A Threatening New World

The chief risk officer (CRO) has always walked a fine line to balance the need to protect the business with the need to run it, but these are challenging times. Managing risk and meeting regulatory requirements are difficult, and emerging risks are exacerbating an already complex task. Cyber-risk, in particular, brings a new set of threats that are global and internet-based and proliferate quickly.
A recent CRO survey indicated that only 42 percent of bank CROs consider their institutions to be extremely or very effective in managing cybersecurity risk [1]. Yet that risk type is ranked among the top three that will increase in importance in the next two years. And, we know, future risks will be different.
The accelerating cycle of digital business innovation is forcing CROs to take a new look at enterprise risk. As companies integrate technology into more business processes, they open themselves to greater security threats.
CROs must develop more sophisticated responses and take advantage of all the technology and analytic tools at their disposal, many more than they needed to manage traditional risks. The viral nature of cyber-risk demands that they identify early-warning mechanisms to flag where problems may emerge before the risks materialize. They will also need to evolve from their current technical, IT-centric roles of implementing and overseeing controls to collaborating across business units and corporate functions to influence executive policy.
Underlying it all, the CRO will be forced to look for more efficient practices to keep up with the speed of innovation. Companies still require their executives to do more with less, even as market events increase the number of risks.
Who is this next-generation CRO—the CRO 3.0—the one who understands the importance of digital technology and analytics to enable the company’s ongoing pursuit of new markets, products and best-in-class performance? The modern CRO is a mix of business acumen and technical knowledge who can assess risk in digital environments and make recommendations to improve company resilience without overly compromising business performance. Today’s CRO is also a strong communicator who can serve up data in frameworks that easily lead to decisions. Simply said, the CRO must be adept at right-brain as well as left-brain thinking.
Evolution of the CRO
CRO 1.0: The Technician
In earlier risk-management functions, the CRO was responsible for building risk models and creating frameworks to quantify risk and ensure organizational compliance. The role was technically focused, with additional scope to create systems and processes. S/he was not required to forecast future risks and assess asset liability; nor did s/he have a seat at the executive table, where risk remained under the control of business unit leaders. Much changed with the emergence of the digital enterprise, which refocused risk management priorities on strategic, market, cybersecurity and geopolitical risk.
CRO 2.0: The Strategist
As risk functions became subject to business pressures, such as productivity targets and cost saving, CROs assumed greater frontline roles and helped communicate the value of risk management to the board. With their growing influence, CROs were responsible for the company’s second line of defense, behind the first-line business owners, and contributed to decisions affecting business strategy, market risk, product development and asset-liability management. They were also tasked with setting up core enterprise risk management processes and ensuring that good risk habits were embedded in the company culture.
CRO 3.0: The Forecaster
Today’s CRO is becoming the eyes and ears of the business, enabled by big data insights to mitigate emerging risks. With the benefit of predictive analytics, CROs and their data-savvy teams use scenario and trend-impact planning to deliver more accurate predictions. They are valuable business partners who help identify threats and opportunities and develop long-term strategies that balance risk and reward. Most importantly, they are leading the company’s efforts to build a resilient defense to emerging operational and cybersecurity risks.
Digital capability priorities
Companies that are actively integrating digital technologies and tools into their business processes are seeing benefits from their agility, competitiveness and overall effectiveness. CROs have important roles to play in leading that digital transformation, whether it’s on a modest or more comprehensive scale. They must align risk priorities and ensure that controls and metrics are in place to scale risk initiatives to meet market and transaction dynamics while achieving an optimal level of business performance.
To move these initiatives forward, CROs will require an investment strategy that prioritizes the adoption of technology, process and tools that improve accuracy and process, efficiency and reporting.
Key considerations should be given to solutions that:
- Handle growing volumes of data with greater efficiency
- Provide a single, firm-wide view of risk and control
- Create consistent risk assessments performed on similar processes across the enterprise
- Provide assurance over a larger population of transactions
- Consolidate multiple tools and technologies and siloed reporting standards that impede integrated reporting
- Forecast and develop early-detection mechanisms for cyber-risk and other operational risks
As CROs align these priorities, they’ll likely find inconsistent risk levels across the organization and potential weaknesses in the integrity of business processes and service delivery. Where formerly security practices and systems were segmented, the digital model must have an integrated approach.
Roadmap for Digital Risk Management
As strategic risks increase and the marketplace innovates, CROs must have a plan to innovate and quickly respond to market events and emerging risks. They should also gradually integrate those technologies into the fabric of work, building them into their operating model and the work style of their people.
Create a center for excellence to manage strategy, standardize execution and reduce costs. CROs have learned that they can achieve greater levels of efficiency by centralizing risk processes for reporting and transaction management. Such centers help promote best-practice adoption, competency development and enterprise standardization. They also enable other critical functions, such as the rollout of early-warning mechanisms and development of comprehensive risk reports with consistent standards for board and executive-management audiences.
Implement robotics and automation to improve accuracy and speed of reporting, and provide continuous monitoring. Robotics have many applications that support high transaction volumes, enterprise-wide compliance processing and identifying discrepancies in large data sets. This wasn’t the case ten years ago when CROs relied on manual processes to test controls on a sample basis. But current technology and automation have significant data-management and detection capabilities that allow them to cover a larger group of transactions. For instance, robotics help risk managers focused on fraud ensure that active employees follow authorization rules and departed employees are removed from databases in a timely way.
Accelerate adoption of analytics to assess organizational risk and embed in all risk management processes. The complex and global nature of business and its growing dependence on information technologies are increasing a company’s exposure to events that can deeply impact its operations and those of its suppliers. While modeling methods and tools exist, many do not fully address the challenges arising from the development of end-to-end, integrated risk-management systems. Predictive analytics help harness and assess enterprise risk. They allow CROs to pull data from multiple systems to build long-term policies and procedures. They also provide a continuous feed of risk information to facilitate real-time decision-making.
Leverage third party platforms to build risk infrastructure. In order to reap the full benefits of risk strategies, CROs need to ensure that the risk infrastructure is keeping pace with the increased complexity of risk analytics. In the past, with little innovation happening in the outside markets, most of the companies ended up building their own proprietary platforms. Budgets hemorrhaged with cost overruns, deadlines came and went, and it became difficult to keep investing more money for upgrades to keep in line with the changing environment. The situation is drastically different today. A variety of third-party platforms have been developed that are easy to use, integrate well with a variety of data infrastructures, help spread the platform development costs over a wider number of users and provide a continuous stream of upgrades and refinements over time. Companies are finding it much more economical to use third party solutions for their data visualization and reporting, data aggregation and analysis, big data model development and implementation, model scoring, model monitoring as well as their risk decisioning platforms. Some organizations are going even a step further and creating sandboxes to experiment with emerging technologies with third party vendors. These third party solutions not only help fast track major technological augmentation, but also provide much-needed, real time visibility into threats and organizational readiness.
Develop proprietary assessment frameworks to determine readiness and response time for cybersecurity and critical operational risks. In most organizations, cybersecurity is a board-level issue. CROs must work across the enterprise to assess preparedness and fortify resilience. Building and testing new frameworks are critical to proactively identify remediation practices that enhance security and minimize fraud, malware and other operational threats.
Build new talent models with professionals who use machine learning and analytics. As work shifts from human beings to centralized platforms and bots, there will be a shift in the roles and talent profiles required to do those jobs. CROs will need to attract, retain and develop professionals capable of taking big-data assets and providing frameworks for quick business decisions. In lieu of data collection and reporting, digital risk managers will be skilled in analytics and able to provide insights into future risks and how to manage them. They’ll also need to be savvy in cybersecurity risk and effective approaches to minimize threats.
Analytics: The CRO’s new weapon
Analytics are providing CROs with powerful tools to improve their ability to predict and manage risks. With machine learning, new modeling techniques and improved profiling and reporting, CROs can take a more strategic view of risk. They’re able to better target growth with risk models that work across the customer life cycle on an ongoing basis; minimize the cost of compliance with reporting strategies to better analyze trends; improve the accuracy of credit-risk testing; and effectively balance the company’s growth goals and risk appetite. Most importantly, they bring a scientific approach to risk management with models that align risk to a particular level of performance.
Finding the path forward
As CROs shift from technician to forecaster, they must shed their traditional approach to risk management for one that balances technical knowledge with business acumen. CROs will need to be savvy in digital technologies and business models that assess risk in an integrated digital enterprise. They must also proactively identify emerging risks and establish early-warning mechanisms to ward off internet-based threats. To accelerate that transformation, the CRO should focus on a few key areas:
- Increasing risk-management efficiency and accuracy through process standardization across the enterprise
- Prioritizing emerging-risk solutions to address cybersecurity, financial crime and IoT. CROs must bring a scientific approach to identify both threats and opportunities.
- Strategic partnering with the business units and corporate functions to jointly develop risk management plans. CROs will help lead the company through a period of rapid digital innovation and new emerging risks.
- Enabling and sustaining business growth by balancing risk and performance as the company takes on additional risk.
- Becoming a change agent and managing transformation with new collaboration models and pilots based on testing and learning and scaling and deploying.
Like any large-scale change initiative, the path will be a zig and a zag. Implementing an enterprise ecosystem of integrated technology, processes and predictive analytics will require strong working relationships across the organization to effect policy and cultural change. Business structures must be reengineered with security priorities in mind. And the CRO 3.0 will need excellent communication skills to work with the board and executive and business unit leaders to embed new risk practices. In an age of increasing technological complexity, these are not easy times. But CROs have never had a better platform to influence business strategy and growth than they have today.
[1] Global Risk Management Survey, Deloitte, 2017