Risks have become increasingly connected and that makes the consequences much more difficult to predict and manage. It is no longer possible to do so applying only traditional risk management tools. Financial services firms as well as all other sectors of the economy will need to take a more dynamic approach if they aspire to manage the new world of risk.
Risk managers and oversight committees learnt a lot from the pandemic. Perhaps the most important lesson was that, again, risks are more interconnected than previously accepted. And that means the implications of individual risks are often more far reaching in terms of what they can trigger than current risk management approaches portend.
The pandemic was just one example of this at a global scale. Prior to 2020, most risk managers considered a pandemic to be a ‘high disruption, low probability’ risk. Planning for this risk (when it ranked high enough on the agenda) was often focused on the health and safety of employees. Few went on to consider how national lockdowns would impact the economy and the fundamentals of the financial markets, or how they would drive digital disruption, an increase in cyber-attacks and a return to territorialism.
Yet when you look down the list of risks at the top of the financial services agenda, each one contains a level of interconnected risk. Cyber risk, for example, is deeply connected to operational risk, reputational risk, regulatory risk, and financial risk. Cyber risk is essentially at the centre of a ‘cluster’ of risks that are expected to have a contagion effect on the others. And, ultimately, this can make an event substantially more severe than risk managers would anticipate when looking at each risk in isolation. Thus, we like to consider risk in terms of networks rather than risks isolated to certain business areas.
Below you can read more about our services within cyber risk management & maturity assessment, IT & information security risk assessment, third party risk management and privacy risk management & assessments.
Predicting the unpredictable
Drawing on our vast experience helping executives identify and assess their network risks, we find in our conversations that our clients and their asset managers are keen to start including this view in their risk management approach.
The appetite for networked risk modelling is increasing with the recent discovery that macro-economic data underpinning current risk profiles is non-stationary: it does not revert to a mean. Moreover, domestic risk data and economic risk profiles exhibit similar characteristics. This raises serious questions about the ability to put statistical distributions around risk modelling – for example Enterprise Risk Modelling and Operational Risk Modelling – unless there is an abundance of data pertaining to a milieu that is characterised by slow and manageable change: motor vehicle claims for example. However, modelling Probability of Default depends on economic cycles, and these are non-stationary. This has profound consequences for the accuracy of statistical tools (including VaR) in modelling potential future exposures. Common wisdom has always held that the pattern of variability in risk can be predicted. That is not the case; risks continue to evolve in unprecedented ways.
This means that we will need to go beyond the traditional statistical, probabilistic methodologies used in the past and start incorporating new risk models that provide a more accurate view of future risks and their expected combinations.
An ever-changing environment
At the same time, executives and risk managers will need to be constantly re-assessing and adjusting their risk management approaches to ensure they are being proactive on issues that normally wouldn’t be on the risk register. Technology can help (KPMG has a platform that allows companies to dynamically map their network risks). But even with technology, the shift to more dynamic risk assessment models will take some work.
And that, perhaps, is the greatest barrier to improving a risk management perspective: time and resources. The reality is that many sectors, particularly financial services organisations, are already dealing with a massive range of regulatory requirements around risk management; finding the headspace and bandwidth to address the network dimension of risk can be difficult when you are already drinking from the firehose of current, mandatory risk requirements.
Yet this is no time for inertia. As the COVID-19 pandemic has taught us, networks can be quickly disrupted, and the implications can be far-reaching. Ignoring them or their interconnectedness doesn’t make them less of a risk.
Time for a more dynamic risk assessment
To be clear, we are not suggesting that risk managers upend the way they currently do their risk assessments. What we are advocating, however, is a more dynamic projection of those risks to include unprecedented ones and then to model their interdependencies and network relationships. The latter should include combinations beyond statistical correlations, which tend to underplay future risk permutations.
The first step is to acknowledge the need for network thinking in risk management. Then it comes down to identifying the risks, including future, unparalleled ones. This is to be followed by networking the risks and their expected contagion and questioning what the organisation can do to respond to the most severe combinations to emerge. Just going through that process as a table-top exercise with executives can be very helpful and eye-opening.
It is not enough, though. It requires a focused and continuous effort, which KPMG can help you establish.
Martin Povelsen
Partner, Digital Risk
KPMG in Denmark