The 2021 Risk Management Trending Topics
Mostafa Elghazaly
Founder of Signify Solution | Writer | Focuses on Digital & AI Strategies, Cybersecurity, GRC, Risk Management and Portfolio Management
2021 Risk Management Trending Topics and COVID-19 Impact
In this Strategy+ post, we will discuss the trending topics across six key domains. We will explore the key factors driving the popularity surge of these trending topics in 2021, and provide ideas to Risk Management professionals on potential projects to help address the most significant risks and to add value to their organizations.
It is expected that COVID-19 will continue to drive a negative impact across different businesses and sectors. It will continue to cause a reduction in business revenue, an increase in operating cost, and an increase in government-mandated regulation on employee safety, all of which will lead to a slow global economic recovery.
Because of COVID-19 and the disruption it caused, there are new risk areas that have started to emerge in 2020 and will continue into 2021. Unplanned working models, local (and global) shutdowns and increased social distancing pressures have all created the need for many businesses to shift their short-term and long-term strategies.
Business leaders will not have the luxury to suffer any resource or cost loss due to misalignment between Risk Management objectives and Business Strategy objectives throughout the upcoming year. Due to this increased pressure on the business, it is critical to have a Risk Management function as an enabler and supporter to the business.
To help shape your risk management focus areas, we have highlighted the below trending Risk Management topics to consider:
1. Aligning Technology and Business Strategic Investments
Current Challenges
Strategic alignment explores how different business functions work together to achieve a common goal. Business and IT alignment, including their strategies and structures, is a key hot topic among the C-suite today. Strategic alignment between IT and Business strategies is never achieved by accident. To realize the new business objectives in the digital era, including benefits realization and regulatory compliance, companies need to create alignment between the different stakeholders. This alignment is a great challenge, since different leaders and their departments often work in silos.
With new technologies on the rise (e.g. Blockchain, AI, and Machine Learning), Risk Management Leaders are on the hook to guide the business in the right direction and mitigate any points of failure with their independent, objective views.
How can Risk Management Leaders help?
Risk Management Leaders need to ensure organizations not only deliver programs successfully, but also pick the right strategic programs: those most suited to the company’s success and best aligned with the company’s strategic objectives.
Risk Management functions need to play a key role in increasing the maturity of program management capabilities, including organizing tasks, tracking progress towards milestones, measuring gaps, and proactively reporting on milestones with an independent, objective view. Risk Management functions need to focus on:
- Evaluating the strategic investments governance approach: Evaluating the organization’s governance and program capabilities, including providing a real-time independent view of failed or troubled projects to identify themes and patterns that must be fixed to put the project back on track.
- Independently assessing risks for major implementations and ERP technology transformation programs: Evaluating significant risks and assessing the effectiveness of mitigation strategies for large transformation programs, including ERP and Digital transformation programs. Conducting in-flight reviews to assess governance and stakeholder alignment, the system’s agile development approach and testing, and the methods for measuring program success.
- Assessing the intelligent automation governance program: Assessing and implementing adequate governance programs to integrate governance, risk, and controls (GRC) throughout the automation program life cycle (from planning to ongoing monitoring following implementation), including defining a unified oversight of key performance indicators (KPIs), key risk indicators (KRIs), risk mitigation, and control activities.
2. Enhancing Privacy and Data Protection Compliance Programs
Current Challenges
As data-driven applications are adopted at a high rate, compliance with data security and privacy laws needs to be addressed effectively and efficiently. With data protection laws on the rise (e.g. GDPR and CCPA), privacy assessments are critical to avoid high regulatory fines; in many cases, managing data risks will be new to organizations, which will impact the design of their business processes.
Privacy impact assessments have become integral, requiring organizations to carefully consider the impact on the business process design and on individuals’ rights and freedoms. To support data confidentiality and privacy requirements, organizations must invest in leading technologies, including encryption, data masking, and pseudonymization.
The main challenge is to identify and provide clear oversight of the data lifecycle (collection, storage, data lineage, and data deletion) in order to adequately comply with data subject requests. Foundational to all these regulations is the required documentation of the record of processing activities, which forces companies to identify all business processes that use personal data, along with the relevant systems and storage locations.
How can Risk Management Leaders help?
Risk management professionals, along with the business owners, will need to establish and monitor their data protection and privacy programs. Identifying the Critical Data Elements (CDEs) is one of the key steps in creating a path to increase the maturity level of the organization’s data governance capabilities. This data identification process helps the business understand current data flow and usage so that the applicable laws can be mapped to each data asset.
- Performing an in-depth review of the organization’s privacy program: Evaluating the scope and effectiveness of the privacy program to help provide a point of view on how the organization’s privacy program is equipped to effectively respond to existing and new regulations and effectively sustain compliance on an ongoing basis.
- Conducting a regulation-focused gap assessment: Conducting an in-depth assessment of the company’s privacy implementation process and testing the effectiveness of new programs implemented for specific privacy laws such as GDPR or CCPA.
- Identifying Critical Data Elements (CDEs) and Data Lineage requirements: Helping Data Office teams identify the organization’s critical and key data elements and their alignment with the current enterprise data objectives supporting business and regulatory objectives, including identifying data flows and transformation conditions.
3. Embracing an Intelligent and Agile Risk Management (Agile Assurance)
Current Challenges
In 2020, many Risk Management and Internal Audit functions tried to change how they work by embracing a more agile way of working; however, COVID-19 may have disrupted that plan for many organizations. The need for an agile Internal Audit and Risk Management function is a critical success factor in 2021. This will enable management to respond to demanding compliance requirements quickly and with high-quality delivery.
Risk Management agility is the ability to keep up in the digital age by responding to market changes and emerging opportunities with creative ways to deliver intelligent and compliant solutions, while partnering effectively with business and IT stakeholders.
How can Risk Management Leaders help?
Risk Management functions should always look to partner with the different stakeholders to push the business forward. A key objective is to provide high-quality and timely feedback that increases operational excellence and compliance with different regulations. To limit the impact of compliance activities on business operations, risk professionals will need to start investing in and leveraging technologies to improve assessment quality, reduce compliance costs, and expand risk scope and coverage. Risk Management functions need to start:
- Embracing the agile principles for a new way of working: Risk Management professionals need to embrace a new way of working by applying the agile principles. Applying agile principles focuses on generating faster, high-quality, and focused value through short sprints throughout the year, letting go of a stringent audit plan and creating the highest value through prioritization.
- Utilizing an intelligent compliance management solution: Investing in compliance solutions needs to be on the 2021 agenda to better drive operative and cost-effective compliance activities. Building and deploying an integrated & complete GRC suite, with continuous monitoring & testing capabilities, will be in high demand in 2021.
- Expanding the use of new and emerging testing technologies: By applying new technologies in daily work (e.g. data analytics, RPA, and AI assurance technologies), risk management and compliance functions gain the capability to identify associated risks in real time, along with the remediation measures for any control weaknesses against high-risk compliance or operational requirements.
4. Protecting Organizations against Cybersecurity Threats
Current Challenges
Companies face cyberattacks every day, and the frequency of such incidents will continue to rise. Due to the significant impact of these attacks, cybersecurity will continue to be on the critical list for the business board and executives to address.
Cybersecurity is an extraordinarily complex area that includes many domains, such as threat management, identity and access management (IAM), third-party vendor management, cloud solutions, information protection, incident response, and many others. To develop appropriate countermeasure activities, risk management professionals will need to holistically review the company’s cybersecurity programs and help establish effective solutions.
With COVID-19 amplifying the remote workforce, security vulnerabilities and gaps have increased, leaving many employees more susceptible to cybersecurity attacks.
How can Risk Management Leaders help?
Many risk management professionals will need to continually test, tweak, and take the lead in developing and executing disaster recovery plans and business continuity procedures, assessing both their effectiveness and the organization’s knowledge of crisis response plans (e.g. for ransomware attacks). Risk Management Leaders need to focus on:
- Defining the best practices for an optimized security management program: Assessing operational gaps related to security governance practices, measurement and reporting on security effectiveness, communication and training for end users, and cost management associated with security operations.
- Assessing the Identity & Access Management governance practices and implemented tech solutions: Assessing, designing, and testing the various components of a successful IAM program, including governance and management activities related to SaaS and cloud solutions. This covers management’s overall IAM governance program, IAM policies and procedures, access lifecycle management, access control, asset management, and the procedures in place for monitoring and logging of access and activity.
- Integrating security best practices with cloud implementation: Conducting enterprise-wide cloud governance assessments, cloud cyber assessments, cloud-first adoption roadmaps, and cloud architecture reviews, with the objective of integrating cybersecurity best practices into cloud implementations.
5. Building an Effective Disaster Recovery Plan and Business Operation Resilience
Current Challenges
With today’s highly connected global organizations and the widespread adoption of remote work, business resilience and disaster recovery plans need to be updated and assessed for their effectiveness. While some risks can be monitored and mitigated, high-impact, hard-to-predict events are occurring more often than ever.
Without a comprehensive disaster recovery and business continuity plan, organizations will not be able to provide services and products to their clients in a timely manner in the case of unfavorable or disaster events. This could significantly damage the reputation of the organization or lose clients and revenue. Plans should be tested on an ongoing basis to ensure an appropriate and coordinated response and recovery is in place. In addition, employees should receive sufficient training to ensure that they can respond properly in the event of a disaster or major disruption.
Many risk management professionals will need to continually test, tweak, and take the lead in developing and executing disaster recovery plans and business continuity procedures, assessing both their effectiveness and the organization’s knowledge of crisis response plans (e.g. for ransomware attacks).
How can Risk Management Leaders help?
Risk Management Leaders need to consider and report on the disaster recovery capabilities required to meet business requirements under a range of agreed-to disruption scenarios, including but not limited to: loss of key site(s) housing technology equipment and services, loss of key third-party IT service providers, or loss of key IT service personnel. To support a resilient business operation, Risk Leaders need to consider:
- Assessing the disaster recovery system architecture design: Identifying any gaps in the IT disaster recovery plan’s ability to meet stated business requirements (e.g. identification of technical single points of failure and assessment of recovery times vs. business needs).
- Measuring the Business Continuity project plan effectiveness: Assessing the maturity of business-continuity governance plans and processes against maturity measurement criteria from, for example, NIST, ISO 22301, or as agreed to with business requirements.
- Evaluating vendor cyber resiliency operations: Independently analyzing and inspecting third-party vendors’ capacity to mitigate large-scale disruptive events, their cyber resiliency preparedness and recovery capability, including inspecting vendor RPOs and RTOs and data confidentiality agreements against management requirements.
6. Improving Talent Management and Well-Being Programs
Current Challenges
The workforce is now composed of disparate employment models and working locations, requiring organizations to manage increased complexities and adapt traditional human resource processes. The workforce today consists not of three or four, but five generations. Employee diversity and inclusion is one of the highest-priority items that will continue to help organizations improve at creating innovative ideas and solutions in the market.
The go-to trusted employees who others turn to in an emergency or for guidance are not only difficult to spot, but also difficult to keep in a fierce hiring market. These employees share common characteristics that make them essential to your business success: they are achievers, generous, coachable, well-connected, and futuristic.
Due to COVID-19, talent flexibility is critical for current and future operations. However, employees are under significant physical and mental stress, and many lack the digital skills needed in a virtual work environment.
How can Risk Management Leaders help?
Risk Management professionals will need to assess and mitigate the risks around the deterioration of employees’ mental health, the lack of digital skills to navigate and support new and emerging technologies, and the increased social and corporate responsibility pressures to respond to the global protests surrounding police brutality, income inequality, social and gender discrimination, racial injustice, and climate change. Risk Management leaders need to:
- Independently assess employee engagement and well-being: Risk Management Leaders need to implement assessment plans to identify and respond to employee disengagement and mental health deterioration. Leaders can start by evaluating the frequency of engagement surveys independently and ensuring results are documented and action plans exist to address signs of employee disengagement.
- Assess the organization’s effectiveness of the dedicated digital upskilling development plans: Risk Management leaders need to perform an appropriate diagnostic benchmark to compare the organization’s talent-management capabilities. The focus should be on validating whether development plans are adequately updated and effective, based on an independent review of the career and learning development program.
Bringing it all together
Well-involved oversight by the risk management and compliance teams helps ensure that intelligent enterprise initiatives (e.g. RPA, AI, IoT, and Blockchain) are designed and implemented securely. Without involving risk management professionals upfront, projects might not achieve their desired objectives because the impact of these large-scale transformations on all of the organization’s components (technology, process, data, and people) is downplayed.
Risk Management professionals need to play an active role in reviewing the alignment of intelligent initiatives with the organization’s strategic compliance goals, including reviewing the identification and resolution of the inherent risks introduced by these emerging technologies.
A blast from the past: Last year, we discussed the different areas Risk Management Leaders needed to put on their 2020 agenda, including the heightened focus on business continuity and disaster recovery plans (check it out here), an area that is critical to maintaining business operation resilience.
__________________________
Strategy+ Series: At Signify Solution, we believe in providing advisory and assurance services that help our clients better plan and solve their business problems. Strategy+ gives insight into our framework and the solutions we implement at our clients. Strategy+ posts are our way of sharing our knowledge, allowing us to have a bigger reach and impact at our clients.
Please contact me directly at [email protected] to connect, chat and see how we can help you out.
We help companies create a total view of the different projects they need to pursue as well as challenge the impact of each of these projects against the business objectives established by the leadership.
The views, information or opinions expressed in this article are my own. All information in this article is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information.