The Future State Integrated Risk Management: A Real-time Understanding of Risk Relationships

Best Practices for Future Ready Integrated Risk Management Program

The idea of IRM programs is not to replace everything that has happened before, but rather to understand the relationship between various risk profiles, so that new risks can be proactively identified. The IRM program of the future looks to leverage existing risk management infrastructure, maintaining its federation and independence as required. However, it also seeks to build an overarching integrative layer that establishes the relationships between different risks. It then focuses on streamlining risk assessment and mitigation plans in an agile and unified manner across business functions and risk groups. Through this approach, risk information is available instantly, in digestible and logical pieces, enabling the board of directors and senior leaders to make informed risk-based decisions.

To build a future-ready integrated risk management program, here are some best practices to follow:
 

Establish an Integrated Risk Framework Aligned to Business Objectives

The first step in an IRM program is to establish a common understanding of its outcomes across various risk functions. That is done by defining corporate objectives, and then contextualizing them within the constraints defined by regulatory requirements, as well as the organization’s risk appetite.

The constraints and objectives together are translated into a set of policies and standards which then become the guardrails for the organization to operate within. They also serve as the bedrock for risk management processes that cascade down across the three lines of defense. These processes help measure and manage risks through appropriate controls and issue remediation efforts.
 

Link Risk Monitoring Tools to The Integrated Risk Framework

By establishing an IRM framework, organizations can draw in information from the ecosystem of tools used to monitor and manage risk. Various risk programs for both financial and non-financial risks can now communicate with each other through a common point of contextualization i.e., business objectives.

The IRM framework leverages the ecosystem of risk monitoring tools through an integrated issue and action management capability where identified risks and their treatment plans are captured and aggregated. This can be linked to the risk universe to uncover commonalities between the issues identified.

The integration of issues and actions with the common risk universe can be used to define a risk treatment plan with a coordinated effort from various risk groups (spread across risk functions, regional entities, legal entities, and business functions).
 

Enable Continuous Risk and Control Monitoring to Provide Real-time Information and Reduce Risk Response Time

For integrated issue management to be truly effective, organizations need to identify risk events in real time, perhaps even pre-emptively. For example, a leading financial exchange tracks “rumors” on “pump and dump” schemes for certain stocks through a real-time social media risk monitoring tool. These rumors are flagged as issues within the IRM program. Based on the relationships defined within this program, accountability is assigned to risk officers and market surveillance teams. Immediately, risk mitigation actions are coordinated by consumer protection teams. The perpetrators of the rumors are informed, and compliance teams take action to prevent these market participants from participating in the trade of these stocks.
 

Move Risk Identification to The First Line of Defense

Since the first line of defense often becomes aware of emerging risks before others, they play a critical role in an IRM program. The integrated issue and action management capability must be extended to them so that all issues identified at the first line are aggregated and consolidated with the issues identified by the ecosystem of risk monitoring tools.

The result is a single repository of all risk-related issues from the three lines of defense. This data enables the first line to allocate resources for issue remediation based on the areas that are important to strategy or contribute to corporate objectives.
 

Enable The First Line of Defense with Chatbots and Robotic Process Automation

The process of capturing and aggregating issues and risk events from the first line of defense can be quite time-consuming and resource-intensive due to the large number of participants involved. However, technologies like robotic process automation (RPA) and chatbots have exponentially increased the ability of risk functions to gather information from the first line of defense in a simple, efficient manner. For example, at a leading mortgage financing company, mobile-device-based chatbots offer an easy and jargon-free way for first-line participants across the organization to report issues and risk events.
 

Integrate Cyber Risks Within The Larger Risk Management Framework

As digital organizations increase cloud adoption and process automation, IT and cyber risks are also increasing. These risks have a compounding effect when considered in terms of their intersection with other more traditional risks.

Established frameworks like FAIR (Factor Analysis of Information Risk), as well as risk management solutions have made it easier for organizations to identify and quantify IT and cyber risks across information assets. The ability to aggregate the risk findings, and map them to other risk profiles, is key to a truly integrated risk program.

Ultimately, an IRM program enables organizations to identify issues from multiple risk monitoring programs and tools that were previously managed in siloes. Using this data on issues, organizations can correlate different risks and, at their intersection, find previously “unknown-unknown” risks. Advancements in artificial intelligence (AI) and machine learning (ML) will make the process more efficient and effective.
 

Build an Ecosystem of Integrated Risk Methodologies and Taxonomies

With an IRM program, organizations gain a single source of truth for risk. The next step in the evolution of this program is to develop a systemic, industry-wide risk management dataset that can help organizations identify and prepare for risks that might not yet have materialized within their enterprises, but have done so in others with similar business interests, operating in similar markets. Early efforts to build such systemic datasets have included the external operational loss databases created by ORX and GOLD. In the future, we’re likely to see industry-wide risk datasets being built not just for operational losses and risk taxonomies, but also for issue aggregation and risk treatment plans.
 

Find Unknown- Unknown Risks with AI And ML Enabled Risk Intelligence

Integrated repositories of risks and issues, coupled with systemic risk datasets, will offer organizations the ability to correlate issues and risk remediation actions. This golden source of information can be aligned to the risk universe, and then acted on by AI and ML analytics to identify both unknown risks and unknown relationships between issues. Based on these insights, organizations can formulate an integrated risk response strategy.
 

Enable Growth with Purpose

To become future-ready, organizations today need to think beyond financial statements and profits, and work towards becoming a purpose-driven entity that strives for global sustainability and enables global communities to thrive. Concerns related to Environmental, Social, and Governance (ESG) issues are quickly becoming a top agenda item for every board of directors. In addition to climate risks, there is a growing global awareness of diversity, inclusion, and equity in organizations. Organizations need to incorporate ESG performance metrics in their overarching risk management framework as going forward this will determine how consumers, regulators, investors, and other stakeholders gauge an organization’s progress and success.