Enterprise Risk Priorities for 2022


January 30, 2022

As we kick off 2022 and take our first steps into a post-COVID-19 world, I thought I would share our top six risk management priorities for 2022, with a focus on Enterprise and Operational Risk Management.

Cyber Risk (& Resilience)

Take a cursory glance over any annual report of the top risks faced by firms, including our own Capital Markets Risk Sentiment Index (CMRSI), and Cyber Risk will appear in the top three risks faced by Financial Services firms. Often it is the number one risk faced.

Even before the COVID-19 pandemic, Cyber Risk was high on the risk management agenda of most firms. The pandemic only accelerated and amplified the Cyber Risk threat.

According to a report from McKinsey, the COVID-19 pandemic with its work-from-home mandates accelerated firms' digital transformation by seven years. Echoing this acceleration, the Bank for International Settlements (BIS) issued a bulletin in early 2021 which found that Financial Services have been impacted relatively more than other industries by cyber-attacks and incidents during the pandemic.

In 2022, we will be working with existing and new customers, and a range of partners to bring a complete, integrated, real-time Cyber Risk & Resilience proposition to market.

Operational Resilience

Since 2018, the two primary financial services industry regulators within the U.K., the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), have published a joint discussion paper on improving operational resilience across financial services.

This discussion paper has ushered in an evolution in operational risk and business continuity practices within the U.K. Financial Services industry and is now driving the international regulatory agenda around Operational Resilience globally.

March 2022 will see the first milestone reached on the UK operational resilience agenda. By March 31, 2022, regulated firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.

Post the March milestone, there is a roadmap of other steps and requirements that ultimately reaches another important milestone on March 31, 2025. By this point, regulated firms are required to be able to demonstrate they are managing their operational resilience dynamically; they are remaining within their impact tolerances for each important business service in the event of a severe but plausible disruption.

Working with customers and a partner during the second half of 2021, we demonstrated how the Risk Cockpit enables firms to deliver on their operational resilience obligations, now and in the future. We will build on these projects in 2022.

Risk Culture (& Conduct)

For several years now, culture and conduct have been an important conversation between regulators and the firms they regulate. Good progress has been made for many firms, but a significant challenge remains: how to measure risk conduct effectively.

A mix of approaches has been adopted by firms. Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) have been used extensively, often presented on a Risk Culture Dashboard. Some firms have explored more sophisticated analytical approaches such as artificial intelligence and predictive machine learning.

Watch this space as we set out our thinking around Risk Culture and deliver an enhanced 'Risk Culture Dashboard' capability via the Risk Cockpit, which brings together technology, data and a proven framework.

Risk Quantification

As many readers will know (and likely will have experienced), qualitative RAG-based risk registers and dashboards are used extensively within the world of Enterprise and Operational Risk Management. While this approach has a role to play, we believe that our customers benefit from a more quantitative, data-driven approach or from using a combination of qualitative and quantitative approaches.

Working with customers recently, we have developed an approach to risk quantification which enables them to incorporate their existing quantitative approach to the risk and control self-assessment (RCSA) process with a more advanced probabilistic approach.

We will embed a probabilistic approach into our Business Impact Analysis and Scenario capabilities (coming out in Q2).

This will enable our customers to generate financial and non-financial insights from across the risk framework and deliver comprehensive risk-based management information for board and executive decision-making.

Artificial Intelligence

The use and application of Artificial Intelligence (A.I.) and associated technologies such as Natural Language Processing (NLP) and Machine Learning (ML) has exploded over the last 3-5 years.

Within the Enterprise and Operational Risk Management space, Artificial Intelligence has not been adopted as fast as in other areas of risk management such as market risk, credit risk and regulatory risk (where our partner, Waymark.tech, provides Regulatory Change Management built on Natural Language Processing (NLP) technologies).

In 2021, we undertook two proof of concept projects to understand Artificial Intelligence better and determine its applicability to our customers and our platform.

These proof-of-concept projects had their own unique learning curve; however, they ultimately proved to be very beneficial and demonstrated that we could solve a specific customer problem and generate additional, powerful insights for our customers using this technology. Watch this space for further updates on our Artificial Intelligence initiatives as we embed this technology into the Global Risk Platform (GRP) and Risk Cockpit.

Risk Appetite and the linkage to Strategy

Risk Appetite is the amount of risk that a firm is willing to take in order to achieve its objectives and is a core part of a firm's risk management approach and framework. Many Financial Services regulators globally require their regulated firms to set out their risk appetite within a Risk Appetite Statement.

While setting a Risk Appetite and producing a Risk Appetite Statement is often seen as an activity to meet a regulatory requirement, taking this approach is a missed opportunity. The Board and executive should define Risk Appetite to set the firm's risk-taking boundaries and monitor the alignment of risk-taking to the risk appetite to enable the firm to optimise its risk-taking.

The purpose of risk management should not necessarily be to reduce or eliminate risk-taking; instead, it should be to optimise risk-taking within clear risk appetite limits to enable the firm to achieve its strategic objective.

During this year, we will add a significant enhancement to our risk appetite capabilities to enable our customers to improve how they manage risk appetite, produce risk appetite statements and optimise their risk-taking at the enterprise level. The ultimate goal of this work is to provide our customers with a solution that enables them to take a risk-based approach to delivering their strategy.