Uncertainty surrounds the business world landscape, making the concept of “enterprise risk management” (ERM) more critical and valuable. With businesses becoming increasingly interconnected with partners, vendors and suppliers across global markets, risks across categories can have a ripple effect.
At the core of this journey is trust. Recognizing the importance of trust and taking steps to address trust issues in various areas — cybersecurity, privacy, fraud, compliance and ESG, among others — could strengthen risk management. A good example of this is EY’s Trust-by-Design service, launched in response to clients’ growing demands. This approach helps clients become digitally confident and trusted enterprises that have the intelligence and insights to drive growth, increase business value and maintain stakeholder trust.
Functioning within a rapidly changing, complex and highly at-risk environment, the 2022 Global State of Risk Oversight report found that the majority have insufficient approaches to risk management and immature ERM processes. In fact, over the last five years, approximately 60% of global finance and business leaders have witnessed a surge in the volume and complexity of corporate risk.
Geopolitical shifts, supply chain disruptions, talent competition, increased data volume and environmental concerns will continue to drive the complexity of risk challenges that senior business executives across the globe must learn how to navigate.
Moreover, the emergence of new or unseen risks, as evidenced by the COVID-19 pandemic, requires long-term and intensive focus on improving enterprise risk management. This can be accomplished by seeking ways to better identify, assess and manage risks.
ERM and the Risks Associated With It
Enterprise risk management (ERM) is defined as a strategic business discipline that supports the achievement of an organization’s objectives by addressing risks and managing the combined impact of those risks.
In modern times, ERM should consider risk impacts more holistically across all risk scenarios. ERM needs to look for new and better approaches by considering risk intelligence tools that deliver advanced analytics, big data and AI in order to have more integrated insights that can avoid unwanted surprises and potential impairments to working capital, customer engagement or the overall brand.
ERM typically embraces fundamental components that extend into the following common risk categories:
- Compliance risk. This is a threat posed to a company's financial, organizational or reputational standing caused by violations of laws, regulations or codes of conduct. This can result in customer loss or hefty fines. As per a 2022 compliance risk study, compliance leaders expect evolving business, regulatory and customer demands to increase compliance-related operating costs by up to 30%.
- Strategic risk. As a CEO and board-level priority, this threat is inflicted by internal and external events that may make it difficult — or even impossible — for an organization to achieve its goals or deploy its strategies. It can have severe consequences that could have a long-term or, in the worst cases, irreversible impact. Examples are changes in senior management and leadership, unsuccessful mergers and acquisitions and sudden market demand changes.
- Operational risk. This threat corresponds to losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. IT disruption, data compromise, theft and fraud, third-party risk and employee well-being are some of the major targets of operational disturbance. By 2028, the size of the operational risk management solutions market is expected to grow to US$3 billion.
Enterprise Risk Management Benefits and Strategies
Today’s enterprise risk landscape has become more sophisticated, with new network access points, data privacy concerns, misuse of technology and compliance frameworks among the many risk factors. All these require enterprise risk managers to have a revamped ERM program with integrated technology that drives cross-team collaboration and provides a wider view of risk exposure.
Technology empowers the ability to consolidate and centralize data from various departments and understand the potential impact of all risks. Leveraging AI by identifying a cause-and-effect correlation between various risk events is an efficient enterprise-wide risk management approach.
Here are the benefits of having a proper ERM in place:
- Greater awareness of the organization’s risks and enhanced ability to respond
- Minimized risk of legal and regulatory compliance breaches
- Greater confidence in achieving strategic goals and better competence in mitigating possible curveballs
- Clearer oversight of risks and opportunities
- More systematic, productive and secure operations across an interconnected portfolio
- Daily business integration for continuous monitoring and evaluation
- Early and proactive risk detection, identification and action
With these in mind, there are five necessary steps to move forward with the risk-mitigation process: identify, assess, treat, monitor and report. The strategies below lay out the best framework for identifying all possible risks and executing informed decision-making.
- Embrace digital
Instilling the right risk mindset across the organization means embracing new digital thinking as well as involving a diversity of talent. In the current landscape, these could help broaden the perspectives to the enterprise risk management process. As per EY, it’s about flipping the thinking from “what could go wrong?” to “what must go right.”
- Utilize ICT technologies
ICT technologies could help filter an increased volume of data into decision-driving insights. Having more automation in capturing and acting upon risk information leads to a higher competitive advantage. Furthermore, technology can help ensure that the data is relevant, accurate, well-protected and easily accessible, while being applicable for predictive risk metrics, emerging risk trends and business context indicators.
- Modify cybersecurity strategy
Organizations need to reassess their cybersecurity to consider whether and where to implement new analysis, identity access management and tools, as well as processes like zero-trust. With trends like digital transformation, cloud migration and hybrid work, perimeter-driven defense is no longer adequate for protecting against rising attack vectors. More attention has been drawn to the zero-trust security model that assumes attackers are residing inside the enterprise environment, enforcing least-privilege access and verification.
- Evolve data quality and governance
Due to new customer demands, interfaces, business models, etc., organizations need to evolve their data quality and governance. Moving from a purely rule-based, reactive approach to a broader approach that integrates risk management and risk responses creates a culture of mitigating risks. Data systems must remain intact and precise. To cite an example, machine learning algorithms are applied to not only monitor but also improve data quality levels across the organization.
- Include third-party SOC reports
A service organization controls (SOC) report provides a means for organizations to gain insights into the control environment of their third-party providers. It involves an independent and objective assessment of the design and operating effectiveness of their controls. It is important to include the review of third-party SOC reports in an organization’s compliance function and ERM process to assess and monitor third-party risks.
ERM in Telecom Industry
In response to the specific needs for risk management in telecom and technology, companies should invest more in R&D and prioritize resource allocation with objective risk assessments. They should also improve collaboration and communication across departments with automated workflows and protect data by advancing cybersecurity procedures.
As telecom advances into 5G and network infrastructure, IoT, cloud computing and other high-connectivity models, identifying and mitigating risks is key to sustainable and profitable operations.
An Asian telecom operator implements its risk management policy across three pillars: structure, process and culture. It is important to carry out risk-taking responsibility and implement authority that facilitates ownership and accountability. At the enterprise and operational levels, telcos must continuously facilitate the identification, assessment, quantification, mitigation, management, monitoring and communication of risks. By aligning with industry and global best practices, having transparency and timeliness in sharing risk information helps enable risk-adjusted decisions and embed the right risk skills across the organization.
Clearly, an extensive spectrum of third-party risk is prevalent among telecom players, whether from the supplier, partner or end-user sides. There is a combination of risks with various degrees of severity, and if service providers lack appropriate visibility and monitoring of their third-party engagement, severe impact can occur.
Thus, telcos must adopt an enterprise risk management policy that covers the breadth of their segments. For B2B, it includes network services, software-defined network platforms, content delivery networks, connected and edge data centers and private lines, to name a few.
Likewise, a European telecom operator can adopt ERM in a cyclical process with the following stages: risk appetite and risk tolerance definition, risk assessment, risk response and risk performance evaluation.
In the finance sector, across Canada, a number of telcos use risk management techniques with instruments like interest rate swaps, forward contracts and money markets.
Enterprise risk management within the telecom industry is maturing in both the functional units and the project management processes. It has empowered executives to take appropriately calculated positive risks (rewarded risks) and accept, mitigate, avoid or transfer any negative risks (unrewarded risks).
