Risk & Risk Management
Fraud and cybercrime remain the highest reported systemic risks for CFOs, although economic headwinds, regional trade issues and consumer demand concerns appear to be spiking as we enter 2019.
Reports indicate that 62 per cent of businesses expect cyber risk to cause disruption within the next three years, yet nearly three-quarters report poor cyber maturity. Cyber threats have also raised awareness of issues traditionally viewed as ‘internal’, not least the question of identity and authorised user access to corporate data and systems. This is no longer just a joiners, movers and leavers problem: systems are ever more interconnected, with suppliers, subcontractors, operational partners, service providers and customers all having access in our streamlined end-to-end processes. This has led to some unfortunate breaches, and organisations are becoming aware that up to 20 per cent of the individuals currently authorised to access their systems and data have either left their employer or are no longer appropriate for that access.
Culture & tone at the top has hit the headlines again in recent months, with CEO behaviour at Uber and others and the artist formerly known as Elon Musk getting into hot water on some “market moving” comments.
Enterprise Risk Management (ERM) has been a long time maturing. We are moving from a world dominated by policy and control, driven in large part by the compliance regimes of the last decade, towards a broader, more holistic approach to understanding and managing risk and opportunity in the business. With the emergence of so many compliance, regulatory and industry requirements, duplication of risk management and controls effort has become commonplace. Now is the time to take a broader view and eliminate redundant or duplicated effort. ERM provides a stable framework for considering risk across the business; it is becoming the language of business decision making, and it recognises that risk is part of achieving any outcome.
Our view of risk in today’s world needs to recognise that consumers, shareholders, other stakeholders and the world at large have a growing interest in the ‘how’ as well as the ‘what’ of business. This means that financial results are no longer the sole measure of success. Ethics risk is no longer just about our own organisation, but about the overall ecosystem, including supply chains, service providers, manufacturers and distribution channels. Risk management now really is a team game!
The Institute of Internal Auditors (IIA)’s “Three Lines of Defence” model is undergoing review after 20 years, responding to criticism that it is overly defensive and reactive and does not address the risk/performance dynamic. There is still too much consideration of risk as a ‘compliance’ issue, dealing purely with ‘harms’ rather than with the upside of risk. Business opportunities, big and small, are only created by taking risk. There is much debate on this topic, but it reflects a growing appreciation that risk management is just that: ‘management’. It is essentially about increasing the likelihood that business decisions are informed and intelligent. Accounting Today produced a useful summary of the discussion here.
When it comes to technology for risk management, there is great interest and some excellent development in the use of data analytics and process mining, AI and machine learning, and the application of Robotic Process Automation. Possibly stimulated by the need to maintain ‘buzzword relevance’, it seems that “Integrated Risk Management” (IRM) is set to displace “Governance, Risk Management and Compliance” (GRC) as the guiding term for this discipline. I remain sceptical that there is any fundamental shift in thinking, but sometimes labels matter. Other than the psychological impact, though, does this change of label actually offer any substantial advantage?