Companies Face Evolving and Escalating Risk Areas in 2016, KPMG's Kelly Watson Says


KPMG has identified seven key strategic risks that companies and chief risk officers (CROs) face this year. KPMG partner Kelly Watson recently responded to questions from Bloomberg BNA's Yin Wilczek on the most pressing risks that companies must tackle, including risks arising from technology and third parties.

Kelly Watson is a partner and the National Service Group Leader of KPMG's Risk Consulting Services for the U.S. and the Americas, leading a team of partners and professionals who provide the risk and compliance insights organizations need to protect themselves and grow by helping them transform risk and regulatory compliance into competitive advantage. Kelly previously served as Office Managing Partner of KPMG's Short Hills, N.J., office where she was responsible for leading market development efforts across all functions in New Jersey. She has over 27 years of global auditing and advisory experience serving the pharmaceutical, biotechnology and industrial product industries.

Bloomberg BNA: What do you see as the most pressing risks this year that companies must address?

Watson: The key risks that we have identified are consistent with what has been top of mind for CROs, the C-suite, general counsel and the board in recent years. However, some more complex and evolving risk areas including data security, technology risk management and crisis management have been recently escalated. Companies are connected to more organizations than ever and must have a clearer understanding of how their partners and third parties are using and protecting their information, which has driven the heightened data security focus. Greater emphasis is also being placed on data security as attackers become more sophisticated and discover new ways to infiltrate networks, along with recent increased concerns around insider threats. The focus on technology risk management has increased as companies face new risks from adopting emerging technologies such as mobility, social media, connected devices, and cloud computing.

Regarding the elevation of crisis management on the CRO's agenda, while organizations have always faced the possibility of critical or catastrophic events in some form, as companies are now more connected and global, they face even greater threats of disruption to business operations from man-made or natural disasters ranging from cyber-attacks to supply chain disruptions stemming from geopolitical turmoil. And, because organizations are more interconnected, complexities can occur now in a more widespread and rapid fashion in the aftermath of a crisis.


Bloomberg BNA: What do you see as the most important step risk officers must take to protect their companies from risk this year?

Watson: Companies operate in a complex and increasingly global marketplace and the risks that exist within this environment are equally complex and many cannot always be predicted. To survive and thrive in this environment, it is essential to have an integrated and proactive risk management program in place that reaches across the organization. This entails having a well-established risk management process dictated by a defined risk appetite that is understood and agreed upon across the organization. It is also critical that strong oversight and controls are in place. The CRO should help the company identify all risk areas, formulate a strategy and plan to mitigate them to the greatest extent possible and monitor the company's progress against those plans.


Bloomberg BNA: As regulators continue to promulgate new requirements, how do companies ensure they are effectively keeping track of the mounting requirements?

Watson: Faced with ever-changing regulatory challenges, some organizations see a strategic opportunity to not only focus on how to comply with existing regulations, but on how to reassess and transform their compliance functions in anticipation of future regulatory developments. This starts with a strong compliance culture with the tone at the top of the organization that reaches across the three lines of defense (the first line is responsible for business monitoring, the second line is responsible for oversight monitoring and the third line is responsible for internal audit).

With clearly defined roles and responsibilities, each line of defense plays an important role within the organization's overall compliance program and activities. An organization also needs to ensure that it has the ability to quickly understand the impact of changing regulations on it, as well as the impact that evolving business processes in an increasingly digital world may have on its continued ability to comply with existing regulations.



Bloomberg BNA: What do you see as the hallmarks of a good corporate compliance program?

Watson: To develop “good corporate compliance programs,” organizations should be, and are, first taking a thoughtful step back to judge the effectiveness, efficiency and sustainability of their compliance practices within their business, risk and internal audit areas. They are increasingly taking inventory of compliance obligations and requirements and making sure that they have the processes and controls in place to effectively comply with these requirements. They are then aligning these requirements with their risk assessments as well as ensuring that they have the proper personnel and skills to handle them. Furthermore, they are working to ensure that their policies and procedures, communication and training, and regulatory monitoring and testing are designed to proactively manage and effectively comply with these obligations. It is crucial that organizations move beyond what is required of their compliance programs to what is expected based on their size and complexity.


Bloomberg BNA: Do you see any emerging issues this year that could introduce new risks for companies?

Watson: One emerging area of risk that we are seeing is in the area of insider threats. While the U.S. government has been focused on this for some time, companies now appear to be waking up to the reality that insiders within their organization can also pose a tremendous risk to their corporate assets. Many forward-thinking clients of ours are now starting to build out insider threat programs to more proactively manage and monitor this risk.

We are also seeing emerging issues within certain industries that are creating new risks for companies including:

  • Health Care & Life Sciences:
    • Data security has emerged as a significant matter for health-care and life sciences organizations, since the depth of information generated during medical care makes it a ripe target for hackers. Health-care providers have traditionally underinvested in data protection since their priority is to invest in equipment that saves lives. When there is an instance of a breach, health-care managers need to shift into crisis response mode. Scenario planning for a data breach is an important element to ensure you contain the problem and properly address each of the stakeholders—patients, clinicians, employees, trustees, regulators, media and the community at large.
    • Among life sciences companies, regulatory compliance continues to be one of the most complex fields. Drug and medical device makers have stringent rules that run the gamut from the development of drugs and clinical trials through the marketing to physicians and the public. Globalization of the drug industry has added a layer of complexity here since international rules need to be considered in the supply chain of manufacturing drugs as well as how they are marketed.
  • Energy:
    • As oil prices hover near multiyear lows, the energy industry is challenged to control its spending and still achieve appropriate levels of IT risk management (ITRM), governance, and assurance. Security concerns from corporate espionage and state-led attacks have increased. At the same time, IT is becoming more complex, IT investment projects run afoul, IT third parties require more oversight, and pressure from regulators, investors, and auditors is on the rise. These concerns should prompt the industry to consider making strategic investments in ITRM models to help define a company's risk appetite and properly manage risk.
    • Today, the dominating regulatory forces at work in the energy industry are regulatory changes related to environmental issues, national and state regulatory matters, criticality of infrastructure protection and cybersecurity. In particular, regulation will play a larger role as the construct of the U.S. generation infrastructure evolves. Energy executives must consider how their business models and regulatory departments will be affected as regulations are tightened and the industry continues to shift.
  • Financial Institutions:
    • While some progress has been made by financial institutions in developing more robust, effective, and efficient risk and regulatory reporting, the process of complying with Risk Data Aggregation and Reporting principles is still unfinished and the application of Basel Committee on Banking Supervision (BCBS) 239 remains inconsistent among financial institutions. Increasingly, regulators are expecting the first and second lines of defense to take ownership of risk data and closely align with their underlying IT and/or operations infrastructure.
