Brian Sims

Institute of Risk Management experts outline global risk predictions for 2021

THE COVID-19 pandemic, increased geopolitical risk and Brexit are just some of the areas that have been highlighted by the Institute of Risk Management (IRM) asking senior members from its Special Interest Groups about their views on the outlook for the risk management landscape in 2021.

Iain Wright CFIRM, chair of the IRM (and a guest on Episode 14 of the Security Matters Podcast), explained to Security Matters: “2021 has already been characterised by a difficult, but not entirely unexpected start to the year. Sadly, but necessarily, many nations are back in lockdown measures due to the pandemic, but with the vaccine roll-out underway, we’re very much hoping for a light at the end of the proverbial tunnel. Undoubtedly, though, the world as we know it has now changed.”

Wright continued: “Organisations have had to adapt to survive, while ways of working are now more reliant on technology than ever before as many members of staff work from home. Companies are facing increased and increasing risks from both internal and external factors that have only been exacerbated by COVID-19, including people risk (ie the mental health, well-being and physical health of staff), cyber attacks, supply chain disruption and ongoing market confidence or volatility across particular sectors.”

Operational risk

Paul Saunders, chair of the Operational Risk Special Interest Group at the IRM and managing partner at GD Financial Markets LLP, has focused his attentions on the operational risk landscape.

Saunders stated: “Operational risk professionals are preparing to deal with a multitude of possible risks and events. 2020 was an extraordinary year for a multitude of reasons. For many industries, including financial services, this past year saw a long-term planned for, yet unexpected business continuity event unfold plus the determination of Brexit in the final moments of the year.”

How, though, have such events changed risk considerations and organisations’ readiness and response? “Resilience was absolutely key during 2020, while enhancing the operational resilience of the financial services sector remains a strategic priority,” explained Saunders. “COVID-19 has only served to reinforce its importance and, although firms successfully responded to the pandemic to ensure that their operations could continue, in some instances risk appetites were adjusted in order to accommodate deficiencies in controls.”

As we move into 2021, Saunders feels that regulators will continue to challenge how firms are ensuring that risk and control frameworks are operating effectively under the current working environment. This includes the capabilities of the accepted ‘three lines of defence’ and the monitoring of material residual risks against risk appetites.

“Additionally, and following on from policy consultations, the industry will be expected to meet formalised standards for operational resilience and also outsourcing during 2021. Firms will need actionable plans in place that enable them to achieve these standards.”

In the coming year, Saunders believes firms should address the lessons learned from the pandemic and review how these experiences might impact the development of operational resilience as a continuing discipline. “The regulatory agenda continued and progressed during 2020 despite the challenging conditions that the pandemic brought,” he asserted.

This year, firms should continue to recognise that regulatory health and readiness involves not just focusing on the macro picture such as Brexit or COVID-19, or conversely only on micro risks in the ‘business as usual’ domain. “Preparing to manage future regulatory risks means adequately covering all bases and, in particular, somewhat all-encompassing regulations designed to ensure responsibility and governance, customer protection and market integrity,” explained Saunders.

During 2020, the industry heard from regulators that regulatory conformance should not be lessened as a by-product of dispersed working. For the year ahead, firms should take this steer and leverage the structure that regulation offers to ensure robust, practical and pragmatic governance and control. “With regulation more important than ever in its contribution towards market stability and continued penalties being levied, regulatory risk in a new working environment must be adequately managed.”

Focus on cyber crime

Cyber crime continues to grow exponentially, with 2020 witnessing many firms more greatly exposed to cyber risk as a result of dispersed working. The situation remains amplified by a shortage of skilled cyber professionals, a lack of understanding of the threat and its delivery mechanisms, the continued development and availability of Cyber Crime-as-a-Service and the firm stance adopted by the Information Commissioner’s Office.

“The prevalent 2020 risk of a ransomware attack will continue to be faced by firms as we head into 2021,” continued Saunders. “The impact of such an attack can be devastating and highly disruptive to business. This growing trend has expanded to criminals copying data prior to encrypting systems, limiting a firm’s ability to offset risk through the availability of back-up data. Firms therefore face the risk of blackmail to recover data or the exposure of data by dint of it being offered for sale in criminal forums. This activity acts as both an industry and individual firm-level macro risk.”

Financial criminality

Many companies continue to refine the implementation of the 2017 Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations. The impending regulatory updates which expand the scope and responsibilities here could expose individuals to the risk of criminal proceedings if the situation isn’t adequately managed.

“This year,” asserted Saunders, “firms must ensure they’re well positioned to comply with requirements designed to protect their business and clients and to mitigate this newly introduced personal risk. Under pandemic conditions, there have been some limitations on the traditional processing approach introduced through dispersed working. With the continuation of remote working at present, firms should mitigate any risk by ensuring that it’s addressed on a more permanent and robust basis to alleviate inadvertent and undue exposure in the money laundering regulations and customer due diligence space, which is a fundamental requirement when it comes to business operations.”

While the pandemic has introduced a blanket operating risk for firms, business operations have continued and firms have adapted, rising to the challenges presented in these areas.

“They ought to remain vigilant, agile, objective and alert in their management of risk,” affirmed Saunders. “That should put them in a good position to continue to mitigate the risks of an ever-changing environment, increased regulatory obligations, the growing sophistication of cyber criminality and the real life testing of operational resilience, including as a result of greater supplier reliance that an environment of dispersed working brings.”

Chief risk officers and the Board

Aileen Wallace CIRM and Socrates Coudounaris CFIRM co-chair the Non-Executive Directors/Chief Risk Officers Special Interest Group at the IRM. This was formed in February last year to provide a ‘vertical specialism’ promoting Best Practice and discussing Board governance as well as risk-related matters.

With COVID-19 being the most topical Board risk agenda item at present, Board expectations are changing fast and relationships between chief risk officers and the Board have perhaps never been tested to such an extent.

Special Interest Group discussions have highlighted the importance of having strong and effective relationships between Boards, Risk Committees and the chief risk officer. “As the first wave of COVID-19 set in,” said Wallace, “we saw the willingness of people to roll up their sleeves and make instant decisions, demonstrating a strong and collaborative risk culture. We found that Boards were genuinely enquiring about the health and well-being of employees. Communication, both internally and externally, with the appropriate speed and clarity was key to explaining to clients, regulators and the media alike how companies remained in an effective operational mode during the pandemic.”

Risk management teams have continued to be a consistent critical friend, adapting and innovating their approach due to thousands of staff having been largely working on a remote basis since March of last year.

“Considerations around appropriate and effective risk controls formed part of such discussions as well as checking-in with colleagues on their well-being,” stated Coudounaris. “As organisations adapted to new ways of working, it followed that their operational resilience was being tested.”

At the end of November, the Special Interest Group held a virtual round table discussion on operational resilience. “It was agreed that COVID-19 has been the mother of all stress tests,” confirmed Wallace. “Indeed, it has acted as a valuable stress test on both organisational culture and operational resilience.”

Culture maturity scale

Looking ahead, COVID-19 has put companies through a real-life test. It has been the moment when actual organisational culture crystallises and staff can see through company actions and assess where they stand on the culture maturity scale. Companies have recognised the strength of their human capital and their ability to carry on operating via remote connectivity.

“The ‘people agenda’ and mental health and well-being have never been of greater importance,” said Wallace. “Organisations are revisiting their people agendas which were designed for a different paradigm. If 2021 allows for some return to the office environment with social distancing, it would be under a ‘new normal’ offering a physical location for colleagues to meet and interact in person with remote working remaining the norm.”

The importance of risk management and operational resilience strategy is front and centre on any Board agenda. Risk professionals are presented with the opportunity to engage with the Board and steer in a dynamic manner towards a truly resilient organisation fashioned by design.

“Key risk areas of focus are new technologies, data protection, cyber security and outsourcing arrangements,” concluded Coudounaris, “while always keeping an eye on horizon scanning. For those companies who are taking into consideration the lessons learned from 2020, it will give the Board, the senior leadership team and members of staff the confidence needed for dealing with any future demands that may come their way.”
