From maintaining an inventory of potential risks to holding workshops that develop response plans, CROs must adopt a more proactive approach
Last week KPMG outlined seven risk management issues that chief risk officers (CROs) need to focus on in 2016. The issues span the strategic, operational, and external risks that companies face.
‘CROs today face an unprecedented number of new and emerging risks that can threaten corporate strategy if they are not identified quickly and managed properly,’ says Kelly Watson, national service group leader for risk consulting at KPMG. ‘Recently, technology risk management, data security, and crisis management have become of increasing concern to CROs.’ The seven key risk areas are:
- Technology Risk Management: Companies face new risks from social media, cloud computing, and connected devices. Many IT organizations have established an information technology risk management (ITRM) function, which lets them be proactive rather than reactive: anticipating and avoiding problems instead of responding after the fact to audits, new regulations, and new business strategies. ‘The ITRM function operates as an intermediary and a risk advisor to IT,’ says Watson. An inventory of potential risks, reviewed and updated on a regular schedule, gives CROs a basis for anticipating risks before they materialize.
- Third Party Risk Management: Organizations have thousands of third-party intermediaries that they need to monitor in order to identify those that can put them at risk. ‘The CROs should help to vet third parties and help identify those which should be placed under the microscope—not only during the onboarding process, but on a continuous basis,’ Watson advises.
- Fraud and Misconduct: The business activities of employees, vendors, and third parties need to be monitored to detect and prevent financial fraud and employee misconduct. Collusive behavior (as opposed to fraud committed by an individual) is on the rise, partly because controls such as segregation of duties make it harder for one person acting alone to commit a fraudulent act. Collusion is a special concern for CROs because controls designed around a single actor are easier to circumvent when two or more people cooperate, and the resulting activity is harder to detect. Watson suggests CROs perform background and integrity checks on employees, vendors and other third parties; update the company’s ethics program; and look for red flags, such as signs that an employee is clearly living beyond his or her means.
- Crisis Management: To promote scenario planning by business unit leaders, CROs should hold workshops and develop plans to deal with cyber intrusions, regulators’ queries and investigations, compliance challenges, litigation, man-made disasters and workplace violence. CROs must make sure that arrangements with vetted lawyers, IT and forensic accounting professionals, and other consultants are in place to be able to handle crises quickly.
- Data Security: Companies are connected to an increasing number of organizations, and sophisticated attackers have found new ways to infiltrate networks. CROs should understand risk at the business process level as well as at the technology infrastructure and data level, and should monitor connections to other organizations to understand how third parties use and protect their client companies’ information.
- Achieving Compliance Program Effectiveness: Companies need to anticipate regulatory changes and plan for how they will be implemented under the leadership of the CRO and chief compliance officer. Best practices include assessing the ‘effectiveness, efficiency and sustainability of their compliance practices within their business, risk and internal audit areas,’ says Watson. This includes making sure that they have the processes and controls in place to effectively meet compliance requirements.
- Improving Risk Data Aggregation and Reporting: CROs need to focus on improving risk reporting to both the board and C-suite, due to increased regulatory demands to aggregate risk data and improve data quality.
While risks are increasing, a well-organized and effectively implemented risk management program can ‘turn potentially crippling risks into opportunities for innovation, cost reduction, improved compliance and competitive advantage,’ says Watson.