Enterprises are making massive changes to their business models and strategies at a faster rate than ever before because of the COVID-19 pandemic, supply chain disruptions and new environmental mandates. The pace of change has introduced new business risks for enterprises, making it imperative that companies take a close look at their risk management programs.
Risk management failures are often depicted as the result of unfortunate events, reckless behavior or bad judgment. But a deeper analysis shows that many risks are due to systemic problems that could have been addressed with a more proactive and ongoing enterprise risk management (ERM) program. Here are nine common risk management failures to avoid.
1. Poor governance
Citibank made headlines in a negative way when it mistakenly wired a $900 million loan payoff to cosmetics company Revlon's lenders in August 2020. A federal judge later ruled that Citibank wasn't entitled to refunds from 10 lenders that had refused to return about $500 million, although an appeals court overturned the ruling, and the bank eventually got all the money back.
Like all financial services institutions, Citibank had policies and technologies in place, such as dedicated terminals for wiring large amounts of money and multiple controls that were revised after the migration of its workforce to remote locations during the pandemic. Compromised banking controls were first suspected to have caused the costly error, said Chris Matlock, vice president and advisory team manager for the corporate strategy and risk practice at Gartner.
But the problem was traced to a recently installed software package that had UI issues and didn't have the appropriate controls, which led to human error. "This was a case where the human side of the equation can overwhelm any amount of good technology that has been installed," Matlock added.
Two months after the erroneous payment was made, Citibank was fined $400 million by U.S. regulators for what the government called its "longstanding failure to establish effective risk management and data governance programs and internal controls." The order also required the bank to overhaul its practices and controls.
2. Toxic work culture
Known for decades as the hub of technical innovation, Silicon Valley has now become a bastion of toxic "bro culture," according to Alla Valente, an analyst at Forrester Research. She also cited other forms of toxic work culture created when companies fail to mitigate risks that can alienate employees and customers, often resulting in negative business consequences.
For example, Facebook's lukewarm response to the Cambridge Analytica data usage scandal that came to light in 2018 significantly eroded its trustworthiness and market potential, Valente said. Wells Fargo's executives turning a blind eye to warning signs of the bank's predatory lending practices with customers "was a strategic decision," she added. "It could have been fixed, but fixing culture is never easy." It was a costly failure in managing risk: In 2022, Wells Fargo agreed to pay $2 billion to affected customers and a $1.7 billion federal fine.
3. Overemphasis on efficiency vs. resiliency
Efficiency and resiliency sit at opposite ends of the business spectrum, Matlock said. Greater efficiency can lead to greater profits when things go well. The auto industry realized significant savings by creating a supply chain of thousands of third-party suppliers spread across multiple tiers. But early in the pandemic, there were massive disruptions in supply chains that lacked resiliency. A chip shortage ensued, and the bottom lines of automakers suffered when chip suppliers took advantage of the resulting higher margins in the consumer electronics industry.
Conversely, Matlock said interactive fitness equipment maker Peloton moved its entire supply chain and manufacturing process from Asia to Ohio to meet the heightened demand for its exercise bikes during the COVID-19 lockdowns. That kind of resiliency in its supply chain helped insulate the company from disruptions, bottlenecks and trade wars, although Peloton later ran into financial problems after the lockdowns ended, leading to layoffs and the departure of its CEO in 2022.
4. Meaningless ESG statements
Until recently, companies often would release environmental, social and governance impact statements that only paid lip service to their ESG initiatives and weren't tied to measurable results or meaningful outcomes. But especially since the United Nations issued a "code red for humanity" on climate change in 2021, regulators, customers, employees and shareholders alike are pushing for more meaningful ESG impact reports.
Starting in 2025, the EU will require about 50,000 companies to report annually on business risks and opportunities related to social and environmental issues as well as the impact of their business operations. Securities regulators in the U.S. are also considering new climate risk disclosure rules. In 2021, ExxonMobil lost a proxy battle for three board seats after activist investors demanded greater ESG accountability from the oil and gas company.
"There was an underestimation of the importance ESG would have," Matlock said. "Up until now, we've known that being environmentally conscious and being socially conscious was important. But now suddenly, it seems like we all have to take this seriously. And if we get it wrong, there may be a penalty in terms of capital flow and opportunities."
5. Reckless risk-taking
In 2021, a wildfire during unusually high summer temperatures approaching 122 degrees destroyed the village of Lytton, British Columbia, in less than two hours and led to a class-action lawsuit claiming the fire was triggered by heat or sparks emanating from a freight train operating nearby. The suit alleged reckless behavior by the Canadian Pacific and Canadian National railways, arguing that they should have known conditions were unsafe to operate the train and that they failed to protect the town.
"But it's often not that simple," said Josh Tessaro, director of security and risk at Thirdera, a ServiceNow global services provider. "When you see one of these news articles that looks like reckless risk-taking, it is almost always due to lack of risk data, process definition and governance."
6. Lack of transparency
During the height of the pandemic, national attention was focused on the underreporting and misreporting of COVID-19 deaths in several states. New York's nursing home scandal showed a systematic lack of transparency about the actual number of deaths related to COVID-19 among the elderly as well as the wide discrepancy between the understated figures released to the public and the state attorney general's ultimate findings.
Withheld data, siloed data or a lack of data within organizations can create transparency issues and result in untold consequences. "Many processes and systems were not designed with risk in mind and are often disconnected across the enterprise and owned by different leaders," Tessaro explained. "Risk managers often then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to get."
A transparent risk management approach requires a consistent company-wide strategy that includes senior management and other business leaders. The strategy should also clearly define the role of risk management; encourage risk awareness; institute a common risk language; and encompass the various interests, objectives and critical risk concerns of all departments. A centralized system of record for risk profiles and risk-related events should also be established to collect, manage and report on key risk data, and the risk management process should be documented.
7. Immature ERM programs
Large mergers and acquisitions that go well, as well as successful IPOs, are big news in the business world. Buried among the success stories are many less-publicized M&A, IPO and product launch failures.
"Many of these failures can be attributed to organizations' immature risk programs," said Clifford Huntington, senior vice president and general manager of governance, risk and compliance (GRC) tools at software vendor OneTrust. Enterprises often don't recognize that a complete risk assessment, conducted as part of an ERM program to identify potential and inherent risks, is needed before making deals and before engaging in various other business activities.
8. Supply chain oversights
The rise in mass cyber incidents highlights the need to assess security risks up and down the partner supply chain. "Organizations are increasingly focused on the risk from their vendors as it relates to sensitive data breaches," said Mark O'Hara, a managing director at consultancy AArete.
New contractual terms need to address cyber insurance requirements, data destruction practices and destruction verification, O'Hara said. But many organizations, he acknowledged, don't regularly review existing agreements or consistently communicate new requirements across their business units, resulting in noncompliant contractual agreements and potential supply chain risk management problems.
9. Lagging security controls
While companies have been accelerating deployments of new technologies and workflow procedures to accommodate their increasingly hybrid workforces, the controls needed to ensure security, availability, processing integrity, confidentiality and privacy -- as well as the documentation of those characteristics -- haven't kept pace.
"We rapidly pushed everyone to remote work where possible, yet controls around user access and physical security did not change as quickly," said Dan Zitting, a former executive at several GRC and risk management software vendors who is now president and COO of e-commerce platform provider MikMak.
As a result, many organizations are encountering control failures and compliance issues, leading to risk exposure and security breaches. For example, the controls specified in compliance standards and regulations such as SOC 2, the Sarbanes-Oxley Act and ISO/IEC 27001 changed as workflow processes increasingly became remote-friendly. But some companies are still struggling to update their documentation to pass these types of security audits.