Nasdaq BWise: The Road Ahead - Nine Business Risks in 2017
Posted: 14 February 2017 | Author: Ladd Muzzy
2016 has been an interesting year for GRC and risk management; new risk themes arose while some subsided. 2017 promises to be no less exciting. In lieu of a crystal ball, our team of GRC experts has identified nine different topics that will take center stage in the GRC space in 2017, comprising the following (in no particular order):
1. Integrated Risk Management
2. Political Change
3. Digital Strategy
4. Big Data and Analytics
5. Conduct Risk
6. Reputation Management
7. Succession, Retention, and Recruitment
8. Cyber Risk
9. Third-Party/Vendor Risk
Over the next few weeks, we will uncover more of the details surrounding each of these subjects and explain why they will be important in 2017.
Digitization will continue to be at the forefront of business, and its effects on risk management will push risk managers into uncharted territory. The digitization of processes and interfaces is itself a concern, placing an ever-increasing impetus on IT to program well and on human interpretation and decision making to be classified in code. Of course, digitization also leaves itself susceptible to other risks; attacks on the business continue to show remarkable success despite the litany of system and other controls to thwart them. Moreover, disruption also exists from new market entrants. These organizations are challenging traditional business models, forcing others to rethink how to remain competitive. Of course, it is not just about how the organization may be disrupted, but how the organization can disrupt as well. This yields new processes, new activities, new behaviors, new mindsets, new performance goals, and new risks.
Aside from the theoretical fundamentals of setting a digital strategy, the risks that emanate from digitization should be viewed both in isolation and in combination. Coordination must exist across the lines of defense, not only to evaluate the efficacy of the existing control environment, but also to be predictive and set mechanisms to avoid surprises. In a GRC context, this means developing metrics, whether in the form of Key Risk Indicators, Key Control Indicators, or Key Performance Indicators, to monitor changes in the business's operating and external environment. It also means developing and executing scenario plans that evaluate the possible effects of future events and how they may impact the business as a whole. In each instance, GRC software that is configurable offers benefits over software that is pure custom code, the main benefit being speed, or the ability to enhance the software to meet the rapid, ever-changing business and risk landscape.
Digitization will continue to move rapidly into more and more parts of the business. A dynamic risk strategy supported and enabled by risk technology will allow the organization to identify, assess and manage the risk ramifications of digitization.
Big Data and Analytics
Data is becoming ever more readily available, and with it comes the opportunity of data analysis. Most commonly, this is seen as a major opportunity that may well create fantastic revenue and never-before-heard-of margins. However, with this opportunity there are also more than a few risks. In the context of a high-level overview, we can merely point out the most important ones.
It should be noted that this opportunity is not just there for you, but also for all other players in the market, including newcomers. This may well disrupt your business model by more than you like. So, with the opportunity there is also the need to grasp the opportunity.
Another underestimated risk in big data and data analytics is the potential associated cost. With technology more easily available and less expensive, it may seem that big data projects have become easier. Well, they have certainly become easier to start, but one still needs to understand what to do, and not all data is easy to obtain; it requires cleansing and, most importantly, interpretation. Don’t underestimate the potential complexity; the power is tremendous, but so is the power of an atomic bomb.
Regulators have become increasingly concerned with the way businesses behave, especially in the financial services business. In the UK, the Financial Conduct Authority (FCA) is a powerful and very active institution that has conduct risk as its sole reason for being. After the recent financial crisis, regulators have set up new rules that should avoid future crises, or at the very least make them less destructive and more manageable.
One can argue that conduct risk is not really a new risk for 2017, but the same is true of all of the other risks we list. One can also argue it is not very different from the 2016 situation. However, the regulators continue to be very focused on the subject, and there is no opportunity to lean back. Moreover, there are many reasons why managing conduct risk is a good thing, not just for compliance reasons, but also because we all want to behave ourselves, don’t we?
The way people behave determines how a company behaves. This goes beyond conduct risk, which deals with the more formal sides of this ‘behavior’. The challenge with reputational risk is that it can come from almost every angle, and is therefore most likely to be unexpected.
A bad reputation can bring any organization down. In some industries, this will take days (e.g. a bank run); in other industries it may take much longer, but eventually any company will probably go down. It should be noted that a ‘bad reputation’ in this context reflects on customers, just as football fans blame any bad behavior on rival clubs and fans. With that in mind, any risk manager is anxious to manage reputation carefully.
One approach is to try to prevent unmanaged communication; this can be done by using certain technology ranging from social media blockers to monitoring tools, but most importantly it requires stringent processes and procedures. With strict rules, it then becomes possible to say the right thing at every single moment. It prevents bribery and corruption from happening and potentially damaging the business. However, when not properly implemented, it can also create an atmosphere of extreme bureaucracy or even fear. In that sense, risk managers should look at reputation as a risk, but should also consider seeing reputation management as a risk. Almost by definition, it may take creativity out of the organization. This is good where corruption is concerned; it may be less so in product innovation.