Rethinking Risk – Strategies for Today’s Changing Business Climate
In the aftermath of the financial crash, many firms have taken a fresh look at their risk management approach. The formal Enterprise Risk Management (ERM) systems in the financial services industry were considered the most sophisticated in the world, but it is clear that these systems failed spectacularly. What is less clear is what these failures mean for the evolution of risk management across a broad range of non-financial industry sectors. More recently, the huge oil spill in the Gulf of Mexico has raised additional fears about the risks of using advanced technologies in complex environments such as deep-water drilling. These two major disasters have raised many questions about the ability of both business and government to manage complex economic and technological risk.
Yet even before these dramatic events, forward-thinking companies were already feeling the need to rethink their risk management approach in order to respond more effectively to changing business conditions. Whereas many companies used to manufacture standalone products or provide discrete services, today they must deliver constantly changing technology-enabled offerings that are closely integrated into complex global supply chains and ecosystems. This emerging business climate demands the co-evolution of business and IT, and is creating very different risks and opportunities.
From a traditional IT perspective, the need to rethink risk management has also been growing for some time. Even before the financial crash, notions of IT risk were beginning to shift away from the traditional focus on system reliability and integrity, toward safely supporting emerging business requirements such as smart products, global collaboration and employee empowerment. IT’s role used to be providing data processing to support business processes; now it is more and more likely that IT functionality is the business process. Additionally, IT – and particularly the internet – continues to generate a new set of dangerous threats in areas such as malware, customer data loss and, increasingly, cyber warfare.
These emerging business and technological challenges have made the topic of risk management both complex and pervasive, and often nearly impossible to address comprehensively. In this report, we will first identify the lessons of the financial and oil spill disasters, as well as the new challenges coming from the internet. We will then show how companies are responding to these challenges, and how we see the topic of risk management evolving as business and IT become ever more inseparable. The report concludes with a glimpse of some of the frontiers of advanced risk analysis research, and some of the thinkers whose work we most admire.
Figure 1 – Risk can be thought of in many different ways
The word risk has many different nuances and connotations. To some, the associations are primarily negative: liability, loss, failure, embarrassment, etc. From this perspective, the overall message is one of caution. But for others, especially entrepreneurs, risk is inseparable from business and capitalism itself, and thus the strongest connotations are much more positive in nature: reward, gain, winning and so on. But as suggested by the colour-coded figure, the downside worries (red) tend to outnumber both the upside opportunities (green) and more neutral language (blue) associations. It’s one reason why entrepreneurs are only a small percentage of the overall population.
One thing all of our clients agreed on is that the word risk is being used with increasing frequency inside their organizations, and that because of the financial and oil spill disasters, societal tolerance for business risk and trust in business values have been seriously shaken. A decade ago, the dot-com crash and the scandals at Enron, WorldCom and others led directly to Sarbanes-Oxley. The net effect was more burdensome, but not transformative, regulation. Exactly what will come of today's debacles remains to be seen, but the consequences will likely be much more significant. Companies are already preparing for a more regulated and punitive world. With the exception of China and other fast-growing markets, the cautionary side of risk management is clearly on the rise, with potentially significant economic implications. How long this cautionary cycle will last is anyone's guess.
Figure 2 – Business and IT often see risk very differently
This gap between those who see risk mostly in terms of fear and those who see it primarily in terms of potential gain is particularly striking when we compare the traditional business and IT perspectives. Partly by inclination and partly by necessity, IT staff have historically tended to be on the cautionary side of the fence, preferring detailed systems, rules and procedures that can give outsiders the impression that the Enterprise IT function is a land of "No". Over the years, this has meant no PCs, no LANs, no mobile phones, no Internet access, and today no iPhone, no Facebook, no cloud, etc.
In contrast, business leaders generally prefer to see themselves as coming from the land of "Yes", frequently using slogans such as "Let's try it", "Nothing ventured, nothing gained" and "Go for it". Leadership, innovation and competitive advantage, among other areas, are largely dependent upon the willingness to take calculated business risks. To the entrepreneurially inclined, business and risk are inseparable. If you don't want to take risks, don't go into business. It really is that simple.
Recent events appear to be narrowing this gap. On the one hand, the financial and oil spill disasters have seriously dented business confidence and appetite for risk, making many business leaders much more likely to say "No". At the same time, accelerating technological progress and related business pressures for smarter, more connected and more mobile organizations are making it necessary for Enterprise IT to learn to say "Yes" more often. Taken together, these changes suggest that the traditional separation between the lands of "Yes" and "No" may well shrink considerably and perhaps permanently, an important step toward the true co-evolution of business and IT.
Figure 3 – There are a number of formal ERM models
As with information security, governance and other IT management issues, there is no shortage of comprehensive risk management frameworks available. Many are similar to the ISO model shown above, and at first glance they appear to be on target. Identifying, evaluating, accepting, communicating and monitoring business/IT risks seems entirely logical, and encourages rigorous actions and processes. Many firms naturally start their risk management initiatives with one of these frameworks.
However, implementing such comprehensive risk management processes is much easier said than done. Once companies start to systematically identify their risks, they quickly discover the extent to which business and risk really are inseparable, and that virtually every facet of company activity can spawn its own web of risks and rewards. The process is effectively unbounded, which is why some company risk initiatives become sprawling and unfocused, and lose management attention over time. If risk and business are essentially one and the same, risk management initiatives not only can but in many cases should become hard to distinguish from strategic and operational reviews. That is a good way to align risk management with today's rapidly changing business environment.