All businesses and their associated systems such as processes, technologies and data are exposed to risk all the time because risk is inherent not only in action, but also in inaction.
PwC’s Global Economic and Crime Survey 2018 indicated an increase in the percentage of companies that fall prey to fraud or economic crimes. The percentage has gone up from 36 percent in 2016 to 49 percent in 2018. A business is exposed to risk with each action it takes. This makes it essential for companies to put management strategies in place to deal with economic fraud, resource wastage and process misuse as these can have an adverse impact, both directly and indirectly.
Proactive risk management includes practices that increase a company’s risk awareness and reduce its vulnerability and exposure. The following are the top five must-dos for organisations:
Keep an eye out for risks
The rate of change that affects businesses is no longer linear. We are witnessing an exponential change in technology, business model, human interface, processes and work culture. While this change brings opportunities, it also exposes businesses to newer risks and regulations. Only when an organisation has greater visibility on the spectrum of risks will it be possible to balance opportunities with risks and exploit new opportunities. Continuous monitoring through advanced, customised analytics helps clearly single out early warnings of impending risks. Proactive risk management involves timely identification to chalk out an effective response to unfolding risks.
As the business environment thrives on greater connectivity, enterprises are increasingly required to interact with third parties. This in turn exposes the businesses to their actions and a new set of risks. Best practices for third-party risks involve monitoring of transactions, which helps flag the identified risks and helps an organisation remain vigilant.
Chalk out a risk management strategy
Risk management is necessary for effectual business processes. However, management of risk is not limited to ceasing a transaction or action midway; it involves formulating a strategy and frameworks that handle risk in the best possible manner. Strategy is the pivot around which the entire risk management cycle works. Proper management of threats involves identification of risk-prone areas, assessment of the scale of risk to which an organisation is exposed, crafting of a risk response strategy, and implementation, monitoring and iterative repetition.
Implement risk analytics
Steps to identify, assess and manage risks remain crucial. An organisation should catalogue the known and predictable risks to which it is exposed by carefully evaluating its metrics and past experiences. To achieve this, putting in place a risk analytical framework will help to continuously monitor and identify irregularities in its business processes, e.g. procurement, sales, HR and regulatory compliance. Organisations also need to devise protocols that will trigger alerts in time and help them fully monetise their assets and actions. The use of advanced technologies such as Artificial Intelligence and Machine Learning will help them detect unmapped risks and clearly predict possible risks. Our survey revealed that more than three of our ten respondent organisations rely on advanced technologies to proactively detect anomalies.
Instil data protection
Assets may be broadly classified into two categories — replaceable and irreplaceable. A physical asset, although expensive, can be replaced. But if it is lost, data is irreplaceable, which makes it priceless. PwC’s 2018 Global State of Information Security Survey (GSISS) saw 39 percent citing the compromise of sensitive data as the biggest potential loss of a cyberattack. With decisions being data-driven, the success of businesses depends on data, making it necessary to evaluate digital risk and focus on building resilience. Data protection also involves the identification of known and predictable risks associated with the data. To create a risk-averse environment, a strategy has to be formulated to handle unknown risks, by putting in place a series of controls that will protect the data.
Invest in culture
Risk-aversion practices are part of a collective effort that contributes to intra-organisational risk mitigation. While the effort that needs to be made to manage risk is high, implementing the right culture at the workplace is relatively cost-free. An organisation that focuses on risk management by adopting the right practices experiences the associated benefits. Effective practices include taking top-down and bottom-up approaches to risk management, and making training on ethics and compliance mandatory for all employees. Moreover, creating a threat management culture includes pre-emptive options such as initiation of a whistle-blower policy and a risk management hotline to resolve issues and share confidential information for quick intervention.
So what is clear is that an organisation needs to have a strategy in place that co-ordinates various actions to identify, assess and prioritise risks to pre-empt, mitigate and monitor the impact of identified risks on itself. Interventions need to work in tandem with risk analytics to eliminate risks in time without their adversely affecting an organisation.
Dhritimaan Shukla is partner, Forensics, PwC India.