2021 was a year of many extremes, including record-breaking natural catastrophe losses, COVID-19 infections and deaths, political unrest, and worker resignations. In today’s climate of heightened risks, having a well-organized risk program could spell a world of difference for businesses.
Risk management software provider Origami Risk recently conducted a survey of over 220 risk professionals, 60% of whom said they held director-level or higher roles in their organization. The firm also conducted follow-up interviews with respondents to probe deeper into their responses.
The survey showed a significant split between leaders, or those with self-identified managed or optimized risk programs, and laggards, or those with ad hoc programs.
According to the survey, leaders had more proactive, strategic approaches to risk. This included enhanced use of risk technology and related resourcing, as well as managing emerging risks via environmental, social and governance (ESG); diversity, equity and inclusion (DEI); and supply chain management programs. Leaders were more likely to have set aside budget for additional technology in 2022 and to have made changes to their supply chains in 2021, in response to the disruption caused by COVID-19.
On the other hand, laggards said they were struggling with budgeting, integrating systems, and responding to emerging risks. They also faced challenges around strategic organizational priorities and did not have major tech purchases in their budgets.
With regard to DEI matters, laggards also took a “wait and see” attitude rather than being proactive in making changes to their organizations. This attitude could lead to exposures for organizations, as activists, shareholders and regulators are increasingly focusing on DEI issues, such as gender and ethnicity wage gaps, lack of diversity in management and sexism in the workplace. Among leaders, 80% had at least a foundational DEI program in place, compared to 48% of laggards.
Leaders and laggards also expressed different concerns, strategies, and priorities in risk management. Around 15% of leaders said protecting consumers and employees was their top risk management priority. Other top concerns among leaders were operational disruption, regulatory compliance, cybersecurity and data privacy, and brand reputation.
Among laggards, financial impact and adapting to change were their top concerns, with the latter being named by almost 30% of laggards.
According to Origami Risk, this observation was consistent with additional data showing that leaders were actively investing in technology, and also connecting disparate systems in order to gain a more holistic view of risk.
While talent acquisition was the number one organizational challenge across all respondents, leaders were less likely to list it, compared to laggards.
Leaders placed greater importance on cybersecurity risk, with close to 60% identifying it as a third-party risk concern, versus around 42% of laggards. Roughly six in 10 laggards did not include cybersecurity risk among their top three concerns.
As the supply chain crisis continues due to the pandemic and the Russia-Ukraine conflict, Origami Risk said that the four in 10 laggards that made no changes to their supply chains in 2021 have a huge supply chain blind spot that could severely affect their businesses. On the other hand, around 50% of leaders said they diversified their supplier network to cope with the increased level of risk.
There was also a significant divide between leaders and laggards with regard to having a risk management information system (RMIS). Laggards were 2.5 times more likely to not have an RMIS compared to leaders. A majority (51%) of leaders said they planned to expand their RMIS’ connections, while 81% of laggards had no plans to connect their RMIS to other technology platforms. Most of them said they lacked resources and budget to implement such connections.
“The Origami Risk State of Risk Report reinforces and confirms the findings of OCEG research, which demonstrates, year over year, the value of GRC program maturity and use of purpose-built GRC technology,” said Carole Stern Switzer, co-founder and president of non-profit risk think tank OCEG. “Movement from siloed, manual processes to more integrated, technology-supported processes is no longer an option. It is a necessity.
“Even as the State of Risk Report was being finalized, the massive geopolitical and financial market upheaval caused by the Russian invasion of Ukraine was taking place. These events presented many businesses and governmental entities with an urgent and sudden need to change policies, alter supply chains, and develop/approve/distribute communications to managers, workers, and external stakeholders. Some, with operations based in Ukraine or Russia (or both), had the added concern of how to help secure the safety and well-being of their employees in the region. Those with mature GRC capabilities and technology were far better situated to respond with agility and display resilience.”