12 top enterprise risk management trends in 2023
The 2023 trends that are reshaping the risk management landscape include GRC platforms, maturity frameworks, risk appetite statements and the CIO's critical role in promoting ERM.
Enterprise risk management has taken center stage as organizations grapple with the lingering effects of the COVID-19 pandemic, the threat of a recession and the rapid pace of change.
Executives recognize that stronger ERM programs are required to remain competitive in this new era. One aspect of the current risk landscape that companies must contend with is the connectivity of risks.
Businesses are increasingly more interconnected to partners, vendors and suppliers across global markets, explained Alla Valente, senior analyst at Forrester Research.
"We find that when there is significantly more risk in one of those categories it can have a ripple effect that impacts other categories," Valente said. The impact, for example, of a local natural disaster, the ongoing war in the Ukraine or high interest rates can cascade across an entire global supply chain.
This article is part of
What is risk management and why is it important?
- Which also includes:
- governance, risk management and compliance (GRC)
- risk avoidance
- risk map (risk heat map)
Here are 12 security and risk management trends that are reshaping the risk landscape and influencing business continuity planning.
1. Risk maturity frameworks consolidate workflows
More enterprises are considering a risk maturity framework as a way to manage the growing interconnectedness of vulnerabilities in the risk landscape, Valente observed. This method mirrors other frameworks like the capability maturity model widely used in software development. Risk management maturity requires addressing processes and technologies.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish policies and procedures, and implement the proper controls. Risk managers also need to ensure established processes for consolidating workflows across disparate agencies.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond simple financial governance, reaching into security, IT, third-party relationships and governance risk and compliance (GRC). A comprehensive GRC platform can be a critical integration tier for all types of risk management activities to create and manage policies, conduct risk assessments, understand risk posture, identify gaps in regulatory compliance, manage and respond to incidents and automate the internal audit process.
CIOs need to confirm that their risk technology stack is adequate for each task and used thoughtfully, proactively and not just reactively, Valente suggested. Consider integrating the following into a more comprehensive risk technology stack:
- intelligence analytics for geopolitical risks, natural disasters and other incidents;
- third-party risk assessment tools to track sanctions, security incidents and financial health;
- security systems to assess the potential impact of vulnerabilities, breaches and cyber attacks; and
- social media monitoring capabilities to track sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Many companies view risk management as a way to increase their competitive advantage instead of simply avoiding bad situations -- especially since the onslaught of the COVID-19 pandemic.
"Although many companies suffered economic losses during the pandemic," Valente noted, "we also saw many companies pivoting to new opportunities that did not exist before."
Valente's research team has been exploring the differences between traditional chief risk officers (CROs) who are laser-focused on minimizing risk and so called transformational CROs who see risk management as a competitive advantage -- examining how risks can interfere with business strategy and limit revenue streams.
"Companies with a transformational approach to risk," Valente explained, "can mobilize their teams and business leaders quickly to jump on a new gap in the market." When, for example, Ikea's store traffic plummeted during the initial pandemic lockdown, the retail furniture company quickly implemented a new contactless pickup system that allowed customers to securely pick up their purchases, according to Valente.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. So, for example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still allows them to turn a profit.
Risk appetite statements are starting to gain popularity in other industries to replace rudimentary "check the box" exercises with a process that more definitely guides day-to-day risk management decisions, observed Chris Matlock, vice president, advisory -- corporate strategy and risk practice at Gartner. This risk management trend comes with a caveat: "It is difficult to do," Matlock warned, adding that "the payoff for organizations that do it is extremely high."
He explained that companies face numerous challenges in implementing an effective risk appetite statement. Some executives believe it could limit their ability to pursue new opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Panels of subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using the GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues emerge that span multiple departments, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly and automatically be included to assess the risk and take action.
Risk assessment at the beginning of a new project is table stakes. Devising the best plan and finding a system that supports a timely risk response yields the best results. "It is the maintenance of risk and the timely response to risk throughout a project's lifespan that has the biggest impact on success," Matlock reasoned.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, principal at multinational professional services network Deloitte. Among the improvements are internal and external risk sensing tools that help generate the risk intelligence that detects trending and emerging risks.
In addition, Calagna reported that enterprises are turning to more integrated tools that do the following:
- present a holistic view of risks across the organization;
- capture leading indicators to show how a risk is trending;
- promote accountability for the actions taken to mitigate risk; and
- provide real-time risk reporting to aid in management decisions.
7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between enterprise risk and environmental, social and governance (ESG) agendas. Expect a rise in scenario planning and assumption testing capabilities, Calagna said. Companies are also using simulations, war games, tabletops and other interactive workshops to promote more cross-functional thinking about risk to help assess the impact of different futures on corporate business planning and strategies.
"As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine," cautioned Clifford Huntington, general manager, GRC, at OneTrust, a provider of privacy management software platforms. Organizations need to demonstrate that they're not greenwashing and instead making measurable progress. "Business leaders," Huntington said, "are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives."
8. CIOs broker C-level ERM buy-in
Enterprises are prioritizing resilience beyond just risk management to handle the disruptions caused by the COVID-19 pandemic and economic uncertainty, said Huntington. Companies with established ERM strategies that tie in all departments can pivot quickly.
To solidify risk and resilience plans within the enterprise, CIOs need to bridge the divide among their C-suite executives. "CIOs are the perfect broker to open up these conversations," Huntington advised, "and help their peers solve this essential need since they are in charge of providing technology and services to many of their peers.
9. Extreme weather risks grow in importance
With crisis events like extreme weather growing in impact and frequencies, CEOs and boards will be called to implement risk management strategies to mitigate their impact on employees and assets. In 2021, weather-related disasters caused an estimated $145 billion in damages, the latest figures available.
"With extreme weather now a norm, in 2023 CEOs will need to learn about risk mitigation to protect their assets, employees and bottom line," said Mark Herrington, CEO at OnSolve, an AI event management platform.
10. Integrating risk management with digital transformation
According to PwC's Digital Trust Insights 2022 survey, 75% of executives report too much complexity in their organizations, particularly in their technology, data, and operating environments. The upshot is that enterprises are increasingly adopting an integrated governance, risk, and compliance (IGRC) program to simplify their risk management activities, said Elizabeth McNichol, principal, cyber, risk and regulatory at PwC U.S.
"Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized, or even if it may be noncompliant with the law," she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal, and grounded in a risk-based approach.
IT plays a critical role as both a driver and enabler of IGRC. It is important for CIOs and other IT leaders to work with other management teams to identify and assess the impact in order to mitigate risks in accordance with the risk appetite of the company. An integrated governance model can help by coordinating strategy, people, process, and technology objectives across the end-to-end value chain. This ERM trend is critical for ensuring the risk component is integrated into broader digital transformation plans.
11. Cyber risk quantification
Kumar Avijit, practice director on the IT Services team at Everest Group, is seeing increased enterprise demand for risk quantification services, in particular, from boardroom executives. These services can range from customizing cybersecurity rules to complete risk quantification in terms of monetary value via an exhaustive risk assessment process.
12. Enhanced and contextualized risk monitoring
Avijit is also seeing increased demand for risk management monitoring tools tailored for various personas such as CIOs, chief information security officers and business managers. This is because various executives and business users are defining new risk management priorities and mandates. These tools enhance traditional risk management analytics with drill-down views that provide the right level of granularity.
Examples of some of the growing risk priorities for different roles include the following:
- CEOs want to drive secure business transformation.
- CFOs want to reduce business risks and the cost of breaches.
- COOs want to run resilient business operations.
- CIOs want to make security a foundational element of IT strategy.
Traditional vs. enterprise risk management: How do they differ?