As we are in the midst of a turbulent time in history and at the brink of a new decade, we asked CROs what keeps them up at night. Many couldn’t just pick one thing, after all, CROs’ attention is split in multiple directions. The usual suspects like credit risk and market risk are on CROs’ radar, but what top the list are risks that will impact an enterprise in the long run.
Before the results are discussed, we’d like to thank the members of the RiskMinds community for sharing their comments and their expertise with us. We look forward to learn more from you at our next event, RiskMinds Americas.
It’s impossible to not pay attention to the current political scene. We’ve been benefiting from a connected, globalised economy, but the world seems to be taking on a new direction where protectionist policies are growing in popularity.
“If this trend continues, it could materially alter fundamental rules that we take for granted and upon which strategies are based”, a CRO told us.
But what puts geopolitical risk on the top of CROs concerns is its unpredictable nature. Both the election of President Trump and the outcome of the EU referendum leading to Brexit shocked the world. Both of these events showed us an increasingly polarised, populist society and provided new challenges for the global risk management community.
A CRO described geopolitical risk (and emerging risks) as “the most difficult to get a good quantitative handle on”.
The manifestation of geopolitical risk could even have a knock-on effect and impact credit risk, market risk, counterparty risk, and more.
A CRO told us: “The world is in the midst of major changes on all dimensions: technological innovation, demographics, geopolitical shifts, economic and financial paradigms, environmental and social issues – people’s aspirations have altered fundamentally.”
For now, it is impossible to say whether the populist movement will demolish democracy. Political scientist Yascha Mounk told us in an interview: “It’s too early to tell what the new world order is”.
Like geopolitical risk, cyber risk earnt its place due to its “limited predictability”.
Holistic cyber risk management is still a challenge for many enterprises, which is not surprising, considering the fast-paced developments in this field.
“Cyber is one of the biggest risks that we face, and it is certainly one of the most unpredictable. Unlike more traditional risks, it’s hard to put your arms around the scale of a cyber attack. Any successful attack is also going to have an impact on what is probably our most valuable currency: trust. We have a responsibility to our customers to ensure that cyber attacks are not successful. We need to increasingly re-imagine ourselves as technology companies rather than just financial institutions, and must continue to invest in people, technology and processes to thwart cyber attacks”, a CRO told us.
What are CROs like Trevor Adams (Nedbank Group) do to mitigate cyber risk?
Besides damaging your trustworthiness and reputation, chinks in your cyber defence can disrupt your business significantly, damage your systems, and directly lead to revenue loss. This makes cyber risk management a huge part of your operational risk management.
“On an everyday basis, operational risk is one that we strongly focus on”, a CRO told us.
Risk management is transforming in many ways: renewed processes, IT developments, and rapidly changing political, regulatory, economic, social, and competitive environments – it’s no wonder why operational risk is on CRO’s minds.
“The aim is to provide effective management, mitigate risk and keep cost-benefit balance while building a strong risk management culture”, a CRO explained.
Earlier this year, risk, wealth and asset management consultant and former CRO Philip Best reported that “a straw poll of CROs regularly yields the result that operational risk is their weakest suit”. Compared to other risks, effective operational risk management needs a more holistic approach that ultimately supports a business-wide culture. Another challenge to the implementation of effective operational risk management is the difficulty of assigning value to it.
Yet, Best reported, “the biggest losses experienced by financial institutions have been conduct related, the second largest, typically fraud or rogue trading, have been operational in nature”.
Besides cyber and conduct risk management, effective operational risk management strategies should also address regulatory compliance.
“We are at the stage where we had 200 regulatory changes that a bank operating on a global level needs to digest every day. Becoming an organisation with the operational capability to assess the impact of regulations in a structured way is a main challenge you need to deal with as a global bank”, Gerold Grasshoff, Senior Partner & Managing Director at BCG, told us in an interview.
Emerging risks: climate change
Much like geopolitical and cyber risk, our ability to quantify emerging risks is limited.
“Emerging risk, by its definition, is inchoate, and therefore subject to difficult challenges”, a CRO noted.
One particular emerging risk that stands out is climate risk.
“More frequent extreme weather and rising oceans are increasing the risk of catastrophic natural events. This is causing us to revisit business recovery and disaster recovery plans to ensure they are still appropriate”, a CRO told us.
Extreme weather events, failure of climate-change mitigation and adaptation, and natural disasters are the top 3 risks most likely to happen according to the World Economic Forum’s 2019 Global Risk Report. This report also puts these 3 risks among the top 5 risks with the highest impact on the world.
“Changing weather patterns will have widespread consequences on P&C and life claims occurrences, as well as on long-term investments”, Frieder Knupling, Group Chief Risk Officer of Scor, told us earlier this year. “The industry needs, on the one hand, to manage the resulting financial risks and, on the other hand, to play a leading role in bringing societies together to work towards global solutions.”
Reflecting on last year’s conversations at RiskMinds International, Roselyne Renel, Global Head of Enterprise Risk Management at Standard Chartered Bank, wrote: “none of us know all the answers yet, but it is a globally important topic that warrants an all-hands-on-deck approach to finding the answers”.
Other: technology risk
In order to develop and apply new technologies, enterprises are very likely to have to work with third party vendors, which might expose organisations to financial, data security, legal risks, and more.
“The emergence of increasingly sophisticated technology like big data, machine learning, and artificial intelligence is forcing the industry to adapt quickly without necessarily understanding the new risk paradigms”, a CRO told us.
A particularly problematic issue that needs careful consideration is data ownership. Best Practice AI Partner Simon Greenman illustrated: “If your data is a strategic asset, such as an insurance company with claims history of millions of customers, you might not want it to be used for the benefit of your competitors.”
With GDPR in force, enterprises must act cautiously when sharing data with third party vendors.
“We have yet to see and appreciate how GDPR will impact our day to day procedures”, a CRO told us earlier this year. “As case law becomes more available, we will need to reconsider some existing processes.”
On top of all of this, risk managers must explore the ethical implications of applying AI. For example, biased decisions made by an AI can damage a company’s reputation significantly.
What will keep CROs awake at night in 2019?