From digital disruption to environmental upheaval, the rapidly shifting risk management landscape demands board-level attention. Leaders who embrace the new landscape have much to gain.
As digital innovation becomes a top priority across industries, it is also generating a growing list of concerns for risk managers. Uncertainty is a fundamental part of risk management—and more than ever today, when technological advances, coupled with economic, environmental, political and social changes, continue to create new opportunities and challenges for the sector.
Once largely associated with insurance, compliance and loss avoidance, risk management is no longer a box-ticking exercise. Ownership is now a C-suite and board-level priority that requires cultivating a strong risk culture and integrating risk management into other business processes.
“The risk landscape is transforming beneath our feet,” says Daniel Wagner, founder and CEO of Country Risk Solutions and author of six books, including the soon-to-be-released China Vision. “There’s this nexus between all things cyber and artificial intelligence that is having a profound impact on the landscape. It will govern a large chunk of risk management going forward.”
Linking risk to performance
Technologies such as artificial intelligence (AI), data analytics, smart devices and the Internet of Things (IoT) are transforming almost every commercial enterprise into a digital business and creating fresh opportunities for risk management. Such disruptive technologies are the “known unknowns”, but many companies don’t know how to react appropriately in terms of mitigating the risk or seizing the opportunity, says James Lam, risk consultant and author of Implementing Enterprise Risk Management.
“Think about risk in the context of a bell curve,” Mr Lam says. “Every risk is a bell curve, whether it’s strategic, financial, operational, regulatory, compliance, or even reputational. A bell curve, as we know, has the median expected outcome, but there’s an upside and a downside. If you understand the key performance and risk drivers that are going to influence business performance on the upside and downside, then you can better manage the business.”
Research and advisory firm Gartner advises companies to tie their key risk indicators to their key performance indicators to enable “integrated risk management”. For instance, even patch management (which involves applying security patches to a given software product) can have a direct impact on the performance of a company, according to John A Wheeler, global research leader for risk management technology at Gartner. Not applying the patches can lead to a data breach, as was the case in 2017 for credit-reporting firm Equifax. Linking the key risk indicator of not keeping up with patches to the potential for lost revenue, and ultimately to senior leaders’ compensation, can greatly improve accountability for cyber risk, Mr Wheeler says.
Raising the bar
At a fundamental level, technologies such as AI reduce the cost of prediction, much like the telephone and the internet have reduced the cost of communication. They can also enhance the user experience, but if left unchecked they can potentially destroy consumer trust. Instagram in February faced an outcry among users who suddenly lost followers due to a glitch.
“Technology in many ways is a double-edged sword,” says Robert E Hoyt, professor of risk management and insurance in the Terry College of Business at the University of Georgia. “It’s an enabler of capabilities but also raises the bar in terms of an expectation that organisations will manage risk in a more proactive and aggressive way. It means that we have more information that we can utilise to identify risk. But it also means that a company has exposures, and there’s an expectation from the public and other stakeholders that it will manage that risk.”
For now, though, only one-quarter of companies view risk management as an important strategic tool, according to a 2017 survey conducted by the American Institute of Certified Public Accountants (AICPA). More than one-third (34%) of the 432 organisations that completed the AICPA survey said they did not conduct any formal assessments of emerging strategic, market or industry risks.
But that’s not to say that executives are not concerned: 58% of those surveyed by the AICPA said they had a risk committee, with 67% of boards calling for more involvement. The problem, however, is that companies’ integrated risk management strategies aren’t fully thought out or developed, Mr Wheeler says. “There’s this knee-jerk reaction of throwing money at it and giving it to the technical folks to figure out,” he notes. “But now that technology is becoming a greater part of the core business, senior executives and board members can’t take that approach.”
A matter for the board
Corporate board members can actually help to drive the overall strategy, because they have experience across different organisations and industries. Instead of rubber-stamping or asking a few questions, board directors should be involved in the strategy development process, providing management with questions and scenarios to address, says Mr Lam, who sits on the boards of financial services company E*TRADE and cyber-security software firm RiskLens.
“The traditional risk management process is rigid and static, where someone does a qualitative assessment and identifies the top ten risks,” he says. “But that doesn’t capture the dynamic trends we see in the marketplace today. You have to think not just outside the box but well beyond it. You have to quantify the risks and then set up tolerance levels, monitor exposure and make decisions to mitigate the risk.”
In its 2018 Global Risks Report the World Economic Forum (WEF) organised dozens of risks into five categories: economic, environmental, geopolitical, societal and technological. “Humanity has become remarkably adept at understanding how to mitigate conventional risks that can be relatively easily isolated and managed with standard risk-management approaches,” according to the report. “But we are much less competent when it comes to dealing with complex risks in the interconnected systems that underpin our world, such as organisations, economies, societies and the environment.”
Given the complexity and speed of change, risk managers cannot afford to ignore the impact of these increasingly interconnected systems. Indeed, daily headlines bring fresh reminders of just how powerful these global forces can be. In January California’s largest utility, PG&E, filed for bankruptcy protection, citing billions of dollars in liability claims from wildfires. The Wall Street Journal dubbed it “the first major corporate casualty of climate change”.
Issues such as climate change and cyber security are likely to be around for years to come. Companies may not be able to reduce their probability, but they will need to manage their severity and enhance their organisation’s resilience to better address these trends. That means shifting the scope and frequency of risk management to make it more strategic and technology-oriented.
“Risk managers today need to think broadly about the world and analyse it in the context of a project or organisation,” says Mr Wagner. “They need to take responsibility for educating themselves and staying ahead of the curve. And those in the C-suite and on the board need to be responsive, adaptive and compliant.”