Enterprise risk management has taken center stage as organizations grapple with the lingering effects of the COVID-19 pandemic, the ongoing threat of an economic recession and the rapid pace of business change.
Many executives recognize that stronger risk management programs are required to remain competitive in this new era. For example, one aspect of the current enterprise risk management (ERM) landscape that companies must contend with is the connectivity of risks between different organizations.
Businesses are increasingly interconnected with partners, vendors and suppliers across global markets, complicating the various types of risk they face, explained Alla Valente, an analyst at Forrester Research.
"We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories," she said. The impact, for example, of a local natural disaster, the ongoing war in Ukraine or high interest rates can cascade across an entire global supply chain.
Here are 12 security and risk management trends that are reshaping the ERM landscape and influencing business continuity planning and risk mitigation efforts.
1. Risk maturity models consolidate workflows
More enterprises are considering a risk maturity framework as a way to manage the growing interconnectedness of risk vulnerabilities, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Adopting a risk maturity model requires addressing both risk management processes and the technologies that can support them.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish ERM policies and procedures, and implement the proper controls. Risk managers also need to establish processes for consolidating ERM workflows across disparate entities.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond simple financial governance, reaching into security; IT; third-party relationships; and governance, risk and compliance (GRC) procedures. A comprehensive GRC platform can be a critical integration tier for all types of risk management activities to create and manage policies, conduct risk assessments, understand risk posture, identify gaps in regulatory compliance, manage and respond to incidents, and automate the internal audit process.
CIOs need to confirm that their risk technology stack is adequate for each task and used thoughtfully and proactively, not just reactively, Valente said. Consider integrating the following functions into a more comprehensive risk technology stack:
- Intelligence analytics for geopolitical risks, natural disasters and other incidents.
- Third-party risk assessment tools to track sanctions, security incidents and financial health.
- Cybersecurity systems to assess the potential impact of security vulnerabilities, data breaches and cyber attacks.
- Social media monitoring capabilities to track sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Many companies view risk management as a way to increase their competitive advantage instead of simply a risk avoidance exercise, especially since the onslaught of the COVID-19 pandemic.
"Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."
Valente's research team has been exploring the differences between traditional chief risk officers who are laser-focused on minimizing risk and so-called transformational CROs who see risk management as a competitive advantage -- examining how risks can interfere with business strategy and limit revenue streams.
"Companies with a transformational approach to risk can mobilize their teams and business leaders quickly to jump on a new gap in the market," Valente explained. When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the furniture retailer quickly implemented a new contactless pickup system that let customers securely pick up their purchases, according to Valente.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. For example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still lets them turn a profit.
Risk appetite statements are starting to gain popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president and advisory team manager for the corporate strategy and risk practice at Gartner. This risk management trend comes with a caveat. "It is difficult to do," Matlock warned, but "the payoff for organizations that do it is extremely high."
He explained that companies face numerous challenges in implementing an effective risk appetite statement. Some executives believe it could limit their ability to pursue new opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Panels of subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using their GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues spanning multiple departments emerge, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly and automatically assess the risk and take required actions.
Risk assessment at the beginning of a new project is table stakes now. Devising the best plan and creating a process that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock said.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, a principal at Deloitte who leads the professional services firm's strategic risk advisory practice in the U.S. Among the improvements are internal and external risk-sensing tools that help generate the risk intelligence needed to detect trending and emerging risks.
In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:
- Present a holistic view of risks across the organization.
- Capture leading risk indicators to show how a risk is trending.
- Promote accountability for the actions taken to mitigate risk.
- Provide real-time risk reporting to aid in management decisions.
Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletops and other interactive workshops to promote more cross-functional thinking about risk management and to assess the impact of different future events on corporate business planning and strategies.
7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between enterprise risk and environmental, social and governance (ESG) agendas.
"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Clifford Huntington, senior vice president and general manager of GRC at software vendor OneTrust. Organizations need to demonstrate that they aren't just greenwashing and are instead making measurable progress as part of their ESG strategies and programs.
"Business leaders," he said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."
8. CIOs broker C-level ERM buy-in
Enterprises are prioritizing resilience beyond just risk management to handle the disruptions caused by the pandemic and economic uncertainty, Huntington said. Companies with established ERM strategies that tie in all departments can pivot quickly.
To solidify risk and business resilience plans within the enterprise, CIOs need to bridge the divide among their fellow C-suite executives. "CIOs are the perfect broker to open up these conversations and help their peers solve this essential need since they are in charge of providing technology and services to many of their peers," Huntington said.
9. Extreme weather risks grow in importance
With crisis events like extreme weather growing in impact and frequency, CEOs and boards of directors will be called on to implement risk management strategies to mitigate the impact on employees and business assets. In 2022, major weather-related disasters in the U.S. caused an estimated $176.9 billion in damages, according to the National Oceanic and Atmospheric Administration.
"With extreme weather now a norm, in 2023 CEOs will need to learn about risk mitigation to protect their assets, employees and bottom line," said Mark Herrington, CEO at OnSolve, a software vendor that offers a critical event management platform.
10. Integrating risk management with digital transformation
According to PwC's 2022 Global Digital Trust Insights survey, 75% of C-suite executives report too much complexity in their organizations, particularly in their technology, data and operating environments. The upshot is that enterprises are increasingly adopting an integrated GRC, or IGRC, program to simplify their risk management activities, said Elizabeth McNichol, a principal in the cyber, risk and regulatory consulting practice at PwC U.S.
"Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized or even if it may be noncompliant with the law," she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal and grounded in a risk-based approach, McNichol added.
IT plays a critical role as both a driver and enabler of IGRC. It's important for CIOs and other IT leaders to work with other management teams to identify risks, assess their impact and mitigate them in accordance with a company's risk appetite. An integrated governance model can help by coordinating strategy, people, process and technology objectives across the end-to-end value chain. This ERM trend is critical for ensuring the risk management component is integrated into broader digital transformation plans.
11. Cyber risk quantification
Kumar Avijit, practice director for cloud and infrastructure on the IT services team at technology research firm Everest Group, is seeing increased enterprise demand for cyber risk quantification services, particularly from boardroom executives. These services can range from customizing cybersecurity rules to complete risk quantification in terms of monetary value via an exhaustive risk assessment process.
12. Enhanced and contextualized risk monitoring
Avijit is also seeing increased demand for risk management monitoring tools tailored for various roles and personas, such as CIOs, CISOs and business managers. This is because various executives and business users are defining new risk management priorities and mandates. These tools enhance traditional risk analysis with drill-down views that provide the right level of granularity.
Examples of some of the growing risk priorities for different roles include the following:
- CEOs want to drive secure business transformation.
- CFOs want to reduce business risks and the cost of data breaches.
- COOs want to run resilient business operations.
- CIOs want to make security a foundational element of IT strategy.