researchHQ’s Key Takeaways:
- In an interconnected global cloud system that is constantly evolving and under threat, dynamic and flexible risk identification, prioritisation & management is essential.
- An organisation’s assessment of risk should be aligned with its current values, strategies and capabilities and with the competitiveness of its environment.
- Effective risk management ensures rapid, well-planned responses to today’s numerous threats.
- Building a fortified enterprise-wide risk-management capability and culture, and establishing daily best practices, will help organisations manage risk in today’s evolving threat environment.
The world is changing in fundamental ways, leading to dramatic shifts in the landscape of risks faced by businesses.
Beyond the profound health and economic uncertainty of our current moment, catastrophic events are expected to occur more frequently in the future. The digital revolution, climate change, stakeholder expectations, and geopolitical risk will play major roles.
The digital revolution has increased the availability of data, degree of connectivity, and speed at which decisions are made. Those changes offer transformational promise but also come with the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital connectivity and social media, reputational damage can spark and spread quickly.
The changing climate presents massive structural shifts to companies’ risk-return profiles, which will accelerate in a nonlinear fashion. Companies need to navigate concerns for their immediate bottom lines along with pressures from governments, investors, and society at large. All that, and natural disasters, too, are growing more frequent and severe.
Stakeholder expectations for corporate behavior are higher than ever. Firms are expected to act lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on social issues, such as those fueling the #MeToo and Black Lives Matter movements. Employees are increasingly vocal about company policies and actions. Regulator and government attention is reflecting societal concerns in areas ranging from data privacy to climate.
An uncertain geopolitical future provides the backdrop for such pressures. The world is more interconnected than ever before, from supply chains to travel to the flow of information. But those ties are under threat, and most companies have not designed robust roles within the global system that would allow them to keep functioning smoothly if connections were abruptly cut.
Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly. The level of risk-management maturity varies across industries and across companies. In general, banks have the most mature approach, followed by companies in industries in which safety is paramount, including oil and gas, advanced manufacturing, and pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal. The following discussion describes the core of dynamic risk management and outlines actions companies can take to build it.
The core of dynamic risk management
Dynamic risk management has three core component activities: detecting potential new risks and weaknesses in controls, determining the appetite for risk taking, and deciding on the appropriate risk-management approach (Exhibit 1).
Detecting risks and control weaknesses
Institutions need both to predict new threats and to detect changes in existing ones. Today, many companies maintain a static and formulaic view of risks, with limited linkages to business decision making. Some of these same companies were caught flat-footed by the COVID-19 pandemic.
In the future, companies will require hyperdynamic identification and prioritization of risks to keep pace with the changing environment. They will need to anticipate, assess, and observe threats based on disparate internal and external data points. Dynamic risk management will require companies to answer the following three questions:
- How will the risk play out over time? Some risks are slow moving, while others can change and escalate rapidly. Independent of speed, risks can be either cyclical and mean reverting or structural and permanent. Historically, most firms have focused on managing cyclical, mean-reverting risks that go up and down with macroeconomic cycles; credit risk in financial services is an example. For such risks, the fundamental long-term economics of business lines have held firm, requiring only tweaks through the cycle. However, the traditional principles of trajectory and cyclicality of risks are becoming less relevant. The global economic shock caused by the COVID-19 pandemic has demonstrated that many companies were not prepared for events with profound and long-lasting impact that could fundamentally change how business is conducted.
- Are we prepared to respond to systemic risks? In today’s world, risk impact can go well beyond next quarter’s financial statements to have longer-term reputational or regulatory consequence. Institutions must also consider whether the event triggering the risk has broad implications for their industry, the economy, and society at large—and what that means to them. The COVID-19 pandemic has had direct impact on most companies but has also meaningfully shifted the global economy and societal terrain. Companies should consider whether they have the controls, mitigants, and response plans in place to account for worst-case-scenario, systemic risks. For example, as companies house more personal data, the risks associated with data breaches become more systemic, with the potential to impact millions of customers globally. These firms need to consider proactively how to protect against and react to such breaches, including by working with external stakeholders, such as customers, law-enforcement agencies, and regulators.
- What new risks lurk in the future? Companies will need to cast nets wide enough to detect new and emerging risks before they happen. Traditional risk-identification approaches based on ex post facto reviews and assessments will not suffice. Most institutions have not had historical losses linked to climate change, and many have not encountered significant reputational blowback from being on the wrong side of a social issue. Institutions will need to work across business and functional divisions to maintain forward-looking, comprehensive taxonomies of the fundamental drivers of their risks. To get a real-time view of those drivers, companies should look to internal performance metrics, external indicators, and qualitative views of what business leaders see in their day-to-day work. Scenario-based approaches and premortems also play a critical role by letting leaders play out what might go wrong before it does.
Determining risk appetite
Companies need a systematic way to decide which risks to take and which to avoid. Today, many institutions think about their appetite for risk in purely static, financial terms. They can fall into the simultaneous traps of being both inflexible and imprudent. For example, companies that do not take sufficient risk in innovating can lose out to more nimble competitors. But at the same time, companies that focus on purely financial metrics can unwittingly take risks—for example, with their reputation by continuing a profitable business process that runs counter to societal expectation.
In the future, companies will need to set appetites for risk that align with values, strategies, capabilities, and the competitive environment at any given time. Effective enterprise risk management will help them dynamically delimit risk taking, directly translating financial and nonfinancial principles and metrics into a concrete view of what the firm will and will not do at any given time. Companies will need to be able to answer the following three questions:
- How much risk should we take? Rapid changes can quickly uproot companies’ risk profiles. They will need to adjust their risk appetites to accommodate shifting customer behaviors, digital capabilities, competitive landscapes, and global trends. For example, many companies that categorically refused to use the cloud five years ago are migrating to cloud-based storage and software solutions today, driven by improved technology and security. Geopolitical instability has the potential to increase counterparty and currency risk considerations for the travel and infrastructure industries when considering engineering, procurement, and construction contracts for megaprojects lasting several years. The COVID-19 pandemic has sparked pharmaceutical companies to consider afresh which risks they are willing to take to develop and produce treatments quickly.
- Should we avoid any risks entirely? Companies will want to draw some clear lines in the sand: no criminality; no sexual harassment of employees. But for many risks, the lines are not clear, and each company will need a nuanced perspective built on a strong, objective fact base. For example, will risk drivers such as climate change render risks in certain businesses fully untenable (for example, developing real estate in certain coastal regions)? Or should the reputational risk of being caught in the middle of highly charged environmental and social-responsibility issues drive a company out of certain business segments altogether (for example, in the way some retailers made the decision to stop selling guns)? Companies will need to develop views on such questions and update them continuously as their environments and corresponding fact bases evolve.
- Does our risk appetite adequately reflect our control effectiveness? Companies are more comfortable taking the risks for which they have strong controls. But the increased threat of new and severe nonfinancial risks challenges status quo assumptions about control effectiveness. For example, many businesses have relied on automation to speed up processes, lower costs, and reduce manual errors. At the same time, the risks of large-scale breaches and violations of data privacy have increased dramatically, heightening during the COVID-19 crisis as digitization accelerates substantially across many industries. With less risk of manual errors but greater risk of large-scale failures, institutions will need to adjust their risk appetites and associated controls to reflect evolving risk profiles.
Deciding on a risk-management approach
Firms need to decide on how to respond as they detect new risks or control weaknesses. Today many rely on linear, committee-based governance processes to make decisions about risk taking, slowing their ability to act.
In the next normal, however, institutions will need to make risk decisions rapidly and flexibly, laying out and executing responses, whether immediate or prolonged, about how to avoid, control, or accept each risk. The decisions should actively engage leaders from across an organization to determine the mitigation and response efforts that have worked well in the past, as well as those that have not. In that way, the organization can develop the ways it manages risks in today’s world. Companies will have to be able to answer the following questions:
- How should we mitigate the risks we are taking? Historically, many companies have relied heavily on manual controls and on human assessments of control effectiveness. That approach can generate excess, costly layers of controls in some areas while leaving gaps or insufficient controls in others. Today, the art of the possible in defending against adverse outcomes is rapidly evolving. Automated control systems are built into processes and detect anomalies in real time. Behavioral nudges influence people to act in the right ways. Controls guided by advanced analytics simultaneously guard against risks and minimize false-positive results.
- How would we respond if a risk event or control breakdown occurs? In the event of a major control breakdown, companies need to be able to switch quickly to crisis-response mode, guided by an established playbook of actions. Most companies have done little to prepare for crises, seemingly taking an attitude that “it won’t happen here.” However, in the evolving world, firms will need to build crisis-preparedness capabilities systematically. As the COVID-19 crisis has demonstrated, companies with well-rehearsed approaches to managing through a crisis will be more resilient to shocks. Preparation should involve identifying the possible negative scenarios unique to an organization and the mitigating strategies to adopt before a crisis hits. That includes periodic simulations involving both senior management and the board. Companies should maintain and periodically update detailed crisis playbooks. Their strategies should include details on when and how to escalate issues, preselected crisis-leadership teams, resource plans, and road maps for communications and broader stakeholder stabilization.