As essential as it is, risk management can also be a thankless job. Rarely is credit given for preventing risks when no such impact occurs. It’s safe to say risk management isn’t going to get any easier as the complexity of the field and the areas it covers continue to expand. However, there are remedies available to manage the challenges ahead.
SEE: Launching a career in cybersecurity: An insider’s guide (free PDF) (TechRepublic)
Technology offers the potential to contribute both to the problem (in terms of risks which can impact organizations) and the solution (in terms of preventive measures). Saptarshi Ganguly, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish of McKinsey and Company believe selective digitization is the answer. Their article, Digital risk: Transforming risk management for the 2020s, focuses on how digitization can “create real business value by improving efficiency and the quality of risk decisions.” Furthermore, “a digitized risk function also provides better monitoring and control and more effective regulatory compliance.”
A recent survey by Protiviti and North Carolina State University that gathered data from more than 1,000 participants outlined macroeconomic risks, strategic risks and operational risks facing enterprises in 2020. At the top of the list were: the “impact of regulatory change and scrutiny on operational resilience, products, and services,” “economic conditions impacting growth,” and “succession challenges; ability to attract and retain top talent.”
It’s worth noting that new or upgraded skill sets to handle digital technologies also appear on the list.
How will risk management change in 2020?
Scott Matteson: What are the current top challenges risk managers must face (internally and externally)?
Matt Kunkel: The top challenges risk managers are facing are typically due to one or more of the following issues: They lack support for risk management at the top of the organization, different processes per business unit or disparate data in different silos across the organization.
Scott Matteson: Can you provide me with some insights into how the day-to-day activities of risk managers can do better?
Matt Kunkel: Some day-to-day activities of risk managers that can always be improved is tracking, aggregating, mitigating, educating and reporting on the different risk vectors in an organization.
Scott Matteson: How are risk and compliance changing?
Matt Kunkel: Risk and compliance are becoming a predictive, proactive function versus a purely reactive function, which it has historically been.
Scott Matteson: What questions should risk managers be asking themselves as strategy changes to a proactive approach?
Matt Kunkel: Risk managers should ask themselves, “How can I use data from my compliance, incident, and risk tracking systems to make strategic bets to protect my organization?” As we forge ahead into a new decade, risks and their variety are increasing at an accelerating rate. This is especially true as software systems are increasingly cloud-based, and leveraging third parties becomes the standard way of doing business.
Scott Matteson: How are the demands of risk managers changing?
Matt Kunkel: Because risk and compliance are becoming integral parts of strategic discussions, the functions touch every part of the organization. Meaning, risk managers need skills beyond purely technical skills.
Scott Matteson: What kind of non-technical skills do risk managers need to possess to be successful in the year ahead?
Matt Kunkel: Risk managers need to work cross-functionally and wield their influence up and down the organizational chart, which requires strong leadership and communication skills. They need to be able to demonstrate influence without formal authority; the company’s future rests on their ability to do so. Historically, these attributes have been beyond the scope of a risk manager, but that is no longer the case.
Scott Matteson: What are three technical skills for risk managers to hone in the year ahead?
Risk quantification and analysis—Quantitative risk management is the process of converting the impact of enterprise risk into numerical terms. This numerical information is used to inform strategic objectives and decision-making.
Data modeling—Data modeling is the process of creating a conceptual representation for the way data will be stored in a database, consisting of data objects, associations between them, and rules.
Data integration/ Extract, Transform, and Load (ETL)—The foundation of any business intelligence solution is the data integration layer, or ETL. ETL enables the collection of data from various sources into one data store, ready for analysis.
Scott Matteson: How should organizations approach risk management from the bottom up in the year ahead?
Matt Kunkel: In order to avoid risk, employees first have to know about and understand it. Companies need a firm foundation of risk management and awareness so there is a first line of defense against risk with the visibility and empowerment to bubble any hazards up through management ranks. That won’t happen without a culture of risk.
Scott Matteson: What sort of training or education do you recommend for risk managers?
Matt Kunkel: Risk managers should focus on leadership and communication skills development because the role is so cross-functional. Formalized certifications to consider include Certified Information Systems Auditor and Certified Information Systems Security Professional.