Getting to grips with interconnectedness means identifying the intricate links between the threats we face, then mapping, understanding and preparing for them. Our webinar sought to untangle this complex issue. Sara Benwell reports back.
Identifying and managing interconnected risks has never been more crucial for organisations than it is today.
Increasing globalism, coupled with widespread digitalisation, means that any company can be impacted by events on the other side of the world, and seemingly isolated threats can cause ripples that spread until businesses find themselves in a polycrisis.
For risk managers, developing strategies to manage and mitigate against interconnectedness is critical.
StrategicRISK gathered three experts in a webinar, to share their opinions and advice on unravelling the web of risks we face.
RECOGNISING THE ISSUES
While risks have always been intertwined, there is a growing awareness from firms that these connections must be better understood and methods to identify impacts must become more sophisticated.
Ian Evans, lead solutions consultant at Riskonnect, explained: “Even getting your head around the concept of multiple risks having impacts on each other can be very challenging.
“My clients are certainly struggling with that and so are moving away from some fairly primitive tools like spreadsheets, for example, to being able to visualise and understand how those risks impact their organisations in terms of business processes and assets.”
Dr Camila Witt, chief risk and compliance officer at InPay, agreed, adding that the visibility of the connections between risks is growing, which is spurring many businesses on.
“As we see developments in communications and we move towards a world without borders, we see this connection more closely. We also have access to information that highlights connections, which perhaps wasn’t available before.”
“Digital will speed up the connectivity of these risks. So, the work for risk managers will be very tough.”
However, she cautioned that the very technology that allows us to better understand connected risk also creates new threats. Take for instance cyber criminals using artifi cial intelligence to improve language translation on phishing emails.
There is also evidence that risks are becoming even more interconnected, increasing the threat to organisations and the resultant burden on risk managers. Volkan Can, enterprise risk manager at CIMSA and board member at the Turkish risk management member association KRYD, lists the three trends he sees creating more and deeper connections: a ballooning number of businesses, digitisation and globalisation.
He explains: “Globally today there are around 330 million companies. Just 20 years ago there were only 10–20 million. What that means is that anything regarding the upstream or downstream supply chain directly affects us. And most of these companies have global footprints. Finally, digital will speed up the connectivity of these risks. So, the work for risk managers will be very tough.”
START MAPPING
The panel agreed that there are a wide range of tools, tactics and strategies available that can help risk managers better identify and mitigate the interconnected risks facing their businesses.
CIMSA’s Can stressed the importance of choosing the right framework and highlighted the benefits of taking an enterprise risk management approach as it provides a robust methodology for understanding and mapping out risk interdependencies.
“ERM is a good approach, because it focuses on every risk and opportunity that will aff ect the enterprise value of the company.”
He said: “The problem is that traditional risk management mostly deals with cyclical risks, such as credit risk. There is historical data, so the risk managers are in their comfort zone because they can play around with the data, make the regression, and use models such as Monte Carlo, etc.
“But the problem with interconnected risks is they suddenly pop up. ERM is a good approach, because it focuses on every risk and opportunity that will aff ect the enterprise value of the company.”
KNOW WHO OWNS WHAT
Evans said that sophisticated organisations are looking beyond straightforward supply chain management, to include third and even fourth-party supply chain risk. This, he argued, is critical for getting a holistic picture of the risks facing your organisation.
He explained: “You may not be aware of a risk that some organisation somewhere else is incurring because you’re not dealing directly with them. But it just so happens some of your suppliers may be and you get caught out that way. It’s very difficult to manage that.”
He added that untangling the web of interconnected threats starts with having a simple and clear taxonomy of risk, which allows threats to be defined in a consistent way. On top of this, he said that it’s important to ensure that each risk has clear lines of ownership and accountability.
“You could imagine a data model that shows how all those things are joined up. If you can establish that structure, it does greatly simplify your world and makes it easier to automate.”
Finally, you need to have controls to mitigate each of the individual risks the business is facing. He said: “Those risks might also impact your assets and your business processes. So, you could imagine a data model that shows how all those things are joined up. If you can establish that structure, it does greatly simplify your world and makes it easier to automate.
“Ultimately, what we’re trying to get to is clearer management insights and information. There’s a lot of data out there, and in order to assimilate that data and make sense of it… that requires you to organise your data in a structured manner.”
SPEAK TO EACH OTHER
For Witt, one of the most important elements is ensuring that your risk management structure is linked back to your business goals, objectives and – crucially – risk appetite.
This means having a process that allows you to get feedback from every department whether that’s sales, operations, product development, HR, IT or even fund management.
She explained: “They are vital in understanding the impacts of risks. And then the taxonomy has to be enriched with how you capture the incidents, because quite often we have a vague idea that something is really bad, but perhaps that’s not backed up by the data.
“And finally, we need to have a very good plan for what happens when we breach a key risk indicator. What are the actions that we then take?”
“We need to develop products that have risk mitigation features embedded in them. Communication and culture is really important.”
One critical element of managing interconnected risk is ensuring that you have a strong risk culture throughout the organisation. Everyone from supply chain managers to those on the shop floor needs to understand risk management and the role they play in it.
Can said: “Today’s companies operate in silos. Every function has its own KPIs and this brings some siloed approaches. But there are a lot of situations and issues going on that are cross-functional. The ERM framework works very well with interconnectedness because its core subject is the cross-functional interactions.”
Witt added: “We are only as strong as the weakest of us. Let’s talk about financial crime prevention in a company like mine. We have the salespeople who go to prospective customers; we have to communicate our risk appetite pretty clearly so that they don’t onboard customers that are outside of it. Then, once we do that, we need to develop products that have risk mitigation features embedded in them.
“Communication and culture is really important.”
IT’S NOT ALL NEGATIVE
Amid the talk of risk management and mitigation, the panellists were quick to emphasise the importance of seeing this as tool for making better decisions and ultimately creating and seizing opportunities.
Evans gave the example of the COVID-19 pandemic. While this was a terrible shock and considered a black swan event for many organisations, some managed to transform and respond to new gaps in the market.
He said: “We’ve seen organisations who have made a lot of money out of the pandemic. And we’ve also seen other opportunities and benefi ts from what seemed to be a wholly negative event. The consequence of working from home, for example, is a benefit to many.
“Maybe we have to embrace the risk, because in every sector, every company face risks like COVID, but what differs is how you manage them”
“Even consider how pharmaceutical companies moved quickly to respond and become more innovative. You could put that in any business context – those who thrive are often the ones who are primed and ready to seize opportunities. So, it’s not just about the negative and how we protect against risks, it’s also asking: Are we ready to exploit opportunities?”
Can added: “We always think of the risks we need to avoid. But maybe we have to embrace the risk, because in every sector, every company face risks like COVID, but what differs is how you manage them. The opportunity side is very important.”
MODELS ARE ONLY AS GOOD AS YOUR DATA
As the number of risks facing each organisation increases, and the connections between them deepen, the amount of data and information that risk managers must grapple with grows in tandem.
It is unsurprising, therefore, that the panel turned to emerging innovations such as artificial intelligence and natural language processing (NLP) as solutions that could play a significant role in risk management of the future.
However, Can cautioned that before such approaches can yield results, it’s crucial to ensure that you’re working with quality data.
He explained: “It doesn’t matter which model you use or which tool you invest in – the thing is that if you put garbage in, you will get garbage out. If you don’t increase the quality of your data, you will not get accurate solutions for your problem.”
That said, it was Can’s belief that every dollar invested in risk management and risk management tools will get a better return on investment than any other company spend, due to the huge amount of data that flows through the risk management function. If you can improve and use that data, the value will grow exponentially.
“If you put garbage in, you will get garbage out. If you don’t increase the quality of your data, you will not get accurate solutions for your problem.”
Witt agreed that good data governance is crucial, and pointed out that without this, the use of AI or NLP will instead lead to greater threats. She gave the example of creating an AI chatbot to answer employee questions: you need to label all data internally so you know what is confidential and what isn’t. Otherwise, you run the risk of revealing sensitive or personal data to people who should not have access to it.
However, Witt did point to two key areas where these technological innovations could make a big difference for risk managers, namely pattern identification and visualisation.
She elaborated: “If we see incidents that are repeating, we can we look at pattern identification to spot new behaviours and do trend forecasting. AI is great for that.
“Another thing is visualisation, because, quite often, [interconnected risks can look like] spaghetti with meatballs. We spend a lot of time compiling data and we need to present it in a way that people can understand.
“I’ve yet to come across a risk management or governance, risk and compliance team that is over-resourced”
“With AI, you can say: ‘Please make a graph or a slide that shows this and portrays the interconnectivity of that’.”
Concluding the discussion, Evans highlighted that these tools can be useful for overworked and often understaffed risk teams, of which we are all familiar.
“I’ve yet to come across a risk management or governance, risk and compliance team that is over-resourced,” he noted.
“Any tools that can help us to cut through all this data, look for patterns and analyse contractual documents with third parties as they come on board to see where we may have gaps, should be beneficial.
“This will ultimately improve our understanding of the interconnectivity of risks.”
No comments yet