Beyond the profound health and economic uncertainty of our current moment, catastrophic events are expected to occur more frequently in the future. The digital revolution, climate change, stakeholder expectations, and geopolitical risk will play major roles.
The digital revolution has increased the availability of data, degree of connectivity, and speed at which decisions are made. Those changes offer transformational promise but also come with the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital connectivity and social media, reputational damage can spark and spread quickly.
The changing climate presents massive structural shifts to companies’ risk-return profiles, which will accelerate in a nonlinear fashion. Companies need to navigate concerns for their immediate bottom lines along with pressures from governments, investors, and society at large. All that, and natural disasters, too, are growing more frequent and severe.
Stakeholder expectations for corporate behavior are higher than ever. Firms are expected to act lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on social issues, such as those fueling the #MeToo and Black Lives Matter movements. Employees are increasingly vocal about company policies and actions. Regulator and government attention is reflecting societal concerns in areas ranging from data privacy to climate.
An uncertain geopolitical future provides the backdrop for such pressures. The world is more interconnected than ever before, from supply chains to travel to the flow of information. But those ties are under threat, and most companies have not designed robust roles within the global system that would allow them to keep functioning smoothly if connections were abruptly cut.
Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly. The level of risk-management maturity varies across industries and across companies. In general, banks have the most mature approach, followed by companies in industries in which safety is paramount, including oil and gas, advanced manufacturing, and pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal. The following discussion describes the core of dynamic risk management and outlines actions companies can take to build it.
Nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal.
The core of dynamic risk management
Dynamic risk management has three core component activities: detecting potential new risks and weaknesses in controls, determining the appetite for risk taking, and deciding on the appropriate risk-management approach (Exhibit 1).
Detecting risks and control weaknesses
Institutions need both to predict new threats and to detect changes in existing ones. Today, many companies maintain a static and formulaic view of risks, with limited linkages to business decision making. Some of these same companies were caught flat footed by the COVID-19 pandemic.
In the future, companies will require hyperdynamic identification and prioritization of risks to keep pace with the changing environment. They will need to anticipate, assess, and observe threats based on disparate internal and external data points. Dynamic risk management will require companies to answer the following three questions:
- How will the risk play out over time? Some risks are slow moving, while others can change and escalate rapidly. Independent of speed, risks can be either cyclical and mean reverting or structural and permanent. Historically, most firms have focused on managing cyclical, mean-reverting risks, like credit risk, that go up and down with macroeconomic cycles. Historically, the fundamental long-term economics of business lines have held firm, requiring only tweaks through the cycle. Credit risk in financial services is an example of such a risk. However, the traditional principles of trajectory and cyclicality of risks are increasingly becoming less relevant. The global economic shock caused by the COVID-19 pandemic has demonstrated that many companies were not prepared for events with profound and long-lasting impact that could fundamentally change how business is conducted.
- Are we prepared to respond to systemic risks? In today’s world, risk impact can go well beyond next quarter’s financial statements to have longer-term reputational or regulatory consequence. Institutions must also consider whether the event triggering the risk has broad implications for their industry, the economy, and society at large—and what that means to them. The COVID-19 pandemic has had direct impact on most companies but has also meaningfully shifted the global economy and societal terrain. Companies should consider whether they have the controls, mitigants, and response plans in place to account for worst-case-scenario, systemic risks. For example, as companies house more personal data, the risks associated with data breaches become more systemic, with the potential to impact millions of customers globally. These firms need to consider proactively how to protect against and react to such breaches, including by working with external stakeholders, such as customers, law-enforcement agencies, and regulators.
- What new risks lurk in the future? Companies will need to cast nets wide enough to detect new and emerging risks before they happen. Traditional risk-identification approaches based on ex post facto reviews and assessments will not suffice. Most institutions have not had historical losses linked to climate change, and many have not encountered significant reputational blowback from being on the wrong side of a social issue. Institutions will need to work across business and functional divisions to maintain forward-looking, comprehensive taxonomies of the fundamental drivers of their risks. To get a real-time view of those drivers, companies should look to internal performance metrics, external indicators, and qualitative views of what business leaders see in their day-to-day work. Scenario-based approaches and premortems also play a critical role by letting leaders play out what might go wrong before it does.
Determining risk appetite
Companies need a systematic way to decide which risks to take and which to avoid. Today, many institutions think about their appetite for risk in purely static, financial terms. They can fall into the simultaneous traps of being both inflexible and imprudent. For example, companies that do not take sufficient risk in innovating can lose out to more nimble competitors. But at the same time, companies that focus on purely financial metrics can unwittingly take risks—for example, with their reputation by continuing a profitable business process that runs counter to societal expectation.
In the future, companies will need to set appetites for risk that align with values, strategies, capabilities, and the competitive environment at any given time. Effective enterprise risk management will help them dynamically delimit risk taking, directly translating financial and nonfinancial principles and metrics into a concrete view of what the firm will and will not do at any given time. Companies will need to be able to answer the following three questions:
- How much risk should we take? Rapid changes can quickly uproot companies’ risk profiles. They will need to adjust their risk appetites to accommodate shifting customer behaviors, digital capabilities, competitive landscapes, and global trends. For example, many companies that categorically refused to use the cloud five years ago are migrating to cloud-based storage and software solutions today, driven by improved technology and security. Geopolitical instability has the potential to increase counterparty and currency risk considerations for the travel and infrastructure industries when considering engineering, procurement, and construction contracts for megaprojects lasting several years. The COVID-19 pandemic has sparked pharmaceutical companies to consider afresh which risks they are willing to take to develop and produce treatments quickly.
- Should we avoid any risks entirely? Companies will want to draw some clear lines in the sand: no criminality; no sexual harassment of employees. But for many risks, the lines are not clear, and each company will need a nuanced perspective built on a strong, objective fact base. For example, will risk drivers such as climate change render risks in certain businesses fully untenable (for example, developing real estate in certain coastal regions)? Or should the reputational risk of being caught in the middle of highly charged environmental and social-responsibility issues drive a company out of certain business segments altogether (for example, in the way some retailers made the decision to stop selling guns)? Companies will need to develop views on such questions and update them continuously as their environments and corresponding fact bases evolves.
- Does our risk appetite adequately reflect our control effectiveness? Companies are more comfortable taking the risks for which they have strong controls. But the increased threat of new and severe nonfinancial risks challenges status quo assumptions about control effectiveness. For example, many businesses have relied on automation to speed up processes, lower costs, and reduce manual errors. At the same time, the risks of large-scale breaches and violations of data privacy have increased dramatically, heightening during the COVID-19 crisis as digitization accelerates substantially across many industries. With less risk of manual errors but greater risk of large-scale failures, institutions will need to adjust their risk appetites and associated controls to reflect evolving risk profiles.
Deciding on a risk-management approach
Firms need to decide on how to respond as they detect new risks or control weaknesses. Today many rely on linear, committee-based governance processes to make decisions about risk taking, slowing their ability to act.
In the next normal, however, institutions will need to make risk decisions rapidly and flexibly, laying out and executing responses, whether immediate or prolonged, about how to avoid, control, or accept each risk. The decisions should actively engage leaders from across an organization to determine the mitigation and response efforts that have worked well in the past, as well as those that have not. In that way, the organization can develop the ways it manages risks in today’s world. Companies will have to be able to answer the following questions:
- How should we mitigate the risks we are taking? Historically, many companies have relied heavily on manual controls and on human assessments of control effectiveness. That approach can generate excess, costly layers of controls in some areas while leaving gaps or insufficient controls in others. Today, the art of the possible in defending against adverse outcomes is rapidly evolving. Automated control systems are built into processes and detect anomalies in real time. Behavioral nudges influence people to act in the right ways. Controls guided by advanced analytics simultaneously guard against risks and minimize false-positive results.
- How would we respond if a risk event or control breakdown occurs? In the event of a major control breakdown, companies need to be able to switch quickly to crisis-response mode, guided by an established playbook of actions. Most companies have done little to prepare for crises, seemingly taking an attitude that “it won’t happen here.” However, in the evolving world, firms will need to build crisis-preparedness capabilities systematically. As the COVID-19 crisis has demonstrated, companies with well-rehearsed approaches to managing through a crisis will be more resilient to shocks. Preparation should involve identifying the possible negative scenarios unique to an organization and the mitigating strategies to adopt before a crisis hits. That includes periodic simulations involving both senior management and the board. Companies should maintain and periodically update detailed crisis playbooks. Their strategies should include details on when and how to escalate issues, preselected crisis-leadership teams, resource plans, and road maps for communications and broader stakeholder stabilization.
- How can we build true resilience? Resilient companies not only withstand threats, but they emerge stronger. Companies can learn from every actual risk event and control breakdown, honing risk processes and controls through a dynamic feedback loop. On a grander scale, firms also have the chance to turn the fall-out from true crises into competitive advantage, as the COVID-19 crisis is demonstrating. For example, some companies providing vacation rentals realized that they would need to do more than provide amenities and hygiene measures. They have started offering tailored customer experiences, including games, virtual cooking classes, and remote nature tours, built on an understanding of customer microsegments. These companies have started to differentiate themselves from their competitors and are positioned to emerge more resilient, even within a very hard-hit sector. Companies should prepare to ensure five types of resilience: financial, operational, organizational, reputational, and business-model resilience. Business-continuity, financial, and other plans can provide buffers against shock. But true resilience also stems from a diversity of skills and experience, innovation, creative problem solving, and the basic psychological safety that enables peak performance. Those characteristics are helpful in good times and indispensable when quick, collaborative adaptation is needed for an institution to thrive.
Five actions to build dynamic risk management
Today, many firms see enterprise risk management as a dreary necessity but hardly a source of dynamism or competitive advantage. It can suffer from being static, siloed, and separate from the business. But dynamic and integrated risk management, which includes the ability to detect risks, determine appetite, and decide on action in real time, is growing ever more critical. Leaders can take five actions to establish the necessary capabilities (Exhibit 2).
Dynamic and integrated risk management, which includes the ability to detect risks, determine appetite, and decide on action in real time, is growing ever more critical.
1. Reset the aspiration for risk management
To meet the needs of the future, companies need to elevate risk management from mere prevention and mitigation to dynamic strategic enablement and value creation. This requires clear objectives, such as ensuring that efforts are focused on the risks that matter most, providing clarity about risk levels and risk appetite in a way that facilitates effective business decisions, and making sure that the organization is prepared to manage risks and adverse events.
In practice, risk managers should engage in a productive dialogue with business leaders to gain an in-depth understanding of how the business thinks about risk day to day and to share the risk capabilities they can bring. Businesses typically approach decisions with a reasonable risk-versus-return mindset but lack key information to do this effectively alone. For example, business units often do not have a full systematic understanding of the full range of risk drivers or a clear view of how a stressed environment could affect the company.
More broadly, businesses typically also lack an enterprise-wide view of how a risk might unfold. For example, climate risk may affect most aspects of some companies’ businesses, from the impact of physical climate risk on operational facilities and supply chains to market repricing of carbon emissions to shifts in market demand and competitive landscape. The COVID-19 pandemic has had a similarly cross-enterprise impact on nearly every company. It should be an objective of dynamic risk management to provide an enterprise view.
2. Establish agile risk-management practices
The increasingly volatile, uncertain, and dynamic risk environment will demand more agile risk management. Companies will need to tap into people with the right skills and knowledge in real time, convening cross-functional teams and authorizing them to make rapid decisions in running the business, innovating, and managing risk.
Building teams and decision bodies dynamically requires the ability to understand quickly the nature of the risk at hand, including its significance and how quickly it may play out. This helps determine who needs to be involved and how people should work together. One fintech company, for example, runs daily huddles to discuss customers, bringing together a cross-functional team of business and risk leaders and other subject-matter experts to review new customer complaints. This enables executives to review funnel metrics for the day side by side with customer complaints and helps them triage and remediate those complaints promptly, avoiding larger issues down the road.
Decisions themselves should receive appropriate transparency, but managers should not get bogged down in excessive bureaucracy. Companies can formulate a clear, principled view of what sorts of decisions require committee review versus execution by single responsible parties. In some cases, previously unforeseen issues and risks that have the potential to evolve rapidly may require special, fast-track decision-making mechanisms. One organization does regular crisis-preparedness exercises and has developed relevant playbooks that assign decision-making power if needed, depending on the type of issue.
3. Harness the power of data and analytics
Companies can embrace the digital revolution to improve risk management. Automation technologies can digitize transaction workflows end to end, reducing human error. Rich data streams from traditional sources, such as ratings agencies, and nontraditional sources, such as social media, provide an expanding and increasingly granular view of risk characteristics. Sophisticated algorithms enable better error detection, more accurate predictions, and microlevel segmentation.
One global pharmaceutical company adopted advanced analytics to help it prioritize clinical-trial sites for quality audits. The company used a model to identify higher-risk sites and the specific type of risk most likely to occur at each site. The company is now tightly integrating its analytics with its core risk-management processes, including risk-remediation and monitoring activities of its clinical operations and quality teams. The new approach identifies issues that would have gone undetected under its old manual process while also freeing 30 percent of its quality resources.
Another area in which advanced analytics can capture significant value is in the predictive detection of risk. One railway operator applied advanced analytics to predict major component failures. The company improved safety and reduced its total failure cost for rolling stock by 20 percent. Companies can also use natural-language processing to build real-time, digital dashboards of internal and market intelligence, enabling more effective risk detection, including in customer complaints, employee allegations, internal communications, and suspicious-activity reports.
4. Develop risk talent for the future
To meet the demands of the future, risk managers will need to develop new capabilities and expanded domain knowledge. Strong knowledge of how the business operates provides a critical foundation by supporting true understanding of the landscape of risk. This enables risk professionals to provide better oversight and more effective challenge while also acting as effective counselors and partners as their company navigates the risk landscape.
Risk managers will also need strong understanding of data, analytics, and technology, which are driving shifts in how most companies operate—a trend only accelerated by the COVID-19 crisis. This is true for how data and digital interfaces are affecting firm processes, how companies are employing artificial intelligence to support day-to-day decisions, and how the digital revolution is shaping risk management itself.
To put this all together, risk managers will need to develop agile capabilities and mindsets, allowing them to identify opportunities to convene stakeholders and contributors across functions rapidly and generate quick solutions. People will need the leadership and personal capabilities to tap into colleagues with the right skills and knowledge in real time.
5. Fortify risk culture
Risk culture refers to the mindsets and behavioral norms that determine how an organization identifies and manages risk. In moments of high uncertainty—such as those we are living through during the COVID-19 pandemic—risk culture is of exceptional importance. Companies cannot rely on reflexive muscles for predicting and controlling for risks. A good risk culture allows an organization to move with speed without breaking things. It is an organization’s best cross-cutting defense.
Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those organizations that have developed a mature risk culture outperform peers through economic cycles and in the face of challenging external shocks. At the same time, companies with strong risk cultures are less likely to suffer from self-inflicted wounds in the form of operational mistakes or reputational difficulties and have more engaged and satisfied customers and employees.
Companies with strong risk cultures share several essential characteristics. Most important, true ownership and responsibility for risk culture sits with the front line, with executive-level accountability for cultural failings. To be truly lived, culture must be linked with the day-to-day business activities and outcomes of an institution. At the same time, someone needs to be responsible for coordinating the definition, measurement, reporting, and reinforcement of risk culture—for example, within a risk function, a COO organization, or HR. Without an enterprise-wide view and vocabulary, it is not possible to effect true, coordinated cultural change. Finally, attention to risk culture must be ongoing. Strong culture takes maintenance and requires reinforcement.
One fast-growing technology company announced a culture transformation as the CEO’s top priority. It selected 30 culture leaders from across the company to lead the effort. The initiative mobilized around one-fifth of its staff through workshops aimed at helping managers make risk-informed decisions and creating a new risk culture and mindset.
The world is facing both uncertainty and rapid change. For companies, risk levels are rising—as are the expectations of employees, customers, shareholders, governments, and society at large. Against this backdrop, we believe companies need to rethink their approach to risk management, to make it a dynamic source of competitive advantage.