By Rob Starr, Big4.com
Kelly Watson, the National Service Group Leader of KPMG’s Risk Consulting Practice in the U.S. and the Americas, provided some insights about the risk issues and opportunities that should top chief risk officers’ (CROs’) agendas. Effective risk management and mitigation are always critical, and according to the KPMG research, CROs will need to watch a number of strategic, operational, and external risks.
Can you define a strong IT risk management function that CROs can use to proactively manage technology risks?
To become more proactive and nimble, leading organizations have either established or formalized an IT Risk Management (ITRM) function. That function should manage and optimize processes and technological tools designed to ultimately improve risk awareness, operational effectiveness, financial efficiency, and regulatory compliance. Additionally, an ITRM function should establish a continually maintained overall risk inventory with key risk indicators and with the organization’s risk appetite taken into account. This inventory should be used to measure risks and anticipate and prevent risk events whenever possible.
Why is technology risk management so important?
The need for technology risk management has intensified in recent years due to the speed of technological change, meaning the extent to which technology is driving business, and due to the adoption of emerging and disruptive technologies that change the way business is done, such as cloud, the Internet of Things, connected devices and mobile.
Can you explain the significance of data security monitoring?
Data security has been properly escalated outside of the IT function at companies, as it is no longer identified simply as a technology or IT issue. As such, it is now commanding the attention of operational executives such as CEOs, COOs and CFOs, as well as the Board of Directors, because data security presents risks to the company’s strategies, business processes, and priorities. Companies rely more than ever before on data that may be at risk from a cyber incident. This data goes far beyond just the personally identifiable information that tends to be featured in many of today’s headlines. Information at risk includes intellectual property, strategic corporate communications such as email, and operational data used to drive business decisions. It’s important to ensure that companies focus not just on the confidentiality of information, but also on its integrity and availability. While it’s important to focus on improving controls to hopefully prevent a cyber incident, it’s also critical that organizations focus on improving their ability to monitor and identify whether they are experiencing a cyber incident, and that they have clear and effective cyber response plans and procedures in place.
Explain why monitoring third parties is important.
Organizations today have numerous third-party intermediaries, which play a significant role in their interaction with governments amid an increasingly global business environment. This, coupled with stretched supply chains, has rendered companies’ monitoring of their third parties extremely important. Companies need to properly vet third parties before they are brought on board. Once on board, they must understand who their third parties are, what they do for the company and how they put the company at risk: do they interact with foreign government officials, have access to sensitive data, perform critical activities, or present an indirect cyber threat in that they hold data which might be vulnerable? The organization must also determine how to manage the process of tracking and monitoring its third parties and how to use technology to assist in that management.
Can you explain the regulatory demands on risk data aggregation and reporting?
While some progress has been made by financial institutions in developing more robust, effective, and efficient risk and regulatory reporting, the process of complying with Risk Data Aggregation and Reporting (RDAR) principles still needs improvement and the application of Basel Committee on Banking Supervision (BCBS) 239 rules for risk data aggregation and reporting remains inconsistent among financial institutions. Recent RDAR-related guidance states that Bank Holding Companies should also conduct a self-assessment of the status of BCBS 239 compliance. This includes designing an integrated control and reporting framework for accounting and risk data.
What are some of the other key risk areas noted in the report?
The other key areas that we have identified, in addition to third-party risk, technology risk, data security, and risk data aggregation and reporting, are fraud and misconduct, crisis management and the need to improve compliance program effectiveness. All of these areas are consistent with what has been top of mind for CROs, the C-suite and the board in recent years. However, some of the more complex and evolving areas, including technology risk management, data security and crisis management, have recently been escalated among CROs’ concerns. An intensified focus on data security is largely driven by the fact that companies are connected to more organizations than ever before and, therefore, must have a clearer understanding of how their partners and third parties are using and protecting their information. Greater emphasis is also being placed on data security as attackers become more sophisticated and discover new ways to infiltrate networks. The focus on technology risk management has increased as companies face new risks from adopting emerging technologies. Regarding crisis management, while organizations have always faced the possibility of critical or catastrophic events, companies are now more highly connected and global, so they face even greater threats of disruption to business operations from man-made or natural disasters, ranging from cyber-attacks to supply chain disruptions stemming from geopolitical turmoil. And, because organizations are more interconnected, complexities can now arise in a more widespread and rapid fashion in the wake of a crisis.
Generally, what needs to be done?
Companies operate in an increasingly complex and global marketplace, and the risks that exist within this environment are equally complex; many cannot necessarily be predicted. To survive and ultimately thrive in this environment, it is essential that companies have an integrated, organization-wide, proactive risk management program in place. This entails having a well-established risk management process dictated by a risk appetite that is understood and agreed upon across the organization, and having strong oversight and controls in place. The CRO, a relatively new and evolving role, should help the company identify all risk areas, formulate a strategy and plan to mitigate them to the greatest extent possible, and monitor the company’s progress against those plans. And it is crucial that the CRO partners with the business to help with innovative strategies and solutions for risk management and mitigation.