Are complex organizations resilient and ready for the future?
Polycrisis[1]. Unprecedented. Historic. Extreme. These are just some of the headlines entering the inbox of every organizational leader. The world is changing at a rapid pace, regulators and shareholders are adding to the governance requirements, and you may be coordinating actions across multiple business models, markets and timezones.
With the world’s largest 100 companies responsible for $17.7 trillion[2] of revenue, the value at stake from the wrong action – or worse, inaction – requires shared understanding and a unified strategy. It is not surprising that the world’s biggest companies are paying renewed attention to how they can identify the emerging trends driving the cascade of risks and opportunities, to explore how these will not only impact their risk framework, but also be forces for growth.
Artificial Intelligence (AI) stands as a current siren lure, with projections suggesting generative AI could create $13 trillion in economic value[3] with a clear call to businesses: Evolve with AI or risk falling behind. History is littered with examples ranging from organizations missing opportunities to pivot business models to the failure of boards to engage with important risks, such as risks to reputation and ‘licence to operate’, to the same degree that they engage with reward and opportunity. Nobody wants to be the next Blockbuster and experience the disruption of their business model, something that could have been avoided by stretching the imagination to the plausible futures their rivals saw.
The urgency to respond to multiple internal and external stakeholders can prevent organizations from looking beyond and above their most immediate challenges. A comparison of the 2007 annual reports from today’s top 10 Fortune 500 companies will reveal that only one mentioned the word ‘pandemic’. In 2022, pandemic was in the top 10 risks of all 10, some with entire sections dedicated to it. What has changed since then? Experience. The return periods for a pandemic didn’t change. The data was always there that another pandemic could occur, but that data wasn’t personally available or recent.
And looking forward, the risk of pandemics hasn’t gone away just because we’ve experienced one recently. Researchers modeling future pandemic risk believe there is a 47% to 57% chance of another global pandemic as deadly as COVID-19 in the next 25 years.[4]
Reviewing emerging risks and being future-ready is about more than maintaining a risk register, or scoring acceleration, impact and severity. Harnessing the full potential of emerging risk thinking means adopting a risk maturity approach able to build partnerships across business functions to empower risk knowledge and ‘buy in’. Just as no risk operates in isolation, leaders increasingly need to have a wider understanding of impacts beyond their function.
Chief executive officers, chief risk officers, chief human resources officers, chief technology officers, chief operating officers, chief strategy officers and chief financial officers need a shared lexicon and approach that can bring risk management decision making and financial priorities together. For example, emerging risks around intellectual property (IP) could have touchpoints across the organization:
A collaborative approach enables you to provide a holistic view of risks, helping leaders and risk owners fuse qualitative appreciations of the future into modern approaches to quantitative risk management. When you embed risk management through working with other business functions, you’re more likely to address their risks and uncertainties proactively rather than reactively.
This evolving situation necessitates a pivot toward not just recognizing but actively preparing for a wider array of risks. Research suggests that organizations that have invested in building corporate foresight units outperform the average, with 33% higher profitability and 200% higher growth[5]. There is value in thinking backwards to learn from history, and forwards to embrace collective futures.
We asked our industry and risk leaders for their most interesting emerging and interconnected risks that leaders should take back into their organizations and ask “how are we understanding and taking action on this source of emerging risks?”:
$4.45 million to $5.2 trillion gap. How are we preparing for current and future cyber risks?
The cyber landscape is shifting again. Today, IBM estimates the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years[6].
Average figures hide a diverse range of impacts.
The World Bank estimated that globally, from 2019 to 2023, approximately $5.2 trillion in global value was at risk from cyberattacks. Every month 10.5 million records are lost or stolen, an estimated 438,000 every hour.[7]
These events can have very real impacts for complex organizations, with wide ranging risk sources, and complex causes and consequences that require a holistic framework and risk approach. A key example of these lessons over time includes the experience of a global hotel chain.
In 2018 they announced that hackers had stolen approximately 500 million customer records. The attackers had gained unauthorized access into a company acquired by the hotel chain in 2014 and remained in the system. The access was not discovered until 2018, and the hotel chain was fined £18.4 million for a personal data breach by the U.K. Information Commissioner’s Office under the General Data Protection Regulation (reduced from £99.2 million). Wider impacts at the time included recovery costs, reputational damage from the loss of customer confidence, and legal ramifications through class-action lawsuits raised by those impacted.
In 2022, a further 20 gigabytes of data were stolen through social engineering of an employee to gain access to his or her account — a different method of attack that enabled a different way in.
When organizations experience events, a need arises to think beyond single solutions and risk pathways to ensure resources can support wider resilience.
Bloomberg Intelligence suggests it will grow to $1.3 trillion over the next 10 years from a market size of just $40 billion in 2022[8].
As the technology evolves at a rapid pace, governance efforts will be critical, especially as AI developers are grappling with the risks inherent in their training data. Every part of your organization will also need to consider the knock-on effects – cyber risks being one of them.
28 $1 billion events in 2023. What range of losses are assets exposed to across geographies we operate in? How are we thinking about a year of compounding events?
In 2023, the National Oceanic and Atmospheric Administration calculated the U.S. alone had experienced 28 events with losses exceeding $1 billion, well above the average since 1980 of eight events per year and the average for the past five years of 18 events per year. In the U.S., insurers saw the costliest severe convective storms (SCS) year on record, with total claims exceeding $50 billion[9].
Secondary peril losses, primarily severe convective storms in the U.S. and Europe, contributed substantially to the year’s insurance claims, underscoring their growing influence, with cumulative losses outstripping those caused by a season of hurricanes.
Other natural catastrophe perils also set new records, which have knock-on impacts for insurers challenging their own views of aggregations, as well as risk leaders who are taking a second look at the extent of their physical footprint. In 2023 Canada experienced its most extensive wildfire season on record, with 17.94 million hectares burned.
The scale of fires saw the Canadian government close several roads across Quebec, with many companies having to curtail their operations. As wildfire risk increases, a multifaceted approach will be needed that combines early forecasting and anticipation of wildfires with robust infrastructure, effective communication, adaptable policies and consideration of nature-based solutions.
$57 trillion or 4.1 billion geopolitical shifts. What insights are we using to shape our understanding of geopolitical risks?
The year 2024 is set to be what the Economist and Time called at the start of the year “the biggest election year in history,” with national elections scheduled in at least 64 countries plus the European Union, representing 4.1 billion people — close to half the global population (49%) — and an estimated $57 trillion of global GDP. By April that number was 83 national elections in 78 countries,[10] which is indicative of the way that politics can rapidly ebb and flow. Many will prove consequential for years to come, with potential impacts including social stability, reshoring/offshoring, regulatory change and international investment shifts.
Recent research by WTW and Oxford Analytica, published in the WTW Political Risk Index, suggests that geopolitical alignments are shifting rapidly. Inevitably, changes of government are an opportunity for dramatic geopolitical realignments. Investors tend to abhor uncertainty; in some ways, predictable adverse developments are preferable to not knowing the future, which makes it hard to calculate future returns. And 2024’s elections will bring their fair share of uncertainties, making it more important for organizations to question which sources of information they can call on to ensure they are informed of the wide-ranging impacts of geopolitical risks.
There is no shortage of approaches that large and complex organizations are using to tackle these challenges. However, there is no one-size-fits-all approach to identifying, analyzing, monitoring and responding to emerging risks. Organizations should remain aware of this and ensure they take account of their culture, experience, technological capability, and colleague attitudes when designing or refining an approach.
WTW believes that a truly effective approach should start with establishing and understanding your risk tolerance. This step allows you to identify those emerging risks that can breach this tolerance level and need mitigation, both financial and organizational.
Organizations use a range of different definitions for emerging risks, refined based on time horizons, risk tolerance thresholds, and strategy deliverables. The recent release of the ISO 31050 – guidance for managing emerging risks to enhance resilience – marks a pivotal moment in the management of these risks at a time when new regulatory standards and requirements are being implemented or considered.
If definitions can vary, what are emerging risks? To quote directly from ISO 31050 they can cover a series of characteristics:
This is a useful starting point, but organizations may wish to simplify this further to make the language clearer and more accessible. An organization could choose to view emerging risks as:
In asking whether your existing approach deals with these risks and opportunities appropriately, an organization may wish to consider three challenge questions:
01
The importance of building an emerging risk process and linking it to the business model probably cannot be emphasized enough. That includes the lens of opportunity. Reviewing emerging risks is also about considering your competitive advantage and gathering insights into new market opportunities, customer needs, and technological advancements, as well as staying ahead of regulatory developments, compliance requirements, and industry standards that could impact your operations and reputation.
Action: Instigate a horizon scanning regime that extends beyond traditional boundaries, such as a focus on new legislation or financial reporting standards. By asking the question, “What’s new and what does it mean for us?” regularly, new risks and opportunities may become apparent far earlier. By examining what-if scenarios, organizations can stretch their imaginations to gain insights into potential vulnerabilities and develop strategies for a more resilient future. Wargaming is one way of bringing this to life, because the game will focus on risks, but also on actors playing on their competitive advantage - for a more realistic view.
02
Given the pace of change in our internal and external contexts, truly ‘new’ risks are increasingly likely. An important element of an effective emerging risk process is the ability to spot these risks in good time, and to plan and prioritize a response appropriately given the varied risk profile the organization is likely to have. For complex organizations made up of multiple industries and business models, being able to tap into those views is a way to harness a horizon scanning network, and create a holistic view of risk. But risk insight must drive decision-making and strategy. ISO 31050 now offers a standardized framework for translating foresight data into risk intelligence that can be integrated into existing risk management processes.
Action: Risk management is at the core of corporate governance as it is critical for creating a sustainable, resilient organization. Organizations that embed emerging risks thinking into their approaches can harness those values. That might mean taking a fresh look at existing data sources such as your claims; challenging the risk dimensions your organization tracks; or keeping pace with the latest thinking across science, academia, think tanks and the private sector. This is the approach our WTW Research Network uses to identify risks and improve their understanding and quantification for the benefit of our clients and society; we find that looking left and right and at what other industries are considering can bring fresh understanding to your challenges.
03
Traditional risk assessment frameworks frequently use statistical methods and techniques to identify and isolate historical trends in the trigger, magnitude or frequency of an individual hazard. While this captures the risk one hazard at a time, it does not adequately capture the risk associated with connectivity, whether that’s co-occurring, compound or cascading hazards. If something goes wrong and exceeds organizational resilience, it's rarely the tried and tested area of individual risk with numerous tightly defined controls and scenarios. It's usually either about interconnected risks or scenarios just beyond the imagination.
Action: A structured approach to consider interconnectivity between risks can provide a foundation for shared understanding between stakeholders. Registers have their place but additional value can be added through challenge perspectives, such as the view in Figure 1 of a list of top 25 risks, where respondents were asked for their top three combinations of risks of concern. This approach can be used to bring unseen/unappreciated risk dependencies to the surface, encouraging collaboration across business functions, and to enable an elevated risk governance regime that offers the business a repeatable, but necessarily flexible, means of outsmarting complex risk connections.
Consideration of emerging risks is essential for a truly effective strategic approach, which provides long-term value; accordingly, organizations should seek to ensure they give emerging risks in all their guises sufficient consideration and attention when building, enhancing, and implementing strategic frameworks and processes.
In the face of global change, there has never been a better time to challenge your emerging risk approach. Are you prepared against the risks and opportunities coming your way and ready to seize the advantage?