A better approach to risk

Surprisingly, most countries do not have federal risk and compliance laws. A few have them, such as the Working Environment Act in Norway and the Occupational Health and Safety Act in Germany. Yet, the US and many other countries have no universal federal law requiring companies to perform cybersecurity risk assessments.  

This isn’t to say businesses based in these countries without these federal laws are off the hook on risk assessment. Plenty of regulatory bodies, both US-based and international, require, or at least strongly recommend, risk assessments as part of their cybersecurity compliance requirements. 

Even if they didn't, risk assessments are an important part of running a sustainable, profitable business. They can:  

• Identify potential threats and vulnerabilities and prescribe how to manage them  

• Help you comply with risk and compliance requirements to prevent financial penalties 

• Provide information to assist in enterprise risk analysis, such as high-risk areas that may require additional resources or controls. 

In fact, the business world has become increasingly risky in recent years, and organizations would be wise to leverage the proper controls to help.

Risk in the recent past 

Before we talk about the present and how the world of risk has evolved, let’s take a quick look at the recent past when risk management practices were often less taxing.  

Just ten years ago, risk management was primarily reactive as opposed to proactive, with many companies housing separate risk management departments who operated independently from other business functions. Manual processes, such as interviews and spreadsheet inputting, reigned supreme, and technology’s role in risk was limited.  

Overall, risk management was more siloed, reactive and less integrated compared to today’s practices. In short, it was a simpler time that called for simpler risk processes. 

A super-brief history of risk

Risk management has been around for centuries, with early examples of maritime insurance appearing in the 14th century to cover risk associated with the “perils of the sea,” a term still used in maritime insurance today. 

Risk management evolved with the establishment of Lloyd's of London in the 18th century, which started as a coffee house where underwriters and merchants gathered to negotiate insurance contracts.

Today, Lloyd’s describes itself as an insurance market providing specialist insurance services to businesses in over 200 countries and territories. 

The formal discipline of risk management as we know it began taking shape in 1960 with the establishment of the Society for Risk Analysis (SRA). It promoted the study and understanding of risk analysis and risk management across various fields, including finance, engineering, health and the environment. This marked a significant step in the development of risk management as a recognized and organized discipline. 

The state of risk today 

An array of events and innovations shifted the governance, risk and compliance industry. One primary event: The global financial crisis of 2008 highlighted risk’s interconnectedness across financial institutions and the need for more integrated risk programs. Technological advancements have also introduced new and complex risks, while also providing the means to better handle them.  

The result: Organizations now face a dynamic risk landscape that is constantly changing. Technology, geopolitical events, economic conditions, societal shifts and regulatory changes can all impact the risk landscape. The speed and breadth of these changes has led to struggles in risk assessment — from the burden of manual processes to understanding regulation changes and how they affect your organization. Using manual systems of the past to combat complex modern-day challenges has left businesses more vulnerable to risk. 

Risk influencers over the last ten years

How to manage today’s risk management challenges  

Many organizations have outgrown their current risk and compliance programs. Here are just some of the challenges that crop up by relying on outdated risk practices: 

• Data insufficiency, where organizations have difficulty analyzing the appropriate amount of data to accurately assess risk  

• Manual processes that are inefficient and prone to errors  

• Inflexible approaches to risk management, making it difficult for organizations to adapt to changes in the risk landscape   

• Stakeholder disconnect, i.e., lack of understanding or buy-in from stakeholders about the importance of risk assessment. 

To navigate this unique risk landscape, organizations need modern tools built to manage modern challenges. Ready Assess, a PwC product, helps organizations evaluate and enhance their ability to address potential risks. This risk assessment tool can: 

• Assist in validating data and providing insights 

• Reporting templates can streamline previously manual processes, reducing the time and effort required to conduct risk assessments 

• Provide a structured framework and methodology to assess risk management processes, identify gaps or inefficiencies, and highlight areas that may require improvement or modernization 

• Assess “what if” scenarios. Organizations can input and assess potential new products, services or data points. You can even input less concrete info, like possible market volatility or regulatory requirements. Then Ready Assess can explain how these changes may impact your organization’s overall risk profile, empowering leaders to make more informed decisions. 

Since risk itself isn’t static, our approach to mitigating it shouldn’t be either. Leveraging a dynamic risk management tool to assist your governance, risk and compliance program simply makes sense.  

How exactly can you automate risk processes? 

PwC’s Hal Crawford mentions three components that can be automated: 

1. Data 

2. Pushing risk control questions to the business 

3. Establishing a risk assessment framework for the future to avoid redesigning the process every year. 

Helpful hint 

When pulling risk assessment data, have your third party or second party — such as someone from compliance or internal audit — help you with the qualitative validation and verification of data in a risk assessment. 

It’s reassuring to have somebody else look at the totality and accuracy of the data set. 

The future of risk 

Managing risk may be complicated now — and will likely grow more complicated in the future. Generative AI (GenAI), which creates new content as opposed to regurgitating old content, may become more integrated into business operations to improve processes and pinpoint opportunities. But along with the benefits of GenAI comes increased risk.  

The good news is that as GenAI use in business ticks up alongside its correlating risk, risk tools leveraging GenAI should become more available. Certainly, the best way to fight modern-day challenges is with modern-day tools.  

Technology, including artificial intelligence, is the future of risk management. The more you embrace that now, the better off both you and your organization will be.