With emerging risks in mind, boards and executives are motivated to strengthen their risk management programs in 2022. As businesses accelerate investments in new digital products and services, they require greater visibility into the connections between strategy, operations, and technology. This is because our increasing dependency on digital systems brings with it new digital risks — one of the major global risk categories according to the World Economic Forum’s 2022 Global Risks Report.
Companies that discover emerging risks early — and act on them effectively — will gain a competitive advantage through better performance and stronger resilience. Yet, the existing technologies, processes, and people to manage risks are not keeping pace to meet rising risk demands — a problem we refer to as the “business resilience gap.”
In the new guide, Bridging the Business Resilience Gap With the Connected Risk Model, authors John A. Wheeler and Anand Bhakta define the business resilience gap, explore its causes, and discuss how to fix it with a modern approach to integrated risk management. Download the full guide, and continue reading for an overview of the business resilience gap and its four core causes.
What Is the Business Resilience Gap?
EY’s Global Board Risk Survey reveals 83% of board members believe market disruptions have become increasingly impactful and 87% believe they have become increasingly frequent. Supply chain risk, talent and succession challenges, and cybersecurity threats loom as top risks while emerging risks — including digital as well as environmental, social, and governance (ESG) risk — are expected to become even more pronounced over the next decade.
Yet, the capabilities of most risk teams have not kept pace with rising risk demands. EY’s survey reveals that over half (55%) of board members believe risk management has difficulty keeping pace with changes in business strategy. Equally concerning is that 82% of boards do not believe their business has a highly effective disaster response and contingency plan. We define this shortfall in risk management capabilities as the business resilience gap.
As illustrated, the capacity to support rising risk demands falls below the curve of rising risk levels, representing what can happen if businesses fail to invest in their risk management capabilities.
What Causes the Business Resilience Gap?
The business resilience gap is caused by a combination of factors. While this combination is unique to each business, it generally consists of: flawed strategy, poor data infrastructure, lack of agility, and lack of integration.
1. Flawed Strategy
84% of boards do not believe their organizations have a highly effective risk management strategy. This is primarily due to ERM programs failing to go beyond strategic risks to understand the full impact of risk throughout the organization. A separate survey found 63% of organizations find it extremely challenging to define their strategic risk appetite, further highlighting that risk management strategies require revision at the highest level.
2. Poor Data Infrastructure
80% of board members say their organization’s risk teams struggle to leverage data and technology to deliver timely, insight-driven reporting to the board. A separate Deloitte survey finds almost 50% of respondents said they were “very” or “extremely concerned” about risk data quality and management. The lack of reliable data infrastructure creates further challenges, including inefficiency, lack of visibility into risk trends and threats, and limited visibility into the status of mitigating strategies.
3. Lack of Agility
74% of risk leaders believe their organization struggles to maintain reliable data to drive risk-based decisions. A separate survey reveals 55% of board members believe risk management has difficulty keeping pace with changes in business strategy. Risk teams that lack speed and agility, both in surfacing new risks and in managing risk management workflows, will hinder their businesses when responding to future crises on the scale of COVID-19.
4. Lack of Integration
Most businesses have risk oversight functions in areas like cybersecurity, information security, and regulatory/compliance. Despite this, 67% of organizations do not have risk controls embedded within their business units. An AuditBoard poll of over 1,000 risk professionals found nearly 60% of respondents have limited to no visibility into the issues identified by other groups, and nearly 70% do not have consistent reporting to executive management on risk and controls data across functions.
How to Bridge the Business Resilience Gap
The causes of the business resilience gap are interconnected, so a multi-pronged approach to bridging the gap is a safer path to success than a “band-aid” approach. To learn five tactics to close the business resilience gap, including the Connected Risk Model, download the full guide, Bridging the Business Resilience Gap With the Connected Risk Model.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.
Anand Bhakta is Sr. Director of Risk Solutions at AuditBoard and a cofounder and Principal of SAS. He has over twenty years of audit and advisory experience. Anand spent 8 years at Ernst & Young prior to SAS, and has served as a trusted advisor for numerous internal audit and management executives. Connect with Anand on LinkedIn.