Written By Justin Calderon with Change Gap
A risk management platform used to be seen as a rarefied tool, established among corporate elites in a space dominated by a few large vendors. Today, however, small and medium-sized firms are demanding better and more accessible analytical software to shield against growing uncertainties.
In 2020, it has become clearer than ever that increasingly complex financial regulations, economic crises, the Covid-19 pandemic and ongoing technological disruption have made risk management a necessity, not a luxury.
It does not stop there. Going into the next decade, emerging mega-risks such as climate change and cyber risk promise to serve as chilling reminders that serious risks lie in wait. Pandemic risk was viewed as an extremely unlikely event, one that very few firms’ business continuity plans catered for.
But do the risk management platform vendors serving today’s market have some critical gaps? In our experience, risk management functions often suffer the following pain points:
- Weak analytical capability
- Poor representation of data to enable executive decision making
- Expensive contracts with long lock-in periods
To address these gaps, we need smarter Governance, Risk and Compliance (GRC) tools offered as affordable enterprise-wide risk management platforms that are easy to adopt and use. Firms of all sizes and across all industries should be able to integrate them and, as a consequence, benefit from better risk management practices.
Today, an evolving approach to risk management demands that platforms offer the following:
- Connected enterprise-wide management across all risk types
- Integrated analytical reporting that informs management decisions
- AI-driven capabilities providing enhanced data capture and features such as predictive loss information
Here, we will outline just what firms — both large and small — should consider when integrating a risk management platform. We will also look at how they should understand risk amid today’s rapidly maturing global standards.
We will cover:
- What defines risk today?
- What are the most common gaps in risk management?
- Why does poor risk oversight occur?
- What are the main challenges with adopting a GRC tool?
What defines risk today?
Risk can be defined as the impact of a potential known or unknown event occurring from a business process. Often, these are extreme events that are thought to be implausible, which is potentially why management traditionally neglects to establish a control framework to mitigate their impact.
However, there is a need for effective and proportionate controls, both to minimise the probability of a risk event occurring and to mitigate its impact should one occur.
Risk management is the same today as ever, though the risk landscape is rapidly evolving.
Over the past 25 years, regulatory risks in the financial services sector have increased in response to various financial crises.
Cyber risk now poses a serious threat. In 2020, the average cost of a data breach was $3.86 million, while the average time it took to contain the breach was 280 days, according to an IBM study.
Environmental risks have also grown in recent years, with climate risk the subject of intense and constant focus. Conduct risk cases have also increased dramatically, with headline-making adverse sales practices inflicting long-lasting damage on firms’ reputations.
What are the most common gaps in risk management?
Today, it is fair to say that most firms suffer from incomplete and unreconciled data due to a disparate, spaghetti-like data systems landscape. Moreover, for those firms with a risk management platform already in place, it is common that they still lack a single data repository across all risk types.
Therefore, to accurately assess risk, these firms often rely on teams of people to manually work across data sources to produce detailed reports – a time-consuming effort that can take months. As a result, by the time analytics reports reach the CEO and board level, the data can already be out of date and thus, its ability to evaluate the prevailing risk profile is impaired.
Furthermore, the risk management function has become more esoteric due to disparate data analytics and sources, making the outputs harder to interpret for senior management and boards. This is a central issue, as executives cannot construct a risk framework if they are unable to quickly digest the meaning of data.
Why does poor risk management occur?
The Risk function in a firm operates as the 2nd line of defence (2LOD), with the firm’s Sales function as the 1st line of defence (1LOD) – noting that as of July 2020 the 3LOD model was renamed ‘The Three Lines Model’.
However, in many firms the Sales function does not always accept risk accountability, believing the Risk function is responsible for primary risk management. This ultimately leads to complications because the Sales function demonstrates a mismatched risk profile regarding appetite for loss, potentially impacting the company’s long-term sustainability.
To solve this dilemma, the 1LOD requires a skill set similar to that of the 2LOD, to identify, assess, measure and monitor risk. Only then will the 1LOD become accountable for its risk profile.
Poor risk oversight also often arises because management does not have access to a reliable view of the impact and drivers of different non-financial risks.
Senior management sometimes focus too heavily on risk identification rather than on securing a comprehensive plan for risk mitigation through an effective control framework.
Most firms suffer from high volumes of minor risk events that may add up to significant losses, putting pressure on risk appetite tolerances. This can lead to a failure to understand trends in the root causes of control failures.
Many firms are required to extract data from their management systems to perform basic manual analysis, which is then reliant upon the potentially restricted capabilities of specific risk analysts. This can expose firms to greater risk, as patterns in risk events go unidentified and are not communicated to senior management to equip them to take appropriate mitigating actions.
What are the main challenges with adopting a GRC tool?
Integrating a risk management platform that provides effective GRC solutions is no easy task. A firm needs an effective risk management methodology working in tandem with technology solutions to provide an effective risk management capability.
Organisations are finding it harder to keep pace and make the necessary adjustments to their business model and operations amid an ever-shifting backdrop of political, regulatory, social, economic, technological and environmental change.
These conditions mean that firms are likely to be insufficiently prepared for risk events occurring. Therefore, we can only expect commensurate impacts on customers and reputation to follow from failed business processes.
Here, the adoption of emerging technologies such as AI holds both a challenge and a solution.
While the talent pool of people needed to handle these advanced tools is still small, such capabilities are essential to effectively employing risk management platforms in the future. Enterprise-wide risk management requires clarity of roles and responsibilities with GRC solutions designed to allow management to focus on risk mitigation and control activities.
GRC solutions should enable, not hinder, a firm’s ability to manage risk, enabling scarce resources to focus on risk management in pursuit of business objectives within the stated risk appetite.
Final thoughts about risk management platforms
Much more can and should be done to mitigate the negative impacts of risk events that threaten the economies of today and tomorrow.
Change Gap has strategic partnerships with RegTech vendors, offering risk management expertise and implementation services for the cloud-based platform offering an enterprise-wide non-financial risk management solution. Some use AI and machine-learning technologies, which enable firms of all types and sizes to drive up the effectiveness of their risk management practices across the entire organisation.