COVID-19 has directly affected the Risk Management profession. However, which developments will become a permanent aspect of Risk Management?
The COVID-19 crisis has left its mark on the world: the world economy has changed, and both politics and business have had to reconsider their priorities. Supply chains, business models and people's jobs have completely transformed, and many of these changes will remain after COVID-19 has passed.
Even before the COVID-19 crisis, it was already noticeable that the Risk Management profession was changing. The world became more complex and interconnected, and the rate of change accelerated as trends and structural breaks continued to reshape many industries. Risk Management was lagging behind and was forced to change to earn its place within the firm by creating added value and reflecting on its ability to contribute to it. Due to COVID-19, many organisations looked to their Risk Managers to guide the organisation through this crisis. Risk Management was suddenly granted the opportunity to demonstrate its worth and to accelerate many of the developments within the profession. Just like many other changes resulting from COVID-19, it is to be expected that these developments within Risk Management are here to stay.
The current COVID-19 pandemic proves that we live in an increasingly uncertain, complex, and interconnected world. The momentum is here; now is the time for Risk Management (professionals) to add even more value to the organisation. The pandemic has led to a realisation that Risk Managers must move closer towards the analysis of strategic, emerging and disruptive risks, actively engaging the wider C-Level audience. Risk Managers must not only focus on monitoring 'enterprise resilience' towards the crisis, but also on looking forward to achieve the business goals for the 'new normal'.
Besides the repositioning of Risk Management within organisations, the global health crisis has also urged corporations to allocate investments and further accelerate towards digital, remote, and intelligent automation of business processes. As such, the digitisation of processes will help corporations mitigate operational and compliance risks.
The function is no longer perceived as a check-the-box activity – it is now an essential and integral part of strategic and business decision making. It is no longer an add-on to the transformation agenda, but rather an essential approach and integral part of the business to continuously monitor and drive the achievement of organisational objectives.
These developments will also result in a demand for new skills and capabilities for Risk Management professionals. Until COVID-19 many Risk Managers focussed on internal and compliance-related risks. Now, however, Risk Managers also need to be able to discuss and understand more external and strategic risks. They need the capabilities to act as a strategic business partner for both senior management and other stakeholders within the organisations. Thus, Risk Managers need to understand the strategic planning process, but also the new business models that the organisation might move towards (including the connections with the current business model).
Additionally, they need to be able to break the silos within the organisation and collaborate with other departments to understand the increasing interconnectivity between risks. This leads to an increased need for interpersonal skills besides the usual analytical and technical skills.
Furthermore, Risk Managers need to focus more on defining risk responses and on how to put these plans into practice when a risk event occurs. COVID-19 showed that significant external risks cannot be avoided. Organisations cannot ignore the realistic possibility that a crisis similar to COVID-19 will happen in the future (e.g. a next pandemic or a climate change crisis). No matter what, an organisation will be impacted by this next crisis in one way or another. Risk Managers need to be familiar with crisis management in order to effectively respond to the next crisis. It is all about limiting the impact and recovering from the next crisis as fast as possible. Only then will Risk Management be able to help to increase the business resilience of the organisation.
Thanks to the advancement of digital technology, Risk Management functions and corporations have gained many benefits. The burden on Risk Managers is largely lifted by diverse types of risk solutions that enable them to monitor risk and assurance activities across different business units and processes in their organisation.
The business landscape is continuously changing, and in order to stay relevant, risk professionals have to envision what their role will look like in the future: how can we further develop and generate the maximum benefit from the use of technology within Risk Management?
As risk professionals gradually reposition the role of Enterprise Risk Management in the organisation, the use of cutting-edge technologies and techniques will accelerate, particularly in the following areas:
1. Understanding of risks
Organisations would ideally need a set of technologies to do real-time analysis of trends. We are blessed with an abundance of information on the World Wide Web which can provide us with ideas about signals of change. External data will become essential to continuously identify signals of change that can be considered as a risk or opportunity in the midst of an increasingly complex and fast-changing environment. As such, Big Data and Machine Learning will enable us to analyse global publicly available news, blogs, and research papers.
Strong Risk Management practices should be backed up by a comprehensive Risk Universe, which helps organisations identify trends that may not be on the radar of management. Technology will enable organisations to keep their Risk Universe up to date, at any given time.
The decision-making process must embed techniques to quantify both outcomes and probabilities to better understand the uncertainties involved. Quantification means that the uncertainty is expressed in a (monetary) value. Such techniques provide a strong basis to make strategic decisions and choices, and (equally important) to question them. For example, does the organisation really want to invest a certain amount to mitigate the risk if the actual value at risk is lower than that amount?
Quantification of risk would help organisations to gauge the size of the risks they are facing and to monitor the trends in them. It is also useful to assess the organisations' capability to remain resilient in times of crisis.
2. Managing risk
Due to the new focus areas and developments, Risk Managers will have less time available to manage the internal and compliance-related risks. However, this does not mean these risks can be ignored by the business. In some organisations the Risk Management department can allocate these tasks to an Internal Control or Compliance team. However, if this is not possible the Risk Managers need to be able to increase the efficiency of their traditional tasks.
The aim of control automation is efficiency, whilst maintaining control effectiveness. Automated control execution provides greater certainty, because the more data is analysed the more controls can be executed consistently. Cost effective automation of routine control and compliance activities will equip the first line to take ownership of the quality of their processes and controls. This would enable Risk Managers to free up time to focus on strategic and emerging risks.
Continuous monitoring provides management with information on key performance metrics in (close to) real-time. This allows for better insight into issues as they arise, thereby improving their ability to manage risks and opportunities.
Continuous monitoring is typically embedded in modules of GRC solutions available in the market. By automating control execution, Risk Managers can reduce manual efforts and increase quality. Improved management and monitoring of controls through clear data & analytics dashboards allow Risk Managers to show stakeholders within the organisation how to obtain real-time compliance and process insights. This will ultimately lift the burden off the second and third line, reducing the extent to which detailed testing of controls is required and allowing the organisation to better focus on setting risk policies and tolerances that match their business model and changing economic conditions.
There is no 'one size fits all' approach for Risk Management. Organisations, industries and goals differ. Therefore, Risk Management requires a tailored approach to create the most value for the organisations. KPMG can help you to understand the desired Risk Management approach for your organisation, and identify the gaps and steps needed to stay relevant and become the key business partner within your organisation. Please contact Bart van Loon or Marjolijn Herman for more information.
With special thanks to Archi Kristamuljana and Thijs Theunissen for co-writing this publication.