Front Office Risk Management Technology

A complex tangle of embedded components

Over the past three decades, Front Office Risk Management (FORM) has developed in a piecemeal way. As a result of historical business drivers and the varying needs of teams focused on different products within banks, FORM systems were created for individual business silos, products and trading desks. Typically, different risk components and systems were entwined and embedded within trading systems and transaction processing platforms, and ran on different analytics, trade capture and data management technology. As a result, many banks now have multiple, varied and overlapping FORM systems.

Increasingly, however, FORM systems are emerging as a fully fledged risk solution category, rather than remaining as embedded components inside trading systems or transactional platforms (although those components still exist). For many institutions FORM, along with the frontoffice operating environment, has fundamentally changed following the global financial crisis of 2008. Banks are now dealing with a wider environment of systemically reduced profitability in which cluttered and inefficient operating models are no longer sustainable, and there are strong cost pressures for them to simplify their houses.

Equally, a more stringent and prescriptive regulatory environment is having significant direct and indirect impacts on front-office risk technology. Because of regulators’ intense scrutiny of banks’ capital management, the front office is continuously and far more acutely aware of its capital usage (and cost), and this is having a fundamental impact on the way the systems it uses are evolving. The imperative for risk-adjusted pricing means that traditional trading systems are struggling to cope with the growing importance of and demand for Valuation Adjustment (xVA) systems at scale. Meanwhile, regulations such as the Fundamental Review of the Trading Book (FRTB) will have profound implications for frontoffice risk systems.

As a result of these direct and indirect regulatory pressures, several factors are changing the frontoffice risk technology landscape:

  • The scale and complexity involved in data management.
  • Requirements for more computational power.
  • The imperative for integration and consistency with middle-office risk systems.

Evolving to survive

As banks recognize the need for change, FORM is slowly but steadily evolving. Banks can no longer put off upgrades to systems that were built for a different era, and consensus around the need for a flexible, cross-asset, externalized front-office risk system has emerged.

Over the past few years, most Tier 1 and Tier 2 banks have started working toward the difficult goal of

  • standardizing,
  • consolidating
  • and externalizing

their risk systems, extracting them from trading and transaction processing platforms (if that’s where they existed). These efforts are complicated by the nature of FORM – specifically that it cuts across several functional areas.

Vendors, meanwhile, are struggling with the challenges of meeting the often contradictory nature of front-office demands (such as the need for flexibility vs. scalability). As the frontoffice risk landscape shifts under the weight of all these demand-side changes, many leading vendors have been slow to adapt to the significant competitive challenges. Not only are they dealing with competition from new market entrants with different business models, in many instances they are also playing catch-up with more innovative Tier 1 banks. What’s more, the willingness to experiment and innovate with front-office risk systems is now filtering down to Tier 2s and smaller institutions across the board. Chartis is seeing an increase in ‘build and buy’ hybrid solutions that leverage open-source and open-HPC2 infrastructure.

The rapid development of new technologies is radically altering the dynamics of the market, following several developments:

  • A wave of new, more focused tools.
  • Platforms that leverage popular computational paradigms.
  • Software as a Service (SaaS) risk systems.

More often than not, incumbent vendors are failing to harness the opportunities that these technologies and new open-source languages bring, increasing the risk that they could become irrelevant within the FORM sector. Chartis contends that, as the market develops, the future landscape will be dominated by a combination of agile new entrants and existing players that can successfully transform their current offerings. Vendors have many different strategies in evidence, but the evolution required for them to survive and flourish has only just begun.

With that in mind, we have outlined several recommendations for vendors seeking to stay relevant in the new front-office risk environment:

  • Above all, focus on an open, flexible environment.
  • Create consistent risk data and risk factor frameworks.
  • Develop highly standardized interfaces.
  • Develop matrices and arrays as ‘first-class constructs’.
  • Embrace open-source languages and ecosystems.
  • Consider options such as partnerships and acquisitions to acquire the requisite new skills and technology capabilities in a relatively short period of time.

Chartis

Click here to access Chartis’ Vendor Spotlight Report

Failures and near misses in insurance – Overview of the causes and early identification

General approach

The approach to dealing with failures of financial institutions has witnessed significant changes since the eruption of the financial crisis in 2008, both from the crisis prevention and the crisis management perspective. A changing perspective in the interpretation of the causes, early identification and corrective measures used in the context of (near) failures may create difficulties when trying to compare past failures with current ones, particularly with the advent of recovery and resolution frameworks in finance.

EIOPA has developed its own conceptual approach, which is followed throughout this report. It should be stressed that there is not a conceptual approach which is universally agreed. The aim of the present chapter is to explain the approach followed by EIOPA, in order to achieve a common understanding and support the classification of the different cases of insurance failures and near misses.

This chapter focuses on the following two issues:

  • The definition of the concepts of “failure” and “near miss”, which are essential to understanding the database construction process and the scope of the cases to be included.
  • The need to have a common understanding of the framework for crisis prevention and management, as well as the recovery and resolution tools to be used.

In terms of crisis prevention and management, the fundamental approach followed by EIOPA can be understood as part of a continuum of supervisory activities. Illustration 1 below summarizes the whole process: During business as usual, and in the normal stages of supervision, an initial problem can be identified, and insurers may seek to implement measures to overcome the problem. Supervisors would, in turn, normally intensify supervision and follow-up more closely on the developments of the insurer. Should the initial problem become a real financial threat (e.g. being in breach of, or about to breach, solvency capital requirements) the insurer enters into a new stage, which is linked to an increased risk of failure, i.e. a near miss situation. In this context, the insurer should trigger certain recovery actions to restore its financial position, while supervisors can intervene more intrusively. In general, there should be a reasonable prospect of recovery if effective and credible measures are implemented. Nevertheless, if the situation of distress is extremely severe and the measures taken do not yield the expected results, the insurer enters into resolution.

Eventually, the insurer (or parts of it) is (are) wound-up and exits the market.

EIOPA - Resolution

Near miss

In the context of this report, a near miss is defined as a case where an insurer faces specific financial difficulties (for example, when the solvency requirements are breached or likely to be breached) and the supervisor feels it necessary to intervene or to place the insurer under some form of special measures.

The elements to identify a near miss are the following:

  • The insurer is still in operation under its original form;
  • Nevertheless it is subject to a severe financial distress to an extent that the supervisory authority deems it necessary to intervene; and
  • In the absence of this intervention, the insurer will not survive in its current form and may eventually go into resolution or be wound-up.

Underlying is the idea of success of the measures taken. As such, it should not involve public money or policyholders’ loss.

In other words, a near miss presupposes that the supervisory intervention, either directly (e.g. replacing the management) or indirectly (e.g. request for an increase in capital), contributed in a clear way to overcome the insurer’s financial distress and bring it back to a “business-as-usual” environment. Shareholders generally keep their rights and could potentially oppose any of the measures undertaken.

On a day-to-day basis, insurers and NSAs might have to take different actions that require a certain degree of coordination. A “near miss” in the sense described in this report should be distinguished from these type of situations. Near misses only refer to cases where severe problems were detected or reported and supervisory measures were necessary to ensure the viability of the insurer.

Near misses actually constitute an area of particular interest for this report. In effect, their correct reporting and analysis would allow valuable lessons to be learned from successfully managed distress situations – prospective failure of an insurer and supervisory actions that permitted recovery.

Insurance failure

A failure, for the purposes of the present database, exists from the moment when an insurer is no longer viable or likely to be no longer viable, and has no reasonable prospect of becoming so.

The processes of winding-up/liquidation, which are usually initiated after insolvency, either on a balance sheet basis (the insurer’s liabilities are greater than its assets) or cash-flow basis (the insurer is unable to pay its debts as they fall due), are also encompassed within the definition of failure for the purposes of the database. Failure is thus triggered by “non-viability”.

The failed insurer ceases to operate in its current form. Shareholders generally lose some or all of their rights and cannot oppose to the measures taken by the authority in charge of resolution, which has formally taken over the reins from the supervisory authority.

For classification purposes, any case is considered as a failure (regardless of the final result of the intervention) when:

  • Private external support (e.g. by means of an insurance guarantee system (IGS)) has been received.
  • Public funds by taxpayers were needed for policyholders’ protection or financial stability reasons.
  • Policyholders have suffered any type of loss, be it in financial terms or in a deterioration of their insurance coverage.

The following are examples of resolution tools that may be used by authorities in a case of failure:

  • Sale of all or part of the insurers’ business to a private purchaser. A particular case is the transfer of an insurers’ portfolio, moving all or part of its business to another insurer without the consent of each and every policyholder.
  • Discontinue the writing of new business and continue administering the existing contractual policy obligations for inforce business (run-off).
  • Set-up a bridge institution as a temporary public entity to which all or part of the business of the insurer is transferred in order to preserve its critical functions.
  • Separate toxic assets from good assets establishing an asset management vehicle (i.e. a “bad insurer” similar to the concept used in banking) wholly owned by one or more public authorities for managing and running-down those assets in an orderly manner.
  • Restructure, limit or write down liabilities (including insurance and reinsurance liabilities) and allocate losses following the hierarchy of claims.

This also includes the bail-in of liabilities when they are by converted into equity.

  • Closure and orderly liquidation of the whole or part of a failing insurer.
  • Withdrawal of authorisation.

Lastly, it should be mentioned that the flow of events shown in Illustration 1 does not necessarily take place in a sequential way. For example, there could be cases in which an insurer goes directly into resolution. Thus, what is relevant for the classification of a particular case is whether the insurer recovers (which would then be considered as a near miss or as a case resolution/return to market if some kind of resolution action/tool is used) or has to be fully resolved and/or liquidated.

EIOPA - Sharma Risks

Click here to access EIOPA’s detailed report

Global Governance Insights on Emerging Risks

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of services (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as l

  • aw enforcement,
  • regulatory agencies and recovery service providers
  • including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

CR Ex 1

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

CR Ex 2

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, « There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.

With a robust analysis, the organization can

  • quantify the price of cyber risk,
  • develop effective risk mitigation,
  • transfer and risk financing strategy,
  • and decide if – and how much – cyber insurance to purchase.

This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation of Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, it is expected the level of future demand for cyber insurance will depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protections in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by

  • investments in enhanced systems in order to prevent future attacks;
  • cost of incentives offered to customers to restore confidence and maintain business relationships;
  • additional costs due to claims for service failures; costs associated with data breach or data loss due to third-parties;
  • and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:

  • Raising awareness inside the organization on the importance of information security.
  • Fostering a broader dialogue among the cyber risk stakeholders within an organization.
  • Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
  • Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.

CR Ex 3

Click here to access Marsh’s and WCD’s detailed report

 

Cybersecurity Risk Management Oversight – A Tool for Board Members

Companies are facing not only increasing cyber threats but also new laws and regulations for managing and reporting on data security and cybersecurity risks.

Boards of directors face an enormous challenge: to oversee how their companies manage cybersecurity risk. As boards tackle this oversight challenge, they have a valuable resource in Certified Public Accountants (CPAs) and in the public company auditing profession.

CPAs bring to bear core values—including independence, objectivity, and skepticism—as well as deep expertise in providing independent assurance services in both the financial statement audit and a variety of other subject matters. CPA firms have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.

This tool provides questions board members charged with cybersecurity risk oversight can use as they engage in discussions about cybersecurity risks and disclosures with management and CPA firms.

The questions are grouped under four key areas:

  1. Understanding how the financial statement auditor considers cybersecurity risk
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
  3. Understanding management’s approach to cybersecurity risk management
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management

This publication is not meant to provide an all-inclusive list of questions or to be seen as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. The dialogue that these questions spark can help clarify the financial statement auditor’s responsibility for cybersecurity risk considerations in the context of the financial statement audit and, if applicable, the audit of internal control over financial reporting (ICFR). This dialogue can be a way to help board members develop their understanding of how the company is managing its cybersecurity risks.

Additionally, this tool may help board members with cybersecurity risk oversight learn more about other incremental offerings from CPA firms. One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The framework enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.

With this voluntary, market-driven framework, companies can also communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls that are in place to detect, prevent, and respond to breaches.

AICPA

Click here to access CAQ’s detailed White Paper and Questionnaires

The Global Risks Report 2018

Last year’s Global Risks Report was published at a time of heightened global uncertainty and strengthening popular discontent with the existing political and economic order. The report called for “fundamental reforms to market capitalism” and a rebuilding of solidarity within and between countries.

One year on, a global economic recovery is under way, offering new opportunities for progress that should not be squandered: the urgency of facing up to systemic challenges has, if anything, intensified amid proliferating indications of uncertainty, instability and fragility. Humanity has become remarkably adept at understanding how to mitigate conventional risks that can be relatively easily isolated and managed with standard riskmanagement approaches. But we are much less competent when it comes to dealing with complex risks in the interconnected systems that underpin our world, such as organizations, economies, societies and the environment. There are signs of strain in many of these systems: our accelerating pace of change is testing the absorptive capacities of institutions, communities and individuals. When risk cascades through a complex system, the danger is not of incremental damage but of “runaway collapse” or an abrupt transition to a new, suboptimal status quo.

In our annual Global Risks Perception Survey, environmental risks have grown in prominence in recent years. This trend has continued this year, with all five risks in the environmental category being ranked higher than average for both likelihood and impact over a 10-year horizon. This follows a year characterized by high-impact hurricanes, extreme temperatures and the first rise in CO2 emissions for four years. We have been pushing our planet to the brink and the damage is becoming increasingly clear. Biodiversity is being lost at mass-extinction rates, agricultural systems are under strain and pollution of the air and sea has become an increasingly pressing threat to human health. A trend towards nation-state unilateralism may make it more difficult to sustain the long-term, multilateral responses that are required to counter global warming and the degradation of the global environment.

Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack—which affected 300,000 computers across 150 countries—and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses. Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning.

Headline economic indicators suggest the world is finally getting back on track after the global crisis that erupted 10 years ago, but this upbeat picture masks continuing underlying concerns. The global economy faces a mix of long-standing vulnerabilities and newer threats that have emerged or evolved in the years since the crisis. The familiar risks include potentially unsustainable asset prices, with the world now eight years into a bull run; elevated indebtedness, particularly in China; and continuing strains in the global financial system. Among the newer challenges are limited policy firepower in the event of a new crisis; disruptions caused by intensifying patterns of automation and digitalization; and a build-up of mercantilist and protectionist pressures against a backdrop of rising nationalist and populist politics.

The world has moved into a new and unsettling geopolitical phase. Multilateral rules-based approaches have been fraying. Re-establishing the state as the primary locus of power and legitimacy has become an increasingly attractive strategy for many countries, but one that leaves many smaller states squeezed as the geopolitical sands shift. There is currently no sign that norms and institutions exist towards which the world’s major powers might converge. This creates new risks and uncertainties: rising military tensions, economic and commercial disruptions, and destabilizing feedback loops between changing global conditions and countries’ domestic political conditions. International relations now play out in increasingly diverse ways. Beyond conventional military buildups, these include new cyber sources of hard and soft power, reconfigured trade and investment links, proxy conflicts, changing alliance dynamics, and potential flashpoints related to the global commons. Assessing and mitigating risks across all these theatres of potential conflict will require careful horizon scanning and crisis anticipation by both state and nonstate actors.

This year’s Global Risks Report introduces three new series:

  1. Future Shocks,
  2. Hindsight,
  3. Risk Reassessment.

Our aim is to broaden the report’s analytical reach: each of these elements provides a new lens through which to view the increasingly complex world of global risks.

Future Shocks is a warning against complacency and a reminder that risks can crystallize with disorientating speed. In a world of complex and interconnected systems, feedback loops, threshold effects and cascading disruptions can lead to sudden and dramatic breakdowns. We present 10 such potential breakdowns—from democratic collapses to spiralling cyber conflicts—not as predictions, but as food for thought: what are the shocks that could fundamentally upend your world?

In Hindsight we look back at risks we have analysed in previous editions of the Global Risks Report, tracing the evolution of the risks themselves and the global responses to them. Revisiting our past reports in this way allows us to gauge risk-mitigation efforts and highlight lingering risks that might warrant increased attention. This year we focus on antimicrobial resistance, youth unemployment, and “digital wildfires”, which is how we referred in 2013 to phenomena that bear a close resemblance to what is now known as “fake news”.

In Risk Reassessment, selected risk experts share their insights about the implications for decisionmakers in businesses, governments and civil society of developments in our understanding of risk. In this year’s report, Roland Kupers writes about fostering resilience in complex systems, while Michele Wucker calls for organizations to pay more attention to cognitive bias in their risk management processes.

GRR2018 1

GRR2018 2

Click here to access WEF – Marsh’s detailed Global Risk Report 2018

Mastering Risk with “Data-Driven GRC”

Overview

The world is changing. The emerging risk landscape in almost every industry vertical has changed. Effective methodologies for managing risk have changed (whatever your perspective:

  • internal audit,
  • external audit/consulting,
  • compliance,
  • enterprise risk management,

or otherwise).

Finally, technology itself has changed, and technology consumers expect to realize more value, from technology that is more approachable, at lower cost.

How are these factors driving change in organizations?:

Emerging Risk Landscapes

Risk has the attention of top executives. Risk shifts quickly in an economy where “speed of change” is the true currency of business, and it emerges in entirely new forms in a world where globalization and automation are forcing shifts in the core values and initiatives of global enterprises.

Evolving Governance, Risk, and Compliance Methodologies

Across risk and control oriented functions spanning a variety of

  • audit functions,
  • fraud,
  • compliance,
  • quality management,
  • enterprise risk management,
  • financial control,

and many more, global organizations are acknowledging a need to provide more risk coverage at lower cost (measured in both time and currency), which is driving reinventions of methodology and automation.

Empowerment Through Technology

Gartner, the leading analyst firm in the enterprise IT space, is very clear that the convergence of four forces,

  • Cloud,
  • Mobile,
  • Data,
  • and Social

is driving the empowerment of individuals as they interact with each other and their information through well-designed technology. In most organizations, there is no coordinated effort to leverage organizational changes emerging from these three factors in order to develop an integrated approach to mastering risk management. The emerging opportunity is to leverage the change that is occurring, to develop new programs; not just for technology, of course, but also for the critical people, methodology, and process issues. The goal is to provide senior management with a comprehensive and dynamic view of the effectiveness of how an organization is managing risk and embracing change, set in the context of overall strategic and operational objectives.

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximizing the reliability of organizational performance. This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Data Driven GRC

Click here to access ACL’s detailed White Paper

The Imperative to Raise Enterprise Risk Intelligence

How to raise enterprise risk intelligence

  • Break down silos and collaborate. To ensure all risks are addressed, finance, operations, compliance, legal and IT functions should work together in managing enterprise risks. According to 53 percent of respondents, there is little, if any, collaboration among these functions to achieve a clearly defined enterprise risk management strategy.
  • Focus on accomplishments that will make a difference. The findings reveal a significant gap between the most important features of a risk intelligence platform and what features are actually accomplished. The features considered most important but rarely accomplished are:
    • Business continuity response (produces plans, runs business impact analyses, resiliency controls and engages stakeholders in crisis drills and recovery)
    • Incident/issue risk response (coordination of classification, collaboration, evidence, policies and reporting across the organization for all operational and security risk events)
    • Operational risk & compliance (creates risk registers and runs Risk and Compliance Self-Assessments (RCSAs) against critical business processes to report key risk indicators (KRIs), findings and loss events)
    • Threat and vulnerability mitigation (automates continuous risk correlation, prioritization and remediation of assets and operation criticality, threat reachability, control and vulnerabilities)
  • Establish a formal budget for enterprise risk management. It is critical to allocate resources specifically designated to achieving a well-executed enterprise risk management program. Fiftyeight percent of respondents say their organizations do not have a formal budget.
  • Engage management and the board of directors in the organization’s risk strategy. The inability to get started was one of the top three barriers to achieving risk management objectives. Senior leadership’s involvement will incentivize and motivate collaboration and a formal process for achieving the objectives of a risk management program.
  • Achieve clarity of your IT assets and infrastructure. A clear map of the infrastructure and categorization of assets, especially high value and knowledge assets, is key to ensuring appropriate risk measures are in place. Only 24 percent of respondents say they have categorized assets based on their business criticality.
  • Assign accountability for the achievement of specific risk management objectives. According to the findings, either no one person has overall responsibility or it is dispersed throughout the organization.
  • Measure effectiveness in risk intelligence efforts. Only 31 percent of respondents say their organizations have specific metrics to determine how well risks are being managed. Many organizations represented in this study are not measuring such key objectives as time to contain threats and attacks, time to identify and pinpoint high-risk areas and time to remediate after containment of the attack.
  • Consolidated risk reporting is essential. Sixty-three percent of respondents say it is essential or very important to have a centralized or consolidated risk reporting (one set of metrics) in order to achieve a strong security posture.
  • Replace complexity with ease of use. The number one barrier to achieving risk management objectives is the complexity of technologies that support risk management objectives. Understandably, the number one feature of a risk management solution is ease of use (53 percent of respondents). Investments in risk management technologies that end up on the shelf because of complexity and the lack of in-house expertise will frustrate any attempts to achieve an enterprise risk management program.

ERM Survey

2017_Report_on_ERM