CFOs warn risk management capabilities have not kept pace with changing landscape

New research from Accenture has painted a worrying picture for senior business leaders.

The consultancy giant gathered insight from 700 corporate risk professionals to understand how recent global volatility had impacted their businesses, with a specific lens over whether the management of these risks was in safe hands.

A staggering 83$ said that complex, interconnected risks were emerging more rapidly. More worryingly, 77% admitted these risks were more difficult to detect and manage, and a further 72% said their risk management capabilities have not kept pace with the changing landscape.

As companies embrace reinvention to create opportunity from all this disruption and volatility, businesses need to think differently about mitigating and navigating risk. In part, this means modernising the risk function’s skills and technologies.

But it also means establishing a “risk mindset” across the entire organisation, so that every function and employee has the tools and capabilities to detect and mitigate threats. This is critical for turning threats into opportunities for growth.

Where have the risks grown?

Similar to Accenture’s 2021 report, risk professionals report that operational and financial risks have increased the most. However, technology and regulatory risks are becoming more critical issues on the agenda.

Compared to 2021, significantly more respondents now view each of these risks as growing concerns. Some differences exist across sectors. For example, 40% of pharmaceutical respondents state that the impact of regulatory and compliance risks has risen the most since 2021 – the highest percentage of any industry. As expected, software and platforms respondents (49%) led all sectors in identifying technology disruption risks as having grown most in importance.

Regulatory risks have grown due to new laws being introduced across various areas, from appropriate use of artificial intelligence and ESG disclosures, to new sanctions and trade restrictions. New industry-specific regulations have also emerged.

In banking, for instance, new regulations are being considered and implemented in response to bank failures and increasing operational complexity.

Technology risks have also become more prominent because the nature of the threats has evolved. While businesses have been aware of technology risks for some time, the landscape has changed significantly with the emergence of new issues like AI-enabled deepfakes.

For example, fraudsters are now using AI to create fake IDs from social media photos or mimic executives’ voices for scams. In one case, a UK energy firm lost £220,000 when criminals used AI to imitate the CEO’s voice and request an urgent vendor payment. Many companies are unaware these tactics are being used and lack preventative measures.

In contrast, risk functions can employ AI to help identify and mitigate this new form of risk. Data risk perspectives have also shifted. Instead of focusing narrowly on privacy regulation compliance, businesses now better understand how data misuse can severely damage stakeholder trust and finances.

Enter the new risks

Since 2021, some risk categories have become more impactful. Societal risks like increased cost of living and mental health problems became more prevalent among our clients, especially in countries like Japan and France. I

n the US alone, poor mental health is estimated to cost the economy $47.6 billion annually. Another societal risk component is that corporate stances on controversial social issues increasingly expose them to reputational damage.

“You can’t assess risks in isolation,” says Riccardo Roscini, Head of Group Enterprise Risk Management at UniCredit. “A geopolitical crisis can spur sanctions as well as severe supply chain issues in key sectors, causing inflation – which then lifts interest rates.”

The interconnectedness of risks confounds businesses. Most risk professionals (83%) report that complex, interrelated risks are arising faster than ever. The prolonged Russia-Ukraine war and growing US-China tensions demonstrate how discrete events can quickly exacerbate other risks:

• Supply chain disruptions affect facilities and supply routes
• Market risk grows if a business has a large consumer base in an impacted area
• Operational risk increases if a business has outsourced to a third party in an affected jurisdiction
• Regulatory complexity grows with new sanctions
• Reputational risk can increase if a business continues operating in a “blacklisted” country

“Risk is ubiquitous,” agrees Richard Treagus, Chief Risk Officer at Old Mutual. “The consequences of inadequate risk management have grown enormously. Interconnected risks make them harder to grasp. Something seemingly minor can actually become a systemic risk.”

Pulling back?

Accenture’s study shows 72% of respondents report their risk management abilities have not kept pace with the rapidly evolving landscape. For example, only 45% are “very confident” in managing disruptive technology risks.

While the swift pace of change may seem to outstrip risk organizations’ capacity to act, some encouraging survey findings emerged. For instance, 42% are now “very satisfied” with proactively identifying and defining new risks, up from 29% in 2021. This progress would benefit from more collaborative, enterprise-wide risk management and greater use of new technologies like AI.

Yet our research also reveals risk teams are pulling back critical investments that could enable a more robust, company-wide response:

• Only 37% of risk teams are employing new technologies, down from 49% in 2021
• Just 37% are expanding the risks and scenarios they evaluate, compared to 44% in 2021

Risk teams must keep up with the changing nature and impact of risks, investing continuously to enhance resilience. This apparent complacency in strengthening risk management undermines businesses’ ability to capitalize on strong capabilities.

Strategies for safety

According to Accenture’s report, risk professionals can enhance organizational resilience and competitiveness by emulating risk-leading companies in four key ways:

1. Invest in emerging technologies

57% of risk leaders designate new risk function technology as a top-three priority, versus just 24% of less mature groups. Meanwhile, 96% of leaders urgently aim to amass enterprise-wide data, compared to 59% of less advanced peers.

2. Cultivate future leaders

51% of risk leaders highlight importing new skills into the function as critical, compared to 24% of less mature groups.

3. Maximize agility

Risk leaders are nearly 4X more likely to be “very agile” in leveraging cloud platforms, tools and services to swiftly execute risk processes compared to less mature groups.

4. Make risk everyone’s business

57% of risk leaders are “very satisfied” with their company’s ability to build risk detection and mitigation skills, versus just 27% of less mature groups.