatives, and manage risks. In both cases, it is the lowest common denominator that grabs the headlines and casts doubt on others. When this is the case, it can also be true within a company that executives are hunkered down in their siloes, producing data in their "stovepipes," and lauded for their local perspective on risk and initiative completion. However, this may not be a sustainable approach. CEOs need robust analytics across each business and functional group. They need strong data with consistent quality that can then be mined to identify emerging issues.