Risk management frameworks are failing: Here’s what you can do

Old risk management frameworks are failing boards and other corporate leaders to the point where they become a risk themselves.
The simple fact is that managing risk in the 2020s needs unparalleled levels of dynamic adaptation, quick thinking and experienced leadership. Models that may have worked ten years ago aren’t suited to this environment.
If you haven’t realised this or taken steps to update your frameworks, the very thing your stakeholders trust to ensure the company’s survival may be a ticking time bomb, which would only reveal itself in times of severe corporate crisis.
Here are the details:
Quick recap: Old risk management frameworks and what’s involved
Risk management frameworks are what businesses use to track all aspects of the risk they’re exposed to. Frameworks will always provide blueprints for how companies identify risk, measure it and mitigate it, who has responsibility for doing so, and how they report on these efforts.
Boards, in particular, must ensure the business has an effective risk framework in place, one that aligns with their duty to protect the company and stakeholder interests. In the modern day, good boards are always expected to ask questions and challenge basic practices like risk management if they see gaps.
Why are old risk management frameworks failing?
You may have adapted to the more chaotic world order of the 2020s – essentially everything that happened since the pandemic – but any risk management frameworks written before then have not.
Sometimes, they’re not even remotely sufficient to deal with today’s challenges.
The fact is that older frameworks were initially designed for linear, predictable environments, which suffered less from the sudden market shocks that we’re so used to learning about nowadays. Think trade wars, tariffs, supply chain crises, boycotts, increased reporting requirements, game-changing tech and changes to ways of working.
Businesses are exposed to threats that defy any kind of calm, measured categorisation. Things can change rapidly in modern business, meaning boards that rely on outdated models may be flying blind.
Here are the three principal ways your risk management framework might be failing, and what you can do about it.
The frameworks are too static for modern geopolitics
Frameworks written before the 2020s were designed for a very different, more open, and less tense world order that simply doesn’t exist anymore.
While no framework will make this explicit, their structure will take into account certain guarantees, implying that the business can bank on norms such as open trade policies, functioning supply chains, major economies that co-operate geopolitically (even if there’s friction), and a lack of stakeholder anger resulting in boycotts, protest, cancel culture, etc.
These things are hallmarks of the decade we live in. There’s no running from them. The only realistic chance your company has is to plan for them, and this starts at the bottom with adequate frameworks.
How to change your mitigation tactics:
When it comes to geopolitics, directors can craft adequate frameworks by:
- Getting the right experience on the board – people who have dealt with geopolitics for years in some way, and now have a wealth of knowledge to offer.
- Encouraging scenario planning so that, as far as possible, market shocks don’t come as a surprise.
- Diversifying supply chains to lessen the risk that tariffs, sanctions or conflict undo your company’s entire production line.
The frameworks don’t appreciate the complexity of AI and cybersecurity
There is an endless number of risk factors to consider when approaching both of these topics.
With cybersecurity, the move online during the pandemic means criminals have done the same. They have now had several years to build an arsenal of sophisticated cyberattack methods that can compromise anything from local business systems to entire public health services. Frameworks that don’t grasp this enormity are not fit for purpose.
With AI, it’s even more complex because the technology is brand new to so many people, from frontline workers to boardroom directors. Many still don’t know what to do with it. Some avoid it entirely out of fear, others use it sparingly and don’t capitalise on its value, and others use it constantly without any proper training.
All of this happens within the undeniable context that AI will be a standard tool of future offices, so engrained in our operations that the risk associated with it is everything.
How to change your mitigation tactics:
- Bring in the right expertise at the board level.
- Elevate and integrate digital risk management as a core part of company-wide risk management. This goes especially for AI.
- Conduct regular reviews of new tech capabilities and ask if your company can capitalise on new potential and mitigate new risk.
Frameworks don’t fully address ESG in the modern context
ESG is a tough arena. Here’s why:
- Many governments and stakeholders consider it a new and vital part of corporate responsibility.
- They have brought in new rules and standards to reflect this.
- This means companies need far bigger capacities for reporting and data processing than before.
- Meanwhile, backlash against ESG is loud and varies from simply disagreeing with the workload to disagreeing with ESG in principle.
- Companies have to find a niche in the middle of all this noise.
Does your risk management framework reflect this modern, chaotic view of ESG? If it doesn’t, you’re probably not alone, but it’s definitely not a time to sit idle and wait for change to happen around you.
How to change your mitigation tactics:
- Consider what your ESG responsibilities are. This requires marrying your own mission statement with the expectations of regulators and other stakeholders.
- Bring in the necessary personnel at the board level. Give them ESG training if necessary.
In summary: How old risk management frameworks should evolve
Boards can’t function properly if one of their primary responsibilities – risk management – relies on frameworks that simply don’t work anymore.
With the pace of change in today’s corporate landscape, it’s natural for frameworks to go out of date when they are given little attention. Now is the time to give that attention, making updates where necessary, to safeguard future success.