Risk management is and always will be an integral aspect of life. This is especially evident when seeing life as a massive web of cause (activity), consequence (reaction), and 'risk' as the deviation from the ideal. I believe that approaching risk in this manner may be liberating because it enables us to forsake activity labeling in favor of considering the uncertainty of established outcomes. For a risk-taker, thinking in these terms reinforces the internal locus of control and contributes to the development of a focus on risk controls and management.
The preceding paragraph emphasizes the critical nature of risk assessment. However, understanding which risks to consider is both beneficial and necessary if risks are to be detected and handled effectively. The following paragraphs detail what we believe to be some of the most significant new risks confronting financial institutions. I am reminded of a comment attributed to the late Donald Rumsfeld (former US Secretary of Defense): "Unknown unknowns—the things we don't know we don't know tend to be the most difficult." We want to shed some light on some of the 'Unknown unknowns' by highlighting some of our top risk patterns below.
The insights are based on a survey by Avantage.
Modeling Pre-Existing Risk
With all of the disruptions caused by contemporary technology, listing well-established risk categories may come as a surprise. However, the need to make risk modeling more effective is becoming increasingly critical, particularly in light of persistent regulatory demands, a growing emphasis on 'risk forecasting' (in the aftermath of the Covid-19 pandemic), and the need for enhanced scenario planning. In a recent CRO study (Avantage Reply – 2021), only just over 20% of CROs indicated that their organizations had sophisticated scenario testing skills. Additionally, as rules evolve and numerous audit cycles, compliance, and stress scenarios become more complicated, organizations will need to work harder to stay current.
Cyber security breaches continue to rise in frequency and severity. The Covid-19 outbreak has resulted in substantial shifts in consumer and criminal behavior, demanding agility from IT teams and perhaps adding to fiscal challenges. For businesses, investment in this area has never been more vital, both for compliance efficiency and for managing consumer expectations. Additionally, fast cloud adoption, combined with the increased pace at which businesses must innovate, will continue to heighten cyber security danger levels.
Social and Environmental Governance (ESG)
Unlike its predecessor, 'Corporate and Social Responsibility' (CSR), ESG encompasses political, social, and financial goals and provides financial institutions with some tangible benefits, sufficiently so that regulators at both the Prudential Regulatory Authority (PRA) in the United Kingdom and the Prudential and Resolution Control Authority (ACPR) in France have deemed it essential to implement a 'climate risk' stress testing exercise. We anticipate that this will continue to gain importance, since Avantage Reply's CRO survey revealed that "just 35% of respondents had a formal, documented climate change and ESG risk management strategy in place."
Machine Learning/Artificial Intelligence/Emerging Technologies
The magnitude and velocity of technological advancement are self-evident. Moore's law continues to be demonstrated and is at risk of being surpassed. Beyond Moore's law's impacts, there is a more powerful element known as Wright's law, which 'predicts cost drop as a function of cumulative output.' We anticipate that this phenomenon will continue to deflate technology costs, resulting in wider application and acceptance of technology in areas such as active risk detection and monitoring, regulatory compliance, and business insight creation and analytics. Earlier manifestations of this trend led businesses to invest in more cost-effective data storage (bigger) and processors (faster), which explains in part the present use of cloud computing.
Non-Financial Risk (NFR)
Curiously, I've always considered the term NFR to be rather deceptive, given that any risk type might hurt a firm's balance sheet. Measuring the impact, however, is not always an easy process: quantification and estimation continue to be both a significant issue and an area of potential. This was particularly obvious during the Covid-19 outbreak, which showed a significant deficiency in many organizations' capacity to assess possible operational resilience weaknesses.
When respondents to the Avantage Reply CRO survey were asked whether "interdependencies and vulnerabilities for each critical business service resource have been identified," around 34%, a particularly high percentage, either strongly disagreed (10%) or disagreed (24%). We think that the consequences of rising demand and regulatory scrutiny on Third-Party Risk Management (TPRM), reputational risk, and organizational ways of working (WoW) will keep NFR relevant for years to come.
Finally, the pressures on businesses to achieve more with less are rising all the time. Risk operations are under pressure to reduce costs and improve efficiency. We remain positive, though, about the available prospects, particularly for organizations ready to actively embrace the changes that emerge from the aforementioned risk trends. Organizations must prioritize both understanding and mitigating these trends.