FutureRisk spotlights emerging risk areas and unique approaches to risk treatment with risk leaders from the world’s most prominent organizations.
In this episode of FutureRisk, John Wheeler, former Gartner IRM Analyst and AuditBoard’s Senior Advisor, Risk and Technology, sits down with Ernst and Young‘s Scott McCowan, Americas Risk Management Leader, Consulting, and Megan Duggan, Senior Manager, Risk Consulting to discuss how organizations can effectively respond to emerging risks guided by EY’s connected risk approach across risk taxonomy, risk assessment, coordinated response, and risk insights, including:
- The importance of starting out by understanding your organization’s risk ecosystem and developing an integrated risk taxonomy.
- Evaluating your team’s risk management activities and access to expertise to keep pace with risks stemming from technology innovation such as Artificial Intelligence (AI).
- Diversifying your risk assessment inputs beyond qualitative and quantitative to include external data as a “bias buster.”
- Turning single-use point analytics into continuous monitoring, continuous analytics, or risk assessment quantitative data that provides lasting value to the organization.
Watch the full conversation, and read the can’t-miss highlights below.
Elevating IRM With the Connected Risk Approach
John Wheeler: My colleagues here from EY have a very complimentary view of bringing risks together in what they call the connected risk approach. Can you tell me a little bit more about that?
Scott McCowan: The connected risk approach — we call it the wheel, which I think makes a lot of sense — really stems from four main quadrants around risk taxonomy, risk assessment, coordinated response, and then risk insights or risk reporting. It’s trying to elevate the concept of integrated risk management and the imperative of having a very clear and concise message around those emerging risks. We had done the Global Board Risk Survey back in 2021 where we surveyed boards of directors and executives, and found that only 20% felt that, they had a good handle on their risk. So, there is a huge imperative to really put risk management on its head and think about it differently — how do you infuse technology and coordination amongst these siloed organizations with a connected risk approach.
John Wheeler: When you have organizations trying to build out this connected risk approach, where do they begin?
Megan Duggan: It’s a wheel, it’s continuous, but we like to say to start with the risk ecosystem and integrated taxonomy. Who are the players and what are the risks that we’re facing as an organization? We start with that risk taxonomy to really say, here’s our landscape of risk and here’s the detail behind it so that it’s not just at the macro level — the old school ERM level where you’ve got ten risks that you’re managing. You’re really getting down to that detailed level so that you can identify the indicators of risk and you can coordinate your response and provide your insights so that everybody understands what you’re talking about — we’re all speaking the same language.
John Wheeler: I couldn’t agree with you more that having a common language really supports the communication. In my view, without constant, continuous, ongoing dialogue, a risk management program is doomed to fail. How in this connected risk approach do you weave in the communication element using this common language?
Megan Duggan: It really starts with identifying the players and being proactive about it. The reason we started down this connected risk approach is because too often organizations are operating in silos. You’ve got folks out in various areas of the business attacking risk in different ways or not attacking risks in different ways. They’re doing it in a way that’s redundant or duplicative — or perhaps you have gaps.
Creating this common language to start from and making sure you’re bringing the right players to the table in some cadence that makes sense for your organization is absolutely critical. We like to talk about the risk steward driving this ecosystem and integrated taxonomy approach. It doesn’t have to be the third line, but identifying that person who’s got the stature in the organization and can really bring the right parties together to drive the conversation. And then, of course, layering in technology provides the platform for all of your various functions operating together. Then, you’ve got the insights coming out of the back end to say, here’s what we’re talking about, here’s what it looks like, and here’s what our performance has been. It helps to drive that communication immensely.
Getting in Front of Strategic Risks Like Artificial Intelligence
John Wheeler: Given that this is FutureRisk, we are talking about how organizations can better anticipate some of these risks that they may not know much about. As risk professionals look to better understand the strategic objectives, where do you see opportunities for them to engage with business leaders in understanding how they’re looking to change the business? What are examples of some new products or services that organizations are launching and creating these new risks?
Scott McCowan: When you think about being a strategic advisor, whether you’re in internal audit or you’re sitting within the second line, the business needs to feel that they’re getting value from you. Trying to figure out how you quite literally get that seat at the table for those risk management committee discussions or the strategic directional conversations for the company is critical. You want to be in front of the emerging risks as you had mentioned.
One that we had a dialogue on just the other day was AI. There is the concept of organizations adopting AI at a rapid pace right now. What should risk management’s mandate be around AI? Can we trust the AI? It’s different from traditionally how we thought about RPA because now you’re introducing this concept of decision-making. It’s really important as you think about the construct of your risk management activities to also ask who has the expertise to keep pace with the change of technology innovation. Never before have you had to think about having someone like an AI systems engineer as part of an internal audit response or as part of your risk management team. But now, you should! You really need to think about how do you differ your operating model to bring in that concept of a guest auditor or a subject matter expert so that not only are you identifying what those top risks are, but you’re intelligently responding to them as well.
Effective Risk Assessments Require Diverse Inputs
John Wheeler: It sounds like by having that expertise within an internal audit or risk management function, you can also engage earlier on in the process of, say, product design and have those either controls or risk management mitigation strategies built into the product. As opposed to, as we see time and time again, something happening on the very end and being very ineffective.
Scott McCowan: Right, and some of that is just focusing on the second part of our quadrant, which is the risk assessment process. We’ve spent a lot of time within the past year really doubling down on what it means to have an effective risk assessment approach.
You need to diversify your inputs. When we look at a risk assessment, it’s across qualitative — what keeps you up at night — and the quantitative — transactional continuous monitoring, leveraging the data that’s coming out of your ERPs. You also have risk performance, which by its very nature is working with the other risk and compliance organizations to understand what activities are they undertaking aligned to particular risks, what were their conclusions, and how should that define what your risk assessment process looks like?
Then, external data and what we call the “bias buster.” So, if you’re bringing to your organization a risk assessment process that’s heavy on qualitative or maybe you’re even using some analytics and continuous monitoring, that’s still an inward view of your organization. You need to be able to stand up with confidence to say, these are the top risks that are impacting my company and here’s why. The infusion of external information could be doing social media scanning or leveraging the commercially available data sources out there to identify risk and map that back to your risk ecosystem. Now, that allows you to say, here are my internal indicators of risk overlaid with my external risk indicators and together this is our confident perspective on our total risk that we need to manage.
Turning Single-Use Point Analytics Into Continuous Analytics
John Wheeler: Megan, you were telling me before about the failure of single-use point analytics.
Megan Duggan: It’s my narrative these days! There’s been a huge push for data over the past 15 years. Regardless of where you sit in the organization, you are probably focused on developing data analytics. But what does that actually mean? A lot of times what it means is developing point solutions to go after a particular hypothesis. It’s that risk then data or data then risk conundrum. I have an idea, I think there’s a risk here. I’m going to go seek the data that validates this risk hypothesis. Then, what happens? It goes in a drawer, it doesn’t get used again. We see that a lot, for example, in internal audit where they develop an analytic for a specific audit and then it doesn’t get used again.
What we’re trying to help organizations with is turning that point analytic into continuous monitoring, continuous analytics, or risk assessment quantitative data. Taking those analytics, tagging them to your risk universe and taxonomy that we spoke about, developing thresholds to say when a performance indicator becomes a risk indicator. Then, having the intelligence right there in front of you so you’re no longer applying judgment on top of the data. The data is already telling you the story and what the risk is behind it.
Biggest Future Risks — and Risk Opportunities — for Organizations
John Wheeler: Given again this is FutureRisk. What do you see as the biggest future risk for organizations and how can EY help?
Scott McCowan: I was reflecting on being at this conference last year and all of the ships that were stuck outside of LA here because of all of the supply chain issues. One is the importance of supply chain not only on our US business, but as we fit into the global economy and all the pressures from China, what that may mean for the production of those products and goods. We’re really trying to look at the concept of supply chain risk management differently and what is the risk manager’s obligation in that equation. In a particular example. It’s the availability of those goods and the reliability of those suppliers. We’ve been working on a solution that helps us with that tiered mapping of suppliers, customers, alliances, to identify where your weaknesses are within that particular supply chain and tie that back to product risk and not just overall risk.
You could say that we have these 20,000 suppliers that are aligned to these products, they’re responsible for producing this particular widget that we rely on. Then, you can take a proactive response to that particular problem by having greater insight into the viability of that particular third party’s financials. How cyber secure are they? What is their geopolitical risk based off of where they are? Do they have any of their own operational risks? Really, that third-party risk management approach to supply chain.
Megan Duggan: I’m going to take your future risk question and talk about future opportunity. We talk a lot about digitization and technology introducing risk to an organization. What we’re trying to help organizations with is capitalizing on that technology opportunity especially in risk management and how we use data and technology to streamline our processes, be more efficient, and take a platform approach to risk management. So, I think that’s an area that really we’re starting to get a lot of momentum and help organizations with preparing for digitization of risk management and harnessing the value of it pretty immediately.
Tune in for more FutureRisk episodes with risk leaders discussing emerging risk areas, unique approaches to risk treatment, and how integrated risk management can help organizations turn risk into a competitive advantage.