As we work our way through the first quarter of 2022, many CEOs may think about the famous Charles Dickens quote from The Tale of Two Cities: “It was the best of times, it was the worst of times.” Those with a rosy outlook see their businesses growing rapidly and benefiting from innovations in digital technology. On the flip side, the ongoing pandemic, supply chain issues, and talent shortages may be plaguing those who see it as a time of hardship. In reality, both the best and worst scenarios are impacting all CEOs to some degree.
However, the complicating factor is the unprecedented level of risk we face today and the necessary amount of change around the corner. EY just published results from their 2022 CEO survey highlighting risk management as the area where CEOs expect to make the most changes in the next three years. The planned changes center on the need for an integrated risk management approach for better, more risk-informed decision making. As CEOs and their business leaders look to integrate risk management activities, they need to consider four integrated risk drivers that are particularly important in 2022.
Sustainability: ESG Risk and Reporting
Sustainability has gained prominence in business strategy as increased levels of investment targeted at improvements in environmental, social, and governance (ESG) practices have become too big to ignore. A recent survey of institutional investors discovered that 77% increased ESG investments in response to COVID-19, with the number jumping to 90% of large investors (over $200 billion in assets) increasing ESG investments. So, having a solid ESG risk profile will contribute significant value to businesses through greater investor attractiveness. However, what is reported to potential investors in the form of ESG risk metrics must pass muster with more standards and regulations looming on the horizon. Countries across the globe plus reporting standard setters such as the IFRS Foundation are gearing up to provide greater transparency into ESG reporting and related disclosures.
Soundness: Business Resiliency
The soundness of business infrastructure is being tested in ways that were not readily anticipated before the pandemic. Supply chains are collapsing as global distribution channels are disrupted, technology networks are succumbing to a never-ending wave of cyber attacks, and talent shortages are severely impacting the quality and availability of products and services. 49% of CEOs in the EY survey stated that they plan to increase focus on enterprise resilience. Unfortunately, board members have a decidedly negative view of the current state of resiliency in their businesses. AuditBoard’s recent Ebook, Bridging the Business Resilience Gap, shares a recent EY finding that over half (55%) of board members believe risk management has difficulty keeping pace with changes in business strategy. Equally concerning is that 82% of boards do not believe their business has a highly effective disaster response and contingency plan.
Safety: Risk Assurance
Safety is at the forefront of every company’s operations priorities due to the pandemic. While it is a high priority today, over time the focus will wane. It is simply human nature to develop a sense of complacency once a crisis abates. However, CEOs must look to risk management professionals for continued assurance not only on the health and safety of key stakeholders like employees and customers, but also the health and safety of the business itself. That’s why 61% of CEOs in the EY survey who selected Risk Management as a top area for change see the need for more data-driven risk analytics to quickly identify areas of concern. Integrated risk management (IRM) technology uses a unified data core to deliver the advanced risk quantification and analytics that business leaders want.
Security: IT and Cybersecurity Compliance
Complying with the latest set of IT and cybersecurity regulations is an ongoing challenge for all businesses. Complicating matters is the need to understand and assess not only your own level of compliance, but also that of your strategic partners, suppliers, and vendors. It is no surprise that in a recent Deloitte global risk management survey, only 61% of respondents considered their institutions to be extremely or very effective at managing cybersecurity risk. IRM works to simplify and streamline the complex compliance requirements while providing key risk insights into areas of needed remediation.
So, what can CEOs expect from incorporating these four integrated risk drivers into their business strategies? Well, a recent AuditBoard poll found that while nearly 80% of survey respondents redirected strategy or made significant changes to their risk management program since the pandemic began, only 16% report having a “robust enterprise risk management program” that impacts daily decision-making. One of the best ways to quickly realize the benefits of a robust program is to take an integrated approach fueled by IRM technologies. My next article will explore how IRM not only bolsters program maturity, but also addresses the primary objectives every business seeks to achieve.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.