Gone are the days when a business was relatively insulated from distant external circumstances or when it had a clearly defined set of internal issues to manage. Now complex enterprise risk management is a must for surviving a raft of dangers.
Global risks, affecting societies and wider economies, are of major concern to businesses, particularly to those operating in multiple markets. In recent months, continued economic stagnation and the challenging job market, extreme weather and the Ukraine-Russia dispute have all weighed heavily on companies’ outlook.
The knock-on effect of some of these problems can be serious, says Harry Gaskell, an advisory managing partner at consultancy EY. “They are being discussed and prepared for within businesses,” he says. According to consultancy KPMG, 47 per cent of companies see enterprise risk management as a vital function.
Wider economic concerns top the list of risks and will continue to do so, a study by insurer Aon concludes. “The awareness of these external risks is definitely heightening,” says David Croft, Aon’s UK managing director of global risk consultancy.
The World Economic Forum (WEF), which hosts an annual meeting of world and business leaders in Davos, Switzerland, shares this perspective. Margareta Drzeniek, a director, explains that businesses are “genuinely concerned” about what will happen next, “and are often withholding spending”. The body, which ranks risks based on the results of high-level surveys, lists structurally high unemployment as another major peril.
The WEF and Aon are far from being the only organisations to cite wide economic factors so highly. In their annual risk reports, PwC, KPMG and EY all highlight this threat.
Natural crises are also high on the agenda. A shortage of water is third on the WEF’s list, and within the top ten are the potential failure of climate change mitigation, a greater incidence of extreme weather and food shortages.
Businesses equally fear the effect of these natural events on their increasingly lean supply chains. “Natural disasters, such as earthquakes and floods in Asia for example, can prevent critical components, parts and raw materials from arriving in Europe or the US,” says Razat Gaurav, a senior vice president at supply chain software firm JDA. In addition to this, currency fluctuation can affect both fuel prices and the cost of raw materials for manufacturing.
Third-party business behaviour presents a further risk. According to Qadir Marikar, head of commercial assurance at PwC: “Companies regularly outsource other highly sensitive functions such as drilling for oil and handling data.” Disastrous examples involving distributed risk going wrong include BP’s Gulf of Mexico oil accident and the London 2012 Olympics security fiasco.
Reputational problems can easily follow risk-taking. “Most are the outcome of a failure to plan for and handle risk successfully,” says Jeremy Harrison, chief executive at the Institute of Risk Management.
On social media, bad reputation can develop in minutes and it is the company doing the outsourcing, rather than the third party, that has the worst risk profile. “When something goes wrong, it tends to involve a number of companies,” says Mr Marikar, “but what the public really comprehends is the main name, such as BP in the oil spill.”
The breadth of oversight is widening all the time and there are around 100 new items of regulation daily
Failure to comply with regulation is another danger and finance is one industry facing a particularly complex set of rules, after the reckless behaviour leading up to the 2008 crash. Chris Perry, managing director of risk at market data business Thomson Reuters, says businesses need to take regulation seriously. “The financial risk is immense and there is a chance of going to jail. The cost of compliance is very high, but the cost of non-compliance is far worse,” he says.
In this environment, Thomson Reuters runs a significant business to assist firms in monitoring trader behaviour and meeting regulation. “The breadth of oversight is widening all the time and there are around 100 new items of regulation daily,” Mr Perry warns.
Meanwhile, information security is a fast-growing area of concern and is a topic everybody underestimates, according to Mr Gaskell. “The question is not only how to keep people out, but how to accept the ongoing risk and protect data,” he says. Dangers abound. Cyber attackers could shut down a business’s operations, switch off an energy grid or access a military network. Monitoring the resilience of infrastructure has never been more important.
Businesses also face a serious threat around their continued ability to meet customer needs and Aon cites this as the sixth most important risk, potentially rising to fourth in two years. Grant Foster, Aon’s head of UK enterprise risk management, says: “In tough economic times, many businesses have not been able to spend money on innovation. They are also bogged down in processes and can miss trends.”
The search for human capital to fuel this innovation is becoming evermore difficult. This is a paradox, Mr Marikar notes: “The number of people unemployed is particularly high, but companies are under strain and have real problems recruiting talent.”
The risks seem almost limitless and many companies make a serious effort to address them. But enterprise risk management is rarely as comprehensive as it needs to be. Businesses often take a tick-box approach, particularly with corporate governance, Mr Marikar says, adding that whether or not they have a chief risk officer, they need to make sure the risk culture is truly embedded throughout the organisation.
There is significant room for improvement in risk management, even though many of the more successful business leaders inherently appreciate the need to balance caution and ambition, says the Institute of Risk Management’s Mr Harrison. “Companies must constantly have risk on the agenda by encouraging dialogue.”
One way to begin understanding the level of risk is to outline the costs involved. Mr Foster at Aon explains that businesses can start by looking at the worst-case scenario and quantifying the maximum foreseeable loss, as an insurer would. They can then consider smaller, but more probable risks.
Companies are increasingly turning to software to help predict the dangers and to monitor suppliers. JDA’s Mr Gaurav explains: “These tools enable people to model risk scenarios in depth, understand the end result of these risks and have early notification of any problems.”
But the softer side of risk often eludes businesses. “There is a real psychology to why people do things and how risks emerge,” says Mr Harrison. “Companies need to understand the way that their incentives and team structures affect risk-taking.”
The WEF encourages business and government leaders to talk more about the hazards and solutions. But there is not enough being done by businesses in this area, Ms Drzeniek says, adding that there has to be “discussion for real change”.
Bad scenarios are guaranteed to happen from time to time, so risk consultancies, insurers and industry bodies all encourage businesses to document and try out their risk response plans in practice. As Mr Gaskell concludes: “The key is that businesses accept risk and are truly ready to act.”