Key themes for risk management in 2010

Every year brings it’s challenges - although I think it's fair to say that we enter 2010 with perhaps slightly more optimism than 2009.  Nevertheless, economic trends, political events, responses to the banking crisis and technology devlopments are beginning to shape the risk agenda for 2010.  Here’s my perspective on some of the issues that are on the radar for the next 12 months.

1. Understand potential exposures created by cost reduction initiatives

Many companies have been  forced into cost cutting exercises in response to deteriorating economic conditions.  But now the economy is showing signs of an upturn, senior management teams need to look at their company’s key operations and ensure that they are robust and that there are no murky corners where controls may have been compromised and could subsequently manifest themselves as major exposures.  

Cost cutting works for a while and works when volumes are reduced.  As volumes increase the capabilities of systems and processes are put under pressure and their effectiveness may be found wanting. 

2. Critically evaluate risk & oversight processes

A critical look at the functions that provide the “conscience” of the organisation and provide whistle blowing capabilities needs to be evaluated against several criteria:

• Do they have the expertise (and time) to understand and conduct meaningful evaluations of strategic, operational, and other risks facing the company?
• Are they focussed on the most important risks? For instance are your IT Auditors pre-occupied with systems access controls and ignoring the consequences of failures related to major investment new technology deployments?
• Are they are focussed on risks that both they and the senior management have agreed are the most relevant and critical to the business

3. Start preparing for economic, political and regulatory changes that are now on the horizon.

Significant events are already on the radar such as:

• There will be general election in 2010;
• Reward systems may change in the financial services sector;
• Bank structures may change with the UK perhaps aligining with the US President’s recent proposals;
• Currency fluctuations are making offshore outsourcing less attractive and some organisations are considering re-establishing onshore functions. This could be good for the employment market (but will put upward pressure on salaries), harden the commercial property market - but what of the political fall-out? Will the countries that decried protectionism become protectionist and create barriers to penalise foreign firms withdrawing operations?

 4. Closely examine “moral hazard” associated with reward systems

The banking crisis taught us a valuable lesson that “Greed is good – but not necessarily for everyone”.  Reward systems that are divorced from accountability for consequences have been the cause of many disasters. Commission and bonus systems will need a similar level of scrutiny and stress testing as those applied to other financial risks faced by the organisation.

5. Plan for the impact rather than the specific root cause of a business interruption “big one”.

The snow in early January showed us one thing – you don’t need a pandemic for staff to be unable to get to work. The weather remains the biggest cause of business disruption, and terrorism remains a spectre that could shut down city centres. All organisations that conduct critical operations should re-evaluate their business continuity plans to ensure that they properly cater for a widespread and sustained period of staff immobility. It’s not necessary for the office to be damaged for them to be inoperable – if no-one can get to them they are still unavailable.

6. Be circumspect and perform appropriate due dilgence with regard to technology’s NBT (Next Big Thing)

Virtualisation, “the cloud” etc. are offering RoI returns in spades These are both relatively new technologies and here are a couple of predictions:

• Someone is going to be publically embarrassed by either a major failure or vulnerability associated with one of these technologies (and some already have);
• There’s going to be a significant loss associated with the failed deployment of one of these technologies.  It will be related to a previously undiscovered issue relating to capacity, capability or security.

Initial deployments of these technologies should be performed conservatively before major commitments affecting critical services are made.  Most failed IT projects display several common attributes and one in particular - it's the things that you don't know you don't know that bite you "on the proverbial".  Follow the advise of Ronald Reagan - "trust, but verify" - and conduct due diligence on technology investments just as you would with any other major investment.

What are the big risk issues on your risk agenda this year?