Enterprise risk management has taken center stage as organizations grapple with the lingering effects of the COVID-19 pandemic. Executives have realized that stronger ERM programs are required to remain competitive in this new era. Risk leaders, in turn, are looking beyond the urgent ERM measures required to handle the pandemic to how an effective enterprise risk management program can be a competitive differentiator for their companies.
"It's not necessarily that there is new risk," explained Alla Valente, senior analyst at Forrester Research, about the risk landscape of the pandemic, "but that [the risks] are more connected."
Businesses are increasingly interconnected with partners, vendors and suppliers across global markets. "We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories," Valente said. The impact of a local natural disaster, for example, can cascade across an entire global supply chain.
Ten security and risk management trends are reshaping the risk landscape and influencing business continuity planning.
1. Risk maturity frameworks consolidate workflows
More enterprises are considering a risk maturity framework as a way to manage the growing interconnectedness of vulnerabilities in the risk landscape, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Risk management maturity requires addressing processes and technologies.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish policies and procedures, and implement the proper controls. Risk managers also need to ensure established processes for consolidating workflows across disparate agencies.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond simple financial governance, reaching into security, IT, third-party relationships and governance risk and compliance (GRC). A comprehensive GRC platform can be a critical integration tier for all types of risk management activities to create and manage policies, conduct risk assessments, understand risk posture, identify gaps in regulatory compliance, manage and respond to incidents and automate the internal audit process.
CIOs need to confirm that their risk technology stack is adequate for each task and used thoughtfully, proactively and not just reactively, Valente suggested. Consider integrating the following into a more comprehensive risk technology stack:
- intelligence analytics for geopolitical risks, natural disasters and other incidents;
- third-party risk assessment tools to track sanctions, security incidents and financial health;
- security systems to assess the potential impact of vulnerabilities, breaches and cyber attacks; and
- social media monitoring capabilities to track sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Many companies view risk management as a way to increase their competitive advantage instead of simply avoiding bad situations -- especially since the onslaught of the COVID-19 pandemic.
"Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."
Valente's research team has been exploring the differences between traditional chief risk officers (CROs) who are laser-focused on minimizing risk and so-called transformational CROs who see risk management as a competitive advantage -- examining how risks can interfere with business strategy and limit revenue streams.
"Companies with a transformational approach to risk," Valente explained, "can mobilize their teams and business leaders quickly to jump on a new gap in the market." When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the retail furniture company quickly implemented a new contactless pickup system that allowed customers to securely pick up their purchases, according to Valente.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. So, for example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still allows them to turn a profit.
Risk appetite statements are starting to gain popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president, advisory -- corporate strategy and risk practice at Gartner. This risk management trend comes with a caveat: "It is difficult to do," Matlock warned, adding that "the payoff for organizations that do it is extremely high."
He explained that companies face numerous challenges in implementing an effective risk appetite statement. Some executives believe it could limit their ability to pursue new opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Panels of subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using the GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues emerge that span multiple departments, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly and automatically be included to assess the risk and take action.
Risk assessment at the beginning of a new project is table stakes. Devising the best plan and finding a system that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock reasoned.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, principal at multinational professional services network Deloitte. Among the improvements are internal and external risk sensing tools that help generate the risk intelligence that detects trending and emerging risks.
In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:
- present a holistic view of risks across the organization;
- capture leading indicators to show how a risk is trending;
- promote accountability for the actions taken to mitigate risk; and
- provide real-time risk reporting to aid in management decisions.
7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between enterprise risk and environmental, social and governance (ESG) agendas. Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletops and other interactive workshops to promote more cross-functional thinking about risk to help assess the impact of different futures on corporate business planning and strategies.
"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Clifford Huntington, global assistant vice president, sales, for risk products at ServiceNow. Organizations need to demonstrate that they're not greenwashing and instead making measurable progress. "Business leaders," Huntington said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."
8. CIOs broker C-level ERM buy-in
Enterprises are prioritizing resilience beyond just risk management to handle the disruptions caused by the COVID-19 pandemic, said Huntington. Companies with established ERM strategies that tie in all departments can pivot quickly.
To solidify risk and resilience plans within the enterprise, CIOs need to bridge the divide among their C-suite executives. "CIOs are the perfect broker to open up these conversations," Huntington advised, "and help their peers solve this essential need since they are in charge of providing technology and services to many of their peers."
9. Cyber and physical risk converge
The emerging risk landscape increasingly must contend with risks that cross multiple organizational boundaries. For example, security attacks like the Colonial Pipeline attack in 2021 highlighted the likelihood of physical and cyber security converging in the future. Increasingly, enterprises will need to improve their ability to detect and respond to events that cross physical and IT systems.
Enterprises will need to consider new roles to consolidate the attention and response paid to these issues.
"Companies need to reorganize their processes, workflow and organizational structure to manage ongoing threats," said Mark Herrington, CEO at OnSolve, an AI event management platform. He sees the rise of the chief resilience officer who is trained to manage all types of risks and to help all the various risk teams collaborate.
He said this new role could develop and bring to maturity a physical response framework (similar to a SOAR platform in cybersecurity) to automate and orchestrate the response to threats affecting physical systems.
10. Integrating risk management with digital transformation
According to PwC's Digital Trust Insights survey, 75% of executives report too much complexity in their organizations, particularly in their technology, data, and operating environments. Enterprises are increasingly adopting an integrated governance, risk, and compliance (IGRC) program to simplify their risk management activities, said Elizabeth McNichol, principal, PwC US cyber, risk & regulatory - enterprise tech leader.
"Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized, or even if it may be noncompliant with the law," she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal, and grounded in a risk-based approach.
IT plays a critical role as both a driver and enabler of IGRC. It is important for CIOs and other IT leaders to work with other management teams to identify and assess the impact in order to mitigate risks in accordance with the risk appetite of the company. An integrated governance model can help by coordinating strategy, people, process, and technology objectives across the end-to-end value chain. This ERM trend is critical for ensuring the risk component is integrated into broader digital transformation plans.