Enterprise risk management has taken center stage in many organizations as they grapple with the lingering effects of the COVID-19 pandemic, economic uncertainties, the rapid pace of business change and other potential business risks.
Forward-looking corporate executives recognize that stronger risk management programs are required to remain competitive in today's business world. For example, one aspect of the current enterprise risk management (ERM) landscape that companies must contend with is the connectivity of risks between different organizations.
Businesses are increasingly interconnected with partners, vendors and suppliers across global markets, complicating various types of risks they face, explained Alla Valente, an analyst at Forrester Research.
"We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories," she said. The business impact of a local natural disaster, the ongoing wars in Ukraine and Gaza, higher interest rates or other developments can cascade across an entire supply chain worldwide. Along with other factors, that makes effective risk management a prerequisite for continued business success.
But there's a lot for risk managers to keep up with. Here are 12 security and risk management trends that are reshaping the ERM process and influencing business continuity planning and risk mitigation efforts.
1. Risk maturity models consolidate workflows
More enterprises are considering a risk maturity model as a way to manage the growing interconnectedness of risk vulnerabilities, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Adopting a risk maturity model requires addressing risk management processes and technologies that can support them.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish ERM policies and procedures, and implement the proper controls. Risk managers also need to establish processes for consolidating ERM workflows across disparate entities.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond financial issues to also reach into cybersecurity; IT; third-party relationships; and governance, risk and compliance (GRC) procedures. A comprehensive GRC platform can be a critical integration tier for all types of risk management activities. An organization can use one to create and manage policies, conduct risk assessments, understand its risk posture, identify gaps in regulatory compliance, manage and respond to incidents, and automate the internal audit process.
CIOs need to confirm that their risk management technology stack is adequate for each task and used proactively, not just reactively, Valente said. Consider integrating the following functions into a more comprehensive technology stack:
- Risk intelligence tools to analyze geopolitical risks, natural disasters and other incidents.
- Third-party risk assessment tools to track sanctions, security incidents and financial health in other organizations.
- Cybersecurity systems to assess the potential impact of security vulnerabilities, data breaches and cyberattacks.
- Social media monitoring capabilities to identify sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Organizations now often view risk management as a way to increase their competitive advantage instead of simply a risk avoidance exercise, especially since the onslaught of COVID-19.
"Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."
Valente's research team has been exploring the differences between traditional chief risk officers who are laser-focused on minimizing risk and so-called transformational CROs who see risk management as a competitive differentiator that can prevent risks from interfering with business strategy and limiting revenue streams.
"Companies with a transformational approach to risk can mobilize their teams and business leaders quickly to jump on a new gap in the market," Valente explained. When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the furniture retailer quickly implemented a new contactless pickup system that let customers securely pick up their purchases, according to Valente.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. For example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still lets them turn a profit.
Risk appetite statements are starting to gain popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president and advisory team manager for the corporate strategy and risk practice at Gartner. There's a caveat, though.
"It is difficult to do," Matlock warned, but "the payoff for organizations that do it is extremely high."
He explained that companies face numerous challenges in creating an effective risk appetite statement. Some executives believe it could limit their ability to pursue new business opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using their GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues spanning multiple departments emerge, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly assess the risk and take required actions.
Risk assessment at the beginning of a new project is table stakes now. Devising the best plan and creating a process that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock said.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, a principal at Deloitte who is the professional services firm's advisory leader on strategic risk and resilience in the U.S. Among the improvements are internal and external risk-sensing tools that help generate the risk intelligence needed to detect trending and emerging risks.
In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:
- Present a holistic view of risks across the organization.
- Capture leading risk indicators to show how a risk is trending.
- Promote accountability for the actions taken to mitigate risk.
- Provide real-time risk reporting to aid in management decisions.
Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletop exercises and other interactive workshops to promote more cross-functional thinking about risk management and help assess the impact of different future events on corporate business plans and strategies.
7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between business risk and environmental, social and governance (ESG) agendas.
"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Cliff Huntington, general manager of software vendor OneTrust's GRC and Security Assurance Cloud product suite. Organizations need to demonstrate that they aren't just greenwashing and are instead making measurable progress as part of their ESG strategies and programs, according to Huntington.
"Business leaders," he said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."
8. Extreme weather risks grow in importance
With crisis events like extreme weather growing in impact and frequency, CEOs and boards of directors will be called on to implement risk management strategies to mitigate the impact on employees and business assets. In 2023, there were a record 28 billion-dollar weather and climate disasters in the U.S. that caused a total of at least $92.9 billion in damages, according to the National Oceanic and Atmospheric Administration.
"With extreme weather now a norm, CEOs will need to learn about risk mitigation to protect their assets, employees and bottom line," said Mark Herrington, CEO at OnSolve, a software vendor that offers a critical event management platform.
9. Integrating risk management with digital transformation
As business operations go digital and IT environments grow more complex, enterprises are increasingly adopting an integrated GRC, or IGRC, program to simplify their risk management activities, said Elizabeth McNichol, a principal at PwC and enterprise technology leader in its U.S. cyber, risk and regulatory consulting practice.
"Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized or even if it may be noncompliant with the law," she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal and grounded in a risk-based approach, McNichol added.
IT plays a critical role as both a driver and enabler of IGRC. CIOs and other IT leaders must work with business managers to identify, assess and mitigate risks in accordance with a company's risk appetite. An integrated governance model can help by coordinating strategy, people, process and technology objectives across the enterprise. These steps are crucial for ensuring the risk management component is successfully integrated into broader digital transformation plans.
10. Enhanced and contextualized risk monitoring
Kumar Avijit, practice director for cloud and infrastructure at technology research firm Everest Group, is seeing increased demand for risk management monitoring tools tailored to specific roles and personas, such as CIOs, CISOs and business managers. The demand is driven by executives and business users who are defining new risk management priorities and mandates of their own. These tools enhance traditional risk analysis with drill-down views that provide the right level of granularity for each role.
Examples of some of the growing risk priorities for different roles include the following:
- CEOs want to drive secure business transformation.
- CFOs want to reduce business risks and the cost of data breaches.
- COOs want to run resilient business operations.
- CIOs want to make security a foundational element of IT strategy.
- CISOs want to quantify cybersecurity risks to aid in decision-making.
11. AI augments risk management initiatives
AI will play a growing role in risk management initiatives. Abhishek Gupta, founder and principal researcher at the Montreal AI Ethics Institute, said he expects the following to be some of the most common manifestations of this trend:
- AI-driven risk identification and prediction. Machine learning is beginning to be used to identify risks more accurately and faster than humans can. That's especially the case in dynamic risk management processes for cybersecurity, in which heuristic- or rule-based approaches can become outdated because adversaries are using AI themselves to mount novel attacks. AI and machine learning tools can also monitor risks and predict how they might develop in the future, enabling mitigation strategies to become more proactive.
- Use of chatbots. They can answer risk management questions from employees, customers, business partners and other parties that would otherwise need to be addressed by risk managers. Chatbots can also navigate internal knowledge bases to surface risk-related scenarios and incidents that were previously encountered in an organization, thus saving time and preventing redundant investments in resolving issues.
- AI in legal and model risk management. AI tools are being used to ensure legal compliance and mitigate related risks. They can also be used for model risk management and stress testing of quantitative and qualitative models to meet regulatory requirements in financial services, insurance and other industries.
12. AI introduces new risks that need to be managed
On the flip side, the surge in interest in AI, driven partly by the emergence of generative AI technologies, also threatens to burden enterprises with new risks that haven't been widely considered before now. Gupta predicted that organizations will adopt the following measures to help manage AI risks:
- AI risk management frameworks. Progress is expected on case studies and tests to determine whether new AI risk management frameworks, such as one developed by the National Institute of Standards and Technology, are effective. If they are, that would remove a big impediment for organizations in getting started on managing AI risks.
- Responsible AI programs. A cohesive responsible AI strategy will be an important component of AI risk management. But some companies likely will struggle to balance idealistic commitments to responsible AI principles with the level of resources required to support and sustain a program. Organizations will need to think seriously about how to achieve that balance.
- AI governance policies. This involves establishing guidelines that align the governance of AI systems with an organization's values and objectives. Without such alignment, the implementation of an AI governance policy could fail due to internal friction, resulting in limited adoption and an inability to effectively manage AI risks across the organization.
- Management of third-party AI risks. Organizations also must address risks that stem from the use of externally developed AI tools. Incorporating these third-party AI risks into existing risk management strategies will separate companies that are successful in their approaches from those that aren't.
George Lawton is a journalist based in London. Over the last 30 years he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.