This is 3 of 3 in this 2017 Risk Series
2016 has been an interesting year for GRC and risk management; new risk themes arose while some subsided. 2017 promises to be no less exciting. In lieu of a crystal ball, our team of GRC experts has identified nine different topics that will take center stage in the GRC space in 2017, comprising the following (in no particular order):
- Integrated Risk Management
- Political Change
- Digital Strategy
- Big Data and Analytics
- Conduct Risk
- Reputation Management
- Succession, Retention, and Recruitment
- Cyber Risk
- Third party/vendor risk
Succession, Retention and Recruitment
A company is as good as its people. A truism we’ve heard many times before. Still the recruitment process is often flawed: succession planning is poorly managed and not kept up date, some organizations focus more on newcomers, potentially leaving existing employees behind and leading to poor retention. Hiring the wrong person is one of the worst things that can happen to a company, especially higher up the ranks. There is the financial issue of recruitment fees, severance packages and salaries. Moreover, there is the time lost before the right person is on board, and the bad decisions that have been taken and the good decisions that weren’t.
Again, not a new risk. Ever since the first business employed the first employee, this is a known issue. So, why would this be different in 2017? Well, there are several reasons. In general the economy is doing well, depending on the industry or region of course. With economic optimism increasing, the likelihood of people looking around is increasing. This may lead to increased salary demands, which may lead to tension. It may lead to churn, and replacements may well be more expensive, and less experienced.
Secondly, an increasing number of young people are looking for truly impactful jobs. This may not be what one has to offer (in the first years), which may result in people looking for other opportunities. The ability to attract and keep talent is increasingly difficult.
Thirdly, related to the previous, the start-up scene is booming. Start-ups may impact bigger companies, by offering them additional products and services or in some cases by bringing them down on their knees. The aspect of the talent war is not to be underestimated. In regions known for their vibrant start-up scene, it will become ever more difficult to attract talent.
Whatever the reason is, the war on talent is increasing and 2017 will see new challenges. And therefore, this should be on your key risk list.
Cyber risk by now is on every front page, so likely also a key topic on every board agenda. If this is not the case in 2017, you are either in a very specific niche with very little automation, or in a place you should probably consider leaving.
So it is clear that cyber risk should be on the agenda. Hackers, organized crime, nation states, all are hunting for the low-hanging fruit. At this stage, it is probably good to be higher in the tree. Be sure to protect yourself better than your competitors, be sure that financial transactions are hyper safe, that employees are trained (and retrained), and that all privacy sensitive information is triple checked.
When somebody is really after the crown jewels of your firm, it will probably be very hard to have a 100% guaranteed protection. This means that not all of your controls should be preventive controls, you should also have detective controls, and definitely also have corrective controls. Detective because you know it will happen to you, and you want to know if and when it happens, and corrective controls to ensure the issue is as small as possible and is properly mitigated.
For the majority of cyber risk issues, in 2017, it is probably good to protect yourself better than your peers, so when somebody gets hit, it’s not you. Still, if that happens, it may very well still impact you. It may be one of your business partners, or it may be one of your industry peers, and your stock price will go down by anticipation. So, preparing for cyber risk in 2017 is quite a bit more than setting up the firewalls and changing your password regularly (but please don’t forget those!)
Third Party/Vendor Risk
So what will 2017 bring for third party risks? In a global economy, this risk has been around for quite some time. You may have thought about questionnaires you’re sending to all vendors to ask for compliance against a whole set of your policies. Third party risk is the probably one of the most rapidly growing areas of risk management as a result. It is driven by Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, compliance with applicable regulations like Conflict Minerals, anti-child labor, equal rights and so on. The general concern of companies of reputation damage plays a major role, as well as the exposure to supply chain risk as a result of increasing outsourcing.
So, in other words, third party risk is top of mind for a whole set of very good reasons. What’s different in 2017? For one, maybe not that much. On the other hand, politically there seems to be a tendency away from globalization, looking at local benefits. We’ve seen this in the UK with the Brexit, and with the election of Trump in the US, but on a local level there are many more signs. And most likely 2017 will continue to show this trend. This may very well influence foreign policy; it may influence tax rules and influence foreign trade, which could potentially lead to very different supply chains.
This is a very different type of third party risk. Typically, third party risk is seen as the risk that you have as a result of working with this particular third party. In certain cases, as a result of the latest political developments, your reputation may go down in one country because you do business with a supplier in another country. More importantly, you may have to re-think your entire supply chain. And that may require long-term investments, asking you to predict the future. Good luck with that.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.