Learn about our research evidence that reveals the weaknesses and shortcomings in current risk management practice which are both “art” and “science” related.

In today’s complex and unpredictable business environment, having a complete and thorough risk management system in place is now essential not only for protecting your individual projects, but also the organization itself. Most organizations now face multiple forms of risk, many of which are new or continually evolving.

There have been major developments in risk management approaches and systems in recent years and a high proportion of organizations now have enterprise risk management (ERM) systems in place, and have adopted more strategic approaches to this area of activity. However, many others have inadequate or incomplete risk management systems, which leave them vulnerable to multiple threats and unable to capitalize on the benefits of risk management.

The nature of business risks has also been changing, driving by factors such as the increased use of the Internet and social media and the growing complexity of supply chains. Risks are now often categorized as reputational, operational, and transformational.

The research evidence reveals that weaknesses and shortcomings in current risk management practice are both “art” and “science” related. The “science” of risk management comprises of the formal tools and techniques used to identify, evaluate and monitor potential threats to the organization, and the “art” of risk management comprises of the softer skills needed to identify and manage the more qualitative, people-related risks and to effectively integrate risk management with business strategy.

In the case of reputational risk management, for example, “art” is important for understanding organizational and stakeholder “politics”; for effective communications to positively influence customers’ and public perceptions of the brand, and for developing the types of trust-based relationships that are important when the organization has little direct control over the day-to-day actions of employees or suppliers. But “science” is also important for the effective use of IT and information systems to capture, analyze and monitor data on reputational risks; to ensure data systems are adequately protected against cyber-attacks, malware and other security breaches and to apply formal risk analysis techniques to reputational forms of risk. Similarly, the right combination of “art” and “science” must be achieved for effective identification and management of operational and transformational risks, and in the overall adoption of Enterprise Risk Management (ERM) solutions and the adoption of a strategic approach to risk management.

The Growing Importance of Risk Management

In today’s complex and unpredictable business environment, having a complete and thorough risk management system in place is now essential not only for protecting your individual projects, but also the organization itself. Most organizations now face multiple forms of risk, many of which are new or continually evolving.

How is Risk Management Changing?

There have been major developments in risk management approaches and systems in recent years and a high proportion of organizations now have enterprise risk management (ERM) systems in place. The most advanced of these are integrated with internal control and strategic planning systems, with positive impacts on business performance and competitiveness. However, many other organizations have inadequate or incomplete risk management systems, which leave them vulnerable to multiple threats and unable to capitalize on the benefits of risk management.

Key Drivers of Change in Risk Management

A number of factors are driving the need for new forms of risk management requiring different skills, systems, and processes than in the past. These include:

Increasing Legal and Regulatory Requirements: Private and public sector organizations alike now operate within a much tighter regulatory environment than in the past and must ensure that they are fully compliant with applicable regulations and reporting requirements in multiple areas, including health and safety, employment, finance, sustainability and ethics.

The Rapidly Changing Business Environment and New Business Models: Firms face higher levels of uncertainty and are under continual pressure to review and transform their business strategies and operating models. They face new types of risk, particularly arising from the more fluid organizational structures and business models that many are adopting.

Globalization of Economic Activity and Increasing Supply Chain Complexity: These increase the range of risks to which many organizations are exposed to, especially those operating across national borders with extensive cross-national supply chains or using offshore outsourcing.

The Impact of the Internet and Social Media: Firms are also exposed to types of risks that were relatively unknown in the traditional business environment, arising from the impact of the technology, the Internet and the widespread use of social media, particularly threats to their reputation from third party postings.

Increased Focus on Sustainability and Ethics: Expected standards of sustainable and ethical performance are high and failure to meet these involves significant risks. Organizations are also required to comply with a wide range of regulations and reporting requirements both at home and internationally, increasing risks of non-compliance.

Key Developments in Risk Management

The expanding and changing nature of business risks: Risks used to be conceptualized as financial or non-financial. Nowadays it is more common to recognize and define a wide range of risk types, which fall broadly into three categories:

  1.  Reputational: These risks have been increased exponentially by use of the Internet and social media, on which negative publicity from any source can almost immediately reach millions of people worldwide.
  2. Operational: Factors such as the globalization of economic activity and the use of extensive, multi-tier supply chains have vastly increased the potential risks within this area over which firms have limited control.
  3. Transformational: These have arisen and increased in significance now that firms need to undertake frequent major organizational change initiatives in order to stay competitive and achieve business growth.

Increase in the Strategic Importance of Risk Management: There is an increasing tendency for companies to make more explicit links between their risk management systems and their strategic decision-making and performance measurement systems. C-suite executives are taking more direct responsibility for and becoming involved in risk management, and many organizations are establishing Chief Risk Officers.

Growing Use of Enterprise Risk Management Systems: Holistic ERM systems integrate risk management across the organization, in a more structured approach that incorporates all categories of risk.

Art and Science Related Challenges in Risk Management

The “science” of risk management comprises of the formal tools and techniques used to identify, evaluate and monitor potential threats to the organization, and the “art” of risk management comprises of the softer skills needed to identify and manage the more qualitative, people-related risks and to effectively integrate risk management with business strategy. For effective risk management, it is crucial to achieve the right combination of art and science.

The research evidence reveals that weaknesses and shortcomings in current risk management practice are both “art”- and “science”-related. These include, for example:

Primarily Science-Related: Inadequate risk management systems; Inadequate use of technology, tools and methods

Primarily Art-Related: Inadequate risk management skills and expertise, especially soft skills; Lack of attention to the role of corporate culture in risk management

An “art and science”-based approach to risk management is also necessary because of the inter-relationships between organizational culture, systems and processes, which must be continually realigned with business strategy and objectives.

The Art and Science of Managing Reputational Risks

“Art” is important in reputational risk management, for example, for understanding organizational and stakeholder “politics”; for effective communications to positively influence customers’ and public perceptions of the brand, and for developing the types of trust-based relationships that are important when the organization has little direct control over the day to day actions of employees or suppliers.

But “science” is also important for the effective use of IT and information systems to capture, analyse and monitor data on reputational risks; to ensure data systems are adequately protected against cyber attacks, malware and other security breaches and to apply formal risk analysis techniques to reputational forms of risk.

The Art and Science of Managing Operational Risks

The complex, inter-related nature of operational risks and the need to generate reliable indications of their potential impacts means that this area requires high inputs of “science”. This includes specialist knowledge and expertise of risk management frameworks and analysis techniques, as well as a heavy reliance on information technology for data collection, analysis and monitoring.

However many operational risks are intangible or qualitative in nature and require the application of “art”; these relate for example to the attitudes and behaviours of frontline employees, middle managers or other stakeholders. The “art” of operational risk management therefore involves the use of soft skills to identify and manage these people-related risks.

The Art and Science of Managing Transformational Risks

The “art” of transformational risk management includes effectively defining the company’s fundamental purpose and transformation objectives and ensuring that these are clearly communicated to all employees and other key stakeholders. There is a need for both “art” and “science” to underpin effective executive sponsorship and governance of the transformation project and to assess and address weaknesses in organizational change readiness.