Risk management programs, especially those dealing with non-financial risks, have evolved independently over time to address specific regulatory requirements in various jurisdictions. Many of these programs are largely reactive in nature. They focus on addressing “known unknown” risks which materialize primarily as regulatory actions. While some of these programs have developed the maturity to monitor and manage individual risks, they are hardly ever integrated with other risk management frameworks across the enterprise.
This isn’t a sustainable approach, because as risks become more interconnected, their impact is no longer contained within individual risk categories. Recently, at a large bank, a multi-million-dollar risk event materialized as a credit loss, but its root cause lay many years earlier: repeated control failures in the operational risk program, caused by a lack of validation between the loan approval and loan disbursement processes in the core banking systems.
COVID-19 is another risk whose impact isn’t contained to public health alone. A World Economic Forum (WEF) risk perception survey identified seven fallout risks from the pandemic, including a prolonged global recession, a surge in bankruptcies, the failure of certain industries to recover properly, and high levels of structural unemployment.
Understanding these risk relationships will require us to move beyond silos and track how risk mitigation actions impact the realization of other risks.
With the rise of the “sharing economy,” organizations have become dependent on infrastructure and capabilities outside their enterprise boundaries, sometimes even for mission-critical services. As a result, both the types of risk and their interconnectedness are increasing. Today, the losses associated with a risk event aren’t determined only by risk frequency and impact, but also by the velocity with which that impact spreads through other interconnected risks.
In a risk program that does not transcend risk types or departments, it becomes very difficult to measure risk interconnectivity and velocity because risk relationships are not well-defined and monitored. Yet, it is within the intersection of disparate risks that unknown-unknown risk events with catastrophic losses could originate and spread.
Today, organizations are adopting conversational AI, or chatbots, for a plethora of use cases. However, the primary use of these tools has been to automate customer interactions. For example, robo-advisors provide assistance on wealth management services. While these chatbots are usually assessed against direct risks such as information security and data privacy, what is often ignored is their strong correlative impact on credit risk, especially if the self-learning AI models used to provide investment advice develop biases towards a certain class of financial products. Worse still are the conduct risks that could arise should the chatbots become racially biased, as we have seen in the past.
Currently, organizations with siloed risk programs are unlikely to identify and monitor the interconnectedness between the various risks associated with new technologies like conversational AI. The unknown-unknown risks that originate at the intersections between traditional and emerging risks can grow to catastrophic proportions, coming to the organization’s notice only when a massive loss event occurs.
The interconnectedness of operating markets, coupled with emerging risks and their relationships with other risks, has given rise to a contagion effect that extends beyond the boundaries of the enterprise. Today, the risk posture of a given business line can be impacted by risks originating from multiple parts of the organization, or even from other enterprises. If these risks aren’t seen from a broader perspective, they could continue to grow within their silos, emerging as a systemic, industry-wide failure at some point.
Regulators and businesses are becoming increasingly aware of such risks. In the UK, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England jointly published a paper in March 2021 as part of their efforts to put in place a stronger regulatory framework to promote the operational resilience of firms and financial market infrastructures (FMIs). The supervisory authorities believe that operational resilience is important both for financial stability and for the safety and soundness of firms and FMIs. This represents a significant shift in perspective from a time when risk management was looked at in silos, not just within organizations but in operating markets at large.
The traditional risk management approach is no longer effective in tackling the high-velocity risks of today’s hyperconnected world. Organizations must adopt an integrated approach to risk management that strengthens their risk preparedness by eliminating organizational silos, facilitating harmonization between business processes and functions, and improving visibility into existing and emerging risks.
Integrated risk management (IRM) as a program will require significant changes in people, skills, processes, and technology. Some of the core aspects of change will involve:
Reallocation: With risk monitoring and issue identification moving to the first line of defense, skills will have to be transferred from the first line to the second line. As the second line gains a deeper understanding of the issues and risks realized by the first line, it can then design programs that will be owned and operated by the first line.
Reskilling: The reskilling of risk practitioners is a two-fold endeavor. The first part is about building the ability to understand emerging risk categories and their behavioral patterns, while also strengthening risk monitoring capabilities. Take, for example, cyber risk. Not only are its velocity and interconnectedness with other risks greater than those of traditional risks, but it also requires monitoring that is far more real-time and data-intensive.
The second part of reskilling is about understanding the concurrence of risks. Essentially, risk practitioners will need to cultivate a multi-faceted understanding of risks. For example, the use of AI algorithms in business services has given rise to information security risks which, in turn, are closely associated with compliance risks linked to data privacy regulations like the General Data Protection Regulation (GDPR). Practitioners of compliance risk and data privacy management will need to be aware of the risk intersections and dependencies across both their disciplines. They cannot restrict themselves to measuring risks in silos.
MetricStream provides a range of easy-to-use products and solutions that enable organizations to structure and streamline their risk management processes and workflow in a manner that is aligned with the corporate strategy objectives. The MetricStream Integrated Risk Management solution cuts across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions.
The solution enables organizations to
A multinational pharmaceutical giant wanted to simplify and standardize its risk processes to provide timely insights into global quality, supply continuity, and manufacturing risks. Its previous manual approach, and the lack of efficient collaboration across business units and geographies, limited its visibility into key risk and compliance areas and therefore its decision-making abilities.
The company sought a solution that could address these challenges and bring structure and consistency to risk and compliance activities across locations. Towards this goal, it chose the MetricStream Integrated Risk Management Solution. With the implementation, the company is achieving greater visibility into, and measurement of, key risks, along with increased speed, agility, and scalability in risk processes based on industry best practices and global quality requirements. In fact, it has compressed time frames – by up to 30% – in managing risks and resolving issues through greater accountability across 20,000+ products in over 36 facilities worldwide.