Mitigating business risk has always relied on knowledge of markets and counterparties, and of the forces that could disrupt a company’s agreements and assumptions. In the pre-digital, pre-global age, gaining such knowledge was made easier by implicit boundaries that governed the way most organizations conducted business.
Suppliers, lenders and business partners were drawn from fairly well-established pools of referrals and contacts. Clearer categories for industries and sectors meant that enterprises knew their place in the larger economic ecosystem, enabling them to adopt and conform to established business models and vocabularies. Growth was often predicated on increasing a product’s existing market share or on moving into markets adjacent to those where a solid presence already had been established.
Of course, even in that environment, plenty of risks existed, and naturally the ability of enterprises and their leaders to navigate those risks ranged widely. But it is also fair to say that many aspects of business operated incrementally, and that their incremental nature made navigating risk simpler. This is particularly evident viewed through the lens of the past decade, in which traditional boundaries and assumptions, already weakening, eroded further. Globalization is one example. Not so long ago, “globalization” often meant that enterprises from a handful of developed countries were setting up operations or joint ventures in developing markets. Now the planet has a truly distributed network of business relationships, in which Asia invests in Europe and the Middle East has business partnerships in Latin America. Meanwhile, mobile connectivity and social media have created a digital world in which information asymmetries have greatly lessened, giving rise to different consumer expectations and business models. Those new business models are scrambling the traditional definitions of industries and sectors. All of these developments dramatically increase the number of unknowns—and thus the risks—with which organizations must contend.
The broadening of the risk landscape is visible in the types of significant incidents our survey respondents report experiencing in the last 12 months and in the priority levels they assign to various risk mitigations. The most frequently cited incident is leaks of internal information, reported by 39 percent. But this perennial challenge now coexists with risks from relatively recent threats, such as data theft, and even newer threats, such as adversarial social media activity.
Risk management today is centered on responding to—and trying to stay ahead of—rising threats while continuing to battle long-established risks. Newer risks differ from old ones in their ubiquity. While money laundering and counterfeiting, for example, take the greatest toll on particular industries and countries, virtually every enterprise is potentially vulnerable to social media attacks or collateral damage from a business partner’s scandal. Adding urgency to the new risks is the need to establish appropriate systems and capabilities for combating them. So it is that every risk on our list is either a significant or high priority for more than half of our survey respondents.
