Only 25 percent of companies are evaluating or modeling the longer-term impact of emerging risks on their business, leaving a cascading scenario that can also harm their customers, according to a new Marsh report.
“Responses suggest that organizations are placing too much emphasis on certain perils – primarily those that pose an imminent threat – while other risks that are perceived as slower to evolve, but have similarly persuasive impacts, are largely overlooked,” Marsh’s “Risk Resilience Report” notes.
Marsh said that a business’s customers would be most heavily impacted by five of six perils, but organizations aren’t putting effective processes in place “to adapt, learn and avoid disruption for this critical audience.”
As a result, an event spreads its impact and causes wider damage.
Marsh conducted its global survey with nearly 1,000 organizations representing more than 30 industries. It explored organizations’ practice of and attitude toward risk management, the company explained.
Good News/Bad News
The good news is that most respondents agreed on the importance of various risk. Large majorities ranked cyber/technology, emerging technology, climate, geopolitical, pandemic and regulatory emerging risks as either most important or important.
At the same time, however, they aren’t necessarily preparing for longer-term impact of those risks, Marsh said.
Consider cyber/technology risks. While 46 percent of respondents said their organizations could withstand the financial impact of a big cyber attack, less than a third were making efforts to forecast and model those risks. Only 18 percent of companies said they were highly prepared for cyber risk, even as 45 percent rated it as the most important risk.
But, companies that measure risk in financial terms were 20 percent more likely to have an integrated risk team focused on strategizing and developing resiliency strategies.
Another good example is the dissonant reaction to climate/environmental, social and corporate governance risks. Marsh found that 85 percent of respondents rated these risks as either important or very important. But 45 percent said they either have an ineffective or non-existent process for identifying, responding to and implementing changes based on these risks. What’s more, 40 percent said they don’t stress test financial impacts at their organizations from these risks. Also, 20 percent said climate/ESG risks didn’t affect any of their core business areas.
The key, Marsh said, is for companies to develop anti-risk strategies focused on expecting the unexpected.
Marsh found just 25 percent of respondents used “scenario-based” modeling across their companies to evaluate emerging risks, while 45 percent used the concept “somewhat” on only certain exposures in a narrow way.
Wider more expansive modeling can make a difference, Marsh said.
Marsh said stress-testing metrics can help, along with early-warning crisis-event metrics, which can help guide early decisions during a crisis event’s initial days.
Another recommendation: measurement of risk aggregation and interdependencies across the value chain. This practice can “help show the degree of contingent business interruption risk present,” Marsh said.
The full report is “Risk Resilience Report: Keys to Building a More Resilient Business: Anticipation, Forecasting, and Agility.”