Aon | Professional Services Practice
Release Date: March 2022
What Can We Learn From Risk Surveys?
The GRMS and Accountants and Consultants
An accountants and consultants perspective on the professional services firm results of the Aon Global Risk Management Survey
How are we to use the results of surveys to assess and prepare for the major risks affecting professional service firms? Three areas come quickly to mind:
- Learn more about the environment and other firms’ concerns.
- Peer group learning can complement one’s own risk identification and mitigation efforts.
- Changes in results may not tell us much, but emerging risks and trends can be revealed.
It is well known that risk registers can become static without monitoring and practical application. Surveys can provide external validation and useful insights for updates.
What does the latest set of Aon results tell us?
2021 results and commentary:
- Cyber risk and reputation damage again figure highly in the top risks.
- The failure to attract and retain talent appears at three.
- Business interruption is in at four but from what cause? We discuss this below.
- The business environment is volatile and economic slowdown appears at five. That is, of course, a large landscape.
- Failure to innovate is at six; its connections to the talent and economic slowdown risks are clear.
- Increasing competition, with inferences around new business models, due in part at least to technology, appears at eight. For many firms this is a huge opportunity to exploit.
- Regulatory risks appear at nine, and at seven for data privacy.
- Number ten is technology or system failure, and this includes the cyber exposure and concerns over infrastructure.
Interconnections and Responses
Thinking more deeply about these results raises quite a few questions. The survey reveals large strategic issues for professional firms which may lie outside of the responsibility of conventional risk management but would fall within an enterprise approach.
We can group the results under three headings that might give us some clues as to where the responses might lie:
- Risks to business operations and reputation – the provinces of leadership, compliance, and risk management.
- Risks in a changing business environment – these are probably within a firm’s key decisions around strategy.
- Fundamental uncertainty – the areas of leadership, business strategy and business continuity.
Looking at the more strategic risks identified:
- For accountants, regulatory and legislative changes are numerous and well documented, presenting a broad range from the minor to the industry-transforming, as summarized for 2020 in an excerpt from PSP’s Accountants’ Liability Risk: Global Trends and Issues (January 2021). The nature of competition and application of technology are dynamic factors.
- For consultants, technology, competition, disruption and “secondary perils” (the risks that clients face) are clearly all important for future growth.
- For both professions, talent acquisition and retention and innovation are fundamental.
Changes and Omissions
Headline risk descriptions can cover a large field and therefore may need some enquiry and thought. Business interruption, for example, might be the result of a ransomware attack, a pandemic, or a flood.
Some risks are constant for professional services firms. Surveys do suffer from the effects of the proximity of contemporary events, recency bias, and may therefore ignore the future Grey Swan event.
- Third-party liability dropped out of the top 10 (9th in 2019) although it remains a key risk and potential existential threat.
- Compliance, quality and communication challenges arising from hybrid working might be contemplated under cyber and regulatory risks.
- Some noticeable omissions compared to other sectors surveyed are to be expected given the major risks in different sectors. Two that figure prominently in other results are pandemics and infrastructure failure.
- There is much more change to come in the whole area of ESG, and ESG reporting, with the potential for reputation damage and litigation.
- The risks bear some resemblance to the results in 2017, with the major difference perhaps being that Cyber was then only number six. WannaCry occurred in 2017 and NotPetya the year after. Subsequently ransomware concerns have exploded. This illustrates how underlying conditions change, although the risk title remains constant.
It is helpful to distinguish between the hazard or threat – the risk that manifests itself on the organization – and the consequences. That leads us to consider how manageable a risk may be. That might explain why third-party liability dropped out of the top 10. Firms may believe they have good plans in place in terms of quality measures, compliance, and core risk management. The residual risk is therefore within the organization’s risk tolerance.
Technology risks also contemplate considerable uncertainty arising from new forms of competition and the need for innovation, plus a host of other issues such as those associated with AI, for example. As with certain other risks in the list, however, considerable opportunities arise from this uncertainty and change.
Consequences for Risk Management
The question of how to manage some of these risks is therefore not straightforward. The answers lie in broader-scoped risk identification, but also business continuity, crisis management and general resilience planning.
Why is this important?
- Future hazards may be outside of a conventional and narrow risk identification exercise and a fresh look with a wider set of tools may be required.
- There is now more attention to the interconnectivity of risks - pandemics, business interruption and cyber security, for example.
- There are parallels here with ESG, a very topical debate in financial and risk circles. It implies an ability to adapt to unexpected operational and people risks.
Future years’ results will clearly include cyber, digital, political and ESG related risks. It will be necessary to dig down and explore them in detail.
There is no one plan for dealing with uncertainty. In an upcoming article we will identify some practical steps that can be taken.