Enterprise risk management has taken center stage as organizations grapple with the lingering effects of the COVID-19 pandemic. Executives quickly realized that stronger ERM programs were required to remain competitive in these rapidly shifting times. Risk leaders viewed the pandemic as a call to explore enterprise risk management as a competitive differentiator to take advantage of new opportunities when circumstances dictate change.
The mainstream newspapers are filled with stories of new kinds of risks that weren't considered important just a few years ago. "It's not necessarily that there is new risk, but [the risks] are more connected," said Alla Valente, senior analyst at Forrester Research.
Businesses are increasingly more interconnected with an ecosystem of partners, vendors and suppliers across global markets. "We find that when there is significantly more risk in one of those categories," Valente explained, "it can have a ripple effect that impacts other categories." The impact of a local natural disaster, for example, can cascade across an entire global supply chain.
Eight security and risk management trends are reshaping the risk landscape and influencing business continuity planning.
1. Risk maturity frameworks consolidate workflows
More enterprises are considering a risk maturity framework as a way to manage the growing interconnectedness of vulnerabilities in the risk landscape, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Risk management maturity requires addressing processes and technologies.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish policies and procedures, and implement the proper controls. Risk managers also need to ensure that established processes exist for consolidating workflows across disparate agencies.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond simple financial governance, reaching into security, IT, third-party relationships and governance risk and compliance (GRC). A comprehensive GRC platform can be a critical integration tier for all types of risk management activities to create and manage policies, conduct risk assessments, understand risk posture, identify gaps in regulatory compliance, manage and respond to incidents and automate the internal audit process.
CIOs need to confirm that their risk technology stack is adequate for each task and used thoughtfully, proactively and not just reactively, Valente suggested. Consider integrating the following into a more comprehensive risk technology stack:
- intelligence analytics for geopolitical risks, natural disasters and other incidents;
- third-party risk assessment tools to track sanctions, security incidents and financial health;
- security systems to assess the potential impact of vulnerabilities, breaches and cyber attacks; and
- social media monitoring capabilities to track sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Many companies view risk management as a way to increase their competitive advantage instead of simply avoiding bad situations -- especially since the onslaught of the COVID-19 pandemic. "Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."
Valente's research team has been exploring the differences between traditional chief risk officers (CROs) who are laser-focused on minimizing risk and transformational CROs who see risk management as a competitive advantage -- examining how risks can interfere with business strategy and limit revenue streams.
"Companies with a transformational approach to risk," Valente explained, "can mobilize their teams and business leaders quickly to jump on a new gap in the market." When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the retail furniture company quickly implemented a new contactless pickup system that allowed customers to securely pick up their purchases, according to Valente.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. So, for example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still allows them to turn a profit.
Risk appetite statements are starting to gain popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president, advisory -- corporate strategy and risk practice at Gartner. "It is difficult to do," he added, "but the payoff for organizations that do it is extremely high."
Yet companies face numerous challenges in implementing an effective risk appetite statement. Some executives believe it could limit their ability to pursue new opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Panels of subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using the GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues emerge that span multiple departments, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly and automatically be included to assess the risk and take action.
Risk assessment at the beginning of a new project is table stakes. Devising the best plan and finding a system that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock reasoned.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, principal at multinational professional services network Deloitte. Among the improvements are internal and external risk sensing tools that help generate the risk intelligence that detects trending and emerging risks.
In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:
- present a holistic view of risks across the organization;
- capture leading indicators to show how a risk is trending;
- promote accountability for the actions taken to mitigate risk; and
- provide real-time risk reporting to aid in management decisions.
7. GRC meets ESG
Enterprises are also improving connectivity between risk and environmental, social and governance (ESG) efforts. Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletops and other interactive workshops to promote more cross-functional thinking about risk to help assess the impact of different futures on corporate business planning and strategies.
"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Clifford Huntington, global assistant vice president, sales, for risk products at ServiceNow. Organizations need to demonstrate that they're not greenwashing and instead making measurable progress. "Business leaders," Huntington said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."
8. CIOs broker C-level ERM buy-in
Enterprises are prioritizing resilience beyond just risk management to handle the disruptions caused by the COVID-19 pandemic, said Huntington. Companies with established ERM strategies that tie in all departments can pivot quickly.
To solidify risk and resilience plans within the enterprise, CIOs need to bridge the divide among their C-suite executives. "CIOs are the perfect broker to open up these conversations," Huntington advised, "and help their peers solve this essential need since they are in charge of providing technology and services to many of their peers."