The Inevitability of Business Risk
A company is vulnerable to business risk when circumstances arise that could diminish profits or even lead to insolvency. We’re all familiar with the certainties of death and taxes, but what about risk? Indeed, risk is as much a part of our lives as these other constants. This was vividly highlighted during the COVID-19 pandemic, as we all had to continually re-evaluate our personal risk profiles in response to each new wave of the virus and the disruptions it caused. The business world is no different: corporate leaders and organisations have varying degrees of risk tolerance and strategies to mitigate it.
The Origins of Business Risk
So, where does business risk originate? Initially, external elements can severely disrupt a company’s well-thought-out strategies. These external factors can range from inflation and supply chain issues to geopolitical instability and unforeseen ‘act of God’ events like pandemics or environmental catastrophes. Other risks include competition, reputational damage, and even cyber threats.
Internal Risks and the Importance of Preparedness
However, sometimes the danger lies within the organisation itself. Poor decision-making by executives, leaks of sensitive information, and most critically, missed opportunities can all jeopardise a company. We’ve seen it time and again: companies that fail to embrace disruptive technologies risk falling behind more agile competitors. In our modern world, marked by increasingly frequent social, economic, and environmental upheavals, it’s crucial for organisations to adopt dynamic risk management strategies. This involves anticipating new risks, recognising shifts in existing risks, and formulating thorough action plans. While there’s no one-size-fits-all solution for navigating crises, a robust risk management plan is often the only safeguard against disruptions to vital business operations.
The Three Pillars of a Comprehensive Risk Management Strategy
A resilient risk management strategy can be distilled into three core elements: identifying emerging risks and evaluating existing safeguards, gauging the organisation’s willingness to take on risk, and selecting the most suitable risk management tactics. Below is a detailed look at each of these steps and how to execute them.
Identifying Risks and Evaluating Safeguards
A static risk strategy is a recipe for disaster, especially when unforeseen events, such as pandemics, occur. It’s crucial to adopt a proactive stance. To adapt to evolving circumstances, organisations should address these three key questions for each risk pertinent to their operations:
How Will Risks Evolve? Risks can either be fast or slow-moving and may be cyclical or enduring. Regularly re-assess how existing risks are likely to develop.
Are We Equipped for Systemic Risks? Risks are increasingly having long-term reputational or regulatory impacts, affecting not just individual companies but entire industries and societies. Your risk strategy should encompass these systemic risks.
What Future Risks Are on the Horizon? Traditional methods based on past data are no longer adequate for identifying future risks. Companies need to innovate their risk identification processes.
Gauging Risk Tolerance
How can organisations systematically decide which risks to embrace and which to sidestep? The appetite for risk should align with the organisation’s values, capabilities, and the broader societal context. Consider these three questions:
What Level of Risk is Acceptable? Regularly update your risk profile in line with changing customer behaviours, technological advancements, competitive dynamics, and global trends.
Which Risks Should We Completely Avoid? Some risks, like criminal activities or harassment, are non-negotiable. Others, like economic instability or environmental concerns, will vary based on the organisation’s specific risk tolerance.
Do Our Safeguards Reflect Our Risk Tolerance? While companies may be more willing to take risks they feel they can control, the growing prevalence of severe risks like data breaches challenges traditional notions of control effectiveness.
Selecting a Risk Management Tactic
Lastly, organisations must determine their course of action upon identifying a new risk. This decision-making should be agile and involve leadership from across the organisation. Here are three guiding questions:
How Do We Mitigate Risks? Human judgement should be the cornerstone, but automated systems can supplement these efforts. For instance, analytics can help in quantifying risks and reducing false alarms.
What’s Our Crisis Response Plan? Companies should have a well-practiced crisis management playbook to swiftly switch gears when threats materialise.
How Can We Foster Resilience? Truly resilient organisations not only survive threats but thrive through them. This resilience is built on a foundation of diverse skills, innovation, and a culture that encourages peak performance.
Change is the only constant. A robust risk management strategy not only prepares for potential risks but also undergoes regular evaluations to remain effective.
Learn more about New World Norm’s Risk and Resilience Practice.
Five Steps to Building a Dynamic Risk Management Strategy
Gone are the days when risk management was seen as a mundane topic, irrelevant to competitive edge. In times of acute or sudden risk, a robust risk strategy is not just about staying competitive—it’s about survival. Here are five proactive measures leaders can adopt to bolster their risk management capabilities.
Re-Envision Risk Management Goals
Start by setting clear objectives and defining your organisation’s risk tolerance. Risk managers should engage in meaningful conversations with business leaders to gain insights into how various departments perceive risk. This dialogue can help in crafting informed decisions on risk versus reward, as well as identifying the resources available for effective implementation.
Adopt Agile Risk Management Approaches
As risks become increasingly unpredictable, agility in risk management is paramount. This involves creating cross-disciplinary teams that are authorised to make swift decisions on risk innovation and management.
Leverage Data and Analytics
The digital age offers a plethora of tools to enhance risk management. Utilising data from both traditional and unconventional sources can enrich an organisation’s risk understanding. Algorithms can further improve error detection and provide more precise forecasts.
Cultivate Future-Ready Risk Talent
Risk managers of the future will require a new set of skills, including expertise in data analytics, technology, and model risk management. These skills will enable them to better understand the evolving risk landscape and offer effective guidance to their organisations.
Strengthen Risk Culture
Risk culture encompasses the attitudes and behavioural norms that shape an organisation’s approach to risk. A strong risk culture enables quick and effective responses to emerging threats.
The Role of Scenarios in Understanding Uncertainty
Effective scenario planning allows leaders to transform abstract theories about uncertainties into tangible future visions. Scenarios offer four key benefits:
Expand Your Mindset: Scenarios help in envisioning a variety of possible outcomes, preparing us for a range of future possibilities.
Illuminate Likely Futures: Comprehensive scenario planning can highlight key change drivers, aiding in the prediction of likely future events.
Counteract Groupthink: Scenarios offer a ‘safe space’ for divergent opinions, breaking the cycle of conformist thinking that can plague large organisations.
Challenge the Status Quo: Scenarios provide a non-threatening platform to question existing assumptions and strategies.
Current Risk Trends in Financial Institutions
A 2021 survey involving over 30 Chief Risk Officers revealed that banks are particularly vulnerable to fast-paced market changes, environmental issues, and cyber threats. A significant 67% of respondents noted the pandemic’s impact on non-financial risks and employee well-being, although most expect these effects to wane in the next three years.
Conversely, climate change is anticipated to grow in significance. Almost every respondent identified climate regulations as one of the top five driving factors in the financial sector for the next three years. Additionally, three-quarters expressed concerns over the financial and other risks associated with the shift away from carbon-dependent energy systems.
Lastly, cybercrime is consistently ranked as a leading risk by the majority of executives, both for the present and looking ahead.
Understanding Cyber Risk: More Than Just Cyber Threats
Cyber risk is a specific category of business risk, encompassing potential losses in the digital sphere—be it financial, reputational, operational, productivity-related, or regulatory. While originating in the digital domain, cyber risk can also manifest in the physical world, such as causing harm to operational machinery.
It’s crucial to differentiate between cyber risk and cyber threats. The latter are specific hazards that contribute to the broader potential for cyber risk. These threats range from privilege escalation and vulnerability exploitation to phishing attacks. The consequences of these threats can include compromised confidentiality, integrity, and availability of digital assets, as well as financial fraud and data loss.
Historically, organisations have employed maturity-based cybersecurity models to manage cyber risk. While useful for fledgeling organisations, this approach can become unwieldy for established institutions, requiring exhaustive monitoring and analysis. Given that some applications are more susceptible to threats than others, a more targeted approach focusing on critical vulnerabilities is advisable.
Adopting a Risk-Based Cybersecurity Strategy
A risk-based cybersecurity approach marks a significant shift from maturity-based models. It prioritises risk reduction as the ultimate objective, enabling organisations to allocate resources more effectively. This approach allows for a more focused investment in controls aimed at mitigating the most severe vulnerabilities.
Here are eight key steps for implementing a risk-based cybersecurity strategy:
- Integrate cybersecurity into the broader enterprise risk management framework.
- Identify value sources across teams, processes, and technologies.
- Assess vulnerabilities within the organisation and third parties.
- Understand the capabilities and intentions of relevant threat actors.
- Align controls with identified vulnerabilities and assess the need for new initiatives.
- Map enterprise risks, considering threat actors, vulnerabilities, and existing security controls.
- Evaluate risks against the organisation’s risk appetite and report on risk reduction efforts.
- Continuously monitor risks, key risk indicators, and performance metrics.
Making Informed Investments in Risk Management
Ignoring high-impact, low-probability risks can be disastrous, yet preparing for every possible scenario is financially impractical. The COVID-19 crisis serves as a case in point; despite its predictability, most companies were unprepared, leading to numerous bankruptcies among billion-dollar firms in the U.S.
To navigate such complex risk landscapes, organisations should focus on existential threats. McKinsey suggests using a two-by-two risk grid to compare the potential impact and likelihood of various risks. This enables leaders to prioritise risks that could jeopardise the organisation’s very existence. By safeguarding their core value propositions, organisations can enhance their overall resilience.
Learn more about New World Norm’s Risk and Resilience Practice.