Low-Code/No-Code Risk Management: Who’s Responsible?

New vulnerabilities and risks to enterprise data's accuracy, timeliness, and business value of enterprise data are multiplying rapidly. This is mainly because enterprise deployments of generative AI and other low-code/no-code technologies are growing explosively, often with little or no oversight by IT. The resulting transformations require new risk management approaches, including replacing traditional informational and operational silos with active, continuous collaboration. This is especially true for banks and financial institutions, given the criticality and personal nature of the data they employ daily.

Low-Code/No-Code: Why Risk Management Must Change

Gartner estimates that by 2024, at least 80 percent of those building applications with low-code/no-code technologies, such as generative AI, will come from departments outside of IT. This compares with 60 percent of such users in 2021. However, this robust growth presents significant risk management challenges, as many of these deployments also take place without being vetted by enterprise policies for data protection and security.

Gartner also predicts that by 2027, at least half of all investments in low-code/no-code technologies will focus on what the firm calls “packaged business capabilities,” or PBCs. However, this compares with only 5 percent of those investments used to create PBCs in 2021. PBCs are key elements of what Gartner calls “composable businesses,” digital enterprises that can adapt and reconfigure themselves as needed in response to market shifts or new business goals. The rise of branchless banking is a clear example of this trend.

All of this means the growth of generative AI and other low-code/no-code technologies will likely continue indefinitely and that those technologies will continue gaining new features. This means strategies and tactics for risk management must evolve almost continuously to keep pace with the data and resources being protected.

How Risk Management Must Change

At many banks and financial institutions, a chief risk officer (CRO) oversees risk management efforts. However, not all CRO roles are created equal. For example, some focus primarily or exclusively on financial or operational risk. But that leaves an important question unanswered: who is mainly responsible for protecting the data that drives the business?

Depending on the company, it could be a chief data officer (CDO), a chief security officer (CSO), a chief information security officer (CISO), or a chief information officer (CIO). Of course, it could also be someone who reports to one of these roles or even no one at all. And at some companies, a chief digital officer (a second CDO) is responsible for driving digital transformation, which includes at least partial responsibility for data trustworthiness.

Whatever specific roles and titles exist at your organization, the specifics of each role must be reevaluated given the changes being fomented by low-code/no-code technologies. This is because effective risk management will require cross-functional collaborations, some or all of which may be new to your organization or its leaders. For example, guardrails to protect enterprise data may be created by IT. Still, they must be vetted by HR and Legal to ensure the protection of both data and personal information, and privacy. In addition, requirements for compliance with relevant laws, regulations, and best practices must also inform those guardrails.

What You Need To Do Now

Foster collaboration. At many organizations, those in roles directly related to risk management often operate in silos, sharing information or collaborating only when required or commanded to do so. Strategies and policies must be implemented or modified as needed to change this. No individual person or department can deliver effective risk management in isolation. And while executive leadership support can be valuable here, edicts “from above” will not make collaboration happen. Depending on the organization, new technologies, meeting and reporting policies, and other operational changes must all be considered potential enablers of the collaboration needed to deliver effective risk management.

Create a collaborative, risk-averse culture. Low-code/no-code technologies are already proving to be at least as disruptive to the corporate status quo as the rise of hybrid workstyles. And those responsible for low-code/no-code risk management must improve collaboration to succeed, as their colleagues responsible for hybrid work management are trying to do.

In a 2022 survey, The Hackett Group asked hundreds of respondents across multiple business departments to cite the one change they saw as most likely to improve connections among colleagues and with the organization. The top five categories cited by respondents are shown in the figure below.

Strategy and policy, listening and communicating, and building a shared culture focused on risk mitigation are as essential to effective collaborative risk management at your bank as they are dealing with hybrid work.

Leverage automation to enhance collaboration. Your bank can only manage or mitigate the risks associated with low-code/no-code technologies if it knows everything about those deployments and the data they consume, manipulate, and produce. Risk management leaders and their teams must ensure technologies and processes are in place that automate this information collection and reporting as much as possible. Manual processes simply cannot keep pace with the rate of change instigated by low-code/no-code adoption. Automated tools and processes will allow all responsible for risk management to stay informed and current on deployments.

Banks and other financial institutions need technologies and processes that enable them to achieve these goals rapidly and to sustain them in the face of rapid and difficult-to-predict changes. This approach will help your bank to mitigate the risks and maximize the business benefits of its low-code/no-code deployments today and in the future.

Diane Robinette is President and CEO of Incisive Software Corp.