Security and risk management professionals understand that they must plan for the future to successfully manage business continuity and resiliency for a future-proof enterprise. According to Forrester's GRC Vision 2021 to 2026: Governance, Risk and Compliance playbook report, several key trends will amplify strategic and digital risks and transform the core responsibilities of enterprise risk management. Understanding these trends and their long-term implications can help security leaders and risk managers better prepare for the impacts that may follow.
One change the Forrester report expects to take flight is a shift of oversight away from customers and employees and back to government and industry regulators. “Customers and employees will continue to wield power as they use social media platforms to air their grievances or tout successes. However, the trend where government and industry regulators seemed to cede their role to customers and employees will turn,” according to the report.
The report says that although regulators ceded oversight in recent years, the repeal of regulatory rollbacks is imminent. Even though changes won’t come overnight, risk management leaders will need to balance the return of regulatory oversight with customer and employee demands. They should also expect that investor demands for corporate sustainability will escalate; that systemic risks such as pandemics, recessions and natural disasters will emerge as the top threat to global business; and that third-party risk will continue to broaden the threat landscape, becoming either a source of strength or a major problem for enterprises.
Another key change risk professionals can expect is that their jobs will be reimagined by the continued digital interconnectedness of business and the proliferation of big data, in both negative and positive ways.
“The aggressive collection and use of data, along with new technologies like IoT devices and machine learning, are creating new data integrity risks for companies in every industry. At the same time, these new analytic and automation capabilities will help risk management leaders better identify and manage risks across their organization,” said the report authors.
The authors say interconnections between physical and virtual data and systems across an organization allow for uninterrupted flow of risks throughout the entire system. “That means the impact of seemingly isolated events like adverse weather, natural disasters, or bankruptcy of a supplier isn’t limited or contained at operational risk. Supply chain interruptions can cause operational disruptions that impact customer experience, which results in revenue loss. Similarly, a cyberattack can leave systems inoperable, halt business processes, trigger regulatory fines, and tarnish a firm’s hard-won reputation.”
With this in mind, the report identifies several key trends that will disrupt the field of risk management and the jobs that security and risk management professionals perform over the next five years. We will talk about a few here:
Brand makes everyone within the organization a risk manager
An organization’s future depends on how its leaders manage the brand and its reputation, and this includes measuring and managing intangible assets. In addition, the rise of values-based consumers, along with employees who hold the same expectations, is and will continue to be a risk to an organization’s reputation.
Data integrity risks as a mounting threat to the business
Data integrity is perhaps the number one systemic risk to the enterprise. If it is not managed, threat actors who manipulate a company’s data rather than steal it can cause disastrous losses. The report cites massive physical damage (Stuxnet), widespread political implications (voter manipulation), manipulation of data without hacking into your environment (process weaponization), and the potential for corporate fraud on a scale never seen before (deepfakes).
Third-party risk will continue to plague organizations
Companies may have a mature process to review a segment of their third-party relationships (e.g., vendors and suppliers) for a small scope of potential risk (e.g., financial viability). However, very few have comprehensive programs covering the broad range of categories of third-party risk such as information security, privacy, business continuity, sustainability, environmental health, and safety, among others.
In one example from the report, in 2006 Walmart’s stock was excluded from Norway’s Government Pension Fund, the largest sovereign wealth fund in the world, after the fund’s ethics council cited reports of employee abuse, safety violations and numerous issues at the retailer’s suppliers. After 13 years of lost financial opportunity and a significant overhaul of its supplier risk assessment and monitoring, Walmart was relisted in 2019.
It behooves risk leaders to be proactive about third-party risk management: doing so lets organizations get ahead of problems and even sever relationships with other parties before their own brand is harmed.