Professional Documents
Culture Documents
Meeting The Future Dynamic Risk Management For Uncertain Times
Meeting The Future Dynamic Risk Management For Uncertain Times
© Cokada/Getty Images
November 2020
Beyond the profound health and economic would allow them to keep functioning smoothly if
uncertainty of our current moment, catastrophic connections were abruptly cut.
events are expected to occur more frequently in
the future. The digital revolution, climate change, Companies require dynamic and flexible risk
stakeholder expectations, and geopolitical risk will management to navigate an unpredictable future
play major roles. in which change comes quickly. The level of risk-
management maturity varies across industries
The digital revolution has increased the availability and across companies. In general, banks have the
of data, degree of connectivity, and speed at most mature approach, followed by companies in
which decisions are made. Those changes offer industries in which safety is paramount, including
transformational promise but also come with oil and gas, advanced manufacturing, and
the potential for large-scale failure and security pharmaceuticals. However, we believe that nearly all
breaches, together with a rapid cascading of organizations need to refresh and strengthen their
consequences. At the same time, fueled by digital approach to risk management to be better prepared
connectivity and social media, reputational damage for the next normal. The following discussion
can spark and spread quickly. describes the core of dynamic risk management and
outlines actions companies can take to build it.
The changing climate presents massive structural
shifts to companies’ risk-return profiles, which will
accelerate in a nonlinear fashion. Companies need to The core of dynamic risk management
navigate concerns for their immediate bottom lines Dynamic risk management has three core
along with pressures from governments, investors, component activities: detecting potential new
and society at large. All that, and natural disasters, risks and weaknesses in controls, determining
too, are growing more frequent and severe. the appetite for risk taking, and deciding on the
appropriate risk-management approach (Exhibit 1).
Stakeholder expectations for corporate behavior
are higher than ever. Firms are expected to act Detecting risks and control weaknesses
lawfully but also with a sense of social responsibility. Institutions need both to predict new threats and
Consumers expect companies to take a stand on to detect changes in existing ones. Today, many
social issues, such as those fueling the #MeToo companies maintain a static and formulaic view of
and Black Lives Matter movements. Employees risks, with limited linkages to business decision
are increasingly vocal about company policies and making. Some of these same companies were
actions. Regulator and government attention is caught flat footed by the COVID-19 pandemic.
reflecting societal concerns in areas ranging from
data privacy to climate. In the future, companies will require hyperdynamic
identification and prioritization of risks to keep pace
An uncertain geopolitical future provides the with the changing environment. They will need to
backdrop for such pressures. The world is more anticipate, assess, and observe threats based on
interconnected than ever before, from supply chains disparate internal and external data points. Dynamic
to travel to the flow of information. But those ties risk management will require companies to answer
are under threat, and most companies have not the following three questions:
designed robust roles within the global system that
3 core components of
dynamic risk management
— How will the risk play out over time? Some risks by the COVID-19 pandemic has demonstrated
are slow moving, while others can change and that many companies were not prepared for
escalate rapidly. Independent of speed, risks events with profound and long-lasting impact
can be either cyclical and mean reverting or that could fundamentally change how business
structural and permanent. Historically, most is conducted.
firms have focused on managing cyclical, mean-
reverting risks, like credit risk, that go up and — Are we prepared to respond to systemic
down with macroeconomic cycles. Historically, risks? In today’s world, risk impact can go well
the fundamental long-term economics of beyond next quarter’s financial statements to
business lines have held firm, requiring only have longer-term reputational or regulatory
tweaks through the cycle. Credit risk in financial consequence. Institutions must also consider
services is an example of such a risk. However, whether the event triggering the risk has broad
the traditional principles of trajectory and implications for their industry, the economy,
cyclicality of risks are increasingly becoming and society at large—and what that means
less relevant. The global economic shock caused to them. The COVID-19 pandemic has had
direct impact on most companies but has also approaches and premortems also play a critical
meaningfully shifted the global economy and role by letting leaders play out what might go
societal terrain. Companies should consider wrong before it does.
whether they have the controls, mitigants, and
response plans in place to account for worst- Determining risk appetite
case-scenario, systemic risks. For example, as Companies need a systematic way to decide which
companies house more personal data, the risks risks to take and which to avoid. Today, many
associated with data breaches become more institutions think about their appetite for risk in
systemic, with the potential to impact millions of purely static, financial terms. They can fall into the
customers globally. These firms need to consider simultaneous traps of being both inflexible and
proactively how to protect against and react imprudent. For example, companies that do not
to such breaches, including by working with take sufficient risk in innovating can lose out to
external stakeholders, such as customers, law- more nimble competitors. But at the same time,
enforcement agencies, and regulators. companies that focus on purely financial metrics
can unwittingly take risks—for example, with their
— What new risks lurk in the future? Companies will reputation by continuing a profitable business
need to cast nets wide enough to detect new and process that runs counter to societal expectation.
emerging risks before they happen. Traditional
risk-identification approaches based on ex post In the future, companies will need to set appetites
facto reviews and assessments will not suffice. for risk that align with values, strategies, capabilities,
Most institutions have not had historical losses and the competitive environment at any given time.
linked to climate change, and many have not Effective enterprise risk management will help them
encountered significant reputational blowback dynamically delimit risk taking, directly translating
from being on the wrong side of a social issue. financial and nonfinancial principles and metrics into
Institutions will need to work across business and a concrete view of what the firm will and will not do
functional divisions to maintain forward-looking, at any given time. Companies will need to be able to
comprehensive taxonomies of the fundamental answer the following three questions:
drivers of their risks. To get a real-time view of
those drivers, companies should look to internal — How much risk should we take? Rapid changes
performance metrics, external indicators, and can quickly uproot companies’ risk profiles.
qualitative views of what business leaders They will need to adjust their risk appetites to
see in their day-to-day work. Scenario-based accommodate shifting customer behaviors,
Web <2020>
<RiskManagement>
Exhibit 2
Exhibit <2> of <2>
Dynamicand
Dynamic andintegrated
integrated risk
riskmanagement,
management, which
which includes
includes the
the ability
ability to
to detect
detect
risks, determine appetite,
risks, determine appetite, and decide on action, is growing ever more critical.
decide on action, is growing ever more critical.
Reset aspiration Establish agile Harness power of Develop risk Fortify risk culture
for risk risk-management data and analytics talent for future
management practices
Move risk from Authorize cross- Digitize transaction Develop new Build true risk-culture
prevention and functional teams workflows; use data to capabilities and ownership in front
mitigation to to make rapid expand view of risk expanded domain line; hold executives
dynamic strategic decisions in characteristics; deploy knowledge to accountable for
enablement and business, algorithms to enable support full cultural failings; link
value creation innovation, and better error detection, understanding of risk culture with daily
risk management more accurate risk landscape business activities
predictions, and and outcomes
microsegmentation
Ritesh Jain is an associate partner in McKinsey’s New York office, Fritz Nauck is a senior partner in the Charlotte office,
Thomas Poppensieker is a senior partner in the Munich office, and Olivia White is a partner in the San Francisco office.