Predicting Risk Management Challenges in 2019

Steve Schlarman


February 4, 2019

Predicting the future can be both fun and nerve-wracking. On one hand, you can never truly know what the future holds, and if you are wrong you can always chalk it up to chance or unforeseen events. On the other hand, forward-looking thinking is crucial in risk management in order to be prepared for what might be thrown your way. Not all of your predictions will be spot on, but keeping your eyes on the horizon—with brief glimpses in the past to reflect—is key to successful risk management.

If we take a look at how the landscape evolved in 2018, we can get a sense of how organizations should approach risk management going forward. The following are some of the forthcoming challenges facing risk management in 2019:

Prediction #1:
Forward-leaning organizations will use risk management as a competitive advantage.

While hard to measure, using risk as a competitive advantage continues to swirl within risk management circles. Every industry today is facing some disruptive force from digital transformation or the “new economy”—whether it is a “born in the cloud” digital entry into their market or a digitally-driven shift in products or services. As such, organizations must take risks on new business opportunities and models—especially when it comes to digital initiatives. Today’s market is not for the faint hearted and therefore, taking risks is part of the game.

What this means for 2019: We will continue to see organizations engage in risk management conversations and the discussion will shift from operational to strategic risk management. Whether this represents an expansion of operational risk management or a shift to an extensive enterprise risk management strategy depends on the organization. However, those mandated to keep an eye on risk in an organization—CROs, CISOs, COOs, CCOs and others—will continue to be asked tough questions about quantifying risks. At the heart of this discussion is how every organization’s risk management strategy can accelerate their business and be used as a competitive advantage.

Prediction #2:
Compliance regulation and added scrutiny from non-regulators will disrupt long-term strategic planning.

Regulators upped their game in 2018 and we also saw a rise in data privacy scandals and issues—some triggered by public outcry—that have subjected companies to new levels of scrutiny. However, the topic of third party risk remains a major discussion point for all organizations.

What this means for 2019: The winds of political change will persist, and organizations and regulators will adjust as necessary. Look out for talk of trade wars, supply chain disruptions, and other shifts that could derail long-term strategic plans. Simultaneously, regulators and consumers alike will continue their press on organization’s risk and compliance practices. Social movements, investigative journalists and a host of external (and internal) watchdogs add additional layers of scrutiny.

Prediction #3:
Data will be at the crux of risk management.

Data continues to be the new business x-factor as organizations consider “What can we do with the data we have? Can we drive revenue? Can we lower costs?” However, the opportunity of what data can hold for an organization also adds to the risks posed to—or by—that data. Data breaches and data misuse continue to put a damper on unlocking the full potential of this new “currency.”

What this means for 2019: According to PricewaterhouseCooper’s 21st Annual Global CEO Survey, cyber threats have surpassed regulation as the main concern for those C-suite executives surveyed, and data is the main target of cyberattacks. The inherent nature of digital business involves understanding the data and cyber threats. Privacy requirements, such as GDPR, should add more momentum on the path toward data-centric risk management.

Prediction #4:
Coordinated incident response will become a business priority.

2018 had its share of self-imposed, headline-grabbing disasters like data breaches and corporate failures. Unfortunately for the companies involved, the pain of those events impacted not only their reputations but reverberated across their culture. The jury is still out on how well those companies bounced back, but it became clear that every organization should have a strong crisis management plan in place.

What this means for 2019: These situations highlight the need for coordinated incident response, regardless of the source of the incident, across organizational functions. Managing an incident from initial identification through the PR blitz will become a fundamental need. Aligning functions and working through a very broad range of scenarios—from a security incident to an executive slip-up—will require risk professionals to stretch their imaginations to help their organization prepare for the next crisis.

Prediction #5:
Traditional security and risk protocols will fail to keep up. 

As an industry, one of the new challenges we are facing is that the security and risk functions within our organizations are struggling to keep up with accelerated business operations. Even more, the lines that used to separate traditional cybersecurity and core risk functions are becoming increasingly blurred.

What this means for 2019: Agile development is not just for IT anymore, but a core business strategy. An annual risk assessment will no longer cut it because a security review designed for a waterfall product lifecycle will not mesh with these new DevOps methodologies. These shifts will place strains on traditional approaches to security and risk, and cause ripple effects in skills gaps, process inefficiencies and data gaps.

In short, 2019 should be the year of retooling for your risk and security program. That does not mean throwing away all your old tools, but rather sharpening the tools you have and preparing them for the future. It also means retooling your skills and resources, and redefining how you see, talk about and decide which risks to take.
Steve Schlarman is a risk management strategist at RSA Security.