Transcription

Robert Bateman:

Hello, thanks so much for joining us again at PrivSec Focus Enterprise Risk. I’m Robert Bateman, head of content here at GRC World Forums and introducing the last session of the day. We’ve had a fantastic set of panels, and I’m sure this one will deliver too. 

Please ask questions using the chat function on the platform. And I’ll hand over now to the host of this final session, the future of ERM, technologies and frameworks. This is moderated by Wajahat Raja, who is Global GRC and GDPR Solutions at the Saudi Stock Exchange. Wajahat, over to you.

Wajahat Raja:

Well, Robert, thank you so much for such a wonderful session and handover. I really want to congratulate GRC World for such an amazing event today. And along with me, I’m accompanied by two of very honorable panelists Mr. Riccardo, and Ms. Geethy. Very soon when I give the introduction, oh we got our panelists with us. Hi Riccardo. Hi Geethy.

Riccardo Bua:

Hello everybody.

Wajahat Raja:

Excellent. So let me give you a little bit of introduction. I already got introduced by Robert. Mr. Riccardo is representing DigiTribe. He’s an expert in enterprise risk management along with a lot of other skills which he bring because of his numerous exposure and experience in tools and technologies.

We have Geethy over here from HSBC. She’s going to be very much discussing about enterprise risk management frameworks, but that will not stop her in actually responding to certain technological questions about the future of the enterprise risk management.

I’ll hand over to Riccardo. If you would like to start so that we can have our question answer sessions at the end of this basic introduction of enterprise management from the future perspective. We will take five minutes of basic discussion and then we will be very much welcoming all the questions from our panelists as well as our audience.

Riccardo Bua:

Hello, thanks for that. So, from my perspective, I’ve been working the past year on the challenges of bringing together under the same umbrella, different silos. When we talk about enterprise risk, we are looking at different risk domains that eventually will need somehow to be aggregated and evaluated in terms of how we cope, mitigate, and define what the enterprise risk appetite is and what sort of risk we are going to be able to assess or eventually transfer.

The companies that work here within the financial sector here in Europe are the largest one and basically on both sides, it’s difficult to transfer such risks. So it means that results need to be put to eventually tackle it. So the more precise you are on to the evaluation of your enterprise risk, the easier it is to eventually cope with such challenges and scenarios. 

And my work has been into defining what sort of information you need to collect from the different group and silos that are operating, how to structure it, what sort of governance you are going to put in place. And with such data governance, what sort of analytics and extrapolation you can do so that you would augment the report and capabilities that the risk analyst eventually will bring into the picture with their assessment and with their evaluations.

And some of those challenges are indeed into the way that the data is structured, into the way that the data is collected, into the way that the data is processed. And eventually finally, into the way that the data is reported and monitored in terms of risk. And for that point, I would like to introduce Geethy because I think that from her perspective, she has some interesting approaches in terms of how to cope with dealing with such challenges in reporting risk.

Geethy Panicker:

Yeah. So good evening, good afternoon, depending upon the location where each of the participants are joining, and hello to my fellow participants. I’m really glad to meet all of you to talk about the future of ERM and the technologies, which are going to be deployed to enhance the quality and effectiveness of our ERM management.

I would say as a practitioner, I have been a practitioner for over more than a decade now for ERM across different banks in India and Singapore. And in that life, we have seen how the frameworks evolve, tools evolve and how the risk itself evolve and manifest in different ways. So one of the basic fundamental lesson that we have all learned over the last decade is that traditional risk have remained the same. 

We have seen some new facets of risk introduced by technology de-globalization or globalization. So some of the new forms of risk are manifesting and the traditional risk have become more interconnected with a globalized world and technology digitalized world. So these are some underlying shift and theme, and we are seeing single risk now touching multiple taxonomies at single time, be it pandemic or geopolitical. 

You will see it touching almost all parts of the different taxon. There is taxonomy that each one of you have defined for your organization. So the key challenge for an ERM professional hence is the risk congregation for trigger events, or even an ongoing risk profiling basis. How do you really know which are the taxonomy? What is interrelatedness and interconnections and the aggregated exposure? 

And usually this happen particularly for trigger events. This is very manual in nature even today going back to the experts, whenever we have triggered events. Quantitatively, we can do some amount using systems available, but qualitatively, if you really want to arrive, I don’t think any organization is so sophisticated yet to have complete… For example, the moment you see about Ukraine issue, you suddenly have automated, advanced digital report that the CRO can look at its fingertips.

So that’s an ideal vision for the future. And I think some of the technologies that we will discuss today will work towards that goal, even better dashboards insights for the board and the CROs and the risks stewards. So that’s my number one key challenge today, and that is accentuated by the quality ensuring adequate as well as good data quality to deploy this technology, which is the second challenge. 

And third is ensuring that the people that we have in risk functional governance, DRC functions, are equipped with the right skillset to apply and make use of these technology for enhancing risk management, as well as their risk stewardship for managing the technology risk which are coming up. 

So these are the three forms of different challenges we are addressing. And this is a great opportunity. So I’ll talk about the opportunity maybe in the next question, but yeah, I just wanted to give that intro context before we move to the second question.

Wajahat Raja:

Excellent. Thank you Geethy. I’ll add definitely into bit of my part that these all challenges, which has been identified by Riccardo as well as Geethy or the situations actually give a whole new level of trends. I mean, if you see the futuristic approach towards the ERM, there are some emerging trends which we must observe. 

For example we can see that the risk maturity frameworks are coming in a very mature format. They were not being able to cope with the large amount of frameworks we had, and now they are consolidating the workflows, which are existing in the environment. We have seen the convergence or emergence of ERM technology stacks with the GRC, and I believe [inaudible 00:09:20] have a good discussion on this thing based on his personal experience in next year. 

We have also seen that there is a strong highlight in the market about treating ERM as a competitive advantage. This has been quite an enormous discussion after the pandemic, as well as some wars we have seen in the region as well. Then there are GRC level integrations with the emergent ESG factor. ESG has been quite an important subject nowadays. 

And how ERM and GRC can coexist with ESG is something really going to change the paradigm in next coming years. That’s something which we need to also discuss. The roles of chiefs is very vital as Geethy said, that the people part is quite significant, but among them, keeping the risk at the C level. We have seen a tremendous improvement in the role of CIO, acting as a broker between C level to sell the ERM or the buy-in of the ERM. 

That’s something very much debatable. We have seen tremendous reliance of cyber and physical risk coverage on overall ERM now because of the total digital shift happening. Digital audits has been quite a new thing. Now it’s a new normal, I would say rather than new thing. Integrated risk management with the digital transformation, very vital and important area to consider because the digital transformation space is happening like it never happened before.

I think these are the few areas which we also need to observe and discuss. And during the session, we do expect our panelists will contribute in it. And from the question and answer session, we really welcome now anybody who really want to ask. We will be definitely answering it. We have started receiving few answers as well, and I would love to answer these things during the session. So over to you, Riccardo.

Riccardo Bua:

Yeah. So I’ll start from one of the points that was raised by Wajahat earlier in terms of being able to be more of a business partner and empower the business to take the right risk-based approach and decisions and focus on opportunities rather than managing risk when it comes to the question then on how to further integrate AI and machine learning into the framework. 

The perspective from our Western side is for sure that we are right now just on the edge of being able to collect a lot of data and analytics from the activities and the different part of the business that is performing those activities, and how they eventually expand to risk earlier.

And try to assess the impact of such transitions on to the overall status of the enterprise where AI and ML might come into play is to model such risks so that it can be digested and processed at the C level, and eventually understood where the bigger opportunities might be.

And as it was mentioned earlier, potentially some of those areas might lie into how to align to controls, like on the ESG side, but how also to exploit the ESG opportunity and how to expand some of that evaluation of the data in terms of how that might become an opportunity to eventually capture latent request coming from the market and coming from the different players in terms of where to position the company in terms of ESG and how risk will make a play into it. Geethy do you want to add something on to it? You’re on mute Geethy.

Geethy Panicker:

Yeah, I wanted to pick one point Wajahat had mentioned about new trends in risk management and how can ERM be a competitive edge to the organization. For this question, I want to draw a parallel to the Formula One business and the Formula One race. 

So if you look at the history of Formula One race in the 1950s when it started, the cars used to go to the pit crew, which is a very much akin to a pit stop, which is very much akin to a risk management or a compliance department in an organization. The car is something similar to a first line of business. So the pit stop time used to be 72 seconds. 

So manually, they had to remove the tire, replace the tire, do the minor repairs during the drive, and then the car will zoom away to its pole position. And over the time, the car companies or the sponsor companies invested heavily into this advanced technology. And the best time in history is under two seconds. So from 72 seconds, this has come down to two seconds as for the most recent.

And I’m sure in future, they might be even doing this activity completely remotely sitting somewhere else inside the pit stop. So what technology enable them this business to improve the pit stop time? Any improvement in the pit stop time will show and reduce improvement in the business performance for the cars, for example, its success, or it acts as a winning edge.

And same way, if you look at it, the competitiveness in the market is really high. There is extreme pressure on margin. These models are changing. So in that context there is a limitation to which the first line can contribute to the profitability. And it is in that space where as risk and compliance or the governance teams can look at innovation as a means to reduce the compliance cost and add to the bottom line, rather than continuously increasing the manual requirement or a resource requirement. 

And that’s a place where ERM technologies can add a winning edge. I will talk about two, three examples of how we can use any of these technologies to improve our ERM process and be for a winning edge. I’ll start from the top, which is risk governance. So risk governance involves oversight forums or discussions, meetings, minutes, a lot of documentation of all that got discussed in meetings. And that is where one place where artificial intelligence can help in two, three ways. 

One, for example, there are humongous number of risk reports which go to the risk committees. So artificial intelligence can of course help to summarize them. NLP is a good technology which can help in summarizing and giving crisp report to the board rather than a human being sitting and writing. Of course, human oversight and review will be required, but the number of cumulative man hours can definitely be reduced by an NLP and related technologies. 

Similarly, the dashboards, we now have periodical, let’s say a quarterly, monthly, fortnightly kind of reporting. It can move into a dynamic report and need to know basis rather than the standard template. What is it that CRO or the board member want to see in their view rather than standard template? So that is where the advanced data analytics and BI capability with AI can provide.

And the whole process of preparing those templates standard report every month is done away with. The third angle is a lot of note taking, minute taking can be completely automated using AI. So I think in one area of risk governance if I give an example of three important activity which can save resources.

And same is the case with ESG. ESG, I think a lot of vendors are offering AI based ESG scoring, wherein AI actually sources these external, internal information aggregates and reduces the ESG score of company. So that’s one good example in ESG. It is also used in making disclosure. So a lot of advanced technologies are used in preparing the disclosures automatically. 

So it aggregates the information and then puts into standard templates just the way a human would do and produce very nice reports. [inaudible 00:18:21], another area where you can use a lot of artificial intelligence. Risk assessment, so we are already seeing a lot of application in fraud, credit crime screening, financial crime screening, credit approval process where credit scoring is done by artificial intelligence. 

Blockchain is used for lot of reconciliation related control process. So with these technologies, of course, these are great opportunity and they will need to mature over time. So we shouldn’t expect that tomorrow when AI comes, my governance work will reduce. It is that you have to constantly refine to suit the requirement of the organization. 

Some products are very much so. Some products will still require a lot of inputs from the GRC professionals. But I think over time, you will feel that these technologies can really aid helping you to reduce cost, reduce time and focus on what is material for your risk and diligence to focus, which is the most precious part. And that’s the future which I think, Riccardo, where ERM will be the winning edge for the organization.

Riccardo Bua:

Wajahat, do you have any [inaudible 00:19:32]

Wajahat Raja:

Yes. Thank you, Riccardo. Actually, there is a question. Yeah, can you listen me?

Riccardo Bua:

Yes.

Wajahat Raja:

Yes. So there is a question about how we can take the leverage of ML and AI for our ESG integration with ERM and there’s a lot of good points which Geethy has raised about the output side or the presentation layer of our audience for the ERM. The root or the heart of this whole data will be the data residing in humanness form. 

Like she was referring to reports and then the score charts and the graphics, as well as some external outputs. But the real concern is that, how much is it possible for automation? And what sort of options do we have when it comes to the ERM? AI definitely is a good, big buzz word, but if we go in deep in AI, there’s a tremendous understanding to be developed about the machine learning and deep learning. 

So we might be lucky if we have a good large amount of data. That by itself is an issue. We need to structure that data in a specific format that can be used through our, let’s say top 10 or top five algorithms, then another aspect come that how we can sort this thing and how we can come up with a presentable format. 

So in the layer, which actually needs to interact with the machines is something very much dependent on existing algorithms which we have. Now, I really want to go with a little bit of introduction for a few of the algorithms which are available in the market. And to be honest, they are providing a great value, not just from research perspective, but we can see the potential of such algorithms in near future if they are not been in production.

For example, we can cherry pick linear regression. It’s one of the best fitted algorithms to give a combination of Y and X as a relationship. Now, if we have a data and there is no relationship over there, there is a tremendous issue. Now, if you have a large amount of data and you have to find the relationship manually or based on the queries, again, it’ll be a serious issue. Now, these algorithm, you must understand they need two main things. 

One is the training of the data and the other is the modeling. They both have been quite a challenge up till now, but with this expectation that we have a well trained data, and we have a well model data. We are going to be using these few of algorithms, which I proposed in certain situations. Obviously not all the algorithms are usable in certain specific algorithm situation. The sea and trees, it’s amazing algorithm.

And I think it is one of the largest usable algorithms which you can use when it comes to presentability. Because if we can somehow train our data that at this particular point you go for these qualifications criteria and then make the [inaudible 00:23:12] and then produce a report for us. Now, ironically, we are not clear about these decision points.

So there is, as Geethy said, that it’s not a magic bullet or silver bullet that everything will be perfectly fine. There is a framework to be developed in order to align and gel with the AI. So the future of the ERM resides in the emergence of AI and AI practices. So it’s not about the algorithm or the smartness of the algorithm.

It is about how we can perfectly merge them. Similarly, there is another important algorithm which is quite usable for us, is random forecast algorithm. This algorithm is very, very much helpful when it comes to forecasting or predictability. As we can see that the risk is the uncertainty in the future. And we right now in this session, we are talking about the future of overall ERM. 

So my gut feeling is that in upcoming times, random forecast algorithm will have a significant value because there’s multiple situation when we need the voting, which is quite a smart technique for us to make a decision based on certain criterias on behalf of maybe your chiefs or maybe your managerial layer and all that, right? 

So once you are quite comprehensive in understanding for the decisions and before that you have this forecasting algorithm with you. Now, it is a good time to go for certain artificial neural networks based algorithms, which are quite helpful in integration and mimicking the human brain side. So neural behavior is something which is very much aligned with what human side of the equation is, or the complex problem which humans solve.

And I think that this ANN like Geethy was saying, we cannot be 100% machine based, and we have a huge dependency of humans. So if we can come up with large data of human behaviors, I think ANN will be a great support for us. Similarly, I see a tremendous value of certain risk categorization from AI perspective. 

Now, once we have our AI data related risk listing, which oftenly can come because of the data quality issues as well, which can also come because of the learning limitations. Now, if we have our good understanding about the learning limitations and the comprehensive framework of the data quality is in place, our AI related risks will be in a different posture. 

Now, there are some attacks which we can predict and propose because of the AI integration with the ERM. We must not forget that AI is not just a blessing. It is as weak as our efforts. So in a near future, because AI will be in evolving stage instead of a mature form for the ERM, we can expect that there will be a smart guy who is definitely going to attack on our data because data is the heart, right? 

So when we are training the data, we can expect somebody’s going to poison that thing. It is called the data poisoning. So it’s not just about achieving the perfection. When there are cost savings, when there are financial gains, there will always be expectation that somebody’s going to come up with some dark side of the equation. And I think that we can predict that training data poisoning will be very much happening. 

Similarly, there is a serious issue with the extraction or theft of the models. Now, imagine you have trained your data for… As you know that the data requires humongous amount of time. We can think of 15 days to 20 days, or maybe 30 days of training in one session, and these are the quantum based equipment, which is going to help us. 

Now after so much effort and time, obviously it’ll be quite a time saving for somebody if we can just steal the model from us. So the straightforward attacks can be expected, predicted on the modeling of the AI based, ERM as well. And similarly, it goes to trust issues about the testing because of the lack of the transparency or inaccurate outputs, or maybe certain other BS. So we may also expect some policy non-compliance. 

So with these categorization and these algorithms, I think that there is both sides which we need to take good care, the productivity or the beneficial side of the AI integration with the ERM and the risks, which will come because of the AI into the ERM side. So I hope I answered the question based on the expectation. Any other point would you like to add Geethy or Riccardo?

Riccardo Bua:

No, I think that you covered really well the opportunities and the challenges with AI and ML are bringing into the picture. I don’t know you want to expand a bit on that Geethy, or should we tackle over the next question that is coming from the forum?

Geethy Panicker:

I would also like to move on to the next question, and maybe we can add on, yea.

Wajahat Raja:

Yes, please. I think there is question number three, which is supposed to be taken, or question number four. I think question number four will be.

Riccardo Bua:

There is question two and three that I would like to sort of merge and tackle if you don’t mind Wajahat.

Wajahat Raja:

Yes, please.

Riccardo Bua:

So I think that there is an ongoing tension into the market. We are shifting from closed system to open system. And that basically means from a technology and framework perspective that we are slowly building an ecosystem of financial institutions that eventually will share similar information, like know your customer scenarios, or potentially even have some sort of information and session sharing with third party, fourth party and fifth party. 

Which inadeptly will drag some challenges in control of the data and how it gets shared in process and was sort of a risk evaluation we can make from the relationship that are established with all those parties. And given the recent geopolitical implication, we fully understand that identifying who our end customer is and why certain operations are performed is critical for the enterprise risk management organization and for the second and third line.

Best set technology can help us there, and that’s where I see also a potential reply to question number three. All those information historically were stored into large mainframes of entry. Now, we are moving into a sort of on premise large data center, as it was mentioned, that have huge requirements in terms of storage and also of processing activities. 

But when it comes to the most advanced options nowadays, we are seeing cloud being adopted and potentially the elasticity of the cloud allow for different purpose and utilization of the same information within the cloud. And also potentially sharing the same cloud structures among different players would allow yet again some sort of redistribution to the load that is coming from storing such information on to the overall footprint of the organization and over potential resources that are available to tackle the specific peak of activities and so on.

So in that sense, I think that the cloud adoption will surely move us towards that kind of scenario, and it would implicitly also expand the reach of technology like the distributed ledger and the entire blockchain scenario where we would move away from storing information into some sort of multiple formats by having a distributed way of processing them, and eventually being reconciled at a ledger. 

So all of that should reduce the manual interaction between the different actors, should allow as well a better monitoring in terms of how the data will flow across the different parties where sort of validation will be done on to those operation. 

And eventually, allow over time us to perform a risk assessment on to the different parties that would eventually participate into such activities, hence sort of blurring the line between third and fourth, fifth, and more end part relationship towards a distributed ecosystem with multiple actors that eventually will participate into a so-called smart transaction or smart contract to perform an operation that will be validated for its compliancy across the system, and eventually bring the easiness of doing attestation for certain activities.

And I do see the potential of such scenarios for digital currencies and what sort of systems that eventually will still involve a large amount of transitions that can be all machine based and validated rather than having an immediate human interaction. I don’t know if you have any additional points that you want to raise on this Geethy.

Geethy Panicker:

I want to add to the last point, which was any thoughts on additional burden with respect to ESG goals and regulatory compliance. So over the last two, three years, the global regulators have issued ESG, enhanced ESG guidelines, or write the mandatory optional, but with an extended timeline over these to 2022, 23, some going even beyond.

Some are in the draft state, some are in consultation phase. But globally, the trend is that most of the major regulators have announced ESG regulation for the financial industry, both banks, insurers, and others as [inaudible 00:34:31] companies, at least. And there are global correlations and alliances, which also demand voluntary enhanced disclosure standards, compliance standards, et cetera.

So whether it’s coming from the regulator or self-imposed or because of imposed governmental or other alliance imposed, the ESG as a core purpose of, or core strategy is going to be there in every bank or every financial institution, because ultimately it’s a matter of survival for the mankind and bank financial institutions, such as part of the overall global citizens in that sense. So it’s going to be a core purpose and strategy. 

And to that extent, many organizations don’t view it as a regulatory compliance cost. They are also viewing it as an opportunity because on one side when we have to comply, the corporations are also end up tremendous pressure or the borrowers or customers are also under tremendous pressure to transition to a net zero or a improved carbon footprint position for their own business survival competition, as well as the typical risk that they might be facing in their different geographical location. 

So there are tremendous opportunity to finance and support them in the transition, which will partly offset the reductions that we need to do on those high risk sectors where financed exposures are there. In addition to that, banks and FIs will have to enhance a lot of internal aspects, like one, the governance requirement to focus on the ESG transition implementation of the guideline. 

The second is setting risk appetite and key rise to monitor current exposures with future exposures [inaudible 00:36:18] different risk types, the wholesale, the retail, the resilience risk exposures, our own performance of impact assessment, et cetera, and client assessment. So there’s a lot of technology required and AI is tremendously helping in that space. 

Again, ESG being relatively new, particularly their climate risk, all banks are not same level of maturity. Hence there is a tremendous amount of data challenges on clients’ exposure to these risk and in a structured manner. So that’s where vendor strategy comes into play, and which is also added cost in that angle.

But in the long run, banks and FIs will build this data through questionnaires and additional submissions. And that’s where you can aid the client, use AI to give their enhanced their disclosures and thereby aid us in our data, enriching our data. And on top of which AI can aid in improving our ESG scores, which will eventually be integrated with credit scores, and you might even see a combined score for credit assessment. 

All of this will require technology to aggregate various information sources, internal, external, and including unstructured and bring in meaning to the analyzer or the risk to what that clean profiles are these, portfolio profiles are these, and you aggregate entity wide profile are this. And ESG is one key area where most of the technology, be it blockchain, AI, are aiding in all facets.

Wajahat Raja:

Absolutely, excellent. I think Geethy, there are a few more challenges which we need to consider apart from the emergence of it. Now, we have realized that there is ERM data, which has been quite significantly large in size. And at the very same time, there will be new data born because of ESG. Like you have a tremendous scope. 

Now, this having this whole chunk of data in the cloud requires a tremendous amount of cloud native services. It requires processing huge amount of data at very costly services. That means it’ll be an expensive venture. So it also has a privacy side of the equation which requires an attention. So this will be a tremendous challenge, how we are going to protect this data about the encryption, about the transitional security, about the tokenization, [inaudible 00:38:54].

And then there are data companies which are acting as a broker in between. So a huge ecosystem is there. Now this adds into the complexity. So not just the financial side or the privacy, there is a complexity as well, which is supposed to be handled well and managed. Complexity, not just in integration of the technologies, but also from the customer’s perspective, how we can bring it into ease.

And then there is a serious lack of legal aspect about the adoption of AI when it comes to ERM. So that ethics side of the AI and the governance side of the AI and AI assurance services is going to be a tremendous value over here. 

After the challenges, I feel there is a role of AI assurance services in AI governance for ERM and ESG, which is not quite significantly understood because there are lots and lots of authorities in every countries and the regulators which are there to ensure the governance side and particularly adoption of the AI. 

So assuming that there are regulation in the development countries, like there was a question about comparative study between Western and non-Western, this is a major differentiation factor. This is a major issue to overcome. That the highly regulated countries have also certain legislative issues. And that’s where the assurance services can add value so that we can support those regulations and compliance issues. 

Self-assessment for example, certification rating systems, audit nonconformities and certification and the confirmative assessments. And then there are some audits and options certification. They can assure that whether we are compliant with these governance requirements or regulatory requirements or not. 

But above all, what I realized is that adoption of AI requires a very systematic way of life cycles. For example, it all starts with ideation stage. I think this is the fundamental issue where we all lose track of that we actually have a very vague sort of requirement when it comes to adoption of technologies for ERM or for the native ERM.

And if we can handle this ideation on the filtering stage, well, based on some project management methodologies like prioritization and the portfolio management, it leads us towards the data scoring because that’s where the real meat is. The data by itself, there’s so much in, and if not unstructured from it, it is coming from multiple channels and multiple sources.

So we not only need to sort that and to make it qualitative, but we also need to score it. So I feel the scoring is a lifeline when it comes to the adoption of such technologies for the data. Then it comes through the model development. Now, as we have discussed, there are lots and lots of algorithms available, but upon which model are they going to be useful?

So ML is a new way of handling these things and it’ll help us big time. AI operations is going to help us in handling regulatory limitations as well as certain business process adoption in it. Monitoring after the development of the model and the scoring of the data and ideation stage passing, monitoring is the key essence towards the risk management tools, which we can ensure in integration of the AI.

I personally see a lot of use cases of this process which we can adopt. For example in security side or the privacy side, there is a very straightforward requirement of threat analysis and management to be enhanced and enriched because of the AI adoption, ML ops adoption, deep learning adoption or algorithm adoption.

Once you have a good understanding of threat analysis, then you can be satisfied about risk reduction part of it. Risk reduction, it will totally, if not totally, highly relying on the input we are getting because of these algorithms through the data. An excellent use case is about the fraud detection and the fraud reduction, but that’s the ultimate objective or outcome which we should be targeting.

You have comprehensive ERM risk registers already established in your organizations. And I believe the anti-fraud management systems are one of the most expensive systems despite that they are not using any anomaly behavior as of today. So I call them first generation of fraud management systems. And it’s the frauds which are happening in financial sector and touching nearly a trillion.

That’s a huge amount. I believe that in near future, the ERM and the use cases for the ERM and the adaptability of the AI will be pushed or motivated because of the fraud management, fraud detection as a use case. Data classification, serious nightmare even as of today and the data which has been scored previously, how we are going to merge it with our new use cases.

I think with these notes, I would try to sum up this session by saying thank you to everybody who has contributed. And at the very same time, I would welcome one or two questions, if we can quickly reply to them, or we will just summarize.

Riccardo Bua:

Wajahat, I like to expand on your last point about the algorithm and try to tackle the question five that came from the forum. When it comes to practical business perspective and academia world, I think a lot of the academia activity and research is focused on finding the so-called perfect algorithm.

And that’s part of the challenge that we find as at least practitioner where we would focus on eventually identify the real risk that is exposed to the enterprise and try to understand what is the most cost effective way of tackling it, rather than finding the perfect response, the perfect identification and the perfect assessment. 

If we are striving for that kind of perfection in our daily activity, that’s going to be a challenge. And for sure, for somebody coming from the academic world, sometimes it might be a bit of a challenge to adapt to the request of the business.

All the kind of ongoing and overlapping requests that you get while processing all those different risks, especially at times when you have all those black swan events like pandemic, war and so on, that might impact onto the overall risk appetite of the organization or some scenarios like the one that we recently saw with crypto sell off.

I mean, there are potentially a lot of situations where you need to tackle it with a bit of a pinch of salt and some understanding of what is happening to a broader view rather than focusing so much onto the algorithm.

At the same time, the rigor and the analysis that we need to perform in our daily activities should be similar to the one that we would find into an academic world. And that’s my last comment on the session. It was a pleasure working with you all. Geethy, do you have anything to add?

Geethy Panicker:

Just two quick points. One on the question number five again. What is a disconnect with respect to academy and practitioners? Or what you will actually see live in our real life? There’s a lot of relationships assumed in our research and about interconnectedness between various risk. Or if this scenario happens, this is a likely outcome. If the inflation goes up, this is likely. 

Or if economy goes down, this is likely, yeah. So while some of those assumptions will hold true, the developments in the new world which you all are seeing, the geopolitical issues or pandemic, we saw a lot of such traditional established relationships between risks break down, new forms of correlation or not at all, no correlation happening.

In fact, the reverse were observed in modeling or outputs of model. Best example is credit. Whereas the default rates were supposed to go down, go up substantially in the pandemic because of the response of the regulators and the scheme, support schemes. We didn’t see a spike in those default relationships. 

And hence it was a huge challenge for modelers who were much more focused on the theoretical, and they developed these models with the theoretical background. So that’s where you must keep an open mind to understand and think a little forward rather than drawing conclusions from the backward and the history and connect the dots which are emerging theme, et cetera, which are not quite done during the research, which is mostly focused on backward information, available information. 

So that’s the first point. And last point I wanted to say, ERM will definitely evolve with all these technologies. And you will see in the enterprise multiple technologies co-existing with the legacy system, which itself is a change management risk for the ERM professionals. So what can professionals like us do? First of all, understand each of these technologies in standalone basis and in aggregations. 

So you will see a lot of solutions where AI, blockchain and IoT coexist, and sometimes doing future banking surveys or financial service will be on metaverse, which is like a cocktail of all these solutions. So how do you manage risk in that? First of all, you should have a broad understanding of this as a risk, as well as an ERM professional.

And then you’ll be able to connect the dots of technology risk and make the risk profile more meaningful for your organization. So that’s where you should focus upskill and also share your knowledge that you are developing and look forward and connect the dot backwards. So that’s my last word. I think we have lost Wajahat.

Riccardo Bua:

So I want to thank the audience for the relevant and interesting questions. And it was a pleasure attending this one. I hope that we brought you some perspective and some greater visibility into the challenges that we are facing day by day, and that there was some sharing that was useful to you into your day by day practice. 

I definitely welcome this conversation with Geethy and Wajahat. It was a pleasure discussing and interviewing this topic with you. And I’d like to thank GRC World Forums for giving us this opportunity and organizing such an interesting session with those kind of topics. Geethy, from your side?

Geethy Panicker:

Thank you. Thanks to my fellow panelists, Riccardo and Wajahat. And thanks a lot to the audience who were patiently listening to us. I would like to hand back to Rob.

Robert Bateman:

Thanks so much both of you and to Wajahat as well who we lost at the end there, but a very insightful discussion there and a great way to wrap up what has been an excellent day of content. Thanks so much to the audience for joining us here at PrivSec Focus Enterprise Risk Management. Just a few words now to close the conference. 

I hope you found these sessions helpful. Throughout the day, we’ve seen debates covering a wide range of perspectives on enterprise risk. We’ve also had the opportunity to seek answers to the burning questions we’ve had from thought leaders in this space. If you want to attend more events like this, we’ve got plenty coming up.

So here’s a quick reminder of some of the events we’re highlighting now at GRC World Forums. PrivSec Focus, GDPR four years on, that’s the 25th of May. So this time next week. That’s a one day virtual event. Digital Trust Europe, which is taking place in London, Dublin, and Amsterdam in June and July respectively. 

And then we should be in Stockholm and Brussels in September. PrivSec Global, which is our premier online event taking place on June 29th and 30th this year. And #RiskInLondon on November 16th and 17th at the Excel. That’s an in-person expo, which will have a lot of content on risk data protection and other related areas. 

So thank you again for attending today everyone. Go to our website for information about all those other events. A big, big thank you to our sponsors, OneTrust and ServiceNow for helping us make this event happen. And of course, to all our panelists, moderators.
