CROs today face an unprecedented number of new and emerging risks that can threaten corporate strategy if they are not identified quickly and managed properly.
Chief risk officers (CROs) will need to keep close watch on a number of strategic, operational, and external risks this year. Effective risk management and mitigation will be critical since companies’ strategies, business models, operations, reputations, and, ultimately, survival are on the line.
KPMG LLP has identified seven key strategic, operational, and external risk areas that should top CROs’ risk management agendas this year:
1) Technology risk management – CROs who maintain a strong IT risk management (ITRM) function and establish a strong connection with it can proactively manage technology risks rather than reacting to audits, new regulations, new business strategies, and other disruptions.
2) Third-party risk management – Organizations today have thousands, if not tens of thousands, of third‑party intermediaries. As the role of third parties in companies’ interaction with governments has grown and supply chains become more stretched, companies’ monitoring of their third parties has become critically important.
3) Fraud and misconduct – CROs should be especially wary of fraud that indicates collusive behavior. Collusive behavior is on the rise due to the emphasis companies have placed on improving their financial controls environment to comply with Sarbanes-Oxley and other regulations. These controls make it more difficult for individuals to perpetrate fraud. Co-conspirators can enable fraudulent schemes to bypass certain control structures.
4) Crisis management – Since a crisis strikes without warning and requires a swift response, CROs need to take steps to ensure that on-call arrangements are in place. Lawyers, IT and forensic accounting professionals, and other consultants should be vetted, contracted with, and know the business beforehand to be ready to take action at a moment’s notice.
5) Data security – Since companies are more connected to more organizations than ever before, CROs need to monitor those connections if they are to better understand how trusted third parties are using and protecting company information. It is also important for CROs to provide their trusted business partners with greater insight into their own control and security environments.
6) Achieving compliance program effectiveness – Companies should have a mechanism in place to capture an updated inventory of global regulations; employ a methodology to help prioritize regulatory obligations and manage regulatory change; evaluate compliance program effectiveness with regard to monitoring, testing, and reporting; and ensure that they have an enterprise-wide view of regulatory risk and are able to collaborate internally to present a comprehensive report to the board.
7) Improving risk data aggregation and reporting – As regulatory requirements become more stringent and the demand for risk data aggregation and improved data quality increases, it is essential that CROs concentrate on improving risk reporting, particularly within the financial services sector.