Introduction
In a world of poly-crisis, organizations are faced with multi-dimensional risks – supply chain disruptions, geopolitical tensions, regulatory changes, operational disruptions, cybersecurity, climate risk, financial risks, and more – one after the other, or all at the same time. As the scale and scope of risks continue to expand and evolve at an unprecedented pace, businesses need to reimagine their risk management programs. And as PwC’s 2022 Global Risk Survey showed, 74% of respondents indicated they are investing more toward adding technology and digital capabilities to the risk function workforce.
What makes the situation more challenging is markets and organizations are increasingly more interconnected than they ever have been. The points of intersection among and between risks are also increasing. Today, nobody should view risks as isolated to individual teams, programs, or strategies. We all have to recognize the interconnectedness between traditional risks (e.g., market risks), organizational risks (compliance, personnel, project risks), and systemic risks (e.g., a pandemic, economic, and geopolitical unrest).
For many, traditional risks are known risks, where the only unknown aspect is the scale or measure of the risk. In theory, these risks can be easily defined and mitigated without too much challenge. On the other hand, emerging and systemic risks and their impact on traditional risks is relatively unknown and unpredictable. As their scale, scope, velocity, and severity often cannot be as easily identified or defined as traditional risks, their potential impact also cannot be as clearly anticipated. The pace and scale of these heretofore unknown risks, which have the real potential to expose organizations to uncomfortable levels of uncertainty and loss that they cannot prepare for are becoming increasingly common.
Against this backdrop, this eBook explores the current state of risk management, the rapid changes it is undergoing, and the new challenges programs at organizations are facing. Ultimately, successful risk management programs must expand their scope to better capture and manage risks from all angles and increase their speed and agility to more rapidly and effectively process and mitigate a near-constant flow of risk events.
The Current State of Risk Programs
1. Siloed Risk Programs Designed to Address Point-in-time Challenges
Many risk management programs, especially those dealing with non-financial risks, have naturally evolved as independent functions across organizations to address specific risk and regulatory requirements in applicable jurisdictions. Many of these programs have largely been reactive in nature, and many organizations conducted risk assessments on a six-to-twelve-month schedule. These programs have focused on addressing “known unknown” organizational risks, which materialize primarily as regulatory actions. While some of these programs may have developed the maturity to monitor and manage individual risks over time, they are rarely integrated with other risk management frameworks across the enterprise.
Maintaining separate risk programs across an organization is not sustainable because risks don’t typically fit into neat and arbitrary divisions, locations, or timeframes. Today, we see risk awareness and reporting across divisions, functional areas, and regions, often reporting the same risks, moving across traditional categories. As risks become more interconnected, assessments and impact cannot be justifiably assumed to remain contained to an individual risk category. For example, recently at a large bank, a multi-million-dollar risk event materialized as a credit loss, but it actually had crept into the organization many years earlier when repeated control failures due to a lack of validation between the loan approval and loan disbursement process in core banking systems. If the bank had enabled a more holistic and proactive approach to risk awareness and management, ensuring multiple divisions were alerted to the control failures and appropriate action was taken to address them, the risk event could have been averted.
In its Global Risks Report 2023, the World Economic Forum (WEF) observes, “The way risks play out over the next two years has ramifications for the decade to come.” It added, “…present and future risks can also interact with each other to form a “polycrisis” – a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part.” Understanding these risk relationships, extensions across categories, and interconnections will require moving beyond silos and tracking how risk mitigation actions impact the realization of other risks
2. Hyper-Connectivity Leading to Unknown-Unknown Risks
Organizations have become increasingly dependent on services, infrastructure, and specialized capabilities outside of their own capabilities and boundaries, more often for mission-critical services than most would admit. As a result, both the range of risks and their interconnectedness are increasing exponentially. Today, losses associated with a risk event aren’t just determined by impact at a single organization, but by the velocity through which that impact spreads through interconnected organizations and relationships.
A risk management program that does not transcend risk types or departments, it becomes very difficult to accept and anticipate risk interconnectivity and the speed at which relationships can spread risk impact. Yet, it is within the intersection of disparate risks that unknown-unknown risk events with catastrophic losses often originate and spread. It is essential for organizations to recognize the scale, speed, and severity of risk events, as well as how their risk management approach may exacerbate and spread a risk impact across its extended world.
The pace of change around the world seems to accelerate, creating new challenges for businesses and GRC leaders. While the Internet of Things, increasing digitization and automation of key functions, and other technology innovations promise new operational efficiencies and savings, not all innovations are as easily understood or predictable. In recent years, as technologies like blockchain and cryptocurrency cross into more common usage in business applications, they represent new risks to the organization and should be seen as both opportunities and threats across multiple risk categories. Traditional risk management programs have trouble keeping up with technological changes that affect multiple parts of the business.
In the last few months, nothing has fit that model of not yet-understood benefits and risks related to technological disruption like artificial intelligence (AI). There has been a rush of some businesses and people to embrace AI chatbots, AI enhancers, and generative AI tools such as ChatGPT, Bard, and others. The pace of change around AI and the excitement for what AI could provide for many business processes has created a Pandora’s Box of new opportunities, threats, and optimism. It’s hard not to dream big. But at the same time, organizations should be adapting their expectations and honestly assessing the risks some AI tools represent to the business. Again, AI, like many other technological advancements, needs to be viewed holistically and realistically by businesses, and only a broad and integrated risk management program can allow for the degree of review it requires.
As an example, while the primary use of AI chatbots has been to automate customer interactions and deliver accurate information more efficiently than a human can, even this better-understood application of AI creates organizational risks. For example, when robo-advisors provide wealth management service assistance for customers (based on their inputs and accounts), customers should know that they are dealing with an automated bot and not a real human being – and act accordingly. While AI chatbots are usually assessed against direct organizational risks, such as information security and data privacy, what is often ignored is their strong correlative impact on credit risks – especially if the self-learning AI models used to provide investment advice develop biases towards a certain class of financial products. Worse still are the conduct risks that could arise, should the chatbots become racially biased, as we have seen in the past. Any financial advisory deploying AI chatbots may save money by doing so, but must also understand the risks created if the bot isn’t specifically limited in its capabilities.
Currently, organizations with siloed risk programs are unlikely to identify and monitor the interconnectedness between various risks associated with new technologies like conversational AI. The unknown-unknown risks that originate from the intersections between traditional and emerging risks can grow to catastrophic proportions, sometimes coming to the organization's notice only when a massive loss event or massive loss of customers occurs.
3. Growing Awareness of Risk Interconnectedness and Its Domino Effect
The interconnectedness of operating markets, coupled with emerging risks and their relationships with other risks, has given rise to a contagion effect that extends beyond the boundaries of the enterprise. Today, the risk posture of a given business line can be impacted by risks originating from multiple parts of the organization, or even other enterprises. If these risks aren’t seen from a broader perspective, they could continue to grow within their silos, emerging as a systemic, industry-wide failure at some point.
Regulators and businesses are becoming increasingly aware of such risks. In the UK, new rules on operational resilience (SS1/21) came into force on 31st March 2022, requiring financial services firms to “ensure they are able to deliver their important business services within impact tolerances in severe but plausible scenarios.” In November 2022, the European Council adopted the Digital Operational Resilience Act (DORA), which aims to ensure that the European financial sector can stay resilient through a severe operational disruption. In the US, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the agencies) released an interagency paper on Sound Practices to Strengthen Operational Resilience in 2022, followed by the Federal Reserve’s notes on An Approach to Quantifying Operational Resilience Concepts in 2022.
The supervisory authorities believe that operational resilience is important for ensuring financial stability and safety and soundness of firms and FMIs, and safeguarding customer interests. This represents a significant shift in perspective from a time when risk management was looked at and enforced within silos within organizations to organization-wide investigations and enforcement, as well as across entire markets.
Preparing the Organization for an Integrated Risk Management Approach
The traditional risk management approach is no longer effective to tackle the high-velocity risks of today’s hyperconnected world. Organizations must adopt an integrated approach to risk management that would strengthen their risk preparedness by eliminating organizational siloes, facilitating harmonization between business processes and functions, and improving visibility into existing and emerging risks.
Integrated risk management (IRM) as a program will require significant changes in people, skills, processes, and technology. Some of the core aspects of change will involve:
Reallocation: With risk monitoring and issue identification moving to the first line of defense, skills will have to be transferred from the first line to the second line. As the latter gains a deeper understanding of issues and risks realized by the first line, they can then design programs that will be owned and operated by the first line.
Reskilling: The reskilling of risk practitioners is a two-fold endeavor. The first part is about building the ability to understand emerging risk categories and their behavioral patterns, while also strengthening risk monitoring capabilities. Take, for example, cyber risk. Not only is its velocity and interconnectedness with other risks greater than that of traditional risks, but it also requires a level of monitoring that is far more real-time and data-intensive.
The second part of reskilling is about understanding the concurrence of risks. Essentially, risk practitioners will need to cultivate a multi-faceted understanding of risks. For example, the use of AI algorithms in business services has given rise to information security risks which, in turn, are closely associated with compliance risks linked to data privacy regulations like the General Data Protection Regulation (GDPR). Practitioners of compliance risk and data privacy management will need to be aware of the risk intersections and dependencies across both their disciplines. They cannot restrict themselves to measuring risks in silos.
How MetricStream Can Help
MetricStream provides a range of easy-to-use products and solutions that enable organizations to structure and streamline their risk management processes and workflow in a manner that is aligned with the corporate strategy objectives. The MetricStream Integrated Risk Management solution cuts across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions.
The solution enables organizations to
A multinational pharmaceutical giant wanted to simplify and standardize risk processes to provide timely insights into global quality, supply continuity, and manufacturing risks. Its previous manual approach and lack of efficient collaboration across business units and geographies limited its visibility into key risk and compliance areas and therefore its decision-making abilities.
The company sought a solution that could help address the existing challenges and bring structure and consistency to risk and compliance activities across locations. Toward this goal, it chose MetricStream Integrated Risk Management Solution. With the implementation, the company is achieving increased visibility and measurement into key risks along with increased speed, agility, and scalability in risk processes based on industry best practices and global quality requirements. In fact, it has compressed time frames – up to 30% – in managing risks and resolving issues through greater accountability across 20,000+ products in over 36 facilities worldwide.
In a world of poly-crisis, organizations are faced with multi-dimensional risks – supply chain disruptions, geopolitical tensions, regulatory changes, operational disruptions, cybersecurity, climate risk, financial risks, and more – one after the other, or all at the same time. As the scale and scope of risks continue to expand and evolve at an unprecedented pace, businesses need to reimagine their risk management programs. And as PwC’s 2022 Global Risk Survey showed, 74% of respondents indicated they are investing more toward adding technology and digital capabilities to the risk function workforce.
What makes the situation more challenging is markets and organizations are increasingly more interconnected than they ever have been. The points of intersection among and between risks are also increasing. Today, nobody should view risks as isolated to individual teams, programs, or strategies. We all have to recognize the interconnectedness between traditional risks (e.g., market risks), organizational risks (compliance, personnel, project risks), and systemic risks (e.g., a pandemic, economic, and geopolitical unrest).
For many, traditional risks are known risks, where the only unknown aspect is the scale or measure of the risk. In theory, these risks can be easily defined and mitigated without too much challenge. On the other hand, emerging and systemic risks and their impact on traditional risks is relatively unknown and unpredictable. As their scale, scope, velocity, and severity often cannot be as easily identified or defined as traditional risks, their potential impact also cannot be as clearly anticipated. The pace and scale of these heretofore unknown risks, which have the real potential to expose organizations to uncomfortable levels of uncertainty and loss that they cannot prepare for are becoming increasingly common.
Against this backdrop, this eBook explores the current state of risk management, the rapid changes it is undergoing, and the new challenges programs at organizations are facing. Ultimately, successful risk management programs must expand their scope to better capture and manage risks from all angles and increase their speed and agility to more rapidly and effectively process and mitigate a near-constant flow of risk events.
1. Siloed Risk Programs Designed to Address Point-in-time Challenges
Many risk management programs, especially those dealing with non-financial risks, have naturally evolved as independent functions across organizations to address specific risk and regulatory requirements in applicable jurisdictions. Many of these programs have largely been reactive in nature, and many organizations conducted risk assessments on a six-to-twelve-month schedule. These programs have focused on addressing “known unknown” organizational risks, which materialize primarily as regulatory actions. While some of these programs may have developed the maturity to monitor and manage individual risks over time, they are rarely integrated with other risk management frameworks across the enterprise.
Maintaining separate risk programs across an organization is not sustainable because risks don’t typically fit into neat and arbitrary divisions, locations, or timeframes. Today, we see risk awareness and reporting across divisions, functional areas, and regions, often reporting the same risks, moving across traditional categories. As risks become more interconnected, assessments and impact cannot be justifiably assumed to remain contained to an individual risk category. For example, recently at a large bank, a multi-million-dollar risk event materialized as a credit loss, but it actually had crept into the organization many years earlier when repeated control failures due to a lack of validation between the loan approval and loan disbursement process in core banking systems. If the bank had enabled a more holistic and proactive approach to risk awareness and management, ensuring multiple divisions were alerted to the control failures and appropriate action was taken to address them, the risk event could have been averted.
In its Global Risks Report 2023, the World Economic Forum (WEF) observes, “The way risks play out over the next two years has ramifications for the decade to come.” It added, “…present and future risks can also interact with each other to form a “polycrisis” – a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part.” Understanding these risk relationships, extensions across categories, and interconnections will require moving beyond silos and tracking how risk mitigation actions impact the realization of other risks
2. Hyper-Connectivity Leading to Unknown-Unknown Risks
Organizations have become increasingly dependent on services, infrastructure, and specialized capabilities outside of their own capabilities and boundaries, more often for mission-critical services than most would admit. As a result, both the range of risks and their interconnectedness are increasing exponentially. Today, losses associated with a risk event aren’t just determined by impact at a single organization, but by the velocity through which that impact spreads through interconnected organizations and relationships.
A risk management program that does not transcend risk types or departments, it becomes very difficult to accept and anticipate risk interconnectivity and the speed at which relationships can spread risk impact. Yet, it is within the intersection of disparate risks that unknown-unknown risk events with catastrophic losses often originate and spread. It is essential for organizations to recognize the scale, speed, and severity of risk events, as well as how their risk management approach may exacerbate and spread a risk impact across its extended world.
The pace of change around the world seems to accelerate, creating new challenges for businesses and GRC leaders. While the Internet of Things, increasing digitization and automation of key functions, and other technology innovations promise new operational efficiencies and savings, not all innovations are as easily understood or predictable. In recent years, as technologies like blockchain and cryptocurrency cross into more common usage in business applications, they represent new risks to the organization and should be seen as both opportunities and threats across multiple risk categories. Traditional risk management programs have trouble keeping up with technological changes that affect multiple parts of the business.
In the last few months, nothing has fit that model of not yet-understood benefits and risks related to technological disruption like artificial intelligence (AI). There has been a rush of some businesses and people to embrace AI chatbots, AI enhancers, and generative AI tools such as ChatGPT, Bard, and others. The pace of change around AI and the excitement for what AI could provide for many business processes has created a Pandora’s Box of new opportunities, threats, and optimism. It’s hard not to dream big. But at the same time, organizations should be adapting their expectations and honestly assessing the risks some AI tools represent to the business. Again, AI, like many other technological advancements, needs to be viewed holistically and realistically by businesses, and only a broad and integrated risk management program can allow for the degree of review it requires.
As an example, while the primary use of AI chatbots has been to automate customer interactions and deliver accurate information more efficiently than a human can, even this better-understood application of AI creates organizational risks. For example, when robo-advisors provide wealth management service assistance for customers (based on their inputs and accounts), customers should know that they are dealing with an automated bot and not a real human being – and act accordingly. While AI chatbots are usually assessed against direct organizational risks, such as information security and data privacy, what is often ignored is their strong correlative impact on credit risks – especially if the self-learning AI models used to provide investment advice develop biases towards a certain class of financial products. Worse still are the conduct risks that could arise, should the chatbots become racially biased, as we have seen in the past. Any financial advisory deploying AI chatbots may save money by doing so, but must also understand the risks created if the bot isn’t specifically limited in its capabilities.
Currently, organizations with siloed risk programs are unlikely to identify and monitor the interconnectedness between various risks associated with new technologies like conversational AI. The unknown-unknown risks that originate from the intersections between traditional and emerging risks can grow to catastrophic proportions, sometimes coming to the organization's notice only when a massive loss event or massive loss of customers occurs.
3. Growing Awareness of Risk Interconnectedness and Its Domino Effect
The interconnectedness of operating markets, coupled with emerging risks and their relationships with other risks, has given rise to a contagion effect that extends beyond the boundaries of the enterprise. Today, the risk posture of a given business line can be impacted by risks originating from multiple parts of the organization, or even other enterprises. If these risks aren’t seen from a broader perspective, they could continue to grow within their silos, emerging as a systemic, industry-wide failure at some point.
Regulators and businesses are becoming increasingly aware of such risks. In the UK, new rules on operational resilience (SS1/21) came into force on 31st March 2022, requiring financial services firms to “ensure they are able to deliver their important business services within impact tolerances in severe but plausible scenarios.” In November 2022, the European Council adopted the Digital Operational Resilience Act (DORA), which aims to ensure that the European financial sector can stay resilient through a severe operational disruption. In the US, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the agencies) released an interagency paper on Sound Practices to Strengthen Operational Resilience in 2022, followed by the Federal Reserve’s notes on An Approach to Quantifying Operational Resilience Concepts in 2022.
The supervisory authorities believe that operational resilience is important for ensuring financial stability and safety and soundness of firms and FMIs, and safeguarding customer interests. This represents a significant shift in perspective from a time when risk management was looked at and enforced within silos within organizations to organization-wide investigations and enforcement, as well as across entire markets.
The traditional risk management approach is no longer effective to tackle the high-velocity risks of today’s hyperconnected world. Organizations must adopt an integrated approach to risk management that would strengthen their risk preparedness by eliminating organizational siloes, facilitating harmonization between business processes and functions, and improving visibility into existing and emerging risks.
Integrated risk management (IRM) as a program will require significant changes in people, skills, processes, and technology. Some of the core aspects of change will involve:
Reallocation: With risk monitoring and issue identification moving to the first line of defense, skills will have to be transferred from the first line to the second line. As the latter gains a deeper understanding of issues and risks realized by the first line, they can then design programs that will be owned and operated by the first line.
Reskilling: The reskilling of risk practitioners is a two-fold endeavor. The first part is about building the ability to understand emerging risk categories and their behavioral patterns, while also strengthening risk monitoring capabilities. Take, for example, cyber risk. Not only is its velocity and interconnectedness with other risks greater than that of traditional risks, but it also requires a level of monitoring that is far more real-time and data-intensive.
The second part of reskilling is about understanding the concurrence of risks. Essentially, risk practitioners will need to cultivate a multi-faceted understanding of risks. For example, the use of AI algorithms in business services has given rise to information security risks which, in turn, are closely associated with compliance risks linked to data privacy regulations like the General Data Protection Regulation (GDPR). Practitioners of compliance risk and data privacy management will need to be aware of the risk intersections and dependencies across both their disciplines. They cannot restrict themselves to measuring risks in silos.
MetricStream provides a range of easy-to-use products and solutions that enable organizations to structure and streamline their risk management processes and workflow in a manner that is aligned with the corporate strategy objectives. The MetricStream Integrated Risk Management solution cuts across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions.
The solution enables organizations to
A multinational pharmaceutical giant wanted to simplify and standardize risk processes to provide timely insights into global quality, supply continuity, and manufacturing risks. Its previous manual approach and lack of efficient collaboration across business units and geographies limited its visibility into key risk and compliance areas and therefore its decision-making abilities.
The company sought a solution that could help address the existing challenges and bring structure and consistency to risk and compliance activities across locations. Toward this goal, it chose MetricStream Integrated Risk Management Solution. With the implementation, the company is achieving increased visibility and measurement into key risks along with increased speed, agility, and scalability in risk processes based on industry best practices and global quality requirements. In fact, it has compressed time frames – up to 30% – in managing risks and resolving issues through greater accountability across 20,000+ products in over 36 facilities worldwide.
