What are some of the biggest challenges to risk management?

1. Poor governance

Citibank made headlines when it mistakenly wired a $900-million loan payoff to cosmetics company Revlon's lenders in August 2020. A federal judge later ruled that Citibank was entitled to less than half of the $900 million.

Like all financial services institutions, Citibank had policies in place, such as dedicated terminals for wiring large amounts of money and multiple controls that were rejiggered after the migration of its workforce to remote locations during the pandemic. Compromised banking controls were first suspected to have caused the costly error, said Chris Matlock, vice president, advisory -- corporate strategy and risk practice at Gartner. But the problem was traced to a recently installed software package that had UI issues, didn't have the appropriate controls and led to human error.

"This was a case where the human side of the equation can overwhelm any amount of good technology that has been installed," Matlock added. Citibank was eventually fined $400 million by U.S. regulators and agreed to overhaul its internal risk management, data governance and compliance controls.

2. Toxic work culture

Known for decades as the hub of technical innovation, Silicon Valley has evolved into a bastion of toxic "bro culture," according to Alla Valente, senior analyst at Forrester Research. She also cited other forms of toxic work culture when companies fail to mitigate risks that can alienate employees and customers.

Facebook's lukewarm response to the Cambridge Analytica scandal, Valente argued, has significantly eroded its trustworthiness and market potential. Wells Fargo's executives turning a blind eye to the warning signs of the bank's predatory selling practices with their customers "was a strategic decision," Valente said. "It could have been fixed, but fixing culture is never easy."

3. Overemphasis on efficiency vs. resiliency

Efficiency and resiliency sit at opposite ends of the spectrum, Matlock said. Greater efficiency can lead to greater profits when things go well. The auto industry realized significant savings by creating a supply chain of thousands of third-party suppliers spread across multiple tiers. But during the pandemic, there were massive disruptions in supply chains that lacked resiliency. A chip shortage ensued, and automakers' bottom lines suffered when chip suppliers took advantage of the resulting higher margins in the consumer electronics industry.

Conversely, interactive fitness platform maker Peloton, Matlock said, moved its entire supply chain and manufacturing process from Asia to Ohio to meet the heightened demand for its exercise bikes during the COVID-19 lockdowns. That kind of resiliency in its supply chain helped insulate the company from disruptions, bottlenecks and trade wars.

4. Toothless ESG statements

Until recently, companies would release impact statements that only paid lip service to their environmental, sustainability and governance (ESG) initiatives and weren't tied to measurable results or meaningful outcomes. Since the United Nations issued "code red for humanity," regulators, customers, employees and even shareholders are pushing for more meaningful impact statements.

Securities regulators in the U.S. and U.K. are considering new ESG impact disclosure rules. ExxonMobil lost a proxy battle for a board seat because activists demanded greater ESG accountability. "There was an underestimation of the importance ESG would have," Matlock said. "Up until now, we've known that being environmentally conscious and being socially conscious was important. But now suddenly, it seems like we all have to take this seriously. And if we get it wrong, there may be a penalty in terms of capital flow and opportunities."

5. Reckless risk-taking

A wildfire during unusually high summer temperatures approaching 122 degrees destroyed the village of Lytton, British Columbia, in less than two hours and touched off a class-action lawsuit claiming the fire was triggered by heat or sparks emanating from a freight train operating nearby. The suit alleged reckless behavior against the Canadian Pacific and Canadian National railways because they should have known conditions were unsafe to operate the train and failed to protect the town.

"But it's often not that simple," said Josh Tessaro, practice manager at Thirdera, a ServiceNow global services provider. "When you see one of these news articles that looks like reckless risk-taking, it is almost always due to lack of risk data, process definition and governance."

6. Lack of transparency

National attention has been focused for some time on the underreporting and misreporting of COVID-19 deaths in several states. New York's nursing home scandal, in particular, showed a systematic lack of transparency about the actual number of COVID-19-related deaths among the elderly and the wide discrepancy between the understated figures released to the public and the state attorney general's ultimate findings.

Withholding of data, lack of data or siloed data within organizations can create transparency issues and result in untold consequences. "Many processes and systems were not designed with risk in mind and are often disconnected across the enterprise and owned by different leaders," Tessaro explained. "Risk managers often then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to get."

A transparent risk management approach requires a consistent company-wide strategy that includes senior management, clearly defines the role of risk management, encourages risk awareness, institutes a common risk language and encompasses the various interests, objectives and critical risk concerns of all departments. A centralized system of record for risk profiles and events should also be established to collect, manage and report on key risk data.

7. Immature ERM programs

A combination of low interest rates and a surging stock market have spurred record numbers of global mergers and acquisitions during the first half of 2021, according to financial markets data and infrastructure provider Refinitiv. Buried among the success stories are many less-publicized M&A, IPO and product launch failures.

"Many of these failures can be attributed to organizations' immature risk programs," said Clifford Huntington, global assistant vice president, sales, for risk products at ServiceNow. Enterprises often don't recognize that a complete risk assessment as part of an ERM program to identify potential and inherent risks is needed in preparation for making deals.

8. Supply chain oversights

The rise in mass cyber incidents highlights the need to assess security risks up and down the partner supply chain. "Organizations are increasingly focused on the risk from their vendors as it relates to sensitive data breaches," said Mark O'Hara, managing director at consultancy AArete.

New contractual terms need to address cyber insurance requirements, data destruction practices and destruction verification. But organizations, O'Hara acknowledged, don't regularly review existing agreements or consistently communicate new requirements across their business units, resulting in noncompliant contractual agreements.

9. Lagging security controls

While companies have been accelerating deployments of workflow procedures and technologies to accommodate their new hybrid workforces, the controls necessary to ensure security, availability, processing integrity, confidentiality and privacy, as well as their documentation, have not kept pace.

"We rapidly pushed everyone to remote work where possible," said Dan Zitting, CEO at governance, risk and compliance software provider Galvanize, "yet controls around user access and physical security did not change as quickly."

As a result, many organizations are encountering control failures and compliance issues, leading to risk exposure and security breaches. Controls specified in SOC 2, Sarbanes-Oxley Act and ISO 27001 compliance standards and regulations, for example, changed as workflow processes increasingly became remote-friendly. One year later, companies are struggling to update their documentation to pass these types of security audits.