Express Computer

Break Free from Tangled Risk Relationships with a Connected GRC Strategy


By Shankar Bhaskaran, Managing Director – India, MetricStream

Business risk management for modern enterprises has become an increasingly complex function. Risk professionals today are tasked with defending their organizations from a barrage of risks: cyber, geopolitical, third-party, physical, privacy, financial, ESG, and several others. What were once distinct risk categories are now becoming more intertwined. The expansion of the internet, cloud computing and mobile technologies is driving business transformation and enabling more connectivity. However, it is also leaving businesses entangled in a quagmire of risks.

Forrester’s 2022 prediction report highlights the relationship between growing digital dependencies and enterprise risk among organizations. It shows 60% of security events come from third-party relationships. Another survey of IT and business leaders showed that 76% rated third-party risk as a high-priority risk. According to the Allianz Risk Barometer 2023, business interruptions and cyber-related incidents are the biggest company concerns globally, each cited at 34 per cent. There is also an inherent relationship between cyber threats and business interruptions. Simultaneously, supply chain risks are intensifying due to supply shortages, sanctions, and escalating raw material costs. These risks are compounded by the involvement of subcontractors and other fourth-party entities, adding further complexity to the risk landscape within supply chains.

Modern enterprise ecosystems are complex, with the number of third parties running into the hundreds. Monitoring risks and vulnerabilities across vast business ecosystems using outdated traditional methods that involve manual processes and spreadsheets won’t work. Also, when it comes to risk management, many organizations make the mistake of dealing with risks in isolation. The term “risk silo” is commonly used to describe the practice of managing risks independently and separately rather than adopting an integrated approach. With this approach, departments may fail to recognize the interconnectedness of risks across the organization. Silos within an organization lead to workflow redundancies, reduced efficiency, and noticeable operational gaps.

Risk managers must assess the organizational risk posture holistically. They must do this by evaluating the impact of risk on all interrelated categories of operational, strategic, systemic, regulatory, technology, security, third-party, and physical risks. Failure to comprehend and assess risk interdependencies can lead to misaligned decisions and poor recovery efforts.

The interconnectedness of risks is continuing to intensify. Therefore, risk professionals must understand the cascading impact and develop business strategies for resilience around them. They must adopt a GRC strategy with an integrated and connected approach. It should provide visibility into risk interconnectedness and show the overall GRC posture of the organization by tying risks to assets, controls, regulations, and processes. To be successful, organizations will require a focused GRC approach backed by automated and autonomous workflows to manage complex risk relationships.

Here are the top five GRC advancements risk professionals should use to navigate tangled risk relationships in their organization:

Risk Quantification
Risk quantification is expressing risk in monetary terms. Organizations must quantify the risk to understand their exposure in the context of their risk appetite, determine which threats to focus on first and ensure optimum utilization of resources. A digital trust insights survey found that 60% of cyber managers are starting to quantify cyber risks, with 17% formulating plans to begin soon.

Quantifying risk allows CROs and CISOs to communicate the organizational risk posture to the board in a manner they can understand. Quantification insights help make decisions such as accepting, rejecting, mitigating, or transferring risk.

Control Harmonization
Control harmonization is a process that helps organizations improve their compliance management processes. By mapping controls to regulations, standards, policies, risks, processes, and assets, organizations can save time, effort, and costs while simultaneously complying with multiple regulations and standards.

Continuous Control Monitoring
Continuously monitoring the effectiveness of controls is important in an advanced GRC program. Doing so enables pre-emptive notification of potential risks and control gaps or vulnerabilities. GRC professionals can use the insights to remediate and resolve issues faster, enhancing compliance and strengthening business resilience.

Automation and Analytics
Agility and efficiency are crucial in an interconnected and constantly evolving risk environment. In such a scenario, advanced technologies, such as artificial intelligence (AI), machine learning, and natural language processing, can support GRC professionals by improving risk visibility and foresight, helping them make timely and well-informed business decisions. For example, a global bank burdened with over 40,000 controls from several mergers and acquisitions was struggling to cope with its siloed risk reporting structure. By implementing a single integrated control framework powered by an AI-enabled, knowledge-centric GRC strategy, the bank was able to reduce its controls by 90%, saving millions of dollars in unwanted controls.

AI can be a game-changer in GRC as it can help risk professionals gain insights quickly, recognize patterns, avoid duplication of effort, and drive risk-aware decision-making.

Communication
Managing interconnected risks requires proper communication and collaboration. Business units and teams, from the board and senior management to the front line, must be involved to ensure the effective implementation of a connected GRC strategy.

Thrive amidst a web of risk relationships with a connected approach to GRC

A connected GRC strategy backed by the right strategies and technology can help an organization view risks from a macro perspective. This will help it better understand all the risks it faces and their interconnectedness. Technology-led GRC advancements will shatter barriers and enable proactive risk mitigation against cyber threats, supply chain disruptions and other risks. Organizations can stay on top of their attack surface across the extended enterprise as they forge a path toward sustainable growth.
