Risk management today. How to approach it and which applications to use in 2023

Risk management is one of the main challenges facing companies today. In any business, planning is the key not only to grow, but also to sustainability and, in many cases, to survival.

Understanding risks as a measure of the magnitude of damage in any specific circumstance will help us to prevent mishaps or, if they are unavoidable, to be able to react to them in order to mitigate their effects. Approaching risk management from a professionalized perspective will provide both our organization and our clients with security and guarantees.

Establishing structured business processes based on professional and tested standards is the only way to ensure the achievement of the proposed objectives. In this way, thanks to appropriate risk management, we will be able to guarantee the operation of the business, its operations and, therefore, its sustainability.

What is risk management?

Risk management is a set of procedures, standards and methodologies implemented in the operations of an organization or business to deal with possible threats and eventualities arising from the development of its activities.

Regardless of the activity in which a business is engaged, as well as regardless of its size or industry, any company is exposed to risks in carrying out the operations that allow it to be active. Risk management is about identifying risks in order to monitor and evaluate them. 

Also known as Enterprise Risk Management (ERM), this area is already in many companies an individual department or a sub-department integrated within the compliance/legal or operations departments.

Objectives and steps

Approaching this task from a professionalized perspective requires the establishment of specific and defined risk guidelines. In risk management systems, as a general rule, there are the following basic phases:

1. Context definition: Risk management strategies should be developed according to the type of context and operation. The best way to approach risk management is from a first phase that fully analyzes the organization and its processes, without forgetting crucial aspects such as external sources of risk.
2. Policies and objectives: When creating a risk management system, we should not embark on designing models that we will not be able to manage later due to lack of time, resources or capacity. Establishing clear objectives and setting general lines of action for risk policies will guarantee an effective, sustainable system that really does what it sets out to do. At this stage, it is crucial to analyze the technology and digital tools available for the creation of risk prevention and management systems. Currently, the situation we have just described does not occur in those companies that decide to use digital tools designed and adapted to risk management, being able to establish more ambitious policies and strategies and thanks to the best technology without the need to invest large sums of resources or allocate large amounts of equipment. In this way, if it is decided to have innovative and updated tools, there are no limitations in terms of the objectives set, for example, fraud prevention capacity and complete mitigation of certain types of risks.
3. Definition and Detection: One of the main parts, if not the most important of these phases, is the identification of the risks likely to occur. Knowing and categorizing the different potential risks that the company will face is the basis for working on risk management.
4. Analysis and classification: Once the risks have been detected, they must be analyzed and classified. This classification can be done from various points of view or perspectives, although the most common is usually by operational area of the business. However, the most recommended at present is the one that categorizes risks according to the phase of the customer journey in which the company's activity flow is. Similarly, other moments must be taken into account, such as all corporate and after-sales operations, as well as all previous work, such as relations with suppliers.
5. Assessment and evaluation: Once defined, analyzed and classified, it is time to assess the scale that will determine the achievement of the objectives and compliance with the policies designed in phase 2. Here, a risk map must be created, assessing importance and impact (low, high, medium) and the probability of the risk occurring (possible, occasional, constant). After this, a prioritization guide can be drawn up to mark the policies.
6. Establishment of prevention systems: The best risk management strategy is one that mitigates risks before they happen. Although there are certain types of risks that cannot be avoided (although they can be foreseen), the vast majority of risks in almost all sectors can be mitigated without having consequences. In this sense, as we have already mentioned, having the best technology and the most modern risk prevention systems will ensure a better defense against potential undesired events.
7. Monitoring: Ongoing monitoring of the risk management process involves reviewing all previous phases again periodically to identify new potential events, reassess probabilities and scope, learn about new tools to help prevent existing or new ones, as well as the readjustment of policies and objectives based on regulatory and normative changes. Those businesses that count on a RegTech partner to provide them with risk management and prevention tools are usually relieved of this last task in monitoring as they update their solutions according to the evolution of legislation or market dynamics.
8. Treatment: Providing a solution to the risks that have become a reality with speed and responsiveness is crucial to mitigate the damaging consequences at many levels: legal, operational, security or even continuity. At this stage, it is crucial to have established specific action guidelines to be carried out in each case and according to the nature of the offense committed, and to have the relevant tools to implement them.

Although in each company, and according to the different professionals who develop risk management, a different number of phases are established or some are eliminated, we consider that these eight are those that result in a complete system with an integral perspective. 

Using the right tools and agile optimization methodologies will make a more comprehensive and all-encompassing risk management strategy even simpler than a more traditional one with fewer phases. The fact that this management model includes a larger number of steps is not indicative of a more complex and burdensome outcome for the organization - on the contrary. Establishing these eight steps in the right way will help to achieve more agile and concrete management on a day-to-day basis thanks to the detailing of the processes.

Risk management in the financial, banking and insurance sector

Enterprise risk management in the BFSI (Banking, Financial Services and Insurance) industry must be even more comprehensive than in other sectors. While all areas of activity must establish controls and decisive risk policies, this industry is more sensitive given the amount of fraud and attempted wrongdoing by users.

If we talk about financial risk, many will associate this term with fluctuating economic value due to uncertainties in investment performance or asset and savings management. The most prominent in this regard are credit risk and market risk. The former, as mentioned above, is due to fluctuations in the markets in relation to exchange rates or interest rates, while the latter is due to the non-assumption of liabilities and obligations with regard to, for example, the payment of a mortgage.

Types of risk in the financial sector

However, in risk management, what we are really talking about is operational risk. This refers to losses or damages caused by inaction, failure to adapt or errors in processes, safety tasks performed by employees or internal systems and the way they are used in the face of external events. In other words, risks caused by non-compliance with the required safety standards and arising from the nature of the sector's operations and its way of being (dynamics of interaction with customers or relations with suppliers, for example).

The following are some of the risks that are most prevalent in the financial industry and banking today due to poor overall operational risk management of the various financial companies and institutions:

• Identity fraud: Verifying that the customer is who they say they are at the time of onboarding or opening a new account is not only a method to prevent fraud and mitigate risk but a legal obligation in virtually all markets and countries. The risk occurs when the identification of these customers is not done properly and when powerful technology is not used to prevent potential fraudsters from becoming customers.
• SIM Swapping and account theft: While SIM Swapping is not really a risk in the financial sector, this fraud committed through tele-operator process failures puts the BFSI industry at risk due to 2FA strategies to comply with PSD2 and SCA standards when transacting from customer portals. The use of OTPs to authenticate users and sign online transactions is a meaningful security addition, but it is no longer useful when fraudsters can access these codes having performed this type of fraud. Authenticating with facial biometrics and creating more comprehensive MFA strategies with inherent factors solves this problem.
• Money laundering: Money laundering is one of the biggest challenges facing the industry. Thus, regulations in this area and the financing of terrorism are forcing companies in the financial sector to establish exhaustive anti-fraud controls to avoid this type of practice.

Thus, this type of financial risk is becoming a major part of companies' prevention strategies. The area of banking, finance and insurance is exposed to fraud attempts by those who use their products and services, something that has increased exponentially as these companies have moved into the digital environment. In any case, FinTech, WealthTech and InsurTech leaders are taking advantage of technology to mitigate them without complications and in an agile and simpler way than it might seem.

Risk-related regulations

Regulations such as AML6 are responding to the risks of money laundering in the financial sector. In this sense, anti-money laundering directives are implemented in most states and oblige companies in the financial sector to establish risk management systems that mitigate or completely eliminate the possibility of committing this type of crime.

On the other hand, in relation to identity fraud, the eIDAS framework is protecting both users and companies from risks such as account theft and identity theft.

ISO 31000/2018 standards are standards intended to teach companies what general principles should be established to perform minimum risk management. This standard, together with the ERM Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has brought standardization to risk management successfully. The latter proposes integrated control frameworks and corporate responsibility in relation to risk management.

Projects

Risk management associated with projects is a recurring theme in any master's degree or specialized training in project management. Project risk management is not very different from the traditional conception we have defined of how companies approach it globally in terms of their activity and operations.

While it is true that in project management the objective is to prevent, mitigate and avoid events that may affect the company's activity, in project management risk is associated with everything that may affect the success and completion of the project. 

The eight proposed phases can be perfectly applied and a risk management strategy for projects can be developed based on these steps, although adapting the analysis and context to the nature and characteristics of a project. Some examples of issues to be taken into account in projects and in which certain risks are involved may be:

• Identity issues when dealing with suppliers (can be mitigated with Know Your Business controls) or data management in connection with
• Problems of non-compliance (can be prevented with the use of electronic signatures) of conditions or agreements between parties.
• Communication problems with suppliers, project teams or the customer (can be solved by using certified communication).
• Financial risks in projects where funding is conditional on progress or results.
• IT security threats that jeopardize the project.
• Risk of delays due to bottlenecks in certain processes. In this sense, the use of RPA (Robot Process Automation) is proving to drive rapid project delivery by relieving teams of mechanical and repetitive tasks to focus on higher-value tasks.
• Risk that another company will launch, for example, a similar product earlier.

Fraud Prevention

As we have seen, fraud prevention is one of the main issues facing risk managers today. In the United States alone, between 2008 and 2020, eleven billion data thefts occurred, a figure that continues to rise. Identity fraud nearly doubled from 2019 to 2020 with losses approaching seventeen billion dollars that year alone according to a study by Javelin Strategy.

On the other hand, we can see how to account thefts increased by more than 72% in 2019 compared to 2018. With this data, we can dare to say without a doubt that identity fraud is the most pressing risk that companies must respond to through updated and powerful risk management systems.

In this sense, we can see how some companies are implementing fraud detection systems instead of those aimed at prevention. Thus, fraud prevention must be addressed before the illicit act is committed, not before or during, since the risk of the attempt becoming a reality is, in many cases, high.

Technology for risk management

Thanks to machine learning tools and best practices in their application, certain technology providers are offering companies solvent and scalable anti-fraud control systems that place the number of frauds and penalties derived from their commission at zero without the need for investment in large projects and with agile integration into business processes and operations.

Now, thanks to the best technology and innovation, the management of certain types of fraud, as we have seen, can be done with digital tools that take mitigation to the extreme, achieving the goal of zero risk, zero fraud. The important thing when choosing an application is to ensure that it is scalable and that it adapts to the use case of our business that presents an associated risk. Similarly, confirming that the supplier of this technology is specialized in our industry is crucial for this adaptation to happen without having to involve other teams or incur costly and time-consuming process transformations that slow down the pace of our business.

Occupational risk prevention (ORP)

Occupational risk prevention (ORP) or job safety analysis (JSA) often appears alongside the overall risk management of companies. Although this area is usually led by human resources and talent management teams and departments, some companies choose to give this responsibility to those in charge of compliance or operations.

Just as the risks that can affect a company and its activity are important, those factors that can damage the safety or health of workers are equally monitored and must have a defined strategy and system to prevent them. However, the idiosyncrasy of the workers and the different ways of approaching business operations versus their tasks, make the methods different.

This area is heavily regulated and occupational risk prevention professionals must attend to and manage them in accordance with the laws that the states and regions have developed and implemented. For example, in Spain, Law 31/1995 on the prevention of occupational risks aims to promote the safety and health of workers by applying measures and implementing specific activities to prevent the risks associated with different jobs. 

This ORP law was later modified and extended by Law 54/2003, which, however, urges companies to consider occupational risk prevention as a key point in the general risk management systems of the entire company. As a result, global risk management and ORP have converged in many circumstances, making use of similar tools for certain very specific cases.