The following is an opinion piece written by Paul DeCoster, head of practice – risk, legal, compliance & security, Marlin Hawk. The views expressed within the article are not necessarily those of Corporate Risk and Insurance.
In the last two to three years a large number of non-financial services institutions, led by other heavily regulated industries such as telecoms and healthcare, have been building out and empowering stand-alone, independent risk oversight functions.
Often following the financial services ‘three lines of defence’ model, many of these organisations have begun building empowered risk management and compliance functions in order to gain a holistic view of the risks they face. For many, this is the first time they are deploying any form of enterprise risk management.
The financial services sector has been creating robust, independent risk functions to ensure the safety of the company and to allow it to grow in a risk-managed way. Much of this has been driven by the fallout of the financial crash that began in 2007, in a bid to avoid another such catastrophic event.
This paradigm has been permeating into other industries as board members transition from the financial services sector, bringing with them their appetite for managing risk in a particular way.
Telecoms and healthcare are two such industries which are seeing an increased awareness of risk, but any industry which is heavily regulated – including oil & gas, energy, transport, electricity and more – can benefit from a more robust risk oversight function.
There are myriad reasons driving this change, but two of the main ones are the pervasive risk of cyberattacks and data breaches, and an increased focus on compliance.
The ever-evolving threat of attack
According to a recent survey, 76% of C-level executives believe that a security breach at their organisation is inevitable. Managing this risk is difficult, however, because attackers are indiscriminate: they will go after any weak link in a business that they can identify, regardless of which department owns it.
So, while CFOs and General Counsels may be experts in the risks that sit specifically within their lines of business, they lack the holistic view needed to protect the organisation as a whole.
Given this pervasive risk, it makes sense for there to be some sort of oversight functionality within businesses, especially those which are regulated due to the sensitivity of the data they hold.
As information security doesn’t sit cleanly elsewhere in the organisation chart, it is increasingly becoming the responsibility of those who manage enterprise risk, especially now that a damaging cyberattack can significantly affect a company’s share price. Viewed through a business lens, it makes sense to place oversight of cybersecurity risk under the remit of the risk management function, with the security team itself remaining the first line that operates the controls and the risk function providing the independent second-line challenge.
Compliance, regulation and beyond
One of the biggest risks facing businesses in regulated industries is the danger of being non-compliant. Some of this regulation is sector specific, such as in healthcare, where medical products are overseen by bodies such as the FDA.
However, some compliance is sector agnostic, such as the GDPR in the European Union. Failure to comply with the GDPR can mean heavy fines and reputational damage, and it has become a significant enough risk to drive the growth of roles such as the chief data officer and chief privacy officer, alongside the data protection officer that the regulation itself requires many organisations to appoint.
Given that infringement of the EU GDPR can result in administrative fines of up to 4% of annual global turnover or €20 million (whichever is greater), it’s no surprise that organisations are concerned.
What does the future of risk management look like?
Taking into account the continued threat of cyberattacks and the increased focus on compliance and regulation, the role of risk management will continue to escalate – most likely all the way to the top. To that end, we’ll see more chief risk officers take strategic roles on company boards, and more newly created chief risk officer roles being established and elevated within telco, healthcare and technology organisations.
As more and more technology businesses grow and diversify, we’ll also see them adopt more robust risk strategies.
As recently as this month, Facebook announced that it was launching its own cryptocurrency, and Amazon has also been playing in the financial space. With this sort of diversification, and with the revelations that the Cambridge Analytica scandal brought to the surface, it won’t be long before the technology industries around the world see heavier regulation.
To meet those challenges, these big technology businesses will adopt the same sort of risk management practices as their counterparts in the financial services sector. Failure to do so will put the consumers of their products, and ultimately the success of their business, at great risk. The time to act is now.