This is 1 of 3 in this 2017 Risk Series
2016 has been an interesting year for GRC and risk management; new risk themes arose while some subsided. 2017 promises to be no less exciting. In lieu of a crystal ball, our team of GRC experts has identified nine different topics that will take center stage in the GRC space in 2017, comprising the following (in no particular order):
- Integrated Risk Management
- Political Change
- Digital Strategy
- Big Data and Analytics
- Conduct Risk
- Reputation Management
- Succession, Retention, and Recruitment
- Cyber Risk
- Third party/vendor risk
Over the next few weeks, we will uncover more of the details surrounding each of these subjects and explain why they will be important in 2017.
Integrated Risk Management
Integrated risk management is something that’s been hidden in the GRC space for some time. Few risk practitioners would argue that bringing together risk data in a structured way to inform the organization’s risk profile (or the holistic view of all risks across the organization) is the end goal. Unfortunately, this panacea has escaped the vast majority of organizations that have formal risk management programs. The reasons for not being successful are likely vast, but too often a root cause is not having a common platform to pull disparate practices and information together.
As risk management methods have matured, the lines of defense have created their own bespoke way of managing risk. Compliance differs from audit, audit differs from vendor risk, which differs from IT, and so on. Each line has its own way of codifying and structuring risk data and the processes it uses to collect it. The results are apples and oranges, fragmented conclusions of risk and control that obfuscate executives, boards, and regulators on the real drivers of risk within the organization.
Fortunately, GRC software systems have the capability to pull the disparate data together in a cohesive way to summarize risk data. Through a common built taxonomy, GRC technology can facilitate integrated risk management. The benefits are innumerable; examples include:
- It saves time by efficiently summarizing data from various sources
- It can reduce costs by identifying areas of weakness within business processes and optimize (reduce the likelihood of duplicative controls) control spend
- It can provide a common language of risk and control so that when risk data is presented it is less prone to interpretation
- It can streamline asks of the business, reducing the burden on limited resources
- Capital allocation and calculation can be enhanced by comingling risk and control data that takes into account diversification and common controls
Each of these facets brings measurable benefits to risk management process and its outcomes. The days of stakeholder confusion of making sense of contrasting risk conclusions is coming to a close. Capital, resources and time are too fragile to be stockpiled on wasted risk management practices that do not bring insight or value. The result will likely be movement to a more systematic approach to harmonizing risk practices and data. Doing it effectively and efficiently will be the trick.
2016 changes in the global political landscape have demonstrated that black swans can be found in bevies. Political earthquakes have reverberated around the world this year: president-elect Donald Trump, Brexit, French and German elections, and the Italian referendum have created significant uncertainty, which has put domestic and international businesses back on their heels to rethink their corporate strategies. Many are taking a seat on the sideline, waiting for something concrete to occur or are at least waiting for the fog to clear. However, is inaction really the best way forward?
Taking a “wait-and-see” philosophy likely will have some risk management benefits. Compliance is one. In the US, President elect Trump has stated that sweeping financial reforms, principally Dodd-Frank, have hurt the economy and that he would dismantle many of them. Although details are scant, existing tolerances for non-conformity should continue to remain low. It is still in question whether the cost of compliance (capital expenditures, people, time, etc.) actually creates business value. Relaxing activities at this point in time would probably do more harm than good, especially with the ambiguity of how political matters will play out.
Looking at this from a pure risk management point of view, a large part of risk management – and arguably one of the most important – is to try to understand what’s next: what are the events or topics that our organization hasn’t experienced yet but may? There are clear strategic implications of business decisions and how an organization is exposed to, and could take advantage of, new risks. Products and services will be developed, competition for jobs will increase, new customers will emerge as others fall away, and trade arrangements will be challenged. All of these have future functional implications on risk management.
Risk management spans across the organization and produces reputation, operational, and legal impacts. The value of risk management is in the collective evaluation of data to consider how changes in the economy, customer base, currency changes, and political movements influence business decisions. Pulling it together in an integrated way is the trick to capitalize on risk seeking and risk avoidance activities.
Ladd Muzzy is a principal at Nasdaq BWise. He has over twenty years’ experience in developing, implementing, and coordinating risk management programs. He has held senior corporate (Bank of Montreal, Barclays, Capital One) and consulting leadership risk management positions. Many of his experiences involve evaluating an organization’s risk management philosophies and current practices to move them to leading practice.