Digital risk management and resiliency – part two

By Stefano Capodagli

The increasing use of Artificial Intelligence (AI) in risk management shifts the focus towards analytics and minimising losses in a proactive manner. Today, firms are developing risk platforms by scouring the internet for all-encompassing information about any risk-relevant matter with the help of machine learning and AI. As digital innovator and custodian of the data universe, the risk function has available to it relevant risk insights and intelligence. The predictive potential for such techniques regarding risk events and their severity, coupled with timely and accurate outcomes is just being discerned. The traditional backward-looking approaches of incident reporting to forecast future risks and impact seems outdated.

Traditional computing techniques of analysis cannot handle current volumes of data. Algorithmic and cognitive computing capabilities embodied, for example, in data mining, machine learning, and natural language processing, facilitate augmented and assistive intelligence – as well as predictive modelling whose scope is to accelerate and enhance decision making. Today’s digital risk management tools rely on automated data mining, scenario modelling, and forecasting capabilities that assist risk managers in their assessment of the types and likelihood of risk occurrence, and mitigation measures to maintain those risks within risk tolerance.

Doesn’t cut it

As highlighted by our IRM colleague Ipsita Pradhan in her article “Managing data the way you always have doesn’t cut it”: “The domain of risk management is a perfect fit to cognitive computing capabilities, as risk issues/events include unlikely and/or ambiguous events. A massive amount of internal and external data is used by both the private and public organisations to take a ‘proactive’ stance in Risk Management”.

Current generation IT solutions can easily be adapted across strategically relevant apps and smartphone devices, just as risk management processes can be seamlessly and deeply embraced by the corporate culture. The digital risk management function is additionally assisted in accomplishing their objectives by user-friendly and intuitive interfaces. Interactive reports, as well as hover cards and data explorers, offer the ability to slice, dice, and analyse risk data from various perspectives. This digital evolution of risk management generates a virtuous circle between business and risk functions: first- and second-line partnerships, potential risks remain under control, while “sailing” towards better business growth and performance.

Being strategic

Digital resiliency requires the involvement of multiple stakeholder groups, whereas board and senior management oversight and monitoring are crucial to ensure rigorous and effective information security programs. The tone at the top plays a determinant role as much as the digital risk management function assures that is scaled down and across the organisation.

In the digital world, the pace of change is too fast to anticipate and defend against every type of attack. We all acknowledge that compromise is inevitable, hence not only protection, but also detection and responsiveness are the right strategies.

In other words, while risk management had been traditionally focusing on preventing risk incidents, when it comes to digital risks, prevention does not seem to be always a fool-proof strategy. For example, cyberthreats are growing more sophisticated, and despite an organisation’s best efforts at defence, an attack or data breach could occur. Developing an advanced resilience strategy and robust business continuity process enables an organisation to face any worst-case scenarios and protect its business performance.

The risk-based approach, firstly, requires an understanding of the most vital information assets in the enterprise, and an assessment of how a disruption, such as a cybersecurity attack, could quantitatively impact on them. As second step entails ensuring that the second line of defence works effectively with its business counterparts to negotiate appropriate levels of security based on the overall risk appetite limits defined by the board. Accordingly, a business continuity plan can be developed with clearly-defined roles and responsibilities, as well including steps for communication and coordination. All plans and processes must be tested at regular intervals so that employees and stakeholders know exactly what they need to do if a disruption occurs.

Business performance resilience is the core objective, and the digital risk management function plays a leading role in these efforts, ensuring that the organisation is “well trained” with a holistic strategy that defends against threats and is able to bounce back swiftly from adverse incidents that do occur.

Digital resiliency is by no doubt the most important long-term assets of an organisation. All enterprises and their management are called to ensure they are fully prepared to face the digital present and future.  They shall embrace the modern strategic digital risk management culture, since the roots of the failure to build digital resilience capabilities lie not in technology but in corporate risk culture.

 

 

Stefano Capodagli, MBA, CPA, MCSI, SIRM – seasoned CRO, risk, finance and business executive and non-executive director of risk advisory firms in CEE, Africa, Asia and MENA region – is senior advisor on strategic and digital risk management to international financial institutions, UN agencies, financial services and microfinance organisations as well as certified professional trainer at IRM, academic lecturer and professional/team coach. The views expressed in this article are the author’s own and do not represent the views or position of IRM.

  • About Enterprise Risk Magazine

    Enterprise Risk Magazine is the leading quarterly title for risk managers and enterprise risk, with a print circulation of over 5,500.

    Enterprise Risk is published on behalf of the Institute of Risk Management (IRM). The majority of IRM members receive their copy of Enterprise Risk at their home address, meaning the title... Read more
  • Categories

  • Tags