In 2022, as businesses face the challenges of evolving disruptive forces – societal, technological, environmental and regulatory – it has become clear that a paradigm shift in risk management is urgently needed. This change must mitigate the risks to organisations and consumers, in addition to allowing businesses to take the right risks – a fine, yet achievable balance.
As such, businesses find themselves grappling with an increasingly complex array of risk exposures. A fresh approach is needed that places “Risk Management by Design” and therefore business resilience at the core of enterprise-wide decision making.
The critical risk exposures facing businesses today are in constant flux. They encompass:
- The ever-changing regulatory landscape: Regulatory readiness is non-negotiable and proven to drive tangible commercial value. How firms proactively manage and reactively respond to regulatory requirements is pivotal.
- Technology and data risks:
  - Data quality, privacy and ethics: The criticality of data is underscored by the multitude of regulatory requirements applied to processing it. Equally, when robustly governed, data can be leveraged to drive operational effectiveness, good customer outcomes and commercial benefit.
  - Technology risks: These risks, including the resilience of technology infrastructure, technical debt, unsupported systems and project delivery risk, fundamentally threaten firms’ ability to operate.
  - Cybersecurity: This is a risk area that accelerated during the pandemic. Organisations must understand their inherent risks and vulnerabilities here and strengthen their cyber prevention, detection and readiness for incident response and recovery. Cybersecurity is a risk that becomes ever more important as firms continue to push their digital boundaries in response to competition and customer trends.
- Operational resilience: Firms’ ability to prevent, adapt to, respond to, recover from and learn from previous operational failures will mitigate any future impact on consumers and their own reputational standing.
- Supplier risk management (SRM): Vulnerabilities can be far-reaching and compounded by unknown supplier risks. Knowing your suppliers and ensuring appropriate mitigations are applied when things go wrong are crucial to protecting a firm and its customers.
- Fraud and financial crime: Firms must meet requirements to have effective systems and controls to detect and reduce the risk of fraud and financial crime.
- The emergence of ESG in a firm’s strategic battleground: A topic at the top of the boardroom agenda, spanning multiple areas that present a new set of risk challenges with unique characteristics.
Each of these risk areas (which we will explore in more detail in future articles) has the potential to materially impact organisations if not proportionately managed – from inviting unwanted scrutiny from regulators, to distracting a business from its strategic objectives. Moreover, businesses with international interests will also need to keep one eye on the inherent associated risks, such as the global regulatory landscape.
To successfully negotiate the myriad risks we see today, organisations should consider three key practical points in 2022:
1. The traditional risk toolkit – controls, limits, measurement tools – is inadequate to manage all of the concurrent disruptive forces a business will face. While these tools are still essential, companies must also develop an adaptive, enterprise-wide culture of risk awareness and mitigation. Managing risk isn’t just about response and recovery, and it is not a matter of defending a company against each and every risk that could come its way. It is more about building insight into risk and long-term resilience to risk through constant adaptation and evolution.
2. Risk cannot be ring-fenced, or simply left to a CRO or the ExCo to handle. There must be an enterprise-wide understanding of the need to generate practical solutions to risk mitigation in order to deliver successful outcomes for the business. Risk-mitigated outcomes, if developed with a “Risk Management by Design” approach, can safeguard organisational value in addition to delivering operational and commercial benefits. There are signs that a wider range of senior leaders – from COOs to CIOs – are increasingly open to embracing and owning the need to integrate a pragmatic risk mindset and subsequent approaches into their functions. Ultimately, this is a matter of survival, facilitating the growth of consumer trust, operational effectiveness and delivery of commercial value if implemented effectively and efficiently. Risk mitigation is not simply a 2nd line control function seeking to mitigate the risk-taking of a 1st line focused on top-line growth – it is a responsibility and duty of the whole organisation to address. When faced with so many rapidly evolving disruptions, only those businesses that are agile enough to adapt will survive and go on to thrive.
3. Risk should not be seen as something to be minimised. In our experience, many businesses make the mistake of seeing risk as inherently separate from innovation and driving value. Where the management of risk is aligned with the delivery of strategic objectives, significant value can be achieved – be it through removing the threat of punitive fines from regulators, innovating with new offerings and processes, strengthening consumer trust and driving good customer outcomes, or taking actions that can help the business succeed in new markets. For example, misuse of data is clearly a major risk for businesses, but when data is captured and used correctly and compliantly, it can be a source of huge competitive advantage.
Effectively managing risk and building greater organisational resilience in 2022 is an imperative. It is about embedding “Risk Management by Design”, irrespective of the industry or geographical market you may operate in. If silos can be broken down to help every function understand the risks it is exposed to, including homing in on the enterprise-wide aggregation of risks and the commonalities in operational controls, and to develop operating structures that foster ownership and effective governance, then a true culture of resilience can be embedded within an organisation’s DNA to successfully manage the challenges ahead.