Aon | Professional Services Practice
Release Date: April 2022
Uncertainty Isn’t New but the Response May Be - Further Thoughts on the Aon Global Risk Management Survey
We previously discussed what lessons can be drawn from Aon’s risk survey.
Now we will discuss the response and consider whether COVID has changed risk management.
The question of how to manage some of the risks identified is not straightforward. General uncertainty is prominent in the results, and traditional risk management may not be enough. The answers may lie in more broadly scoped risk identification, but also in business continuity preparation, crisis management and general resilience planning.
For example, increasing competition (No. 8 in the survey) appears to be a fundamental commercial reality, representing both opportunity and risk. In the world of professional service firms a convergence is clearly occurring, and in part it is being enabled by the application of technology. Increasing competition is therefore a strategic issue, arising from fundamental questions of purpose, strategy, resources and changing client demands.
It seems that a new awareness is emerging of the Grey Swan type of threat, and that it is changing the approach to risk management. In the Risk Frontiers Europe 2021 Risk Survey, 50% of respondents said that COVID had changed the approach to risk management in their organizations.
Why is this important?
- Future hazards may be outside of a conventional and narrow risk identification exercise, and a fresh look with a wider set of tools may be required.
- Even if risks are identified, can a probability usefully be assigned? How does one plan for a 1-in-50-year event? In practice, professional service firms generally had rigorous business continuity plans and, with the assistance of technology, were able to continue to function; the risk to revenues arose from client demand rather than from internal operational failures. Indeed, in some areas client demand increased as clients sought help with the challenges being presented.
- More attention is now being paid to the interconnectivity of risks; the links between pandemics, business interruption and cyber security are one clear example. Risk management is therefore ideally conducted on an enterprise basis and includes a degree of systems thinking, in which interdependencies and externalities are considered, mapped and assessed.
- There are parallels here with ESG, a very topical debate in financial and risk circles. The links between governance, societal risks and environmental concerns are strong and, in many cases, complex, and they require an organizational response that transcends internal boundaries.
Dealing with Uncertainty
There is no single plan for uncertainty, and insurance is often not the answer, since there are limits to insurability where risks must be defined and quantified. Low-probability but severe risks have uncertain features for a wide range of reasons, and the complexity is magnified by a lack of recognition, prioritization and preparedness.
These gaps arise from psychological and organizational barriers, often the result of internal bias towards optimism, the status quo or loyalty to long-held beliefs.
An important factor is the degree to which a risk can be mitigated, and whether the residual risk then falls within the organization’s risk tolerance.
Some Practical Steps
The lessons being repeated are about taking a broad approach and being wary of silos.
- Improve the quality and scope of risk identification: use bottom-up assessments and interviews, and seek broad inputs. Use new tools such as scenarios, horizon scanning and root cause analysis.
- Use each risk in the Aon survey’s top 10 as a heading and conduct a roundtable; work back to root causes and forward to consequences.
- Build a matrix: the risk, what is changing, what effects follow and the responses.
- Look for dependencies. Economic slowdown (No. 5) is a cause; the risk itself presumably lies in financial exposure, or in pressure elsewhere, such as a loss of innovation or competitiveness when investment is cut.
- Formulate action plans and do tabletops. Look at ransomware response plans for a good model for coordination and stakeholder identification.
- Set a risk appetite, challenging current assumptions and possible biases. Be conscious of the historic reasons others have failed, and be wary of:
- “It won’t happen”
- “We have a plan for that”
- “We have insufficient information to do anything”
- Beware uncoordinated and unpracticed responses. There is a communication and coordination role for risk management. Cyber resilience is a good model here, where IT, information security, risk management, public relations, legal and HR must work in unison.
The final lesson is resilience. We have seen the effective use of technology and the value of Business Continuity Management plans which, while they did not necessarily have a pandemic in mind, served to avoid disruption. Resilience implies an ability to adapt to the unexpected across both operational and people risks.
Future risk headings clearly include cyber, digital, political and ESG. It will be necessary to explore them with detailed risk identification and mitigation planning. What will I do differently in the next pandemic? To end with Dwight Eisenhower’s advice: “I have always found that plans are useless, but planning is indispensable.”