Risk management in the age of polycrises

The risk landscape nowadays is more complex, interconnected, and dynamic than ever before. Risk management plays a key role by analyzing this complexity and identifying critical causal relationships at an early stage to protect the company and achieve goals more reliably. However, practice shows that this is an enormous challenge for risk management. “Silo-thinking”, fragmented risk management activities that are not linked to business goals and governance, a lack of integration of technological capabilities, and a lack of risk culture represent just a few of the present hurdles. Which success factors brace companies for the future?

We live in a world of multiple and interconnected crises in which suddenly emerging risks amplify already existing ones. The World Economic Forum speaks of the age of "polycrises" (Source: World Economic Forum).

As part of this year's flagship event "Horváth Risk Perspectives", key success factors were developed to help risk managers overcome these hurdles and thus prepare for the future. The focus was on the fundamental question of which premises must be met in order to contribute to the resilience of companies in the age of polycrises.

Integrated risk management is a premise for resilience

Resilience is used to refer to the ability to withstand disruptions. Resilient organizations recognize disruptions at an early stage and are prepared for them, but at the same time can adapt to disruptions quickly and in a structured manner – at Horváth we define this as “Trusted Governance”. 

Trusted Governance is the ultimate form of integrated risk management that closely follows the original GRC (Governance, Risk, Compliance) definition of the OCEG (Source: OCEG). In particular, the concept of governance comes into focus. Governance forms the foundation of an organization by enabling, but also ensuring, that the organization can reliably achieve its purpose, its values, and its goals. 

However, this can be challenging, as the risk landscape and the associated uncertainties that can impact objectives are far more dynamic and interconnected than ever before, especially as risk management activities are often practiced in silos. Risk management often acts at best as a "collector" of data, rather than a "connector". Information is collected and reported separately from risk management, business continuity, compliance, ISMS, and other functions.

In addition, risks are often already implicitly managed by functions without explicitly labeling it as risk management, such as quality management when countering rising scrap rates or HR when implementing measures to counteract declining employee satisfaction. This leads to blind spots. Interdependent risks are not identified or are identified too late, leaving less time to anticipate disruptions at an early stage. Such a risk landscape makes an integrated risk management approach essential.

The idea of Trusted Governance goes beyond the integration of traditional GRC functions. As a connector between the company’s vision, strategy & business model and its corporate organization, it also integrates functional risk management activities. To this end, it considers how goals are operationalized and how uncertainties are managed, from corporate values and objectives across different functions and levels of an organization.

This basic idea contributes directly to the resilience of a company, as:  

  • risk management is decentralized, allowing risks to be identified and managed more quickly  
  • the focus of risk management is clearly on controlling critical risks to protect an organization's values and goals 
  • stakeholders of risk management activities pull together and complement each other in a meaningful way, for example by combining the early risk detection mechanisms of risk management, the identification of vulnerable assets in business continuity and the targeted strengthening of response capabilities in crisis management

Combining risk and performance improves early risk detection

With a view to the past as well as the future, the main question discussed at "Horváth Risk Perspectives" was to what extent risk and performance management will ever really be combined and what is lacking in this respect today. 

It has become clear that in practice, over the past decades, risk management has often been very strongly focused on reporting risks as of a reporting date, based on regulatory requirements.

However, to combine both principles, risk management needs a good understanding of the company's management model. It needs to understand how uncertainties can affect the various KPIs and what consequences this would have for the management model. In this way, possible deviations from targets can be anticipated at an early stage.

AI supports but does not (yet) take over early risk detection

The question of the extent to which the use of AI in risk management can support the prediction of unknown risks and causal relationships has been controversially discussed. 

So far, however, use cases in risk management are still exceedingly rare. With recent technological developments, such as ChatGPT, typical risk data can soon be more easily pre-filled, completed and even validated.  

However, the question remains controversial whether AI will ever really support the early detection of unknown risks and critical causal chains, ideally in the sense of "cognitive analytics" even directly with targeted recommendations for the best possible countermeasures. On the one hand, this is due to technological hurdles, for example the underlying models, but also the paradox of missing historical data for unknown risks. On the methodological side, however, this would also require an immense effort not only to identify risk drivers, but also to understand how they affect the business model-specific goals of a particular company.

Risk culture as a premise for decentralized risk management

Under the credo "Everyone is a risk manager", it was discussed to what extent this ideal image makes the role of central risk management obsolete. 

Risks are already managed today in many places in day-to-day business, sometimes without explicitly calling it risk management. It is the daily task of everyone in an organization to strive to meet their objectives while dealing with uncertainty. HR is not there to "do HR" but to ensure that the right people are in the company at the right time. So, everyone is already a risk manager of sorts today. 

The role of the risk management function is to supply processes and methodologies that enable consistent reporting for transparency at the central level but adapt to the way risks are already managed on a day-to-day basis in a decentralized manner.

Cassel, D. / Butsch, N.