Gaurav Kapoor, COO at MetricStream
Around the world, consumers and investors are demanding better standards of corporate governance and integrity, thereby shifting the emphasis of risk management beyond traditional risk areas such as financial risk, to non-traditional risk areas such as conduct risk, reputational risk, and ethical risks. Meanwhile, emerging digital technologies such as artificial intelligence and machine learning have introduced new concerns around data security and privacy. Added to that, product lifecycles have shortened, and innovation has accelerated, calling for a greater awareness of the associated risks.
In this dynamic environment, chief risk officers (CROs) have a dual role – to help the enterprise protect its integrity and reputation, while also catalysing business performance. It’s a tricky balancing act – one that requires CROs to not only provide credible challenge to the business, but also be supportive of profit and growth. With that in mind, here are three key priorities that are becoming increasingly important to CRO success:
- Strengthening cyber resilience
The CRO seems to have emerged as a guardian of the digital universe where digital data volumes have continued to grow, and with them, the scope of cyberattacks has increased. Today, a single data breach can strike at the very heart of the business, impacting financial gains, investor confidence, regulatory credibility, and legal liability. Therefore, it’s no surprise that cyber risks are the number one business risk for many organisations. A 2017 EY and IIF survey of financial institutions found that 77% of CROs globally ranked cybersecurity as the highest risk.
While chief information officers (CIOs) and chief information security officers (CISOs) may be in charge of mitigating cyber risks, it is the CRO who is ultimately responsible for the overall risk management programme. By virtue of his or her role, the CRO has a broad view of risks across the organisation and can effectively understand how a data security risk can amplify or influence the impact of other enterprise risks, be it reputational risks, compliance risks, or financial risks. The CRO also has the ability to bring together stakeholders and provide the executive team and board with a big picture view of how cybersecurity risks impact the enterprise at multiple levels.
- Safeguarding the customer experience
Social media has amplified the voice of the customers, enabling them to speak up and be heard over issues such as poor-quality service, unfair treatment, and mis-selling. Today, a consumer complaint – whether it’s a video of an airline’s passenger being mistreated, or a tweet about a company’s unethical business practices – can go viral in a matter of minutes, impacting the company’s brand value, reputation, and customer loyalty.
CROs play a key part in mitigating these conduct-related risks by driving a corporate culture based on integrity and trust – one that puts customers at the centre of the business and holds stakeholders accountable for their behaviour and actions. CROs are responsible for ensuring that there are sufficient policies, controls, training processes, and reporting mechanisms to keep conduct risks in check. They also need to have monitoring mechanisms in place to flag questionable transactions and employee behaviours.
These requirements aren’t just about checking a compliance box, but about doing the right thing, and treating customers fairly, which in today’s competitive world, can have a major impact on business success and performance.
- Being an enabler of innovation
Rapidly changing consumer demands and fierce competition are upping the pressure on organisations to increase the speed of innovation. There are no margins for error, which means that organisations have to make decisions quickly and get them right. To do that, they need to understand the risks and uncertainties involved and take sufficient precautions to avoid untoward outcomes. This is where the CRO has a pivotal responsibility, enabling organisations to make better, faster choices – for instance, avoiding launching a new product in a market that isn’t ready. By helping stakeholders understand such risks and capitalise on the right opportunities at the right time, CROs can be strong enablers of innovation.
PwC’s 2018 Risk in Review study found that “adapters” – organisations with risk management programmes that effectively manage innovation-related risk – were nearly twice as likely as their peers to say that their risk management function helps boost the odds of success or reduce the odds of failure across the business. In fact, adapters that also consider their organisations to be more innovative than those of their peers are three times more likely to anticipate revenue growth.
Turning to technology
Most of the above priorities of the CRO come down to one core objective – ensuring that stakeholders, particularly the executive management and board, have the risk intelligence they need, when they need it, to make informed business decisions.
For years, that intelligence was buried within mountains of big data. However, today, tools are being developed to sift through this data in near real time. Artificial intelligence and natural language processing are beginning to open up new ways of analysing information to predict risks like potential fraud, or to detect cybersecurity incidents before they occur.
CROs also have access to risk management systems and tools that can help them automate multiple risk management processes and collaborate with stakeholders in other GRC functions to share and reuse risk information. With a few clicks of a button, they can understand how risks interact with and influence each other, the controls that are in place to mitigate those risks, as well as the associated policies, procedures, control tests, issues, and business units. With this 360-degree, contextual risk visibility, CROs can effectively identify where they should be focusing their time and resources.
As enterprise risks grow more complex and interconnected, CROs play a crucial role. They act as the guardrails of the organisation, enabling the business to go faster, without losing its balance or swerving off the track. Fulfilling this responsibility may be challenging, but it can be achieved with streamlined processes, clearly defined three lines of defence, and robust risk management technology and analytics.