Last month, we looked back 30 years and reported some of the powerful lessons learned from that period with respect to risk management (with a particular focus on the last 15 years). During the last three decades, we have seen risk management evolve to a more holistic view that portrays an enterprise risk profile to help management and directors understand the full array of risks facing the organization. Access to data necessary to better understand and manage risk has never been greater. Both internal and external data sources can be combined to create more insights than ever before. While the processes used to update risk profiles certainly help executives answer the question, “Are we riskier today than we were yesterday?”, progress has been curtailed by continued emphasis on fragmented silos, ineffective measurement and monitoring of risks, subordinating risk to an afterthought to strategy setting and positioning risk management as an appendage of performance management.
The good news is that today, largely because of the financial crisis, risk management has made its way onto the agendas of executive management and Boards of Directors as a critical discipline and a necessary part of good governance. This is a base upon which we can build as we go forward. The heightened level of importance at the highest levels of organizations will accelerate improvements in risk management in the future.
The next 30 years will produce three broad trends, or themes, in the pursuit of answers to the question, “Will we be riskier tomorrow than we are today?” The first will be greater integration of risk management into an organization’s fundamental management practices (the “integration theme”). The second will be recognition that the primary purpose of risk management is to position the organization to face change with confidence as an early mover on emerging opportunities and threats (the “early mover theme”). The third will be significant advances in techniques for measuring and monitoring risk (the “capability advancement theme”).
The integration theme is all about integrating risk and risk management with what matters in running the business. Several developments will make this happen:
- Explicit recognition of the vital importance of effective, principles-based risk governance – To be effective, risk management requires several conditions to be present. These conditions include a fully engaged Board, a bought-in CEO, an open and transparent risk culture, a compensation structure that balances short- and long-term interests, an organizational commitment to responsible business behavior and, most importantly, an organizational will and discipline to act in a contrarian manner when the warning signs signal a market opportunity or emerging threat is at hand.
- Integration of risk with core management processes – Over the next 30 years, the ad hoc “art form” of integrating risk with strategy development, business planning, sustainability and other core activities will evolve into a seamless, mature process. The most successful companies will differentiate themselves through this integration, as they will elevate risk to a strategic level to manage uncertainty during management’s long-term planning horizon, increase accountability for achieving business plans and increase the robustness of corporate sustainability initiatives.
- An ongoing, explicit and impactful risk appetite dialogue – Once the critical risks are identified, successful companies in the future will have a more formal process in place for defining the amount of risk the enterprise is willing to accept in pursuing its strategy for creating enterprise value. These companies will use the risk appetite statement as a benchmark for an ongoing dialogue between management and the Board AND drive it down into the organization to impact decision making and provide strategic, operational and financial boundaries around risk-taking behavior.
- More effective intersection between risk management and crisis management – More companies will consider velocity and persistence of impact and response readiness when evaluating “high impact, low likelihood” risks in the risk assessment process to provide greater insights to management on where to improve preparedness. This connection will drive updates in response plans and creation of rapid-response teams.
- Recognition that an end-to-end, extended enterprise view of the value chain is vital to managing risk, requiring consideration of upstream and downstream relationships – The past 30 years have blurred boundaries between organizations such that an enterprise is almost always boundaryless in a global marketplace. During the next 30 years, the companies that manage risk using an end-to-end enterprise view of the value chain will be far more successful than companies that do not. This means obtaining greater visibility in the full chain by looking upstream to supplier relationships, including the suppliers of critical suppliers, as well as downstream to distribution channels, customer relationships and all the way to the ultimate end user to identify the most critical risks and exposures to changing conditions. This perspective focuses on all intermediaries between producers and end users, including which ones are vulnerable and which ones are not (both at the present time and looking forward). The objective is to solidify the organization’s position within the value chain as well as reduce the risk of losing strategic partners or becoming disintermediated.
- Continued expansion of risk-management disclosures, with the market rewarding companies able to deploy risk management as a differentiating skill – The risk factor, financial reporting footnote, proxy and other disclosures that exist today are likely to expand further in the future. Savvy investors will recognize that protecting enterprise value is as important as creating it and will facilitate the flow of capital to those companies with the best track record for making the best bets in the global marketplace. The market will reward those companies able to increase the transparency and communication of risk within their extended value chain and quickly identify and respond to environment changes that alter their risk profile.
The early mover theme emerges out of widespread recognition that rapid and disruptive change is a constant business reality rather than an occasional thing. During the next 30 years, we will see profound changes in the world as we know it – the rise of emerging markets, continued impact of technology innovation (including technologies we can’t even imagine today), continued expansion of information access to consumers and businesses, an aging population and changing demographics and increasing inter-connectedness across the globe creating exposure to competition from anywhere.[1] With life cycles of business models continuing to compress, those organizations that are able to quickly discern the opportunities and risks that matter and act on that knowledge are likely to be the ones that survive and prosper.
Several developments will facilitate this theme:
- The dynamics of future change virtually ensure a few “mainstays” on the risk profile of most organizations – In the future, there are certain risks we can almost always expect to see in most risk profiles due to the uncertainty they will create over planning horizons. These risks include: regulatory change, economic conditions, cyber threats, attracting and retaining top talent, succession challenges and compressing product life cycles.
- Formal monitoring of the environment for changes in critical assumptions underlying the strategy – In the future, strategy setting and risk assessment will increase an organization’s sensitivity to change by (1) facilitating a more explicit articulation of critical strategic assumptions, (2) applying scenario analysis to evaluate situations arising from an event or combination of events that could invalidate one or more of the critical assumptions and (3) monitoring relevant key factors and trending metrics to ascertain whether the critical assumptions remain valid over time.
- Competitive intelligence will be aligned with key drivers evidencing whether high-impact scenarios are either developing or have occurred – Successful companies will insist that information and insights around strategic assumptions, scenario analyses and intelligence gathering be distilled and communicated to decision makers and the Board of Directors on a timely basis so that the impact of changing market realities on critical strategic assumptions is considered.
- Ability and discipline to act decisively in response to changing market realities will be critical to success – Managerial intuition and ingenuity in translating information regarding the reality of altered strategic assumptions into appropriate revisions to strategic, business and product plans will mark the difference between winners and losers. It will be an established principle that having knowledge of an emerging opportunity or risk without undertaking a process to convert that knowledge into hard choices and actionable plans is as useless (and lethal) as having no knowledge at all.
- An early mover is committed to continuous improvement – The speed and complexities of business will lead to occasional errors in judgment, resulting from failure to either recognize an emerging opportunity/threat or react to that knowledge. Early mover companies will (1) encourage admission and sharing of errors and learning from them and (2) internalize lessons learned by converting them into effective process and product improvements.
The capability advancement theme is about advancing risk measurement and monitoring. The following are examples of developments that will facilitate this theme:
- Integration of risk management with performance measurement and reporting – In the future, the most successful companies will effectively intersect risk management with performance management by considering an understanding of the risks inherent in the strategy, along with the company’s risk appetite in setting key metrics and targets.
- More effective cascading of risk tolerances into the business using a scorecard of lead and lag indicators – The most successful companies will define actionable risk tolerances that fall within the scope of their established risk appetite and use them to establish stronger accountability and discipline in the organization.
- Continued evolution of risk quantification techniques by leveraging enterprise data availability and increasingly sophisticated measurement tools made possible by leaps in computing speed and data storage – In the future, simulations like Monte Carlo will be applied in a systematic, comprehensive risk assessment and fully supported by senior management as the volatility of an ever-changing business environment makes a single-point (or deterministic) view of the future useless in the planning process. Decision makers will be better armed with inputs on probabilities when evaluating options.
- Progress in monitoring risk – We envision progress in using more technology capabilities in monitoring risk, mining data and establishing automated escalation triggers and early-warning capability.
- The emphasis will be increasingly forward-looking – We expect further improvements on definitively measuring risk, simplifying views of the risk profile and making it more concise, transparent, practical, cost-effective, scalable, flexible and decision-useful. This will be the focus of the next decades at all levels – executive management, the Board of Directors, unit management, key stakeholders, etc.
- Progress in measuring the value of risk management – We envision progress on the aspirational objective of measuring losses prevented so that the true “value” of effective risk management can be separated from “luck” or good fortune.
- Everyone becomes a risk manager – There will always be multiple lines of defense providing checks and balances in managing complex, volatile risks; however, in the future, responsibilities and accountabilities for managing risks will be clarified more crisply for operating units and process owners so that management of the tension between creating enterprise value and protecting enterprise value will be more seamless and provide a focal point for everyone.
As the financial crisis taught us, speed is what matters. In the future, disruptive change will be the norm. The ability of investors to transfer capital rapidly across borders will make a catastrophic loss of market confidence, reputation and brand image truly lethal. The metaphor of “light speed” sets the context in which 100-year old companies evaporate or become near-extinct in a relatively short period of time if they are not agile and adaptive to sudden, unanticipated change in the competitive landscape, whereas in the past it may have taken a decade or more.
Over the last 30 years, we’ve learned that speed is what enables companies to gain competitive advantage by adopting “early mover” status. Looking forward over the next 30 years, early movers will be the ones that survive and thrive. To that end, we can expect risk management to (a) become more integrated with strategy setting, business planning, performance management and sustainability; (b) provide more insights around identifying and responding to rapid change; and (c) offer information for decision making at all levels of the organization that is more timely, iterative and actionable.
[1] No Ordinary Disruption: The Four Global Forces Breaking All Trends, Richard Dobbs, James Manyika and Jonathan Woetzel, PublicAffairs, New York, 2015.