
Aon  |  Professional Services Practice
3 Reasons Why Enterprise Risk Management Goes Wrong

Release Date: June 2023

Enterprise risk management is important to professional service firms in building resilience. However, even firms with well-established and monitored risk controls will experience losses. This article examines some of the reasons those losses continue to occur.

We will explore three propositions and their consequences.

  • The traditional root causes of incidents and claims are still current.
  • New risk factors exist or are emerging.
  • Risk management protections may not function as intended.

1) The traditional root causes of incidents and claims are still current

Failures in delivery that lead to claims tend to fall into familiar categories such as straightforward errors, failure of supervision or judgment, and values or ethical lapses. Leadership failure is often in the mix, as are psychological bias and missed red flags. Cover-ups are always bad news, and so is the failure to learn from the past. Many recently reported issues reveal examples of these familiar failings in corporate life.

The underlying causes typically include:

  • Operational or ethical lapses will occur from time to time. There are lots of recent and instructive examples in the pharma, automobile, and financial services industries.
  • Regulatory failure. This can occur from a mix of mistakes or failure of values, often associated with aggressive risk taking.
  • Bias. Optimism or denial biases often exist, particularly when applied to complex, emerging or new risks.

The risk framework should address these. Bias and poor judgment can still intervene, particularly as crises develop, so independent voices need to be at the table.

2) New risk factors exist or are emerging

In the current polycrisis there is a distinct movement towards concerns about external factors and away from traditional risks. Apart from the dramatic effects of a pandemic and war, several prominent risk areas have emerged:

  • The adoption of technology and cyber threats.
  • Generative AI has quickly become a very hot risk topic.
  • Litigation, regulatory and reputational ESG concerns.

In this respect, past data may be less valuable, which makes the response more challenging. A mix of expertise and divergent views is required to broaden the risk horizon being considered. Cyber incident response, which routinely brings together technical, legal, communications and business leads under a single plan, is a good model for a multidisciplinary approach.

3) Risk management protections may not function as intended

  • Psychological or organizational failures can lead to a failure to recognise, understand or prioritise risks.
  • Checks and balances may be absent and risk appetite poorly defined.
  • Warning signs might be ignored, resulting in poor response and communication.

How has risk management failed in the past? There is a long history, but often cited failures include a failure to see the bigger context and warning voices being ignored. Postmortems on the firm's own incidents, and monitoring publicly known failures elsewhere, can help to prevent such failings.

Does Insurance Have a Role to Play?

Insurance is of course a useful risk transfer mechanism and plays a part in the risk management response.

New risks and new risk profiles can however create uncertainties about insurance response.

The risk landscape for all organizations is evolving; data breaches and the Internet of Things are two sources of uncertainty. Technology's influence on professional service delivery may raise questions about who is liable, and when, where software solutions or artificial intelligence are applied to problems previously addressed by humans. Risk treatment and risk transfer need to be aligned, so that the controls a firm relies on and the cover it buys assume the same risks.

Insurance can be a positive risk influence. In the cyber field, insurers drove systemic improvement by moving to a list of minimum security controls as a condition of cover (multi-factor authentication, endpoint detection and response, and tested offline backups are now commonly required). This raised the bar for all. Insurance can also deal with the unexpected, such as the consequences of incidents like NotPetya and WannaCry, although NotPetya also produced litigation over war exclusions, a reminder that policy wording needs to be checked against the scenarios the firm actually fears.

Summary Thoughts

In the near term, claims activity is likely to track the downturn in economies, and familiar patterns will emerge. In some areas, however, we may be moving from uncertainty to unpredictability and to greater longer-term challenges. Universal lessons remain to guide us:

  • Old risk assumptions may be wrong. Risk identification and prioritization may require a new approach, but a rigorous framework should allow for that. Learn from the experiences of others including those in other industry sectors.
  • Behavioral, cognitive, and cultural dynamics can undermine decision making. Communicating risk appetite and what constitutes an acceptable risk culture are good protective responses.
  • Resilient organisations are good at handling crises. There is a limited window in which to get things under control, so the mechanisms and people must be in place beforehand.
  • Insurance can address significant adverse events.


The Professional Services Practice at Aon values your feedback. If you have any comments or questions, please contact Keith Tracey.

Keith Tracey
Managing Director