In such unprecedented times, businesses are facing different kinds of risk, which has made the onboarding of a Chief Risk Officer very important. Covid-19 pandemic has proven to be a financial health check-up of organisations which many failed, hence, Reserve Bank of India (RBI) has revised audit norms for banks, to improve risk management. RBI has issued a directive to Non-banking Financial Institutions (NBFCs) with assets valued at greater than INR 50 million, to appoint independent CROs with clearly-defined roles and responsibilities. The year 2020 has indicated that businesses and senior leadership need to be prepared for an uncertain, risky and volatile future that includes climate change, technological disruption, geopolitical risk, threats to the global supply chain, and cybercrime issues data protection and privacy. 

Santosh Kumar, Partner, Deloitte India in conversation with Praggya Guptaa talks about how the roles and responsibilities of Chief Risk Officers will be changed in times to come. How do these organisation can prepare for any unprecedented risks ranging from cyber to financial to tech?

With revised norms, how do you see the emerging role of Chief Risk Officers and the importance of this function in today's dynamic environment? Are these new organisations (which came under new directive) taking the role seriously?

Rapid digitisation, pervasive adoption of technology and fast-changing business models characterise today’s business environment. This has resulted in the risk landscape becoming very dynamic with newer threat scenarios emerging every day. The pandemic has compounded this situation by adding a significant level of uncertainty to the mix of existing risks. All of this has turned the spotlight on the risk management function in enterprises, turning up both, the level of engagement and expectations.

Regulators are already considering extending the scope and coverage of risk management. SEBI is proposing to extend the mandatory constitution of the Risk Management Committee (RMC) of the Board to the top 1000 listed companies from the current top 500 companies, giving powers to the RMC to review the appointment, removal and remuneration of CROs jointly with the Nomination and Remuneration Committee. The intention is to institutionalise the CRO's role along similar lines as that of the Chief Financial Officer (CFO) and Chief Internal Auditor (CIA) where the Audit Committee oversees their appointments and defines their roles and responsibilities. The proposed amendment is also seeking to enhance the ambit and roles and responsibilities of the CRO and risk management function.  

Chief Risk Officers will increasingly be expected to play a more strategic role to enable enterprises becoming more Vigilant and Resilient. This requirement has never been more pronounced than in the current environment that we all call the “New Normal”. Risk Management functions and frameworks will necessarily have to become Vigilant to provide early warning signals to CXOs on the emerging threats, the velocity with which it could hit the enterprise and the impact that these events could have. 

It is reasonably well understood and accepted that all threats cannot be prevented from manifesting. Still, Resilient Risk Management frameworks can increase the level of preparedness and reduce the risk response time. Opportunities and Risks are two sides of the same coin. Vigilant and Resilient Risk Management Frameworks will help enterprises tap into risks's upside and enable them to establish a sustainable competitive advantage in the market place. For this to happen, the CRO role must go beyond the traditional risk areas of Finance, Operations, and Compliance and should extend to Strategic Risks. The “Risks of Strategy” and the “Risks to Strategy” must be identified. Every emerging risk scenario must be modelled to assess the impact on the enterprise, which will be key to getting the right mitigation plans and crises management play-books implemented. This pandemic has demonstrated, like never before, the interconnectedness of risks and how critical it is for risk management to function as a strategic tool for planning and decision making.

A survey carried out by Deloitte covering CROs and Risk Management leaders in India in November 2020 to assess the changing landscape of enterprise risk management indicated that Enterprise Risk Management is now getting more attention at the Board Level. 82% of the respondents said that there is an increase in the oversight by Boards in defining the risk appetite, reviewing the process of risk identification, prioritisation and in assessing the adequacy of mitigating measures. 

Needless to say that the case for effective risk management is becoming stronger than ever and with all these changes in the business and regulatory landscape, it is now incumbent upon enterprises, CROs and risk management professionals to step up and build the capabilities and capacities that will be required to discharge these responsibilities effectively.

Do we have enough skilled professionals for the role?

For the role that they are expected to play, the CROs need to gain the confidence of the CXOs to become their trusted advisors. The role is in equal part strategic as it is tactical and CROs need to find the right balance.

For wearing the strategic hat, the CRO should have a good understanding of the business and its strategies. She should be able to break down the strategy into key initiatives, identify the associated risks and define the risk appetite that will serve as a beacon during risk and reward tradeoffs. The strategic play will require integration of risk-based decision making with business planning and will necessitate risk quantification, determination of value at risk, risk-adjusted returns etc. using scenario-based risk modelling. 

The tactical role is not any less important and would require attention to risk management processes, overall compliances, routine operational and process-level risks

The CRO needs to be an excellent communicator and critical thinker to be able to challenge the assumptions, articulate the risk scenarios and their impact on enterprise value. The Board and the CXOs should be able to visualise how risk management practices protect and enhance enterprise value.

The dominant skills and attributes that a CRO should possess would also depend on the sector, for e.g. Banking and Financial Services sector would need the CRO to be highly proficient in regulatory matters and aspects on market, credit risk etc. Industry experience and business understanding is hence vital along with prior experience in risk management with a fair exposure to finance. Ability and experience in interacting with CXOs and Boards will be key for this role to effective

All these skills may always not be available in one person but basis the dominant skill required, the other aspects can be developed through training and certifications. It is also about how Risk Management organisations in enterprises leverage the internal and external ecosystem in getting the right perspective and inputs in their risk management processes.

What would be your critical pieces of advice for organisations appointing Chief Risk Officers? How do these organisation can prepare for any unprecedented risks ranging from cyber to financial to tech?

CROs and Risk functions have traditionally been focused on operational and compliance risk matters to fulfil the regulatory requirements. But the past decade has thrown up a wider range of geopolitical, regulatory, cyber and technology risks necessitating a wider and more empowered role for the CRO.

The question is not just about hiring the right CRO or staffing the Risk Management function with the right skills, organisational support is equally important for the risk management function to be effective. There are a few critical success factors in this regard. 

The CRO should be a C-level appointment and should have direct reporting to the Risk Management Committee of the Board with a dotted line reporting to the CEO. This will ensure that the CRO has a seat at the table and is an active participant in all key management discussions. The survey of CROs and Risk Leaders in India conducted during November 2020 had 95% of the CROs concurring that risk management is at a critical juncture in its evolution to becoming a true strategic business partner with long-term stature and respect within the organisation

The reporting structure will also demonstrate sponsorship for risk management from the highest levels in the organisations, which goes a long way in active engagement by Business and Enabling Units

Risk Management functions do not own the risk and the mitigation plans, they only implement and institutionalise the risk management framework and facilitate risk identification, assessment and management. The risks and the corresponding mitigation plans are the responsibility of the respective business and enabling units. Risk management will only be optimal if the risk management organisation has adequate engagement from Business and Enabling Units. 

There has to be adequate and ongoing training and communication of risk management objectives, policies, processes to the organisation at large for the Risk Culture to be established and for risk management to become of the part of the DNA in operations and decision making.

To become a trusted adviser to the business, risk leaders need to offer real-time or near real-time intelligence. This includes access to risk and performance data. Scenario planning and scenario modelling are important means to describe the potential impact of risk events on specific parts of the business and their interconnectedness. Technology has a key role to play here and organisation should invest in tools for risk sensing, risk analytics, dynamic scenario planning and visualisation, which will aid in sensing changing risk trends, developing associated action plans, monitoring the risk drivers and also in reporting on the risk profile.

Banks are the most targeted sector when it comes to cybercrime. What makes their digital transformation vulnerable to these threats and how BFSI can address these?

The banking sector has under attack from ages. First, it was the physical theft, then when computerisation began it turns into computer fraud and now it is cyber-attacks. Digitisation of voluminous confidential data and digitalisation of banking processes have been foremost on the agenda in the boardrooms of Indian banks. This urgency has put the spotlight on digital technologies such as Cloud, Artificial Intelligence (AI), Internet of Things (IoT) and Machine Learning (ML). At the onset of the COVID-19 crisis, banking operations were severely disrupted and banks struggled to provide uninterrupted services to their clients. This interruption also forced banks to accelerate their digital transformation programs to ensure contactless operations.

During the pandemic, banks and financial institutions accelerated their digital transformation to ensure contactless business operations. Higher digitalisation and remote operations increase vulnerabilities. Banks also witnessed a spike in cyberattacks as cyber criminals found and exploited new vulnerabilities. What makes the challenge acute is that different banks are at varying stages of digital transformation and cybersecurity maturity levels which is determined by their past investments, budget allocation, and size in terms of customer outreach and service offerings. With online banking becoming increasingly popular, some of the common cyber-attacks are Phishing and Vishing, Distributed Denial of service (DDoS), Man in the Middle (MiTM), Malware contagion, cloning of digital identities, advance persistent threats and social engineering

Considering how cybercriminals are finding new vulnerabilities to target customer banking credentials when carrying out attacks, Risk Management in Banks will have to embrace advanced cybersecurity norms to meet business requirements, irrespective of where they are on their digital transformation journey. They will need to understand the importance of individual cyberattacks, comprehend patterns, sophistication, and life cycle of such threats they face on a daily basis in order to protect their businesses. Cyber Risk Management programs need to prioritise cybersecurity assessment, securing remote access control, tightening access to third-party services, adopt advanced technology solutions and tools for 24/7 threat monitoring and response. 

Robust Cybersecurity assessments should also extend to third parties who are now an integral part of most banks operating ecosystem. All these need to supplemented with continuous training for creating awareness within the organisation as well as with customers

To address these challenges, banks need to appoint experienced Chief Risk Officers and Cyber Security teams, who can take the responsibility of skilling the employees and lead investment in military-grade cybersecurity solutions to detect the most advanced attacks

There is another level of digital transformation in organisations we have seen during the pandemic to support a remote workforce, deliver critical services be it health or education, and leverage hyper-automation to ensure pandemic-driven demands are met. What are the key trends in the risk landscape? 

The pandemic situation has led organisations to rediscover new fluid workplace models, prominent amongst them being Remote Working Environment (RWE) and Work from Home (WFH). While this model has gained popularity and employers have given their employees choices to set their own work hours and locations to operate under this new normal, this has also exposed the organisation to new challenges and risks emanating from these evolving models.

Top of mind risk, in this environment, for most people are the ones associated with Information Technology and Cyber Security. We have witnessed increased cyber-attacks owing to unsecured networks for accessing business data. This is compounded by a large number of new devices and the use of Personal Devices by a remote workforce, which have inadequate security controls and can be compromised through social engineering. What has contributed to the risk landscape becoming alarming is also the lack of awareness amongst employees about cyber, data privacy, security-related aspects and the risks posed by the use of unapproved and unmanaged collaboration tools.

The other risk group emanates from work environment and infrastructure issues. Key amongst these are the ones which impact confidentiality on account of potential eavesdropping, shoulder surfing and unauthorised access to data and information in work from home and shared accommodation environment. There could be a risk to physical health because of work stations at home, not meetings appropriate work standards such as chairs not meeting ergonomics standards. In addition, productivity could get impacted due to infrastructure constraints like as poor WIFI speeds, connectivity issues, power interruptions, call drops, etc.

In my view, a very important risk category, which probably needs more proactive attention from organisations, is the mental well-being of the workforce. Work from home and the lone working environment can result in a feeling of isolation due to limited employee engagements, which in turn could result in mental stress and health issues due to lifestyle changes, erratic work schedules, extended hours of calls etc. Most organisations have a reactive approach to this aspect and this is something that needs to be addressed in a proactive manner to eliminate/prevent the distress inducing situations/practices.

CROs need to assess whether adequate governance mechanisms, operating policies/procedures exist, and the requisite awareness is created within the organisation to recognise this new set of risks and to be able to manage them effectively.