You know about death and taxes. What about risk? Yes, risk is just as much a part of life as the other two inevitabilities. This became all the more apparent during COVID-19, as each of us had to assess and reassess our personal risk calculations as each new wave of the pandemic—and pandemic-related disruptions—washed over us. It’s the same in business: executives and organizations have different comfort levels with risk and ways to prepare against it.
Where does business risk come from? To start with, external factors can wreak havoc on an organization’s best-laid plans. These can include things like inflation, supply chain disruptions, geopolitical upheavals, unpredictable force majeure events like a global pandemic or climate disaster, competitors, reputational issues, or even cyberattacks.
But sometimes, the call is coming from inside the house. Companies can be imperiled by their own executives’ decisions or by leaks of privileged information, but most damaging of all, perhaps, is the risk of missed opportunities. We’ve seen it often: when companies choose not to adopt disruptive innovation, they risk losing out to more nimble competitors.
The modern era is rife with increasingly frequent sociopolitical, economic, and climate-related shocks. In 2019 alone, for example, 40 weather disasters caused damages exceeding $1 billion each. To stay competitive, organizations should develop dynamic approaches to risk and resilience. That means predicting new threats, perceiving changes in existing threats, and developing comprehensive response plans. There’s no magic formula that can guarantee safe passage through a crisis. But in situations of threat, sometimes only a robust risk-management plan can protect an organization from interruptions to critical business processes. For more on how to assess and prepare for the inevitability of risk, read on.
Learn more about McKinsey’s Risk and Resilience Practice.
What is risk control?
Risk controls are measures taken to identify, manage, and eliminate threats. Companies can create these controls through a range of risk management strategies and exercises. Once a risk is identified and analyzed, risk controls can be designed to reduce the potential consequences. Eliminating a risk—always the preferable solution—is one method of risk control. Loss prevention and reduction are other risk controls that accept the risk but seek to minimize the potential loss (insurance is one method of loss prevention). A final method of risk control is duplication (also called redundancy). Backup servers or generators are a common example of duplication, ensuring that if a power outage occurs no data or productivity is lost.
But in order to develop appropriate risk controls, an organization should first understand the potential threats.
What are the three components to a robust risk management strategy?
A dynamic risk management plan can be broken down into three components: detecting potential new risks and weaknesses in existing risk controls, determining the organization’s appetite for risk taking, and deciding on the appropriate risk management approach. Here’s more information about each step and how to undertake them.
1. Detecting risks and controlling weaknesses
A static approach to risk is not an option, since an organization can be caught unprepared when an unlikely event, like a pandemic, strikes. So it pays to always be proactive. To keep pace with changing environments, companies should answer the following three questions for each of the risks that are relevant to their business.
- How will a risk play out over time? Risks can be slow moving or fast moving. They can be cyclical or permanent. Companies should analyze how known risks are likely to play out and reevaluate them on a regular basis.
- Are we prepared to respond to systemic risks? Increasingly, risks have longer-term reputational or regulatory consequences, with broad implications for an industry, the economy, or society at large. A risk management strategy should incorporate all risks, including systemic ones.
- What new risks lurk in the future? Organizations should develop new methods of identifying future risks. Traditional approaches that rely on reviews and assessments of historical realities are no longer sufficient.
2. Assessing risk appetite
How can companies develop a systematic way of deciding which risks to accept and which to avoid? Companies should set appetites for risk that align with their own values, strategies, capabilities, and competitive environments—as well as those of society as a whole. To that end, here are three questions companies should consider.
- How much risk should we take on? Companies should reevaluate their risk profiles frequently according to shifting customer behaviors, digital capabilities, competitive landscapes, and global trends.
- Are there any risks we should avoid entirely? Some risks are clear: companies should not tolerate criminal activity or sexual harassment. Others are murkier. How companies respond to risks like economic turmoil and climate change depend on their particular business, industry, and levels of risk tolerance.
- Does our risk appetite adequately reflect the effectiveness of our controls? Companies are typically more comfortable taking risks for which they have strong controls in place. But the increased threat of severe risks challenges traditional assumptions about risk control effectiveness. For instance, many businesses have relied on automation to increase speed and reduce manual error. But increased data breaches and privacy concerns can increase the risk of large-scale failures. Organizations, therefore, should evolve their risk profiles accordingly.
3. Deciding on a risk management approach
Finally, organizations should decide how they will respond when a new risk is identified. This decision-making process should be flexible and fast, actively engaging leaders from across the organization and honestly assessing what has and hasn’t worked in past scenarios. Here are three questions organizations should be able to answer.
- How should we mitigate the risks we are taking? Ultimately, people need to make these decisions and assess how their controls are working. But automated control systems should buttress human efforts. Controls guided, for example, by advanced analytics can help guard against quantifiable risks and minimize false positives.
- How would we respond if a risk event or control breakdown happens? If (or more likely, when) a threat occurs, companies should be able to switch to crisis management mode quickly, guided by an established playbook. Companies with well-rehearsed crisis management capabilities weather shocks better, as we saw with the COVID-19 pandemic.
- How can we build true resilience? Resilient companies not only better withstand threats—they emerge stronger. The most resilient firms can turn fallout from crises into a competitive advantage. True resilience stems from a diversity of skills and experience, innovation, creative problem solving, and the basic psychological safety that enables peak performance.
Change is constant. Just because a risk control plan made sense last year doesn’t mean it will next year. In addition to the above points, a good risk management strategy involves not only developing plans based on potential risk scenarios but also evaluating those plans on a regular basis.
Learn more about McKinsey’s Risk and Resilience Practice.
What are five actions organizations can take to build dynamic risk management?
In the past, some organizations have viewed risk management as a dull, dreary topic, uninteresting for the executive looking to create competitive advantage. But when the risk is particularly severe or sudden, a good risk strategy is about more than competitiveness—it can mean survival. Here are five actions leaders can take to establish risk management capabilities.
- Reset the aspiration for risk management. This requires clear objectives and clarity on risk levels and appetite. Risk managers should establish dialogues with business leaders to understand how people across the business think about risk, and share possible strategies to nurture informed risk-versus-return decision making—as well as the capabilities available for implementation.
- Establish agile risk management practices. As the risk environment becomes more unpredictable, the need for agile risk management grows. In practice, that means putting in place cross-functional teams empowered to make quick decisions about innovating and managing risk.
- Harness the power of data and analytics. The tools of the digital revolution can help companies improve risk management. Data streams from traditional and nontraditional sources can broaden and deepen companies’ understandings of risk, and algorithms can boost error detection and drive more accurate predictions.
- Develop risk talent for the future. Risk managers who are equipped to meet the challenges of the future will need new capabilities and expanded domain knowledge in model risk management, data, analytics, and technology. This will help support a true understanding of the changing risk landscape, which risk leaders can use to effectively counsel their organizations.
- Fortify risk culture. Risk culture includes the mindsets and behavioral norms that determine an organization’s relationship with risk. A good risk culture allows an organization to respond quickly when threats emerge.
How do scenarios help business leaders understand uncertainty?
Done properly, scenario planning prompts business leaders to convert abstract hypotheses about uncertainties into narratives about realistic visions of the future. Good scenario planning can help decision makers experience new realities in ways that are intellectual and sensory, as well as rational and emotional. Scenarios have four main features that can help organizations navigate uncertain times.
- Scenarios expand your thinking. By developing a range of possible outcomes, each backed with a sequence of events that could lead to them, it’s possible to broaden our thinking. This helps us become ready for the range of possibilities the future might hold—and accept the possibility that change might come more quickly than we expect.
- Scenarios uncover inevitable or likely futures. A broad scenario-building effort can also point to powerful drivers of change, which can help to predict potential outcomes. In other words, by illuminating critical events from the past, scenario building can point to outcomes that are very likely to happen in the future.
- Scenarios protect against groupthink. In some large corporations, employees can feel unsafe offering contrarian points of view for fear that they’ll be penalized by management. Scenarios can help companies break out of this trap by providing a “safe haven” for opinions that differ from those of senior leadership and that may run counter to established strategy.
- Scenarios allow people to challenge conventional wisdom. In large corporations in particular, there’s frequently a strong bias toward the status quo. Scenarios are a nonthreatening way to lay out alternative futures in which assumptions underpinning today’s strategy can be challenged.
Learn more about McKinsey’s Strategy & Corporate Finance Practice.
What’s the latest thinking on risk for financial institutions?
In late 2021, McKinsey conducted survey-based research with more than 30 chief risk officers (CROs), asking about the current banking environment, risk management practices, and priorities for the future.
According to CROs, banks in the current environment are especially exposed to accelerating market dynamics, climate change, and cybercrime. Sixty-seven percent of CROs surveyed cited the pandemic as having significant impact on employees and in the area of nonfinancial risk. Most believed that these effects would diminish in three years’ time.
Climate change, on the other hand, is expected to become a larger issue over time. Nearly all respondents cited climate regulation as one of the five most important forces in the financial industry in the coming three years. And 75 percent were concerned about climate-related transition risk: financial and other risks arising from the transformation away from carbon-based energy systems.
And finally, cybercrime was assessed as one of the top risks by most executives, both now and in the future.
Learn more about the risk priorities of banking CROs here.
What is cyber risk?
Cyber risk is a form of business risk. More specifically, it’s the potential for business losses of all kinds in the digital domain—financial, reputational, operational, productivity related, and regulatory related. While cyber risk originates from threats in the digital realm, it can also cause losses in the physical world, such as damage to operational equipment.
Cyber risk is not the same as a cyberthreat. Cyberthreats are the particular dangers that create the potential for cyber risk. These include privilege escalation (the exploitation of a flaw in a system for the purpose of gaining unauthorized access to resources), vulnerability exploitation (an attack that uses detected vulnerabilities to exploit the host system), or phishing. The risk impact of cyberthreats includes loss of confidentiality, integrity, and availability of digital assets, as well as fraud, financial crime, data loss, or loss of system availability.
In the past, organizations have relied on maturity-based cybersecurity approaches to manage cyber risk. These approaches focus on achieving a particular level of cybersecurity maturity by building capabilities, like establishing a security operations center or implementing multifactor authentication across the organization. A maturity-based approach can still be helpful in some situations, such as for brand-new organizations. But for most institutions, a maturity-based approach can turn into an unmanageably large project, demanding that all aspects of an organization be monitored and analyzed. The reality is that, since some applications are more vulnerable than others, organizations would do better to measure and manage only their most critical vulnerabilities.
Learn more about McKinsey’s Risk and Resilience Practice.
What is a risk-based cybersecurity approach?
A risk-based approach is a distinct evolution from a maturity-based approach. For one thing, a risk-based approach identifies risk reduction as the primary goal. This means an organization prioritizes investment based on a cybersecurity program’s effectiveness in reducing risk. Also, a risk-based approach breaks down risk-reduction targets into precise implementation programs with clear alignment all the way up and down an organization. Rather than building controls everywhere, a company can focus on building controls for the worst vulnerabilities.
Here are eight actions that comprise a best practice for developing a risk-based cybersecurity approach:
- fully embed cybersecurity in the enterprise-risk-management framework
- define the sources of enterprise value across teams, processes, and technologies
- understand the organization’s enterprise-wide vulnerabilities—among people, processes, and technology—internally and for third parties
- understand the relevant “threat actors,” their capabilities, and their intent
- link the controls in “run” activities and “change” programs to the vulnerabilities that they address and determine what new efforts are needed
- map the enterprise risks from the enterprise-risk-management framework, accounting for the threat actors and their capabilities, the enterprise vulnerabilities they seek to exploit, and the security controls of the organization’s cybersecurity run activities and change program
- plot risks against the enterprise-risk appetite; report on how cyber efforts have reduced enterprise risk
- monitor risks and cyber efforts against risk appetite, key cyber risk indicators, and key performance indicators
How can leaders make the right investments in risk management?
Ignoring high-consequence, low-likelihood risks can be catastrophic to an organization—but preparing for everything is too costly. In the case of the COVID-19 crisis, the danger of a global pandemic on this scale was foreseeable, if unexpected. Nevertheless, the vast majority of companies were unprepared: among billion-dollar companies in the United States, more than 50 filed for bankruptcy in 2020.
McKinsey has described the decisions to act on these high-consequence, low-likelihood risks as “big bets.” The number of these risks is far too large for decision makers to make big bets on all of them. To narrow the list down, the first thing a company can do is to determine which risks could hurt the business versus the risks that could destroy the company. Decision makers should prioritize the potential threats that would cause an existential crisis for their organization.
To identify these risks, McKinsey recommends using a two-by-two risk grid, situating the potential impact of an event on the whole company against the level of certainty about the impact. This way, risks can be measured against each other, rather than on an absolute scale.
Organizations sometimes survive existential crises. But it can’t be ignored that crises—and missed opportunities—can cause organizations to fail. By measuring the impact of high-impact, low-likelihood risks on core business, leaders can identify and mitigate risks that could imperil the company. What’s more, investing in protecting their value propositions can improve an organization’s overall resilience.
Learn more about McKinsey’s Risk and Resilience Practice.
- “Seizing the momentum to build resilience for a future of sustainable inclusive growth,” February 23, 2023, Børge Brende and Bob Sternfels
- “Data and analytics innovations to address emerging challenges in credit portfolio management,” December 23, 2022, Abhishek Anand, Arvind Govindarajan, Luis Nario and Kirtiman Pathak
- “Risk and resilience priorities, as told by chief risk officers,” December 8, 2022, Marc Chiapolino, Filippo Mazzetto, Thomas Poppensieker, Cécile Prinsen, and Dan Williams
- “What matters most? Six priorities for CEOs in turbulent times,” November 17, 2022, Homayoun Hatami and Liz Hilton Segel
- “Model risk management 2.0 evolves to address continued uncertainty of risk-related events,” March 9, 2022, Pankaj Kumar, Marie-Paule Laurent, Christophe Rougeaux, and Maribel Tejada
- “The disaster you could have stopped: Preparing for extraordinary risks,” December 15, 2020, Fritz Nauck, Ophelia Usher, and Leigh Weiss
- “Meeting the future: Dynamic risk management for uncertain times,” November 17, 2020, Ritesh Jain, Fritz Nauck, Thomas Poppensieker, and Olivia White
- “Risk, resilience, and rebalancing in global value chains,” August 6, 2020, Susan Lund, James Manyika, Jonathan Woetzel, Edward Barriball, Mekala Krishnan, Knut Alicke, Michael Birshan, Katy George, Sven Smit, Daniel Swan, and Kyle Hutzler
- “The risk-based approach to cybersecurity,” October 8, 2019, Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
- “Value and resilience through better risk management,” October 1, 2018, Daniela Gius, Jean-Christophe Mieszala, Ernestos Panayiotou, and Thomas Poppensieker