Post-Pandemic Trends in Risk Management & Compliance

The transition from working daily in the office to working remotely at home created an appetite for global digitalization of business processes and operations, regardless of business type or size. However, the COVID-19 pandemic impacted not only business automation but also the scope of risk management. The pandemic facilitated agile digital response to crisis, but it was not without complications.  

As many employees and clients have been forced to operate remotely, the lack of experience in that working environment and the lack of necessary tools caused failures and downtimes, unforeseen by current risk management functions. Risk management was put under pressure to include learnings from the pandemic to deliver more accurate scenarios for the future. Consequently, the risk management function has been forced to focus on future business resilience and agility.

Risk Management Evolution

Risk management is a multi-faceted process in organizations. It applies to operational processes, strategic development, the IT environment and beyond. Routine risks necessitate management to provide transparency to compliance regulators, but recent events have compounded existing risk and exposed new vulnerabilities. 

In response, a new category, summarized as a “Novel Risks,” ^[1]  has been analyzed into three subcategories:

1. Black Swan events: Previously not considered threats that escalate to unexpected levels. Consistent scenario analysis is a good approach to mitigate Black Swan event impacts, at least partially. 
2. Perfect Storm: A combination of two, three or more events (often technology-driven events) happening at the same time. An example of this is the Boeing 737—while simultaneously implementing many technology changes, a new flight control software immobilized the pilots’ ability to react responsively.
3. Mega events: Can happen with unprecedent speed and force, generating situations which are difficult to prepare for. Consider the earthquake in March 2011 that caused a tsunami and led to the Fukushima nuclear powerplant explosion.

The COVID pandemic brought with it a combination of Black Swan and Mega events, overwhelming the structure of health organizations in many countries, with disastrous economic and social impact worldwide. To manage these Novel Risks, companies will have to detect and respond rapidly, while continual programs run by crisis management handle the worst consequences.

Compliance Regulations & Integration

To cope with development trends in business and IT, while taking emerging threats and risks into consideration, new regulations and laws are being issued. The resulting combination of laws, regulations, standards and frameworks hinders clear understanding of management and implementation by IT and Business operations. 

From an IT perspective, the ISO2700x Standards for Security and ISO22301 for Business Continuity both contain similar business continuity procedures. 

Business and legal regulatory requirements often overlap. Regulators either issue circulars for both insurance providers and banks, or the regulatory guidelines are specific for either insurances providers or banks. Furthermore, due to similarity of regulations on IT level, these separately issued guidelines align in content, but still contain specific requirements for governance or operational risks. An example of this is the insurance regulator EIOPA (European Insurance and Occupational Pensions Authority). EIOPA issued “Guidelines for Outsourcing for Public Cloud Service Providers” ^[2]  which was derived from the EBA (European Banking Authority) guidelines, knowing that the main risks associated with public cloud practice are similar across these sectors. The complexity of compliance regulations is further compounded by the fact that within each country further requirements are specified by local regulators, impacting both IT and business levels. 

The disparities between complexity of regulations, guidelines, locally issued circulars and internationally globalized market has been recognized. In the EU, a legislative proposal called DORA (Digital Operation Resilience Act) ^[3]  was published in September 2020 as a single regulation, establishing a foundation for EU regulators and supervisors to ensure organizations’ financial and operational resilience. Built on existing information and communications technology (ICT) risk management requirements, DORA covers following:

• ICT (Information Communication Technology) risk management
• ICT related incident reporting
• Digital operational resilience reporting 
• Monitoring ICT third-party risk
• Information sharing
• An oversight framework of ICT third-party service providers

Analyzing risk controls of the IT environment is dependent upon five factors: confidentiality, integrity of data, availability of data, authorization and access control and data classification. If an organization can manage and control these five factors consistently and transparently, the problem of complex compliance regulations can be processed in a logical way.

Market Reaction & Trends

Considering current events and the resulting market turbulence, the question is: How are companies reacting—in risk scope, technology, business development and compliance regulations? 

The early adapters are innovative companies who start building resilience programs to run in parallel to daily “business as usual” (BaU) operations, strengthening the agility of business response to economic and environmental uncertainty. These companies strive for rapid, agile response to unexpected events in the future while increasing the robustness of their business model. 

The mindset shift from business resilience as “tick the box” exercise to comprehensive business resilience framework include systems and processes well integrated with other frameworks, such as cybersecurity, business continuity management (BCM), data resilience and protection. These resilience programs integrate solutions to manage a wide spectrum of threats, including business continuity interruption, cyber threats or data privacy loss.

These new initiatives require not only a spectrum of different expertise, but also a culture shift within organization. It’s not enough to have buy-in from the c-level executives, there must be advocates within multiple areas of the business that can work together to support the change in mindset that resilience initiatives require. 

A comprehensive team of specialists should be assembled, possessing “soft skills” that enable staff to understand and manage the complexity of relations between business- & IT processes, data and IT environment. Consequently, the resilience program built on business resilience framework includes the following cultural traits and skills:

• Optimism—an attitude that crises are temporarily and can be overcome 
• Acceptance—the capacity to recognize the present challenge and to specify next steps
• Solution Orientation—a focus on solution, separate from problem
• Taking Responsibility—a willingness to address issues and define decisions for resolution 
• Network Orientations—a premium on valuing teamwork and collaboration   
• Shaping the Future—a mindset unintimidated by the unplannable future 

These factors enable an organization to manage and run resilience programs effectively into the future.

Future Expectation

Digitalization is here to stay and will remain the main driver for the automatization of business processes. However, our recent digitalization wave, characterized by developing tailor-made, expensive solutions in large projects, will likely be eclipsed by tight financial controls. The emergence of Novel Risks will require implementation of new solutions and risk management methods.

Furthermore, automation will enable ready-made modules, segments and platforms, similar to the introduction of SAP modules in the 1990’s for business processes. In addition, risk management, in its growing complexity, will become automatized, and the risk management platforms will enable continuous oversight and control. Resilience programs will become part of a company’s business operations, parallel to BaU, continuously maintained and updated. 

The progress of technology will further drive digitalization in a way we can hardly predict. It is reasonable to expect that in 20 years’ time, today’s technology will appear as antiquated as the technology of the mid-1990s looks now. In the same way, the character of risk management and resulting resilience programs will evolve correspondingly.

[1] ”Novel Risks”, Harvard Business School, Working Paper 20-094, Robert S. Kaplan, Herman B. Leonard, Anette Mikes, May 2020  https://www.hbs.edu/faculty/Pages/item.aspx?num=57892

[2] EIOPA “Guidelines on outsourcing to cloud service providers”, https://www.eiopa.europa.eu/content/guidelines-outsourcing-cloud-service-providers_en, 31 01 2020

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595