Chief risk officers (CROs) will need to keep close watch on a number of strategic, operational, and external risks this year, according to new research by KPMG LLP. Effective risk management and mitigation will be critical, since companies’ strategies, business models, operations, reputations, and, ultimately, survival are on the line.
“CROs today face an unprecedented number of new and emerging risks that can threaten corporate strategy if they are not identified quickly and managed properly,” said Kelly Watson, National Service Group Leader for Risk Consulting at KPMG LLP. “The CRO needs to lead an integrated, organization-wide risk management program that can turn potentially crippling risks into opportunities for innovation, cost reduction, improved compliance and competitive advantage.”
KPMG has identified seven key strategic, operational and external risk areas that should top CROs’ risk management agendas this year:
Technology risk management
The increase in technology risk has caused many IT organizations to establish information technology risk management (ITRM) functions. ITRM functions manage and monitor technology risks so that companies can anticipate and avoid problems rather than react to them. CROs who maintain a strong ITRM function and a close working connection with it can proactively manage technology risks rather than reacting to audits, new regulations, new business strategies, and other disruptions.
Third party risk management
Organizations today have thousands, if not tens of thousands, of third-party intermediaries. As the role of third parties in companies’ interaction with governments has grown and supply chains become more stretched, companies’ monitoring of their third parties has become critically important. Companies are challenged to identify which of these numerous third parties are putting them at risk. The CROs should help to vet third parties and help identify those which should be placed under the microscope – not only during the onboarding process, but on a continuous basis. They should also help to determine how technology and the effective use of data analytics can help, rather than hinder, the process.
Fraud and misconduct
Companies should continue to monitor the activities of employees, vendors and third parties to detect and, wherever possible, prevent financial fraud or employee misconduct that can result in financial losses and damaged reputations. CROs should be especially wary of frauds that indicate collusive behavior. Collusive behavior is on the rise due to the emphasis companies have placed on improving their financial controls environment to comply with Sarbanes-Oxley and other regulations. These controls make it more difficult for an individual acting alone to perpetrate fraud, so co-conspirators are enlisted to enable fraudulent schemes to bypass certain control structures.
CROs should ensure that their companies place a strong emphasis on scenario planning – holding workshops and developing documented plans to prepare for and respond to potential crises such as cyber intrusions, regulatory scrutiny or investigations, compliance challenges, litigation, or workplace violence. Since a crisis strikes without warning and requires a swift response, CROs need to take steps to ensure that on-call arrangements are in place. Lawyers, IT and forensic accounting professionals, and other consultants should be vetted, contracted with, and know the business beforehand to be ready to take action at a moment’s notice.
Diminishing security perimeters have been discussed for some time, but it is now fully acknowledged that corporate security perimeters no longer exist. Data and critical processes cross many organizational boundaries, including customer self-service, strategic sourcing, supply chain integration, business partnerships, and technology enhancement. Being able to understand risk, not just at the technology infrastructure or data levels, but also at the business process level, is critical. Since companies are more connected to more organizations than ever before, CROs need to monitor those connections if they are to better understand how trusted third parties are using and protecting company information. It is also important for CROs to provide their trusted business partners with greater insight into their own control and security environments.
Achieving compliance program effectiveness
The growing number of regulations affects every facet of a company’s operations, and these regulations are implemented and enforced by an array of agencies worldwide. In this environment, companies need to anticipate regulations before they are implemented and plan for them under the leadership of the CRO and the chief compliance officer. Companies should have a mechanism in place to capture an updated inventory of global regulations; employ a methodology to help prioritize regulatory obligations and manage regulatory change; evaluate compliance program effectiveness with regard to monitoring, testing and reporting; and ensure that they have an enterprise-wide view of regulatory risk and are able to collaborate internally to present a comprehensive report to the board.
Improving risk data aggregation and reporting
As regulatory requirements become more stringent, and the demand for risk data aggregation and improved data quality increases, it is essential that CROs concentrate on improving risk reporting, particularly within the financial services sector. Such improvement involves enhanced report content and the automation of real-time information collection. The ability to identify risk exposure across entire organizations and geographies, and the capacity to understand concentration risk and counterparty risk from a business perspective, are imperative.