Risk management overload: crisis everywhere

The coming year will likely see a high-water mark in crisis complexity and disruptiveness, continuing a trend that companies have faced for the past few years.

The feedback loop between drivers of disruption and the disruption they cause will intensify. Expect to see economic pressure and extreme weather feeding into more disruptive elections, state fragility, conflict, mutating cyber, digital and physical risks, geopolitical realignment and mushrooming regulation.

Risk management functions face overload. They are under pressure to perform due to increased expectations. This pressure comes not only from boards but also partners, customers and even employees, all while organisations are focused on reducing costs.

At the same time, the interdependency of risks will continue to complicate the process of assessing and managing risk. For example, geopolitics (see Acting Globally, Surviving Locally) are driving a multitude of political, regulatory, operational and security risks, all with the potential of reputational overspill. But ownership for managing geopolitical risk may not be clearly identified and recognised in an organisation. For example, when energy insecurity is linked to infrastructure deficiencies, corruption or conflict, with a range of threat actors, who owns management of the risk?

Technology is proving invaluable to those managing risk, in the realm of threat monitoring and effective risk mitigation. However, the rapid adoption of tech advances among threat actors may be making it harder to identity sources of threat, assess intent and identify perpetrators - a dynamic well-established in the cyber domain. Technological innovation is enhancing the capacities of the risk management function while at the same time increasing the complexity of the task.

The solution? A right-sizing of risk management for a digitalised, fragmented and fast-evolving world in which risks do not fit neat boxes. Companies which recognise that 2024 demands a holistic and dynamic approach to risk will be the best-placed to thrive through complexity and change. There is greater consensus on the value of risk management than there has been for decades.

Now is the time to make that count. Risk management functions must harness data and technology to most efficiently and effectively source intelligence, process, assess and monitor threats, to present and communicate information, to track management and mitigation efforts. Data and technology should also be used to track the performance of risk management, to report it upwards or onwards. 

But any risk management re-boot must also have an analogue core – a revisiting of risk management fundamentals linked to a reassertion of company values and culture, to ownership, responsibility and accountability. Consistency and clarity on matters of methodology is essential. In many organisations, these building blocks of risk management were dislodged by the demands of the pandemic and, subsequently, of responding to the various crises they’ve faced over the past few years.

Risk management and key resilience departments (e.g., crisis management) must improve integration if they want to be successful in this environment, including partnering in war-gaming, scenario-forecasting, crisis management and contingency planning, and crisis exercises. These initiatives should be engaging, realistic, and perhaps (rightly) sobering.

Perhaps most critically, the world of 2024 demands a multi-disciplinary approach to risk management. In a world where single risks may have a multitude of sources and/or impacts, identifying, assessing and treating risk must be shared across functions in order to be successful. Risk management overload is not inevitable.