The risks that businesses face change all the time. Lately, however, the pace of change itself is accelerating, and this will only continue. This means that businesses need to do a better job of preparing themselves to face new kinds of risk.
Right now, for example, businesses are dealing with supply chain disruptions, large-scale and sophisticated cyber-attacks, significant geopolitical disruption and the multiple challenges posed by climate change. More and more frequently, we see risks that are both interconnected and complex. In our latest risk study, 77% of respondents said that such risks are emerging at a more rapid pace than ever before. And risk managers already have a difficult task in doing their “day job” of addressing financial, market and regulatory risk.
Our research indicates that risk teams have made incremental improvements – such as acquiring new skills and new technologies to identify new threats – and achieved success in some areas, but the pace of change is so fast that they are not making the progress required to manage the growing complexity of risk and the emergence of new threats. Time and resources are finite, and gaps are beginning to show. For example, fewer than half of the risk managers in the study have taken vital steps to fortify their stress testing, such as expanding the range of scenarios covered or involving more stakeholders.
Similarly, fewer than a third (31%) of risk leaders are “very satisfied” with their progress in bolstering operational resilience in the past two years. Resiliency is more important than ever, and, although the front line of the business is ultimately responsible for operational-resiliency testing, risk teams should provide independent scrutiny of the frequency and robustness of these tests. They should also make sure that the business tests its resilience against a broad set of severe but plausible scenarios.
Digital technologies are transforming businesses, but the risk function is not a major user of advanced technologies, again hampering its ability to keep pace with change. Digital transformation also presents risks of its own. Most businesses have accelerated their digital transformation plans in the past year, but risk managers’ ability to assess the risks associated with cloud, artificial intelligence (AI), blockchain, robotic process automation and other new technologies is still not where it needs to be. For instance, only 49% of our respondents said they are “fully capable” of assessing risks associated with their businesses’ adoption of cloud. This makes it difficult for the risk function to challenge or provide insight to the business/IT leaders around the risks of digital transformation.
Risk teams need to move faster. Using technology can both accelerate the pace of change and lead to faster execution. Technology can automate many activities now done manually and can free up risk teams to spend more time on preparation, while data-focused technologies can provide insights into new and emerging risks. Teams can head off some problems before they occur and to navigate others with minimal disruption to the course of business. For example, risk teams can harness AI to index, assess and alert the organization about new regulatory requirements, while analytics can be leveraged to unearth compliance bottlenecks.
To deal with fast-paced change, however, risk teams need a robust platform from which they can scale and operate with agility. The ultimate objective is to incorporate innovation, preparation and, finally, execution, supported by data and insight. Practically speaking, this means: 1) adopting and using new technology effectively within the risk function; 2) bringing new modeling, analytics, and technology skills into the team; and 3) forging deeper connections with the wider business while maintaining independence to challenge business assumptions and practices.
Risk executives have made progress in the last two years, whether it be their understanding of new threats or participating in growth initiatives, but it’s not enough given the increased complexity of risk. Unfortunately, there are no quick fixes; risk teams need to keep experimenting with new technology, while improving their understanding of digital threats, adding new skills and building stronger connections with the rest of the business along the way. The ones who prioritize preparation, resilience and going the extra mile will give their businesses more confidence in future growth and transformation initiatives.