Chapter 1
Refocus on the upside
By identifying the risks that double as opportunities, risk teams can play an important part in helping their businesses to grow.
Risk teams can help their business’s growth and transformation plans by thinking more strategically about risk. Practically speaking, this means spotting emerging risks early and communicating the potential upside to senior management.
“The role of the risk team is to constructively challenge ideas and push people to see both sides of the coin, that of opportunity and of the potential downside,” says Christian Okholm, Manager of Group Reporting & Insights at Novo Nordisk.
Take the example of changing customer expectations and preferences, which risk leaders rank as the greatest strategic opportunity for their business. As part of their risk mitigation efforts, risk teams should already be trying to predict how customer preferences might evolve to determine the potential negative impact on their existing set of products or services. But if detected and communicated to senior management early enough, the business may be able to innovate its offerings to better meet customers’ new preferences and therefore capture market share.
This is exactly what the ERM team at US convenience store chain Wawa is working to achieve. Wawa’s risk around customer experience, trends and preferences centers “around effectively understanding, connecting and providing consumers with the products, services and experiences they need and expect in an ever-changing competitive landscape,” explains Michael Eckhardt, SVP, Chief Legal and Risk Officer at Wawa. “We are focused on ensuring the ERM process helps the business to understand how changing consumer preferences create opportunities by enabling us to bring products to market, advertise more effectively and build better customer focused experience.”
The role of the risk team is to constructively challenge ideas and push people to see both sides of the coin, that of opportunity and of the potential downside.
As another example, risk teams across various industries will likely already monitor potential new market entrants to gauge competition risk. If an emerging competitor is identified early enough –perhaps one that is venture-backed and has particularly disruptive technology – it could also represent an acquisition target and potential strategic opportunity for the business.
Aside from alerting the business to looming threats that can be converted into opportunities, the risk team can contribute to growth and transformation by refocusing on more growth-orientated tasks. This may mean deploying the risk team’s analytical and modeling capabilities to evaluate new business models or growth markets, or conducting risk assessments to identify and measure potential issues when implementing new technology or launching a new product.
Business alignment and connection is crucial
Risk managers can only support their business’s growth and transformation plans if senior risk professionals and senior management outside the risk team are aligned on strategy. But our survey data shows that when it comes to aligning risk and business strategy, 57% of CROs are, at best, moderately effective at it.
The survey data also reveals a disconnect between senior business leadership and risk managers when it comes to their view of their business’s top strategic opportunities. For example, board directors and CEOs rank technology disruption as the number one strategic opportunity for their business. In contrast, risk managers rank this as their business’s least important strategic opportunity. Risk leaders are also much more likely than boards to consider changing consumer expectations as a major strategic opportunity. This may be because boards focus on opportunities that they can proactively seize by, for example, investing in new technology. In contrast, risk leaders may be more focused on opportunities associated with trends outside of their control that they have to react to, such as changing customer expectations. Whatever the reason, risk teams stand little chance of assisting the business with its strategic priorities with this disconnect.
Senior risk personnel also need to have a strong connection with the wider business to convey their views on potential opportunities. Eckhardt believes that regular meetings between the CRO or equivalent and other senior management can help achieve this. “We have an ERM internal steering committee that includes our CFO, our chief strategy officer, the chief risk officer and our director of internal audit,” he says. “We meet quarterly, and that ensures that we’ve tied strategy to risk and risk to strategy.”
Their relationship with the wider business aside, risk teams also need to have access to the internal and external data – and the technology that helps them to process and analyze it – in order to spot distant risks (see Chapter 3).
Chapter 2
Unearth risk interdependencies
Gain insight into the true consequences of risk.
Major risk events can completely disrupt a business’s growth and transformation plans. The added challenge today is that risks are increasingly connected and can cascade quickly. A seemingly unlikely and low-probability risk event has the potential to rapidly snowball into an existential crisis. As Gautam Jaggi, an Insights Director at EYQ, argues, “We are at risk of underestimating ticking time bombs not just because they are correlated with time, but also because they are correlated with each other.” Understanding these correlations is critical because risks that appear unrelated to one’s business (and are therefore often dismissed) could set off other seemingly unlikely risks that do directly threaten the business.
46% of risk leaders are, at best, moderately effective at understanding how different risks are interconnected.
The global pandemic is the most obvious example, with COVID-19 exacerbating multiple financial and operational risk categories. In addition, climate change risk has the potential to impact not only operations should an adverse weather event cause a power outage or flood, but also disrupt supply chains and displace customer bases. It also creates reputational risk if businesses are not perceived to address this issue.
It’s therefore vital for businesses to understand how risks are connected: a full appreciation of risk interdependencies provides businesses with a more accurate picture of the true potential impact of threats. However, the survey data reveals that risk leaders currently struggle in this area: almost half (46%) are, at best, only moderately effective at understanding how different risks are interconnected. Despite this shortcoming, the survey data shows that improving this capability is not a top priority.
This may not be high on risk managers’ agenda because they are unaware of the tools that are available to help them. Illustrating this, despite the majority (65%) of risk leaders being satisfied with their use of data and technology to identify and understand risk interdependencies, we know from our work with clients that many do not use the latest new technologies that provide completely new insights into risk interdependencies. Board directors certainly identify this as an area of improvement: compared with risk leaders, far fewer (45%) are satisfied with their organization’s use of data and technology to understand how risks are connected.
How can technology help? Advanced technology, such as artificial intelligence (AI), can be deployed to assist businesses in modeling and understanding connections between risks. For example, AI can be used to discover risk interdependencies through internet research. It can automate basic risk research, identify important risk statements in unstructured external documentation, compare this with internal data, and then undertake causal analysis to identify risk interdependencies.
Chapter 3
Technology and data can help see around corners
Despite new technology’s vast potential, budget is unavailable.
The power of technology
New technology and data have immense potential to assist risk teams. As a starting point, automation technology can be used to process low-value manual tasks, including simple data processing or risk model verification. This frees up risk professionals’ time to focus on some of the growth-orientated initiatives described earlier.
Risk management platforms, which risk, non-risk professionals and even third parties can use to input and view key risk metrics across the business, can also be highly valuable in enabling risk teams to spot emerging risks. By creating standards about how key risk information needs to be entered by different teams across the business, analyzing risk trends becomes much easier.
Besides the risk team, I see much more importance on how the business as a whole uses technology to mitigate risks.
Software aside, cloud infrastructure can also be leveraged to give risk teams the data storage capacity and analytics firepower needed to conduct horizon scanning, scenario planning and stress testing based on multiple variables. This type of analysis enables risk teams to more effectively detect weak signals of an atypical and distant threat before it materializes into a major risk.
Technology can also be used to identify threats. Jeanne Cheng, Chief Risk Officer at energy company SP Group, provides an example. “Besides the risk team, I see much more importance on how the business as a whole uses technology to mitigate risks,” she says. “For example, we use technology to monitor and analyze the condition of gas pipes in our network for timely detection of anomalies, as this can be a precursor to an outage. This enables us to take a pre-emptive response. We also use new equipment like in-pipe CCTV cameras to locate weakness in the pipes, which enables us to do corrective maintenance more efficiently and effectively.”
Although the risk team won’t use these technologies directly, it can still play a role in overseeing how frequently they are being deployed and that the insights provided are acted upon.
Overcoming investment hurdles
Despite its vast potential, risk leaders currently do not fully utilize technology and data: almost half (48%) say they are, at best, only moderately effective at leveraging data and technology to be predictive, detect risks and opportunities early, and improve decision-making.
Although there appears to be a capability gap in this key area, risk leaders appear reluctant or unable to make the investment that is required. The survey reveals that less than half (47%) of risk managers intend to increase their level of investment in data and technology for risk management in the next 12 months, compared with 69% of board directors and CEOs. Risk leaders are hesitant to invest despite the willingness of board directors and CEOs to do so.
This may be because risk leaders are not aware of the value that technology can add, or because they have been unsuccessful in securing budget for technology investment in the past.
Either way, bringing new skills into the risk team can help (see Chapter 4). Data scientists will improve the risk team’s data and technology expertise, and open their eyes to the benefits that technology can deliver. Individuals with previous business experience outside of audit and risk functions can also help to make the case for technology investment because they will likely be better at articulating the business benefits.
It’s also vital to start small. Risk teams stand the best chance of securing budget for technology if they can demonstrate the benefits of a pilot technology implementation.
Chapter 4
Augment and diversify skillsets
Risk teams will have to upskill rapidly and strategically if they want to help their businesses transform and build value.
Even if they possess the most “bleeding-edge” technology, risk teams will fall short in their efforts to support the business’s growth and transformation plans if they don’t have the necessary diverse range of skills. Although risk leaders do not consider a lack of the necessary skills to effectively utilize data, technology and analytics to be important, board directors and CEOs identify this as the top obstacle.
According to the survey data, many risk teams struggle to raise the skills profile of their teams. Almost half (48%) are, at best, only moderately effective at upskilling the risk function. Despite this obvious capability gap, risk leaders rank upskilling the risk function as one of their lowest priorities in the next two years. Perhaps they are not sure which skills they will need in the future or lack the budget to obtain them. They may also simply be focused on other priorities. Whatever the reason, the apparent lack of focus on skills needs urgent reassessment.
Plugging the skills gap
How can risk leaders augment and diversify skillsets? The first step is to carefully consider which capabilities will be needed in the future. This depends on the characteristics of the individual company and existing strengths and weaknesses, but technologists, data scientists and individuals with business analytics expertise will almost certainly be required.
In addition, risk leaders need to ensure that their teams possess a diverse array of hard and soft skillsets. This includes communication and collaboration capabilities and the ability to adapt and be agile so that the team can pivot to focus on new priorities as needed.
Being able to speak the language of business is also a must. Individuals who can understand business problems and translate often-complex risk metrics into business insights that are understandable by people outside of the risk function will be in high demand. “Rather than having employees skilled in a particular risk category, it is valuable to have a combined range of experience in different areas of the business and from other industries as well,” confirms Jeanne Cheng of SP Group. “Diversity of risk experience is helpful.”
Risk leaders also need to think through how to recruit these individuals, since many data scientists may not consider the risk function an obvious career destination. One practical way to achieve this is to establish secondments or placements so that data scientists recruited to the wider business are placed within the risk team on a short-term basis. This not only ensures that risk teams get access to the capabilities they need but also helps to establish connections between risk and the wider business.
Sometimes, the risk team may not need all of these capabilities within the function itself. For example, there is no need for risk teams to run supply chain scenario planning if the supply chain team already does so. In this case, the risk team has the opportunity to become a center of excellence, monitoring and overseeing that risk analysis is conducted effectively within the business. In addition, the risk team will need to evaluate potential correlations between risks being monitored by individual functions to ensure that weak signals of emerging threats are not missed.
Conclusion
New business models and technological disruption. Risk cascades created by COVID-19. Inescapably urgent climate change crises. This is a time of rapid change and escalating risks. To succeed, businesses need a fundamentally different approach to risk: moving from risk management to risk strategy that is an integral part of business strategy. Risk leaders will thrive by exploring risk interdependencies. They will invest in AI and data capabilities to develop early warning systems and free their time for higher-order activities. Get this right, and you can transform your risk function from managing downside to becoming an engine of growth and innovation.
Summary
To succeed, CROs must shift from risk management to creating a risk strategy by focusing on upside opportunities and risk interdependencies. The way forward will be through new technology and data and a more diverse set of skills within their teams.