Building resilience using a forward-looking view of risk

Hayley-Beth Peters Director - Enterprise Risk Management Lead, Non-Financial Services, PwC United Kingdom 18 Oct 2021

These are turbulent times for organisations and their boards. Few anticipated a global pandemic, but in general, organisations have adapted extraordinarily well. We should ensure we take positive lessons from how we adapted during this period, including a proactive and agile approach to risk, because big challenges lie ahead – not all of which we will be able to predict.

For example, climate change and digitisation, and the accompanying cyber security risks, are high on the agenda. Our economics team has modelled how these global trends will likely manifest in the UK economy, but these models do have uncertainty – what’s certain is that businesses and their boards need to prepare for a period of transformation and volatility.

To succeed in this environment, organisations need to change the way they predict and manage risk, so they can build resilience and confidently act on new opportunities.

Rethinking risk

The shock of the pandemic put risk centre stage, creating an appetite for a fresh approach. We see genuine recognition among boards that risk must be a key part of strategic decision making. However, we are in uncharted territory – there are no lessons we can take from recent history about how to successfully manage the risks that emerge from a global pandemic.

As a result, business leaders need to adapt the way they analyse data to get a forward-looking view of risk and alternative paths of action.

Through our economic modelling, we’ve combined long term scenarios with shorter term economic data signals, to create a list of overarching risks that society will have to respond to over the coming years. These are:

Overcoming the global talent shortage to deliver on the promise of technology advances and economic growth
Harnessing changing behaviours and expectations to drive sustainable growth
Rebuilding resilient global supply chains, which provide competitive advantage
Accelerating economic recovery while reducing inequalities
Responding to increasing cyber threats and building a secure digital society

The scale and complexity of these challenges should dispel any ideas that risk management is a tick box exercise to be completed by the board once a year. Instead, risk needs to become integral to business strategy. All employees should understand and be comfortable with risk, so they are empowered to make confident decisions.

Many clients I speak to are already changing the way they discuss risk. For example, by viewing risk as something that’s neutral or even an enabler of business strategy, you can move away from a culture that treats risk as something negative that needs to be avoided.

Organisations also need to embed greater rigour when balancing risk and reward. This comes from having a forward-looking, quantifiable view of threats and risks, so boards can determine their priorities and act on them, for example by adjusting strategy or making contingency plans.

A forward-looking view of risk

Advanced risk modelling and quantification is a critical part of building resilience and creating a strategic advantage. It moves us away from static risk registers to a dynamic, real-time view of the risks facing an organisation.

Those firms that are more advanced are able to pull data from across an organisation, apply tailored modelling, and create actionable insights through risk and performance dashboards. These might be used to create risk alerts for the board, set and monitor risk appetite, or to identify the key high-risk areas requiring attention and remediation.

If we take cyber security as an example, we are seeing an increasing focus on data-driven and forward-looking risk metrics as a key tool for monitoring cyber risk and spending decisions. We are already working with clients across different industries, including financial services, FMCG and telecommunications, to help them quantify cyber risk in financial terms, and to set up an appropriate suite of risk metrics.

It works by benchmarking the strength of their security capabilities, before using threat intelligence data to model how their organisations might be affected by changes in the cyber threat landscape. Historical data on previous cyber incidents can then be used to understand the potential impact in terms of data losses, operational disruption and financial penalties.

Supply chain risk can be quantified using similar techniques. To measure resilience, organisations should model the impact of different scenarios to identify pinch points, dependencies and the probability of their supply chain failing.

By building this type of analysis into continuous risk monitoring, organisations can understand risk in financial terms and make better decisions about how they should respond. For example, the CISO can show the board that every £1 spent on a particular cyber security control will likely result in £7 of risk reduction. The ultimate outcome is that organisations are better prepared for future disruption and ensure they are making the right investments to build long-term resilience.

The ultimate outcome is that organisations are better prepared for future disruption and ensure they are making the right investments to build long-term resilience.

A new era of risk

In an era of rapid transformation and growth, organisations need to think differently. We need to seize the momentum and ensure organisations continue to rethink how risk can drive their business strategy.

This starts at the top. Board members need to be comfortable taking a proactive, forward-thinking approach to risk, so it becomes a natural part of strategic decision making. This then sets the tone for everyone else.

And if people are empowered with the tools and autonomy to make confident risk-based decisions, an organisation becomes more agile and able to adapt to evolving challenges and, crucially, harness opportunities that lie ahead.