Enterprise Risk Management (ERM) Trends in 2024
Welcoming participants to the first Tea Talk of 2024, speaker Ramesh Pillai said that despite the preoccupation with the pandemic over the past three years, it felt that COVID-19 had now been completely overshadowed as a reference point. It has been eclipsed, he said, by the volume of other challenges which have since arisen, that test the resilience of businesses and people, and the concurrent risks facing most organisations have increased markedly. Many of the current risks are not new but they have deepened in the past 12 months. It is crucial, therefore, for Chief Risk Officers (CROs) and risk professionals to stay ahead of the game.
Not just trends – megatrends
This can be done by identifying and addressing emerging risks; enhancing risk management strategies; aligning stakeholder expectations; driving business resilience; fostering innovation and opportunity; and adapting to regulatory changes. He identified nine risk management megatrends for 2024: Permacrisis; Cybersecurity; Increasing Complexity of Risks; Data-driven Risk Management; Operational Resilience and Business Continuity; Regulatory and Compliance Pressures; Emphasis on ESG risks; Digital Transformation; and Focus on Human Factors. “We are not in a boring profession,” Ramesh said, at the start of his presentation. “This profession is not for the fainthearted.”
It does, however, require the incorporation of insights from the megatrends he identified. “By incorporating insights from these megatrends into our risk practices, CROs can more effectively manage risk and contribute to the overall success and sustainability of their organisations,” he said, adding that geopolitical events have sharpened security implications for businesses, and climate change is increasingly manifesting in extreme weather; these events have acquired a new immediacy. A new risk to look out for was the release of public-facing artificial intelligence interfaces, which are contributing to misinformation and disinformation. He also introduced a new term: ‘phygital’ – which he described as the confluence of physical and digital, which may well be the way forward, as business and technology are converging at an unprecedented pace.
Risk professionals should keep a close eye on megatrends or overarching trends that are shaping risk management. The first of these, Permacrisis, describes the world we see today – a world in permanent crisis, grappling with profound, persistent, ongoing challenges. “This era is marked by a continuous stream of crises, non-stop, that transcend traditional boundaries, testing the resilience of businesses worldwide,” he said.
Economic downturns, geopolitical tensions, public health crises, environmental disasters – all these have given rise to sustained uncertainty. “We are seeing this…across the world,” he said. “The predictability of crises has become increasingly elusive, requiring a dynamic approach to risk management.” In an era of Permacrisis, crises are not isolated events but interconnected on a global scale. A disruption in any one region, anywhere in the world, can have cascading effects across industries and nations, emphasising the importance of a comprehensive understanding of the nature of risk. Traditional crisis management focusing on response and recovery is no longer sufficient.
Permacrisis demands continuous adaptation and proactive risk management strategies. “Organisations need to evolve their risk management frameworks to anticipate, assess and address their risks in real-time,” Ramesh said. “You cannot be doing your normal risk management. You need to be doing enterprise risk management. You have to look forward, and adopt objective-centric approaches in line with ISO 31000 or COSO 2017.” Technology has also been moving forward, and its rapid advancement has contributed to the complexity of Permacrisis because it introduces an array of risks – like cybersecurity threats and digital disruptions – while presenting opportunities.
Additionally, the global interconnectedness of economies and information flows amplifies the speed at which crisis unfurls. “In today’s environment, the most critical determinant of risk analysis is velocity: how quickly events come together and for you to be able to feel the impact of a risk event unfolding,” he explained, stressing that it was no longer sufficient to look at probability and impact alone. On the second megatrend, Cybersecurity, he pointed out that the cybersecurity risk landscape had undergone unprecedented transformations, with impacts from the Permacrisis as well. “There is a continuous threat evolution,” he warned.
“Cyber adversaries capitalise on the chaos and uncertainty inherent in Permacrisis and cause more damage. Organisations need to contend with an ever-shifting threat environment that demands constant vigilance.” Cybersecurity has always been a very dynamic threat, he said, but people need to accept the extent of its dynamism and prioritise it. “Heightened global interconnectivity accentuates the impact of cybersecurity breaches,” he said. “In today’s interconnected world, third or fourth parties, if they have any access to our systems, amplify the threats we face. Any cyber incident can ripple across industries and regions, and exacerbate the challenges already posed by the other crises.”
The rapid pace of technological innovation introduces threats as well as opportunities; organisations need to navigate the transformational landscape while simultaneously safeguarding against cyber threats that could complicate their resilience efforts. There are also human factor vulnerabilities to consider. “At the end of the day, the source of most cybersecurity vulnerabilities is the human factor,” Ramesh said. “The strain of prolonged uncertainty and evolving work environments may lead to lapses in cybersecurity hygiene. We get careless because we are tired, stressed and exhausted.” Organisations need to prioritise cybersecurity awareness and cybersecurity training programmes. These training programmes should show how smart cyber criminals are and the kind of schemes they apply. The training should also include new trends in cybersecurity, how organisations get hacked, and how social engineering takes place.
Increasing complexity of risks
The third megatrend, the increasing complexity of risks, has arisen due to globalisation, technological advancement and changing business models. Risk management needs to adapt to address complex risks through advanced risk assessment techniques. “Organisations must establish frameworks that allow for flexibility and adaptability,” Ramesh said. “This involves continuous monitoring, scenario planning and engagement with experts.”
He also advocated talking to people from different industries to allow for immersion into different possibilities, and to beef up scenario exercises. Risk management strategies need to incorporate scenario analyses that account for different policy directions; collaboration with governmental relations experts and policymakers can provide valuable insights to anticipate and respond to changes effectively. The polarisation of populations adds another layer of complexity to risk considerations. “Developing communications strategies that navigate polarised environments and foster inclusivity is a critical, integral component of risk management,” he added.
Data-driven risk management
Data-driven risk management, the fourth megatrend, has increased in criticality over the years as vast amounts of data and advances in data analytics and artificial intelligence transform risk management. Organisations need to leverage such data and analytics to gain insight into risks, identify patterns, and make informed decisions. “Data-driven risk management approaches involve using predictive analytics, machine learning and other advanced technologies to assess risks, monitor risk indicators and enhance risk mitigation strategies,” Ramesh said. “Make sure you have sufficient information to do proper data analysis. If you have a system, make sure you use it wisely.” Organisations may need proper tools, such as appropriate software, business intelligence tools or spreadsheets, but all require thorough think-throughs, forward planning and proper maintenance.
Operational resilience and business continuity
Operational resilience and business continuity, the fifth megatrend, become particularly important in the light of disruptions like natural disasters, pandemics or geopolitical events. It is also about diversifying supply chains and enhancing disaster recovery capabilities. “Risk management is evolving to incorporate resilience and business continuity as key components of business strategy,” he said. “But when you have made all these plans, be sure you test them.”
Regulatory and compliance pressures
Discussing the sixth megatrend, Regulatory and Compliance Pressures, he said that regulators are becoming more demanding, and more regulatory and compliance pressure is being applied, primarily to safeguard the public. “Regulators play a critical role, and the only thing they can do (to deal with the challenges) is increase the regulations required,” he explained, stressing that requirements were constantly evolving, and organisations needed to adapt their risk management practices to comply accordingly in areas which included financial regulations, data privacy regulations, environmental regulations and industry-specific regulations.
Risk management incorporates regulatory compliance as a critical aspect of risk mitigation strategy. “By focusing on this risk management megatrend, CROs can stay ahead of regulatory changes and proactively adapt risk management practices to comply with evolving regulations,” he said. “This can help organisations avoid compliance issues, regulatory penalties, reputational damage, and help them to maintain a strong risk and compliance posture.”
Emphasis on ESG risk
Regulators, investors and organisations are increasingly focusing on ESG risks – the seventh megatrend. ESG risks encompass diverse concerns, from climate change to social inequality, diversity and inclusion, and ethical governance. Risk management needs to undergo further evolution; this involves integrating ESG risks into comprehensive risk assessments, monitoring protocols and mitigation strategies. “This adaptive approach is crucial to addressing stakeholder expectations and aligning with sustainability goals,” Ramesh stated. The challenges posed by the Permacrisis, and the ramifications of changes from previously low to high interest rates, all have significant implications within the context of an evolving economic landscape. As interest rates rise, the real estate market becomes a focal point of the interconnectedness of economic, social and environmental factors.
High interest rates can influence the affordability of mortgages and financing which will impact real estate’s dynamics. This in turn has broader economic implications for housing demand, construction activities and the overall health of the real estate sector. Also, the social fabric is intricately linked to housing affordability. “As interest rates increase, the cost of borrowing rises, and this potentially affects the ability of the younger generation to enter the housing market,” he explained. “This exacerbates social inequalities and contributes to disparities in access to home ownership.” Additionally, real estate practices increasingly fall under ESG scrutiny.
This is because of the focus on sustainable development, energy efficiency and social inclusivity. The impact of the interest rate changes on the real estate market intersects with ESG concerns, emphasising the need for sustainable and socially responsible practices within the industry. “Higher interest rates may influence developers’ decisions on sustainable and environmentally friendly construction practices,” he said. “ESG-conscious real estate projects may face challenges or opportunities. Investors, particularly those incorporating ESG criteria into their decision making, may want to reassess their real estate portfolios because of interest rate changes.”
The eighth megatrend, Digital Transformation, is reshaping industries and organisations, and has implications for risk management, which must keep up with organisational digitisation initiatives, or it will become the bottleneck. “As organisations adopt new technologies, they will need to assess and manage risks such as data privacy, cybersecurity, and technology disruption, for instance,” Ramesh said. “Risk management strategies must encompass emerging trends like artificial intelligence, blockchain and robotic process automation (RPA). These technologies…necessitate an evolution in risk management functions to ensure effective controls in these swiftly evolving domains.”
Focus on Human Factors
Human factors like culture, behaviour and decision-making play a significant role in risk management, and organisations are increasingly recognising their importance in managing risk effectively. Noting that people were only now coming to grips with how critical these things were, he said, “Risk management is now, finally, incorporating human factor considerations by promoting risk-aware cultures, providing risk management training, incorporating behavioural insights into risk assessments and risk mitigation strategies, and trying to build de-biasing processes into risk management decision-making processes.”
Organisations were beginning to see the impact of human failure on the risk management process; this needed to be proactively mitigated, going forward. “Staying abreast of all these risk management megatrends is crucial to help organisations manage the risk management landscape, and to help organisations achieve their strategic objectives,” Ramesh said. “All businesses nowadays, regardless, are being held accountable for managing a wide range of risks and stakeholders have heightened their expectations in this regard. CROs, risk management professionals and their teams can leverage insights from these megatrends, to facilitate innovation and anticipate and address emerging risk.”
Adapting risk management approaches to incorporate relevant megatrends can help organisations effectively manage risks and ensure alignment with stakeholder expectations, regulatory requirements and good corporate governance. A proactive stance can help businesses mitigate risks early, and prevent potential negative impacts on their operations, reputation and bottom line. “A tactical approach to problems that are not central to business activities is the traditional approach, and it has often worked in the past,” he said. “But that approach does not work now. You cannot use tactical approaches to solve strategic problems.”
Problems today are more complex; risks are highly interconnected, overlapping and influencing each other. For example, extreme weather and resource scarcity affect economies, which in turn influence political and social volatility. Crisis fatigue, caused by the challenges people have had to deal with all these years, from safeguarding workforces during COVID-19 to the supply chain issues associated with the Ukraine-Russia conflict to the issues of conflict in Palestine, has brought on stress and the risk of burnout, which influences their ability to rise to future tests. However, organisations should not try to manage everything simultaneously.
Instead, they should prioritise risks, recognise how they interrelate, and monitor changes in their urgency. “This is the only way to avoid being blindsided and retain a healthy defence,” he said. “Collaboration is essential to share the load. It also provides outside scrutiny of emergency plans, drawing on the expertise of organisations that filter information and risks and provide solutions. Trusted partners can help build defences and draw up plans against interconnected challenges. Then, you can stress-test the arrangements and help ensure your workforce is fit, well and ready to rise to the new challenges.”
There will be enormous opportunities for organisations that embrace the complexity of managing risks effectively in this new environment, he said, and resilience and adaptability will provide a competitive advantage over others who are constantly reeling from unexpected shocks because they have not tried to anticipate them. “You will flourish in a world where risk profiles have changed, and will keep changing,” he concluded, “because you have been preparing for, and anticipating all this.”