Mastering modern risk management – Beyond traditional challenges
March 04, 2024
The conversation around risk management is often framed around familiar risks, such as operational, market, credit and so on. But today’s businesses and regulators are zeroing in on other risks, such as supply chain, regulatory, cybersecurity, climate and artificial intelligence (AI) risk. It is also clear that to effectively address any of these risks, it is critical to not only invest in technology and governance, but also build a culture of risk.
Each risk is qualitatively different and deals with different processes. How you address them is often specific to the context.
Traditional risks
If you’re dealing with financial crime or money laundering, you’re looking at trading transactions. You need complete control over all the data and a three-dimensional view to do a full reconstruction and understand the trade.
If you’re looking at balance sheet risk, then you’re pulling together information from multiple systems into a complex model and doing sophisticated analysis on it.
You’re not just trying to find out what happened and what’s involved, but all the different ways you can view it. What are the future scenarios, and how do you weigh the risks? It’s enormously complex.
Newer risk focus
Supply chain risk has been getting intense attention recently, particularly since it has direct financial and operational impact and presents a risk to the operational integrity of information and communication technology, especially where third-party suppliers are involved.
Looking across these big operational landscapes, understanding what is going on and getting that data into a coherent view – and being able to manage it – is tricky.
Another serious consideration is regulatory risk. Regulatory risk involves the range of compliance issues that a company needs to deal with.
It is an interesting category because regulations are often there to drive risk, such as fraud or bad behavior in trading, out of the system. Regulators are looking to create a more stable and predictable world, and a lot of that is related to minimizing and mitigating risk.
How do you address regulatory risk? Start by asking yourself some questions. What are all the mandates that affect you? How do they affect your business, profitability and your risk of fines and sanctions? And in aggregate, what carries the most risk?
Armed with these answers, you can decide where to focus your operation and technology spending, as well as your risk management communications to stakeholders, regulators, your board of directors and customers. While you’re at it, don’t neglect the related internal risk of contract management in alignment with regulation, including how to identify and uplift or remediate contracts throughout the organization.
Another risk that is not always widely understood or managed is sustainability risk. This is a broad term that encompasses environmental, social and governance (ESG), climate risk and other dimensions of sustainability.
The U.S. has its own sustainability regulations at the state and federal levels. In Europe and many other regions, there are a host of regulations at local and national levels as well. But some near-global consistency will come into place through the International Sustainability Standards Board.
No matter where you are in the world, investors and boards are thinking about sustainability. So, you should be considering your approach to risk around this, too.
AI regulations are likely the most persistent risks on everyone’s mind right now. They remain unclear or inconsistent, though they are moving quickly. The proposed EU framework is risk-based, providing different levels of scrutiny and remediation based on the potential levels of threat that AI could pose to the market.
In the U.S., the White House has issued guidelines that are a little more precise, but they aren’t law. So, managing compliance and regulatory risk around AI means keeping very close track of how the technology and the regulations trying to govern it are evolving.
You can start with the standard practices for IT management and governance that already exist. However, all the dimensions of governance of technology have stepped into a new space when it comes to AI – especially large language models and generative AI.
That has a corollary: Where you’re using AI in a process that’s subject to regulatory scrutiny, you need to be sure the regulator agrees that your process is explainable. You can’t just say, “The AI told me the process is low risk.” You have to understand the factors involved.
Building a culture of risk management
Remember your people in all of this, too. Cybersecurity risk is a great case study. It is continually evolving, so you should continually educate your employees. But don’t just run the same training programs; you also have to evolve your training. Employees need to be vigilant. As the saying goes, they’re the first line of defense, meaning they need to know how to recognize new threats.
Pandemic risk is another example where complacency can heighten the risk and where your people can make a big impact. We shouldn’t assume that the last pandemic is what a future pandemic could be. It could be very different in how it evolves and how it impacts people. Assess your supply chain on a regular basis, as well as remote working practices, security procedures and more to make sure you have a risk plan in place.
The final consideration when it comes to newer and more people-oriented risks is reputational. The way firms have been managed historically has been all about focusing on the impact on financial performance. Businesses have been monitoring growth and return to shareholders, but things are changing. ESG shines a spotlight on values that should have always been part of how companies are regarded. But only with regulations will they be disclosed, and scrutiny will follow. Consider your impact on the environment, from greenhouse gas emissions to water consumption. These can be key ways that your reputational risk is impacted.
On the “social” side of ESG, what are you doing for local communities? Does your senior management truly represent your community? How do you treat your employees?
Finally, there’s governance. Risk leaders should be thinking about governance of operations, contracts, third-party relationships and technology to manage regulatory and operational risk.
The impact on reputation will take time; consumers don’t necessarily think about the climate impact when they refuel their cars. But the day is coming, and ESG and sustainability are already having a major impact on how firms are run, their reputations and the bottom line – just like today’s other risks.