Technology promises to alter the practice of risk management. Will these advances simply change how risk professionals work or create new, more strategic roles?
As organizations rely more heavily on advances in areas like artificial intelligence, data analytics and machine learning, the nature and focus of many professions will begin to shift. Risk management is no exception. As technology takes on more of the basic, process-driven work that makes up a large part of a risk professional’s current workload, practitioners may be free to concentrate on more “value-adding” work and explore new or underdeveloped areas of risk management that have—until now—been relatively untapped. In this way, rather than posing a threat, artificial intelligence and machine learning may actually enable more sophisticated risk management, if used well.
According to Tom Bigham, risk advisory partner at Deloitte, the risk professional’s role has already been undeniably impacted by new technologies, and it will continue to be molded as emerging technologies mature further. In fact, there is little other choice—evidence suggests that risk managers need to embrace artificial intelligence, machine learning and other technologies as a matter of course. In Deloitte’s recent Digital Risk Survey, 60% of senior executives across over 160 global organizations rated the effectiveness of current risk management tools as five (or less) out of 10—hardly a ringing endorsement of current capabilities.
Bigham said that the risk management departments “leading the way” are moving towards using technology to perform more basic, repetitive tasks. At the same time, they are also looking to improve these processes—for example, by ensuring that tasks are being completed with a greater level of accuracy, while also challenging existing processes to remove duplications and unnecessary layers of governance. In the near future, he believes, tasks such as manual controls testing (used to gain assurance on an annual basis) will become automated, and risk managers will use live dashboards to monitor and ensure that tests are configured correctly.
However, over the longer term, Bigham said, new technologies will help the role of the risk manager evolve into two camps: “engineers” and “thinkers.” As one would expect, the “engineers” are tech savvy. “Understanding the technologies allows these risk managers to ensure they are providing the right service to the organization and are aligned to their risk appetite,” he said. “Integrating the risk managers earlier in the development process (otherwise known as ‘shift to the left’) will ensure controls are considered at the right point in time, avoiding unnecessary delays later in the process.”
Meanwhile, “thinkers” will analyze their organization’s data by identifying patterns and rules, creating insights from which senior management can make decisions based on external events happening to their organization. “This allows risk managers to inform senior management of the potential impact of these events, and to introduce safeguards to prevent negative impact,” he said. “In addition, the risk manager’s expertise is required to ensure information and data collected from newly introduced tools is mapped to a common framework and combined to provide an overarching view to senior management.”
Many believe that new technology will not only change the future of risk management—it will also drive it. According to Arvind Govindarajan, partner at McKinsey & Company, a number of “structural trends” will impact the future of the risk function, including big data, analytics and digitization, and the growth of a number of emerging risk types, like cybersecurity. However, other factors will also play a defining role. For example, expectations from external customers and internal stakeholders for real-time, more granular and customized insights will affect the focus and work of risk managers, as will a continuous expansion in the breadth and depth of regulations. This is amplified by increased pressure on costs and competitive intensity, often from non-traditional players such as technology companies.
Govindarajan believes that the risk departments of the future will be “a high-intellect, highly automated nerve center.” In the future, advanced models and artificial intelligence will help assess emerging risks, early-warning signals and potential responses. “There will also be increased integration of risk management with other disciplines,” like business strategy, portfolio management and operations, he said. However, this movement will also create new risks that risk managers must address—namely, the risk from increased use of models and digitization, and ensuring that risk professionals fully understand how these models work and what their capabilities (and limitations) are. Additionally, the increased reliance on data will require more focus on managing data risk, including data privacy, access and quality.
In the immediate term, “risk managers are going to have to check that the technologies they are relying on to enhance risk and management information actually work and deliver the assurance that they are supposed to,” said Fergus Allan, head of regulation and compliance at management consultancy TORI Global. Risk professionals will need to meet these new expectations, which means investing now in upskilling, training and recruitment.
In the long run, as technology takes on more of the analytical and processing tasks, risk professionals will be able to take a longer-term view of risks to the business, with the opportunity to focus more heavily on “horizon-scanning” for emerging risks that may impact the business in two or three years. “This will allow risk managers to think more strategically,” he said.
Allan believes that risk management will become more about “managing resilience”—ensuring that the business can cope with immediate shocks, such as natural catastrophes, power outages and supply chain failures, as well as more long-term disruptive risks, like those caused by new and more nimble challengers entering the market, new technologies, more stringent regulation and changing consumer sentiment.
“As technology takes on more of a risk manager’s current workload, risk managers will need to focus on more value-adding activities, and that includes the issues underpinning business strategy and the organization’s resilience,” Allan said. “The business environment is changing much more rapidly now, and companies can only rely on brand loyalty if their products and services are better than their rivals and affordably priced—not necessarily because they are the most established or dominant in the market. Risk managers need to concentrate on how the organization can sustain itself in an environment that is more competitive, more highly regulated, and where ‘shocks’ can take place more frequently than before. As a result, it is obvious that risk managers need to be more engaged in reviewing risks around strategy and organizational resilience.”
Rob Clyde, immediate past chair of ISACA and director at data protection software firm Titus, agreed that there is a real need for risk managers to be more strategic. Indeed, he believes increased automation of the risk function will allow risk professionals more time and resources to engage in other activities where they could make a positive impact, and provide an opportunity for the profession to develop further.
“Risk functions need to move on from simply alerting management to risks, and they need to steer the organization toward getting the rewards from effective governance rather than just focusing on managing risks,” Clyde said. “They need to show that they understand the business, show how these risks will impact the bottom line, and show how opportunities can be leveraged from better risk management. Risk managers need to think about how they can make the strategy work even more effectively and drive more profitability. They need to think about how they can help the organization ‘win.’”
Clyde believes that risk managers will move away from some traditional priorities, such as crunching data, and will instead focus on new and emerging risk areas where artificial intelligence and other new technologies have not yet made the same degree of impact as data analytics. These include reviewing cyberrisk, data protection and data privacy risks, macroeconomic risks, and even the impact that misinformation on social media might have on the company’s reputation and bottom line.
Other experts, however, are less convinced that adoption of new technologies will change the underlying focus or approach of risk management. While they accept that the growth and accessibility of new technologies will have a positive impact on risk management, they say it does not necessarily follow that the profession’s priorities or usual tasks will change much. Instead, they believe that new technologies merely represent new risk tools that enable different ways of working on the same traditional areas, rather than revolutionizing what the function does.
Increased automation largely means that risk functions can concentrate more effectively on what is typically their primary focus—operational risks. “We’re seeing from our member organizations that operational risk is increasingly becoming a concern for boards,” said Dr. Luke Carrivick, head of analytics and research at ORX, an operational risk association for banks, insurers and asset managers. “Whereas 10 years ago credit and market risk dominated institutional risk profiles, boards today are far more focused on their operational risk exposure—for example, their highly valuable digital assets and how resilient they really are to events such as cyberattacks.”
According to Carrivick, “Boards don’t want to see endless reports showing what has happened previously. Instead, they want to know how their operational risk profile is changing as their strategy advances. Good data analytics is central to providing this forward-looking view.”
Michael Harris, director of financial crime compliance and regulation risk at LexisNexis Risk Solutions, is skeptical about technology’s role in shaping the future of the profession, particularly the idea that risk managers will somehow become more involved in corporate strategy. While technology may take a lot of the basic tasks away from risk management, it does not mean that risk professionals will take a more strategic role and become “risk leaders.” “Executives will still be ultimately responsible for strategy and risk—not risk managers,” he said.
The extent to which risk managers take on a more strategic role may depend on the industry vertical. “In heavily regulated industries such as financial services and pharmaceuticals, for example, there is still going to be a strong focus on compliance, despite what new technology can—and can’t—do,” Harris said. “As a result, boards in those industries will primarily want reassurance from risk management that operational risks are still being managed appropriately.”
As decision-making becomes more automated, Harris believes firms will face a greater need for assurance that the technology underpinning decision-making is working in the best interests of the company and its customers, and that it is compliant. “It will fall to risk managers to check that the processes that determine decision-making and produce management information are working properly,” he said. “This will mean that risk managers will need to understand the technology and its associated risks, and that will probably require retraining and upskilling. Over the past few years, risk, compliance and internal audit departments in financial services firms especially have grown due to increased regulatory demands and scrutiny. While these functions will likely cut staff as technology adoption becomes more prevalent, it is probably fair to say that their roles will stay largely the same.”
Mike Hampson, CEO at Bishopsgate Financial Consulting, believes that “machines should do the ordinary so that the risk management function can do the extraordinary.” But the reality may be that “technology will simply free up risk managers to look at new areas of risk rather than change their role or the way the function works,” he said.
This may be because regulators shape risk management’s role more than technology or executives do. “Risk managers may want to play a more strategic and consultative role in their organizations, but more often than not, it is regulators that largely define what their areas of focus are going to be,” he said. “For example, in recent years, regulators—particularly in areas like financial services—have asked organizations to move away from just looking at financial risk and market risk to examine areas like operational resilience, systemic risk, macro-economic risk, climate risk and data protection. Consequently, risk management functions have had to follow that lead, providing assurance on other, new risk areas rather than trying to turn themselves into some kind of management consultancy.”
Despite the influence of new technology and compliance requirements, risk managers generally will need to become more commercially-minded and business savvy, Hampson said. This means being much more conscious about cost, competition and the wider macroeconomic environment—in effect, looking at external, market-driven risks to the business.
“At some level, risk managers need to think about rewards and not just risks,” he said. “Despite the cliché that there is no reward without risk, it is still true that most risk managers look at the risks inherent in business strategies, rather than look at the predicted rewards associated with them. This needs to change. Risk managers need to be more prepared to question whether the strategy is the best option and, if so, whether it can be tweaked or improved to deliver even better returns.”
There is little doubt that technology will impact the future role and work of risk professionals, but how this technology is ultimately implemented will still depend on what the board—and regulators—deem to be priority areas. Even if developments like artificial intelligence prove merely to be tools to enable risk managers to do their current work more effectively, rather than empowering them to explore new areas to add value, expectations about what the risk function can and should deliver are also changing. Regardless of technology’s potential uses, risk professionals will need to be more sensitive to how the business operates and where the organization can take advantage of commercial opportunities.
Neil Hodge is a U.K.-based journalist who often covers risk management.