In my previous piece, I looked at how value and risk are entwined along all parts of an organization’s value chain.
The simple truth is, you can’t generate value if you don’t take risks. Similarly, if you can’t properly manage risks, organizations will stumble into catastrophe. However, it’s not just about finding a Goldilocks zone of the right amount of risks to take, but understanding the difference between the kind of risks you should and should not be taking.
The stakes couldn’t be higher. Business today moves at a breathtaking pace: according to one recent study, in 1964 the average life of a company in the S&P 500 was 33 years. That is predicted to drop to 12 years by 2027.
In such a fast-moving environment, understanding the nature and scale of different kinds of risk becomes a vital first step for any company serious about capitalizing on the volatility of the era of mass digital transformation.
Organizations that will succeed in this new transformative age will be the ones that can discern the differences between these three varieties of risk and chart a course between them that leads to real value. But to do this will require a more holistic and more nuanced understanding of how different types of risk are affecting not just your organization and its component parts, but your entire value chain. The risks come in these three distinct forms:
- Downside risks: which only represent a negative outcome for a company. There is no value in taking these risks, only the potential to preserve value (or reduce harm) by eliminating, controlling, mitigating or transferring them. They have little or no potential to be seized as an opportunity (without some clever PR to showcase how well the organization has responded to them). These risks include things like information security and cybercrime (pdf), employee fraud (pdf) and regulatory compliance (pdf). These risks must be well-understood and mitigated.
- Upside risks: directly relate to an organization’s ability to execute its business strategy and objectives, and provide organizations with a positive opportunity for value creation and growth — using risk to identify the best ways to allocate capital to grow the business. These include the potential for innovations to grow consumer bases, increasing market share, or acquiring, managing and deriving value from new assets and talent. These upside risks should be considered hand-in-hand with an organization’s strategy — the organization should ask itself, “with which risk do we create the most value?”
- Outside risks: can have positive and negative impacts but are unpredictable, as they are beyond the organization’s control. These could include the actions of existing and emerging competitors, and geopolitical, economic, demographic and environmental megatrends that can impact your organization either directly or indirectly. Organizations must be well-aware of the upside or downside implications of these risks and be ready to respond more quickly and effectively than their peers to add value to the bottom line.
To effectively deal with these risks will require a change in both risk management tactics and cultural mindset.
In the past, risks have been evaluated on two dimensions, potential impact and likelihood. But in today’s transformative age, a third dimension — velocity — is critical. Velocity is the speed and rate at which downside risks you fail to prevent can cause damage/loss, or upside risks that you seize can drive rapid growth.
From a mindset perspective, this means risk professionals must evolve their culture from a focus on complete risk avoidance to one of identifying upside strategic risks — combining looking for ways to learn from the past while enabling progress toward the future. And they will need to do this in real time to ensure their agility can help their organizations move fast enough to intercept opportunities no matter their velocity. This is where we see the greatest level of disruption coming to risk functions, with technology helping risk functions themselves transform for the transformative age.
For example, through the adoption of robotic process automation, internal audit and compliance functions will be able to become more efficient and examine more data in a much shorter period of time. Better data management will allow for better and more real-time reporting that will support better leadership decision-making. Artificial intelligence will be used to predict where things go wrong before they go wrong.
Through this disruption, organizations will be able to have greater confidence in their ability to at worst identify issues quickly, and ideally prevent them from happening in the first place. With this, the risk professionals of the future will have more time to focus on outside and upside risks, enabling their organizations to make better decisions to help achieve long-term strategic objectives.