The interconnected nature of modern business necessitates a holistic approach to risk. When an organization's governance, risk, compliance (GRC) and security functions are siloed, it's difficult to deal effectively with the total scope and potentially cascading effects of that which can harm the company, its customers and partners. As the pace of business accelerates and operations become increasingly digital, more organizations are forming enterprise risk management (ERM) groups or committees. Not surprisingly, new platforms are helping to facilitate the shift.
"Digital transformation requires a very tightly knit coordination between all of these functions," said Forrester Research Analyst Alla Valente. "We're seeing the growth of an enterprise risk management function and they're taking on responsibility for operational risk, for financial risks, in many cases compliance, and business continuity as well."
Why the various risk functions are fragmented
Company structures tend to differ based on the industry in which they operate, their size and their organizational philosophy. Many businesses have expanded the C-suite over the past couple of decades to include some combination of chief security officer (CSO)/chief information security officer (CISO) chief privacy officer (CPO) and chief risk officer (CRO).
Whom those positions report to also varies. For example, the CPO may report to the chief legal officer (CLO) or the CSO/CISO. The CSO/CISO may report to the CIO, COO or CEO.
"So many of these departments are organized according to the organizational structure of the business. The problem with that is the business is always changing," said Kreg Weigand, partner, Internal Audit & Enterprise Risk at KPMG.
Many risk functions were created in response to a major event like the 2008 financial crisis or a regulation such as Sarbanes-Oxley (SOX) or GDPR. Similarly, computer, network and cybersecurity were created as the result of technologically enabled threats. Now, companies without ERM groups or committees are feeling the effects of organizationally and technologically siloed efforts. Specifically, each risk-related function is using its own GRC system when the effects of many risks are cross-functional. For example, when a hacker steals data, the security team probably isn't the only team impacted. Other groups may include compliance, governance, legal and traditional risk management (financial risks).
"[P]articularly between compliance, privacy and security there's sometimes an underlying assumption that a specific area is being covered by one of the others and sometimes we see things slip through the cracks," said Joe Nocera, a principal in PwC's Cybersecurity and Privacy practice. "They tend to use different scales of measuring risks and they tend to use different workflows and mechanisms for risk acceptance and mitigation activities."
Why enterprise risk management is critical
Organizations are forming ERM groups or committees so they can manage risks holistically. While boards of directors tend to have a committee that oversees corporate risks, the operative word is "oversees" when it comes to directors. Other people execute. Oversight and execution are more effective when there's a layer of continuity and collaboration across risk-related functions. The ERM group or committee supplements whatever risk management is being done by specialized teams. Their cross-functional view also benefits the board's committee.
"[W]hen board members come to us and they say why when compliance talks to me and cyber talks with me and internal audit and risk management they all give me a different top risk and why aren't they coordinating together to make sure that when I get a report as a board member that I understand what truly are the top 3 – 5 risks facing the organization, not just within the siloes, but I need to be able to look at that horizontally," said KPMG's Weigand.
The trend toward ERM is also reflected in technology consolidation from several function-specific governance, risk and compliance (GRC) systems to a common system. In fact, for the past couple of years Gartner has been predicting the demise of GRC systems in favor of Integrated Risk Management (IRM) systems.
However, an IRM system isn't an ERM strategy. An ERM strategy considers people, processes and technology.
"Even within IT, you have project risks, you have development risks, you have risks that are associated with audit and compliance, but they're not dealt with in a very comprehensive way," said Christine Coz, principal research advisor at Info-Tech Research Group. "The key thing is sponsorship at the right levels of people in those conversations and that there is a goal to sort of act as a subset of the board of directors to ensure from an oversight perspective that there's a management of controls in place, that risk acceptance is in line with corporate tolerances and that you have a consistent level of risk tolerance and acceptance across the enterprise."
The digitization of everything necessitates the need for ERM, not only because digital businesses operate much faster than their analog counterparts, but because risk management is a brand issue.
"When you have a lot of competition in an industry, which is where I think we are now, every product and service [is] replaceable, our car insurance, your mortgage, our telecom carrier, your food app, you name it," said Forrester's Valente. "The minute you're not securing my data, you're infringing on my privacy, all these things that can go wrong, now all of a sudden risk management becomes a differentiator."
AI, machine learning will help
Every aspect of ERM is ripe for enhancement by intelligent technologies and techniques including AI, machine learning and robotics process automation (RPA). Right now, the big difference between GRC systems and IRM systems is generational. According to Gartner, GRC systems have yesteryear's traits (e.g., closed and aimed at a technical audience) versus IRM systems that have modern traits (open and aimed at business leaders).
"We already have continuous controls monitoring now and important instruments in the environment [monitoring risks]," said Rik Parker, principal, Cyber Security Services at KPMG. "I think in the next three years there's going to be more machine learning and artificial intelligence to help us start to think of using robotic process to not only identify and alert on risk and risk thresholds, but to help automate some of the decision-making process. It's going to have information that is based on decisions, based on performance, based on key events that take place in the environment where the alerting can be more intelligent and help surface things."
Modern times and new business models necessitate a more comprehensive approach to managing the growing scope and faster impact of risks. These days, organizations need a cross-functional ERM group or committee in addition to specialized security and GRC functions to more effectively assess, identify, monitor and manage risks. These evolving risk management capabilities are being facilitated and optimized by a new generation of IRC systems that will become increasingly automated and intelligent.
For more on risk, governance, and security, read these articles: