The Evolution of the Risk Manager

This post first appeared on Risk Management Magazine. Read the original article.

Technology promises to alter the practice of risk
management. Will these advances simply change how risk professionals work or
create new, more strategic roles?

As organizations rely more heavily on advances in areas like artificial intelligence, data analytics and machine learning, the nature and focus of many professions will begin to shift. Risk management is no exception. As technology takes on more of the basic, process-driven work that makes up a large part of a risk professional’s current workload, practitioners may be free to concentrate on more “value-adding” work and explore new or underdeveloped areas of risk management that have—until now—been relatively untapped. In this way, rather than posing a threat, artificial intelligence and machine learning may actually enable more sophisticated risk management, if used well.

According to Tom Bigham, risk advisory partner at Deloitte,
the risk professional’s role has already been undeniably impacted by new
technologies, and it will continue to be molded as emerging technologies mature
further. In fact, there is little other choice—evidence suggests that risk
managers need to embrace artificial intelligence, machine learning and other
technologies as a matter of course. In Deloitte’s recent Digital Risk Survey,
60% of senior executives across over 160 global organizations rated the
effective ness of current
risk management tools as five (or less) out of 10—hardly a ringing endorsement
of current capabilities.

Bigham said that the risk management departments “leading
the way” are moving towards using technology to perform more basic, repetitive
tasks. At the same time, they are also looking to improve these processes—for
example, by ensuring that tasks are being completed with a greater level of
accuracy, while also challenging existing processes to remove duplications and
unnecessary layers of governance. In the near future, he believes, tasks such
as manual controls testing (used to gain assurance on an annual basis) will
become automated, and risk managers will use live dashboards to monitor to
ensure tests are configured correctly.

However, over the longer-term, Bigham said, new technologies
will help the role of the risk manager evolve into two camps: “engineers” and
“thinkers.” As one would expect, the “engineers” are tech savvy. “Understanding
the technologies allows these risk managers to ensure they are providing the
right service to the organization and are aligned to their risk appetite,” he
said. “Integrating the risk managers earlier in the development process
(otherwise known as ‘shift to the left’) will ensure controls are considered at
the right point in time, avoiding unnecessary delays later in the process.”

Meanwhile, “thinkers” will analyze their organization’s data
by identifying patterns and rules, creating insights from which senior
management can make decisions based on external events happening to their
organization. “This allows risk managers to inform senior management of the
potential impact of these events, and to introduce safeguards to prevent
negative impact,” he said. “In addition, the risk manager’s expertise is
required to ensure information and data collected from newly introduced tools
is mapped to a common framework and combined to provide an overarching view to
senior management.”

Many believe that new technology will not only change the
future of risk management—it will also drive it. According to Arvind
Govindarajan, partner at McKinsey & Company, a number of “structural
trends” will impact the future of the risk function, including big data,
analytics and digitization, and the growth of a number of emerging risk types,
like cybersecurity. However, other factors will also play a defining role. For
example, expectations from external customers and internal stakeholders for real-time,
more granular and customized insights will affect the focus and work of risk
managers, as will a continuous expansion in the breadth and depth of
regulations. This is amplified by increased pressure on costs and competitive
intensity, often from non-traditional players such as technology companies.

Govindarajan believes that the risk departments of the future will be “a high-intellect, highly automated nerve center.” In the future, advanced models and artificial intelligence will help assess emerging risks, early-warning signals and potential responses. “There will also be increased integration of risk management with other disciplines,” like business strategy, portfolio management and operations, he said. However, this movement will also create new risks that risk managers must address—namely, the risk from increased use of models and digitization, and ensuring that risk professionals fully understand how these models work and what their capabilities (and limitations) are. Additionally, the increased reliance on data will require more focus on managing data risk, including data privacy, access and quality.

In the immediate term, “risk managers are going to have to
check that the technologies they are relying on to enhance risk and management
information actually work and deliver the assurance that they are supposed to,”
said Fergus Allan, head of regulation and compliance at management consultancy
TORI Global. Risk professionals will need to meet these new expectations, which
means investing now in upskilling, training and recruitment.

In the long run, as technology takes on more of the
analytical and processing tasks, risk professionals will be able to take a
longer-term view of risks to the business, with the opportunity to focus more
heavily on “horizon-scanning” for emerging risks that may impact the business
in two or three years. “This will allow risk managers to think more
strategically,” he said.

Allan believes that risk management will become more about
“managing resilience”—ensuring that the business can cope with immediate
shocks, such as natural catastrophes, power outages and supply chain failures,
as well as more long-term disruptive risks, like those caused by new and more
nimble challengers entering the market, new technologies, more stringent
regulation and changing consumer sentiment.

“As technology takes on more of a risk manager’s current
workload, risk managers will need to focus on more value-adding activities, and
that includes the issues underpinning business strategy and the organization’s
resilience,” Allan said. “The business environment is changing much more
rapidly now, and companies can only rely on brand loyalty if their products and
services are better than their rivals and affordably priced—not necessarily
because they are the most established or dominant in the market. Risk managers
need to concentrate on how the organization can sustain itself in an
environment that is more competitive, more highly regulated, and where ‘shocks’
can take place more frequently than before. As a result, it is obvious that
risk managers need to be more engaged in reviewing risks around strategy and
organizational resilience.”

Rob Clyde, immediate past chair of ISACA and director at
data protection software firm Titus, agreed that there is a real need for risk
managers to be more strategic. Indeed, he believes increased automation of the
risk function will allow risk professionals more time and resources to engage
in other activities where they could make a positive impact, and provide an
opportunity for the profession to develop further.

“Risk functions need to move on from simply alerting
management to risks, and they need to steer the organization toward getting the
rewards from effective governance rather than just focusing on managing risks,”
Clyde said. “They need to show that they understand the business, show how
these risks will impact the bottom line, and show how opportunities can be
leveraged from better risk management. Risk managers need to think about how
they can make the strategy work even more effectively and drive more
profitability. They need to think about how they can help the organization
‘win.’”

Clyde believes that risk managers will move away from some
traditional priorities, such as crunching data, and will instead focus on new
and emerging risk areas where artificial intelligence and other new
technologies have not yet made the same degree of impact as data analytics.
These include reviewing cyberrisk, data protection and data privacy risks,
macroeconomic risks, and even the impact that misinformation on social media
might have on the company’s reputation and bottom line.

Other experts, however, are less convinced that adoption of
new technologies will change the underlying focus or approach of risk
management. While they accept that the growth and accessibility of new
technologies will have a positive impact on risk management, they say it does
not necessarily follow that the profession’s priorities or usual tasks will
change much. Instead, they believe that new technologies merely represent new
risk tools that enable different ways of working on the same traditional areas,
rather than revolutionizing what the function does.

Increased automation largely means that risk functions can
concentrate more effectively on what is typically their primary
focus—operational risks. “We’re seeing from our member organizations that
operational risk is increasingly becoming a concern for boards,” said Dr. Luke
Carrivick, head of analytics and research at ORX, an operational risk association
for banks, insurers and asset managers. “Whereas 10 years ago credit and market
risk dominated institutional risk profiles, boards today are far more focused
on their operational risk exposure—for example, their highly valuable digital
assets and how resilient they really are to events such as cyberattacks.”

According to Carrivick, “Boards don’t want to see endless reports showing what has happened previously. Instead, they want to know how their operational risk profile is changing as their strategy advances. Good data analytics is central to providing this forward-looking view.”

Michael Harris, director of financial crime compliance and
regulation risk at LexisNexis Risk Solutions, is skeptical about technology’s
role in shaping the future of the profession, particularly the idea that risk
managers will somehow become more involved in corporate strategy. While
technology may take a lot of the basic tasks away from risk management, it does
not mean that risk professionals will take a more strategic role and become
“risk leaders.” “Executives will still be ultimately responsible for strategy
and risk—not risk managers,” he said.

The extent to which risk managers take on a more strategic
role may depend on the industry vertical. “In heavily regulated industries such
as financial services and pharmaceuticals, for example, there is still going to
be a strong focus on compliance, despite what new technology can—and can’t—do,”
Harris said. “As a result, boards in those industries will primarily want
reassurance from risk management that operational risks are still being managed
appropriately.”

As decision-making becomes more automated, Harris believes
firms will face a greater need for assurance that the technology underpinning
decision-making is working in the best interests of the company and its
customers, and that it is compliant. “It will fall to risk managers to check
that the processes that determine decision-making and produce management information
are working properly,” he said. “This will mean that risk managers will need to
understand the technology and its associated risks, and that will probably
require retraining and upskilling. Over the past few years, risk, compliance
and internal audit departments in financial services firms especially have
grown due to increased regulatory demands and scrutiny. While these functions
will likely cut staff as technology adoption becomes more prevalent, it is
probably fair to say that their roles will stay largely the same.”

Mike Hampson, CEO at Bishopsgate Financial Consulting,
believes that “machines should do the ordinary so that the risk management
function can do the extraordinary.” But the reality may be that “technology
will simply free up risk managers to look at new areas of risk rather than
change their role or the way the function works,” he said.

This may be because regulators shape risk management’s role
more than technology or executives do. “Risk managers may want to play a more
strategic and consultative role in their organizations, but more often than
not, it is regulators that largely define what their areas of focus are going
to be,” he said. “For example, in recent years, regulators—particularly in
areas like financial services—have asked organizations to move away from just
looking at financial risk and market risk to examine areas like operational
resilience, systemic risk, macro-economic risk, climate risk and data
protection. Consequently, risk management functions have had to follow that
lead, providing assurance on other, new risk areas rather than trying to turn
themselves into some kind of management consultancy.”

Despite the influence of new technology and compliance
requirements, risk managers generally will need to become more
commercially-minded and business savvy, Hampson said. This means being much
more conscious about cost, competition and the wider macroeconomic
environment—in effect, looking at external, market-driven risks to the
business.

“At some level, risk managers need to think about rewards
and not just risks,” he said. “Despite the cliché that there is no reward
without risk, it is still true that most risk managers look at the risks
inherent in business strategies, rather than look at the predicted rewards associated
with them. This needs to change. Risk managers need to be more prepared to
question whether the strategy is the best option and, if so, whether it can be
tweaked or improved to deliver even better returns.”

There is little doubt that technology will impact the future
role and work of risk professionals, but how this technology is ultimately
implemented will still depend on what the board—and regulators—deem to be
priority areas. Even if developments like artificial intelligence prove merely
to be tools to enable risk managers to do their current work more effectively,
rather than empowering them to explore new areas to add value, expectations
about what the risk function can and should deliver are also changing.
Regardless of technology’s potential uses, risk professionals will need to be
more sensitive to how the business operates and where the organization can take
advantage of commercial opportunities.

Neil Hodge is a U.K.-based journalist who often
covers risk management.

Leave a Reply

Your email address will not be published. Required fields are marked *