Introduction
A crisis like COVID-19 changes everything. It creates uncertainty in markets, stretches healthcare systems, disrupts global supply chains, and unsettles work environments. It also impacts many parts of the global economy, leaving organizations confronting huge losses. Risk and technology executives, in partnership with CEOs and boards of directors, have a critical role to play in managing such crises. Their efforts can position organizations to not only survive the storm, but also adapt and thrive.
When the crisis first began, risk teams and their business counterparts sprung into “react” mode. Their focus was on managing the immediate impact of the event, while also identifying whom the crisis affected, and which operating regions were most vulnerable. Once the dust settled, they began to learn how to adapt. They conducted deeper risk assessments to gain a more holistic picture of the risks of the pandemic and their impact on other business risks. They also began testing for a range of crisis scenarios, and developed risk mitigation measures accordingly. But now, many months down the line, organizational priorities are shifting. The focus is on the future and how enterprises can evolve to drive success and growth. With that in mind, here are the two phases that we believe lie ahead.
The Next Normal
Powering through a Crisis
At some point, crises end, and their impact recedes. In the wake of COVID-19, economic activity has resumed, and businesses are beginning to recover. But the world isn’t the same. Consumer behavior has changed. Digital transformation and innovation have become more of a priority than ever.
New business models, products, and services are emerging. We’re also seeing shifts in risk management. The global pandemic has been an eye-opener into what can happen when organizations aren’t prepared for new, emerging risks. Going forward, leadership teams and boards will rely even more on their integrated risk management (IRM) and GRC functions to effectively manage the risks and opportunities ahead. With that in mind, here are 5 key steps that GRC functions and business leaders can take to build stronger, better businesses that are agile enough to withstand future crises:
Develop a Peripheral View of Risks
Why were so many organizations caught off-guard by COVID-19? Was it because they were so focused on the risks right in front of them, that they failed to notice the big risk coming out of the left field? We don’t have all the answers yet. But what we do know from customer conversations is that the perception of risks is changing. No longer will organizations focus only on the most obvious risks. Instead, they will increasingly incorporate a “peripheral” view of risk data by paying more attention to non-traditional risk factors such as biological hazards, climate change, geopolitics, and transactional data.
Internal risk data will be combined with external signals such as feeds from regulatory authorities, international bodies, and local news agencies. The idea will be to create a rich pool of insights that risk officers can use to connect the dots, uncover patterns, and predict emerging risks. At the center of these efforts will be the GRC hub i.e., a central, cloud-based console of risk intelligence. The hub will bring in data from numerous internal and external sources to offer organizations a truly 360-degree, real-time picture of their risk environment. The result? Better risk insights for better business decisions.
Build an Antifragile Business
Organizations emerge from a crisis in different ways. Some are unsure about the future. Others focus on building their resilience i.e., the ability to withstand future shocks. But still, others find a way to become antifragile i.e., better prepared to handle the unknown.
There’s a thin line between resilience and antifragility. While the resilient business resists shocks but stays the same, the antifragile business gets better. So how does one become more antifragile? One way is to remove risk silos. Most organizations categorize their risks into various buckets, be it financial risk, operational risk, or market risk. That’s fine from an efficiency perspective. But when these silos are so rigid that teams aren’t able to see how various risks impact and influence each other, it leaves the organization vulnerable to a cascading risk effect. Eliminating this issue requires that business leaders look at risks in a much more integrated manner.
Another way to become more antifragile is to structure the organization with backups, strong business continuity plans, and other mechanisms, so that even when critical units go down, the organization can continue to function as a whole. Ultimately, it’s about being prepared. We can’t always predict every single risk, but we can be ready to ride it out. As Michael Rasmussen, GRC Pundit at GRC 20/20 Research, pointed out at the recent GRC Summit, being unprepared for a risk like COVID-19 doesn’t make it a black swan event – it just points to a lack of preparedness.
Gear Up for High-Velocity Risks
Risks are hitting organizations faster than ever. It’s no longer enough to assess these risks once a year or even once a quarter. Continuous risk monitoring and auditing are imperative. Leadership teams need real-time and forward-looking insights rather than retrospective information for decision-making.
At the GRC Summit, Cadambi Janardhan, EVP of Transformation, Risk, and Operations LFI at Mastercard, observed that traditional risk management was about looking at past risk events, and determining how they would impact the future. However, the new risk paradigm is about looking at future risk events and determining how organizations can prepare for them in the present. How does one do this? It all boils down to data. The volume, variety, and velocity of data today are truly astonishing.
With AI and analytics, risk officers can swiftly consolidate, compare, cross-reference, and dive deep into that data to unearth risk patterns, potential issues, control weaknesses, and opportunities—all of which enable businesses to stay one step of risks. In the future, the speed of decision-making will be a key competitive differentiator. Those organizations that have predictive, real-time risk assessments embedded into their strategic decision-making processes will stand to gain.
Rethink Priorities across Business Lines
The need for dynamic and real-time risk assessments has blurred the barriers between each line of defense. No longer is it important to have neatly defined roles and responsibilities for each line. The more important question is whether or not all of them are working together to catalyze business performance. Are they combining their collective strengths to drive business growth? And are they doing all this fast enough? Today, leadership teams need to respond quickly to risks like a cyberattack or a global pandemic.
They can’t wait for data to be manually consolidated and reported through each line of defense. As a result, we’re likely to see more focus on automation – especially in the second and third lines. Already, one of our financial services customers is automating controls to reduce human intervention and error. Financial statements are being automatically populated. AI is being leveraged to review new legislation, and to highlight key areas for implementation. This trend will only increase as organizations seek to accelerate risk reporting.
Meanwhile, the front line will take on a bigger role in identifying, assessing, and predicting risks. AI chatbots will carry out simple, natural conversations with them to automatically capture frontline observations on risks and issues. These insights will enable business leaders to stay updated in real-time on the new risks that are emerging.
Focus on Value
The COVID-19 lockdown has forced many of us to ask ourselves what we really need to live comfortably. And the answer most often is – not too much. We’re finding ways to make do with less. And businesses too are doing the same. With demand slowing down since COVID-19 hit, many organizations are slashing expenses. They’re questioning areas of spend and cutting down on “nice-to-haves,” choosing to focus instead on the investments that will truly generate value in both the short and long term.
Among those investments is digital. Many of the businesses that rode out the pandemic were those that used the full potential of the cloud, mobility, and automation. Going forward, more organizations will accelerate digital transformation and innovation even in GRC. Robotic process automation, AI, machine learning, and other digital tools will increasingly be deployed to strengthen resilience and agility against future crises.
Every adversity brings new opportunities. How will we find ways to catalyze business performance and growth in the wake of a crisis?
Agility, Performance, Resilience
Thriving with Integrity at the Core
In many ways, a crisis like the pandemic can be brutal. But it also compels our organizations to adapt quickly, pivot, innovate, and build our agility and resilience like never before. We gain new insights to transform our businesses for better performance. And that’s the silver lining. Underlying it all is the awareness that to succeed, we need to stay one step ahead of risks.
Apart from COVID-19, we’re also looking at the threat of a recession, coupled with risks from geopolitical events like Brexit, ongoing cyber-attacks, and catastrophic natural disasters. How can businesses thrive and catalyze performance in this risky world? Here are a few key steps.
Align Risk Management to Performance
COVID-19 revealed just how under-prepared many organizations were for disruption. When the crisis hit, they were faced with operational and financial challenges that they hadn’t anticipated. The financial performance had been so much in focus that risk management and resilience had taken a backseat. Not anymore. Risk management will play a key role in driving and guiding business performance in the future. Decision-making processes will include a rigorous assessment of risks.
Risk findings and metrics will be aligned much more closely to resilience and strategic objectives, so that when the next crisis comes, organizations will be better prepared to respond and pivot quickly. At the GRC Summit, Mastercard CEO, Ajay Banga talked about thoughtful risk management. He observed that we shouldn’t be trying to bring the risk down to zero. Instead, we should be finding the right spot on the risk-reward spectrum where we can manage the right risk-reward arbitrage. Thoughtful risk management will be especially important in dealing with the changes in business models that we’re likely to see post-COVID-19.
Some companies may shift to a permanent remote working model. Others may replace physical customer interactions with virtual or self-service options. Most will accelerate digital transformation to drive their business forward. With these shifts will come new risks and regulations. To manage them effectively, companies will need strong risk and control foundations with streamlined workflows, consistent risk taxonomies, and integrated risk visibility. As risk management becomes more deeply embedded into business processes and strategies, it will enable a more nuanced, thoughtful, and sustainable approach to business growth.
Predict to Prevent
COVID-19 has taught us that we cannot afford to wait till it’s too late to identify and respond to a crisis. “Predict to prevent” will be the new mantra. During the recent GRC Summit, several discussions ocused on the importance of being better prepared for future crises like a major cybersecurity attacks. Why businesses must start asking the hard questions, assigning probabilities of occurrence to potential crisis events, testing continuity plans periodically, doing tabletop exercises, and more.
Effective planning and exercising ahead of time will definitely mitigate the impact. To proactively anticipate and mitigate emerging risks, business leaders will increasingly leverage AI and other emerging technologies. Advanced analytics will be used to filter through mountains of data and uncover risk insights for decision-making. AI engines will automatically scour internal data and external feeds to identify potential risk trends. Natural language processing tools will correlate data from thousands of issues and identify the best mitigation strategies. Meanwhile, continuous auditing and risk monitoring, enabled by robotic process automation, will make it easier to detect anomalies.
Stress testing will be accelerated to help risk teams proactively define action plans and early risk indicators. Uncertainty and disruption may continue to dog businesses. But with comprehensive, forward-looking risk intelligence, organizations can be better prepared to land on their feet despite a crisis.
Put Integrity Front and Center
At the GRC Summit, Robert Chesnut, Chief Ethics Officer at Airbnb, pointed out that a crisis reveals a company’s character. COVID-19 certainly has. Companies around the world have rallied together to give back to their communities—be it by donating free sanitizers and personal protective equipment to healthcare workers, or by supporting local small businesses, or even by hiring laid-off workers. It’s heartening to see these examples of integrity in practice. But integrity goes beyond corporate values, social responsibility, purpose, and ethics. It’s also about culture, resilience, good governance, and effective risk management—all qualities that will continue to be important beyond COVID-19.
Customers will increasingly want to know: Are businesses publishing information that is reliable? Are they ensuring that customer data is well-protected especially as workforces become more distributed and remote? Are they being transparent with their employees, partners, vendors, investors, and shareholders? How are they building their organization’s resilience to future shocks? Ultimately, integrity is about trust. Businesses that put integrity at their core will have stronger reputations, greater customer loyalty, and better performance.
The pandemic will eventually be behind us. And the hope is that we will emerge wiser, if not stronger, and more equipped to deal with future crises. How we use the lessons and opportunities from this time will define the success of our businesses in the years to come. Robust GRC and IRM programs will make all the difference to our ability to survive and emerge stronger to power what’s next.
A crisis like COVID-19 changes everything. It creates uncertainty in markets, stretches healthcare systems, disrupts global supply chains, and unsettles work environments. It also impacts many parts of the global economy, leaving organizations confronting huge losses. Risk and technology executives, in partnership with CEOs and boards of directors, have a critical role to play in managing such crises. Their efforts can position organizations to not only survive the storm, but also adapt and thrive.
When the crisis first began, risk teams and their business counterparts sprung into “react” mode. Their focus was on managing the immediate impact of the event, while also identifying whom the crisis affected, and which operating regions were most vulnerable. Once the dust settled, they began to learn how to adapt. They conducted deeper risk assessments to gain a more holistic picture of the risks of the pandemic and their impact on other business risks. They also began testing for a range of crisis scenarios, and developed risk mitigation measures accordingly. But now, many months down the line, organizational priorities are shifting. The focus is on the future and how enterprises can evolve to drive success and growth. With that in mind, here are the two phases that we believe lie ahead.
Powering through a Crisis
At some point, crises end, and their impact recedes. In the wake of COVID-19, economic activity has resumed, and businesses are beginning to recover. But the world isn’t the same. Consumer behavior has changed. Digital transformation and innovation have become more of a priority than ever.
New business models, products, and services are emerging. We’re also seeing shifts in risk management. The global pandemic has been an eye-opener into what can happen when organizations aren’t prepared for new, emerging risks. Going forward, leadership teams and boards will rely even more on their integrated risk management (IRM) and GRC functions to effectively manage the risks and opportunities ahead. With that in mind, here are 5 key steps that GRC functions and business leaders can take to build stronger, better businesses that are agile enough to withstand future crises:
Develop a Peripheral View of Risks
Why were so many organizations caught off-guard by COVID-19? Was it because they were so focused on the risks right in front of them, that they failed to notice the big risk coming out of the left field? We don’t have all the answers yet. But what we do know from customer conversations is that the perception of risks is changing. No longer will organizations focus only on the most obvious risks. Instead, they will increasingly incorporate a “peripheral” view of risk data by paying more attention to non-traditional risk factors such as biological hazards, climate change, geopolitics, and transactional data.
Internal risk data will be combined with external signals such as feeds from regulatory authorities, international bodies, and local news agencies. The idea will be to create a rich pool of insights that risk officers can use to connect the dots, uncover patterns, and predict emerging risks. At the center of these efforts will be the GRC hub i.e., a central, cloud-based console of risk intelligence. The hub will bring in data from numerous internal and external sources to offer organizations a truly 360-degree, real-time picture of their risk environment. The result? Better risk insights for better business decisions.
Build an Antifragile Business
Organizations emerge from a crisis in different ways. Some are unsure about the future. Others focus on building their resilience i.e., the ability to withstand future shocks. But still, others find a way to become antifragile i.e., better prepared to handle the unknown.
There’s a thin line between resilience and antifragility. While the resilient business resists shocks but stays the same, the antifragile business gets better. So how does one become more antifragile? One way is to remove risk silos. Most organizations categorize their risks into various buckets, be it financial risk, operational risk, or market risk. That’s fine from an efficiency perspective. But when these silos are so rigid that teams aren’t able to see how various risks impact and influence each other, it leaves the organization vulnerable to a cascading risk effect. Eliminating this issue requires that business leaders look at risks in a much more integrated manner.
Another way to become more antifragile is to structure the organization with backups, strong business continuity plans, and other mechanisms, so that even when critical units go down, the organization can continue to function as a whole. Ultimately, it’s about being prepared. We can’t always predict every single risk, but we can be ready to ride it out. As Michael Rasmussen, GRC Pundit at GRC 20/20 Research, pointed out at the recent GRC Summit, being unprepared for a risk like COVID-19 doesn’t make it a black swan event – it just points to a lack of preparedness.
Gear Up for High-Velocity Risks
Risks are hitting organizations faster than ever. It’s no longer enough to assess these risks once a year or even once a quarter. Continuous risk monitoring and auditing are imperative. Leadership teams need real-time and forward-looking insights rather than retrospective information for decision-making.
At the GRC Summit, Cadambi Janardhan, EVP of Transformation, Risk, and Operations LFI at Mastercard, observed that traditional risk management was about looking at past risk events, and determining how they would impact the future. However, the new risk paradigm is about looking at future risk events and determining how organizations can prepare for them in the present. How does one do this? It all boils down to data. The volume, variety, and velocity of data today are truly astonishing.
With AI and analytics, risk officers can swiftly consolidate, compare, cross-reference, and dive deep into that data to unearth risk patterns, potential issues, control weaknesses, and opportunities—all of which enable businesses to stay one step of risks. In the future, the speed of decision-making will be a key competitive differentiator. Those organizations that have predictive, real-time risk assessments embedded into their strategic decision-making processes will stand to gain.
Rethink Priorities across Business Lines
The need for dynamic and real-time risk assessments has blurred the barriers between each line of defense. No longer is it important to have neatly defined roles and responsibilities for each line. The more important question is whether or not all of them are working together to catalyze business performance. Are they combining their collective strengths to drive business growth? And are they doing all this fast enough? Today, leadership teams need to respond quickly to risks like a cyberattack or a global pandemic.
They can’t wait for data to be manually consolidated and reported through each line of defense. As a result, we’re likely to see more focus on automation – especially in the second and third lines. Already, one of our financial services customers is automating controls to reduce human intervention and error. Financial statements are being automatically populated. AI is being leveraged to review new legislation, and to highlight key areas for implementation. This trend will only increase as organizations seek to accelerate risk reporting.
Meanwhile, the front line will take on a bigger role in identifying, assessing, and predicting risks. AI chatbots will carry out simple, natural conversations with them to automatically capture frontline observations on risks and issues. These insights will enable business leaders to stay updated in real-time on the new risks that are emerging.
Focus on Value
The COVID-19 lockdown has forced many of us to ask ourselves what we really need to live comfortably. And the answer most often is – not too much. We’re finding ways to make do with less. And businesses too are doing the same. With demand slowing down since COVID-19 hit, many organizations are slashing expenses. They’re questioning areas of spend and cutting down on “nice-to-haves,” choosing to focus instead on the investments that will truly generate value in both the short and long term.
Among those investments is digital. Many of the businesses that rode out the pandemic were those that used the full potential of the cloud, mobility, and automation. Going forward, more organizations will accelerate digital transformation and innovation even in GRC. Robotic process automation, AI, machine learning, and other digital tools will increasingly be deployed to strengthen resilience and agility against future crises.
Every adversity brings new opportunities. How will we find ways to catalyze business performance and growth in the wake of a crisis?
Thriving with Integrity at the Core
In many ways, a crisis like the pandemic can be brutal. But it also compels our organizations to adapt quickly, pivot, innovate, and build our agility and resilience like never before. We gain new insights to transform our businesses for better performance. And that’s the silver lining. Underlying it all is the awareness that to succeed, we need to stay one step ahead of risks.
Apart from COVID-19, we’re also looking at the threat of a recession, coupled with risks from geopolitical events like Brexit, ongoing cyber-attacks, and catastrophic natural disasters. How can businesses thrive and catalyze performance in this risky world? Here are a few key steps.
Align Risk Management to Performance
COVID-19 revealed just how under-prepared many organizations were for disruption. When the crisis hit, they were faced with operational and financial challenges that they hadn’t anticipated. The financial performance had been so much in focus that risk management and resilience had taken a backseat. Not anymore. Risk management will play a key role in driving and guiding business performance in the future. Decision-making processes will include a rigorous assessment of risks.
Risk findings and metrics will be aligned much more closely to resilience and strategic objectives, so that when the next crisis comes, organizations will be better prepared to respond and pivot quickly. At the GRC Summit, Mastercard CEO, Ajay Banga talked about thoughtful risk management. He observed that we shouldn’t be trying to bring the risk down to zero. Instead, we should be finding the right spot on the risk-reward spectrum where we can manage the right risk-reward arbitrage. Thoughtful risk management will be especially important in dealing with the changes in business models that we’re likely to see post-COVID-19.
Some companies may shift to a permanent remote working model. Others may replace physical customer interactions with virtual or self-service options. Most will accelerate digital transformation to drive their business forward. With these shifts will come new risks and regulations. To manage them effectively, companies will need strong risk and control foundations with streamlined workflows, consistent risk taxonomies, and integrated risk visibility. As risk management becomes more deeply embedded into business processes and strategies, it will enable a more nuanced, thoughtful, and sustainable approach to business growth.
Predict to Prevent
COVID-19 has taught us that we cannot afford to wait till it’s too late to identify and respond to a crisis. “Predict to prevent” will be the new mantra. During the recent GRC Summit, several discussions ocused on the importance of being better prepared for future crises like a major cybersecurity attacks. Why businesses must start asking the hard questions, assigning probabilities of occurrence to potential crisis events, testing continuity plans periodically, doing tabletop exercises, and more.
Effective planning and exercising ahead of time will definitely mitigate the impact. To proactively anticipate and mitigate emerging risks, business leaders will increasingly leverage AI and other emerging technologies. Advanced analytics will be used to filter through mountains of data and uncover risk insights for decision-making. AI engines will automatically scour internal data and external feeds to identify potential risk trends. Natural language processing tools will correlate data from thousands of issues and identify the best mitigation strategies. Meanwhile, continuous auditing and risk monitoring, enabled by robotic process automation, will make it easier to detect anomalies.
Stress testing will be accelerated to help risk teams proactively define action plans and early risk indicators. Uncertainty and disruption may continue to dog businesses. But with comprehensive, forward-looking risk intelligence, organizations can be better prepared to land on their feet despite a crisis.
Put Integrity Front and Center
At the GRC Summit, Robert Chesnut, Chief Ethics Officer at Airbnb, pointed out that a crisis reveals a company’s character. COVID-19 certainly has. Companies around the world have rallied together to give back to their communities—be it by donating free sanitizers and personal protective equipment to healthcare workers, or by supporting local small businesses, or even by hiring laid-off workers. It’s heartening to see these examples of integrity in practice. But integrity goes beyond corporate values, social responsibility, purpose, and ethics. It’s also about culture, resilience, good governance, and effective risk management—all qualities that will continue to be important beyond COVID-19.
Customers will increasingly want to know: Are businesses publishing information that is reliable? Are they ensuring that customer data is well-protected especially as workforces become more distributed and remote? Are they being transparent with their employees, partners, vendors, investors, and shareholders? How are they building their organization’s resilience to future shocks? Ultimately, integrity is about trust. Businesses that put integrity at their core will have stronger reputations, greater customer loyalty, and better performance.
The pandemic will eventually be behind us. And the hope is that we will emerge wiser, if not stronger, and more equipped to deal with future crises. How we use the lessons and opportunities from this time will define the success of our businesses in the years to come. Robust GRC and IRM programs will make all the difference to our ability to survive and emerge stronger to power what’s next.
