Effective use of data and technology to manage and report on enterprise risks is a top priority that differentiates leading businesses. Despite its elevated importance, organizations’ risk monitoring and mitigation efforts currently fall short of boards’ expectations. This is the stark finding that emerges from EY’s new survey of more than 500 board directors around the world.
The EY Global Board Risk Survey 2021 identifies two key drivers of effective risk management: the extent to which technology is used to identify and manage risk and the breadth and depth of risk reporting to the board. In fact, 71% of risk management leaders – those organizations deemed highly effective at risk management based on the analysis of survey data – use data and technology effectively, compared with just 5% of risk management laggards, who might still be developing their approach.
However, despite their importance, fewer than one in five boards say their organization’s risk management is highly effective at leveraging data and technology or delivering timely, insight-driven reporting to the board. In parallel, just 49% of CEOs say their risk-assessment processes are adequately data-driven.
While it’s outside the board’s remit to decide which technologies are used for risk management and to monitor their use, directors can still catalyze change. Boards can and should require that management has adequate controls and processes in place to monitor and manage risks. As technology plays a critical part in this, encouraging risk-management functions to capitalize on newly available data and technology should be a priority.
Understanding and detecting risk: what tech can do
Which benefits can technology provide? For a start, automation technology can be used to process low-value manual tasks, such as risk-model verification and simple data processing, freeing up risk professionals’ time so they can focus on value-adding activities, such as evaluating new business models or assessing threats associated with their organization’s deployment of new technology. Even more importantly, data collection and monitoring can be automated, so that it occurs in real time, flagging potential issues to risk and business teams much sooner than would be achievable with a purely manual approach.
Artificial intelligence can also assist businesses in modeling and understanding connections between risks, for example, by using it to automate basic risk research; identify important risk statements in unstructured documentation; and undertake casual analysis to identify risk interdependencies. These insights are then presented in easy to comprehend formats via dashboards to senior management and boards. Importantly, an improved understanding of the intricacies of risk helps to develop more effective mitigation measures.
Finally, software platforms can also be utilized for risk-management tasks such as data collection and continuous monitoring. By housing key risk and compliance data from multiple parts of the business in a single source, the data can be made easily accessible for everyone, including boards.
Tech is a priority, but hurdles remain
Encouragingly, 69% of businesses plan to increase their level of investment in data and technology for risk management in the next 12 months. And, when presented with a series of initiatives that enhance enterprise resilience, boards identify the use of data and technology as their top priority.
As they ramp up investment in technology, businesses will have to address a number of challenges, which are dependent on their level of maturity. For those at the beginning of the journey, the research shows the main obstacle is a lack of the necessary skills to utilize data, technology and analytics effectively. Risk management teams must include data scientists and specialists to determine which technology is needed, implement it effectively and ensure it is used to its maximum potential. Depending on the ability to hire within, organizations may want to outsource this process to businesses with existing expertise in the area.
But recruiting for the right skills is just half the battle. Businesses will also need to upskill non-technical roles to help these workers take advantage of emerging tools and data. They will also need to think carefully about how humans and technologies, such as artificial intelligence, can work together effectively.
For more mature companies, who today already effectively leverage data and technology, one of the top challenges the research found is integrating multiple datasets from disparate sources, so that risk analytics and reporting form a cohesive and comprehensive picture.
Concerns and obstacles to being data-driven differ by company maturity
In fact, risk reporting to boards – identified by the analysis of over 20 factors as the second-most important determinant of effective risk management – also has much room for improvement. Fewer than 20% of boards are extremely confident in risk reporting on a number of specific areas.
According to the survey, boards’ top priorities are that reporting:
- is forward-looking and predictive
- covers emerging and atypical risks
- includes external and internal data
- covers risk-mitigation initiatives and processes
- includes competitive intelligence and peer benchmarks
Yet boards must resist the temptation simply to ask for more and more reporting. After all, if it is not properly ordered and prioritized, an abundance of information can sometimes muddy, rather than clarify, the picture.
Boards may think that they can leave management to develop a strategy for employing technology to monitor and mitigate risk; however, they do need to oversee that it’s used to its full potential. This may require boards themselves to move up the learning curve in terms of understanding all the benefits that technology can deliver.