"The majority of our responsibilities have shifted to looking at the entire organization and designing the IT risk program that balances acceptable risks against the unacceptable," Alexander says.
For instance, consider the case of transactions coming through an online banking application. Here, the risk manager needs to decide whether to block or review some transactions. Blocking could result in lost revenue, depending on the volume of business. But letting suspicious transactions through increases the organization's fraud exposure.
The risk manager has to decide what the threshold of risk is in comparison to the fraud potential, then set the rules accordingly.
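To make the threshold decision above concrete, here is an added example (not code from the article or from any bank it quotes) that scores a handful of constructed transactions and picks the review and block thresholds with the lowest expected loss. It assumes each transaction already carries a fraud score from some upstream model, a legitimate transaction earns the bank a fixed margin (`MARGIN`), an allowed fraud costs the full amount, and a manual review costs `REVIEW_COST` and is treated as catching fraud perfectly; all of those parameters and the sample transactions are assumptions for illustration.

```python
"""Cost-based selection of fraud-score thresholds for an online banking
transaction flow.

Added illustration, not code from the article or from any named bank.
Assumptions: every transaction carries a fraud score in [0, 1] from some
upstream model (the probability it is fraudulent) and an amount; a
legitimate transaction earns the bank MARGIN per unit of amount; a fraud
that is allowed through costs the full amount; a manual review costs
REVIEW_COST and is assumed to catch the fraud and release the legitimate
transaction. All figures are constructed for the example.
"""
from dataclasses import dataclass

MARGIN = 0.02       # revenue on a legitimate transaction, as a share of amount (assumption)
REVIEW_COST = 5.0   # analyst cost per manually reviewed transaction (assumption)


@dataclass(frozen=True)
class Txn:
    amount: float
    fraud_score: float  # model probability that the transaction is fraudulent


def decide(t: Txn, block_at: float, review_at: float) -> str:
    """Three-way policy: block at or above block_at, review at or above
    review_at, otherwise allow."""
    if t.fraud_score >= block_at:
        return "block"
    if t.fraud_score >= review_at:
        return "review"
    return "allow"


def expected_cost(txns, block_at: float, review_at: float) -> float:
    """Expected loss of the policy summed over the transactions."""
    total = 0.0
    for t in txns:
        p = t.fraud_score
        action = decide(t, block_at, review_at)
        if action == "block":
            # blocking forfeits the margin on the legitimate share
            total += (1.0 - p) * t.amount * MARGIN
        elif action == "review":
            # review is assumed perfect, so the only cost is analyst time
            total += REVIEW_COST
        else:
            # allowing exposes the full amount on the fraudulent share
            total += p * t.amount
    return total


def choose_thresholds(txns, grid=None):
    """Sweep a grid of (review_at, block_at) pairs and return the
    (cost, block_at, review_at) triple with the lowest expected cost."""
    grid = grid or [i / 20 for i in range(1, 21)]  # 0.05 .. 1.00
    best = None
    for review_at in grid:
        for block_at in grid:
            if block_at < review_at:
                continue
            cost = expected_cost(txns, block_at, review_at)
            if best is None or cost < best[0]:
                best = (cost, block_at, review_at)
    return best


# Constructed sample transactions: (amount, fraud score)
SAMPLE = [
    Txn(120.0, 0.01),
    Txn(2500.0, 0.30),
    Txn(80.0, 0.90),
    Txn(950.0, 0.55),
]

if __name__ == "__main__":
    allow_all = expected_cost(SAMPLE, block_at=1.01, review_at=1.01)
    block_all = expected_cost(SAMPLE, block_at=0.0, review_at=0.0)
    cost, block_at, review_at = choose_thresholds(SAMPLE)
    print(f"allow everything: expected loss {allow_all:.2f}")
    print(f"block everything: expected loss {block_all:.2f}")
    print(f"best policy: review >= {review_at:.2f}, block >= {block_at:.2f}, "
          f"expected loss {cost:.2f}")
    for t in SAMPLE:
        print(f"  {t.amount:8.2f} score {t.fraud_score:.2f} -> "
              f"{decide(t, block_at, review_at)}")
```

The point of the sweep is that neither extreme is free: allowing everything exposes the full value of the suspicious transactions, while blocking everything (the "zero tolerance" posture) still forfeits margin on the legitimate ones and, in practice, drives away customers. The thresholds that minimize expected loss depend entirely on the margin, review cost and score distribution the organization actually has, which is why the risk manager has to state those numbers before the rules can be set.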
The Evolution of Risk
Carol Fox, a veteran risk professional with over 20 years' experience, is director of the strategic and enterprise risk practice at the Risk and Insurance Management Society (RIMS). She sees the role's evolution from "Do we have insurance to cover the fraud?" to one of an internal advisor and consultant who plays an active part in detecting and preventing fraud.
In the past, when fraud or a security incident occurred within an organization, the initial response from risk professionals was "How could that have happened?" Typically, they stuck to their traditional approach of reducing and managing a predetermined set of risk exposures and mitigating known risks.
Today risk management is closely tied to business performance and is a top-down approach aligned centrally with business objectives.
"Strategic decision-making, analysis and leading to the root cause of fraud are what risk managers do now," Fox says.
When fraud occurs, it is the risk manager who has to analyze the incident, whether it stems from a policy failure, a systemic weakness or an electronic channel. Which systems are affected? What loss did the organization incur in terms of monetary and reputational risk?
Additionally, the drive toward emerging technologies such as mobile, social media and cloud computing has resulted in multiple channels of delivering products and services, thereby increasing the potential risk.
"As such, the risk manager now is driving organizational behavior and looking at issues outside their control," says Kenneth Newman, VP at Central Pacific Bank and a risk specialist with over a decade's experience.
Newman cites the general category of account takeover fraud. This is one of the most challenging fraud types for a risk manager to detect, because the relevant controls sit on the customer's side, beyond the organization's perimeter.
"How do you identify and analyze behavior to know that it's not actually the customer accessing their account, but a third party?" Newman says. "How do we know what controls the customers have in their environment?"
Internal threats also create new challenges, Fox says. A risk professional, for example, may need to work with human resources to ensure that an incentive program at an organization is not leading to fraudulent behavior by people in order to meet their performance targets.
At the same time, they need to make sure that employee credentials and access rights are reviewed frequently, and removed when no longer needed, to avoid insider crimes.
"It is not protection of IT risks alone, but risk of enterprise reputation which is far more pressing today," Fox says.
Career Opportunities
There is an array of career opportunities for today's risk professionals in all risk-related functions, including legal, audit, compliance, physical security, information security, fraud prevention and business continuity.
For entry-level professionals, the best start is a risk analyst role that involves data analysis and operational support for the business information security group, including assistance in risk management function and processes.
The career path for mid-to-senior-level risk professionals may lead to management positions such as chief risk officer and chief compliance officer. Also, risk leaders are in demand by major consulting firms to play the role of business and risk advisors to their clients in developing IT governance, risk and compliance strategy and solutions.
However, the role demands new skills. "Today's risk management professionals really need to take a strategic view of managing risk to be relevant in achieving the organization's expected outcome," says Wells Fargo's Alexander. Among the key skills:
- Strategic Decision Making: The risk practitioners need to change the way they think about risk by understanding how emerging technologies and uncertainties affect the strategic risk management capability. "They have to now start thinking like a business owner and uncover new opportunities to protect the enterprise value," Fox says.
- Understand Risk Tolerance and Methodology: Risk professionals need to understand how much of a fraud risk the organization will tolerate and articulate this effectively, says Alexander. For example, many organizations tend to establish a risk tolerance for fraud at zero, and that increases the risk manager's function in terms of establishing effective controls and implementing robust risk models to monitor and address fraud. Also, they need to be adept in implementing risk methodology including risk identification, risk assessments, metrics, convergence and adopting an effective risk response.
- Knowledge of Regulatory Compliance: Including frameworks such as COBIT (Control Objectives for Information and Related Technologies), ISO/IEC 27002, ITIL (the Information Technology Infrastructure Library) and applicable national standards.
- Strong Interpersonal Skills: Risk managers need to translate risk management concepts, practices and processes into language understood and appreciated by their team, management and board personnel. In many cases, risk managers are called upon to summarize the myriad of risks that the organization faces, and to translate these into actionable concepts that can be addressed at the executive committee level. Strong interpersonal, general business and communication skills are imperative for risk managers to be successful, Newman says.
- Behavioral Analysis: Take the case of insider threat. Here the risk manager needs the skills to measure the fraud type in terms of likelihood and significance, and then map the data and systems that are most sensitive to the organization against the behavior patterns of employees who have access to that information. "Behavioral analysis will play a significant role," says Newman. "The skills that will ultimately distinguish risk practitioners will continue to shift toward understanding behaviors, attitudes and culture of the human stakeholders of the enterprise."