Introduction
Over the years, organizations have had to grapple with increasingly complex and interconnected risks—be it regulatory pressures, data breaches, and geopolitical risks, or climate change, IT disruptions, and liquidity risks. Then came COVID-19. Suddenly, businesses were thrust into a dual financial and health crisis that transformed customer engagement protocols, shocked supply chains, and prompted a move to remote working on an unprecedented scale. Digitalization efforts that would have otherwise taken months or years were compressed into a few weeks. With that, attack surfaces expanded.
Risk professionals have found themselves in the eye of this storm. Not only do they need to anticipate, identify, and manage the risks of doing business in a pandemic, but they also need to help tackle process disruptions and ensure timely reporting of issues. Now more than ever, a robust risk management and control program is critical to ensure organizational resilience on all fronts—be it cybersecurity, compliance, or third-party governance.
Key Takeaways
To delve more into these trends, MetricStream surveyed chief risk officers (CROs) and risk managers across geographies and industries. Here are six key takeaways from “The State of Risk Management Survey Report 2021”.
Risk Professionals are Most Concerned about Cybersecurity Risks
Nearly half of all respondents (48.91%) identified cybersecurity risk as their top organizational risk, followed by compliance (23.91%) and operational risks (23.91%).
Even before the pandemic, cybersecurity risk was among the top three risks. But since then, its impact has only been amplified by the speed of digital transformation, as well as the widespread shift to remote work. Cyber-attackers see the pandemic as an opportunity to increase criminal activities by exploiting the vulnerability of employees working from home. That makes it all the more important for organizations to have a sound cybersecurity program with strong threat detection, monitoring, and alerting capabilities. In fact, more than 60% of respondents said their top priority is to assess the effectiveness of cybersecurity risk management programs.
The Biggest Risk Management Challenge is Aligning Risk Priorities with Business Strategy
When the pandemic struck, companies had to swiftly rethink customer and employee engagement, initiate telecommuting across their enterprises, and roll out new digital technologies faster than ever. Business priorities, objectives, and strategies suddenly changed—and have continued to do so, as new strains of the coronavirus, coupled with a rising number of cases trigger new lockdowns and travel restrictions in certain countries.
Risk professionals have had to keep pace with these changes and their impact on business strategy. In fact, survey respondents reported that their biggest challenge lies in aligning risk priorities with business strategy. If the two aren’t linked, then risk management activities can end up becoming reactive, disparate, and compliance-centered. What’s more, misaligned risk efforts may focus on low-impact risks that aren’t relevant to the business at the moment.
On the other hand, when risk priorities are in line with business strategies, objectives, and priorities, risk professionals can truly add value with targeted and timely risk insights that strengthen strategic decision-making.
The Future of Risk Management is Integrated Risk Management
More than half of the respondents that have already deployed integrated risk management (IRM) solutions (52.63%) reported that they did not make any changes to their risk management plans, approaches, and activities during the pandemic. This is most likely because their IRM solutions gave them the agility and resilience they needed to respond quickly to the pandemic’s disruptions.
On the other hand, respondents with traditionally manual or siloed risk management tools had to make significant changes to their risk program to contend with the pandemic. About 57% of respondents reported having to modify their risk management approach. Of them, 41.5% use risk management software that isn’t integrated with compliance, cybersecurity, third-party risk management, and other key functions.
Today’s business leaders want comprehensive and real-time visibility into risks and controls. This is best achieved with an IRM solution that can consolidate risk data from across the enterprise into a unified view. When risk-related issues and insights are easily visible through a single source of truth, senior management can make faster and better-informed strategic decisions.
Despite the Benefits of IRM Solutions, Only 21% of Organizations Have Implemented Them
To manage risks, most respondents still use office productivity software (24%) or point solutions that are not integrated with other functions (39%). This could adversely impact their risk identification, assessment, reporting, and mitigation capabilities.
Among the respondents who use office productivity software such as spreadsheets, only 22.73% reported being able to aggregate and report risks. Even that is likely to involve some amount of manual intervention which could delay risk reporting. In addition, 50% of the respondents believe that spreadsheets and other office tools cannot be used as a risk repository. This suggests a need for better risk management technology.
21% of respondents have invested in IRM solutions. These tools are used in a number of ways—be it to create a centralized risk library (100%), track and monitor key metrics (71.43%), aggregate and report risks (71.43%), automate risk and control assessment and scoring (64.29%), or leverage analytics to strengthen risk insights (57.14%).
Risks are most commonly aggregated based on organizational structure, risk categories, business processes, and business objectives. Only 16.3% of respondents agreed that they can aggregate risks by geographical structure. This might need to improve. Given the number of geopolitical risks, third parties scattered across geographies, and countries locked down during the pandemic, it has become critical for organizations to aggregate and view risks based on geography.
Operational Resilience is a Top-three Priority for Risk Professionals
Since operational risk events are systemic in nature and can disrupt entire markets and systems, it’s no surprise that operational resilience is a key focus area for organizations. About 45% of respondents said their top priority is to evaluate the strength of operational resilience programs and frameworks.
Sometimes, operational risks such as data breaches, pandemics, or IT infrastructure failures due to natural disasters can’t always be prevented. But what organizations can do is to strengthen their risk preparedness and ensure that they are well-equipped to respond and recover from the risk event if it does arise. This is the foundation of operational resilience.
According to our findings, the key elements of an effective operational resilience program are enterprise and operational risk management, followed by business continuity management, cybersecurity, and third-party management. By coordinating these functions through an IRM program, organizations will be better prepared to navigate an uncertain world and adapt quickly to disruptions.
Going Forward, Risk Teams are Most Likely to Invest in Upskilling
In the wake of the pandemic, around 48% of respondents reported that they’re most likely to direct their investments towards upskilling risk managers on emerging risks and cutting-edge technologies. 45% of organizations are also investing in enabling the frontline to manage risks.
Since frontline employees often become aware of emerging risks before others, they play a critical role in risk management. Through technologies like chatbots, companies can empower the front line to report potential risk issues, incidents, and control weaknesses in a simple and intuitive manner.
As more users begin participating in risk reporting, richer insights will flow up to the risk team, management, and board, enabling them to proactively act on risks before they snowball into larger issues.
Conclusion
The pandemic has been a major driving force for companies to re-evaluate their risk management programs and approaches. The need to make risk management more agile, integrated, and technology-driven is no longer a matter of choice but a critical option for organizations to thrive in the new normal.
Over the years, organizations have had to grapple with increasingly complex and interconnected risks—be it regulatory pressures, data breaches, and geopolitical risks, or climate change, IT disruptions, and liquidity risks. Then came COVID-19. Suddenly, businesses were thrust into a dual financial and health crisis that transformed customer engagement protocols, shocked supply chains, and prompted a move to remote working on an unprecedented scale. Digitalization efforts that would have otherwise taken months or years were compressed into a few weeks. With that, attack surfaces expanded.
Risk professionals have found themselves in the eye of this storm. Not only do they need to anticipate, identify, and manage the risks of doing business in a pandemic, but they also need to help tackle process disruptions and ensure timely reporting of issues. Now more than ever, a robust risk management and control program is critical to ensure organizational resilience on all fronts—be it cybersecurity, compliance, or third-party governance.
To delve more into these trends, MetricStream surveyed chief risk officers (CROs) and risk managers across geographies and industries. Here are six key takeaways from “The State of Risk Management Survey Report 2021”.
Nearly half of all respondents (48.91%) identified cybersecurity risk as their top organizational risk, followed by compliance (23.91%) and operational risks (23.91%).
Even before the pandemic, cybersecurity risk was among the top three risks. But since then, its impact has only been amplified by the speed of digital transformation, as well as the widespread shift to remote work. Cyber-attackers see the pandemic as an opportunity to increase criminal activities by exploiting the vulnerability of employees working from home. That makes it all the more important for organizations to have a sound cybersecurity program with strong threat detection, monitoring, and alerting capabilities. In fact, more than 60% of respondents said their top priority is to assess the effectiveness of cybersecurity risk management programs.
When the pandemic struck, companies had to swiftly rethink customer and employee engagement, initiate telecommuting across their enterprises, and roll out new digital technologies faster than ever. Business priorities, objectives, and strategies suddenly changed—and have continued to do so, as new strains of the coronavirus, coupled with a rising number of cases trigger new lockdowns and travel restrictions in certain countries.
Risk professionals have had to keep pace with these changes and their impact on business strategy. In fact, survey respondents reported that their biggest challenge lies in aligning risk priorities with business strategy. If the two aren’t linked, then risk management activities can end up becoming reactive, disparate, and compliance-centered. What’s more, misaligned risk efforts may focus on low-impact risks that aren’t relevant to the business at the moment.
On the other hand, when risk priorities are in line with business strategies, objectives, and priorities, risk professionals can truly add value with targeted and timely risk insights that strengthen strategic decision-making.
More than half of the respondents that have already deployed integrated risk management (IRM) solutions (52.63%) reported that they did not make any changes to their risk management plans, approaches, and activities during the pandemic. This is most likely because their IRM solutions gave them the agility and resilience they needed to respond quickly to the pandemic’s disruptions.
On the other hand, respondents with traditionally manual or siloed risk management tools had to make significant changes to their risk program to contend with the pandemic. About 57% of respondents reported having to modify their risk management approach. Of them, 41.5% use risk management software that isn’t integrated with compliance, cybersecurity, third-party risk management, and other key functions.
Today’s business leaders want comprehensive and real-time visibility into risks and controls. This is best achieved with an IRM solution that can consolidate risk data from across the enterprise into a unified view. When risk-related issues and insights are easily visible through a single source of truth, senior management can make faster and better-informed strategic decisions.
To manage risks, most respondents still use office productivity software (24%) or point solutions that are not integrated with other functions (39%). This could adversely impact their risk identification, assessment, reporting, and mitigation capabilities.
Among the respondents who use office productivity software such as spreadsheets, only 22.73% reported being able to aggregate and report risks. Even that is likely to involve some amount of manual intervention which could delay risk reporting. In addition, 50% of the respondents believe that spreadsheets and other office tools cannot be used as a risk repository. This suggests a need for better risk management technology.
21% of respondents have invested in IRM solutions. These tools are used in a number of ways—be it to create a centralized risk library (100%), track and monitor key metrics (71.43%), aggregate and report risks (71.43%), automate risk and control assessment and scoring (64.29%), or leverage analytics to strengthen risk insights (57.14%).
Risks are most commonly aggregated based on organizational structure, risk categories, business processes, and business objectives. Only 16.3% of respondents agreed that they can aggregate risks by geographical structure. This might need to improve. Given the number of geopolitical risks, third parties scattered across geographies, and countries locked down during the pandemic, it has become critical for organizations to aggregate and view risks based on geography.
Since operational risk events are systemic in nature and can disrupt entire markets and systems, it’s no surprise that operational resilience is a key focus area for organizations. About 45% of respondents said their top priority is to evaluate the strength of operational resilience programs and frameworks.
Sometimes, operational risks such as data breaches, pandemics, or IT infrastructure failures due to natural disasters can’t always be prevented. But what organizations can do is to strengthen their risk preparedness and ensure that they are well-equipped to respond and recover from the risk event if it does arise. This is the foundation of operational resilience.
According to our findings, the key elements of an effective operational resilience program are enterprise and operational risk management, followed by business continuity management, cybersecurity, and third-party management. By coordinating these functions through an IRM program, organizations will be better prepared to navigate an uncertain world and adapt quickly to disruptions.
In the wake of the pandemic, around 48% of respondents reported that they’re most likely to direct their investments towards upskilling risk managers on emerging risks and cutting-edge technologies. 45% of organizations are also investing in enabling the frontline to manage risks.
Since frontline employees often become aware of emerging risks before others, they play a critical role in risk management. Through technologies like chatbots, companies can empower the front line to report potential risk issues, incidents, and control weaknesses in a simple and intuitive manner.
As more users begin participating in risk reporting, richer insights will flow up to the risk team, management, and board, enabling them to proactively act on risks before they snowball into larger issues.
The pandemic has been a major driving force for companies to re-evaluate their risk management programs and approaches. The need to make risk management more agile, integrated, and technology-driven is no longer a matter of choice but a critical option for organizations to thrive in the new normal.
