2024 is the year to get serious about risk management. Here's how

Risk comes in all forms — and with variety, volume and velocity of different degrees. Invariably, addressing risk is the focus of risk management team divisions, which are key enabling functions in any organization that work to support fast and effective decision making.

Today’s era of disruption, of polycrisis, calls for advances in organizations’ readiness, response and resilience.

Ingraining risk management into every function within an organization can not only enhance resilience, but also lead to better strategies and outcomes. It’s no longer the only response that dictates an organization’s resilience, but also its readiness for every risk that is and could come to be.

Some risks are ‘knowns’, such as the emergence of AI as a technology or climate change. Then there are ‘unknowns’ — take, for example, a pandemic coming out of nowhere or the suddenness of a geopolitical flare up.

There are those too, which straddle the ‘known’ and ‘unknown’. An economic slowdown turning into a full-blown recession is one such risk. Any one risk manifesting is challenging enough to handle, let alone many coming to the fore together.

One thing is clear, though: The multiplicity and constancy of risk.

Any organization can ill afford a myopic risk strategy, for disruptive events — whether predictable or not — not only impact employees, customers, vendors, partners, society and environment, but may also pose an existential threat to the organization. Even if the threat is not existential, it may curb longevity or set back years of progress.

While risk is a constant, the way it manifests varies, and the response requires can depend on myriad factors. Just as strategy is an organization-wide function where islands of stratagem are pieced together into the whole, the different streams of risk views that flow across the enterprise must be united. Integrating this approach means switching from tabletop exercises in departments to embedding risk thinking, recognition, accountability and action into every dimension of the organization.

When risk is everyone’s business, when each person can identify and contextualize it, then risk management attains the primacy that it needs to move an entity from fragile to agile. Here are three key areas organization must work on to integrate risk management into the core of their business — and build a more resilient organization:

1. Culture to sense: Only the prepared thrive when it comes to risk management. The collective diversity of experience and learning of people in a large organization is the greatest armour in the face of uncertainty. If risk identification can be made an essential strand in the DNA of the organization, then risk detectability rises up many notches. The core risk management function is then freed up to move from being risk spotters to risk detectors, because risk identification becomes a skill that everyone possesses and is trained on.

2. Communication to respond: Once identification is pervasive, the next enabling mechanism is ensuring that there exist forums to talk about risk freely and without fear of punitive action or worse, boomerang effects where risk spotters are asked to take the onus of risk mitigation themselves. Inhibitions must be lowered with platforms to communicate risk as well as guidelines and guardrails that go with it. Doing so will enable the right kind of risks to bubble up within an organization and make their way to decision makers, who can then separate signals from noise, or signals of stronger frequencies than those with weaker ones in the given moment.

3. Context to adapt: When all dangers are clear and present in a unified view, then the course of action is to continually move forward with filters of relevance. These filters mark the contours of impact, with fundamental questions as to whether a certain risk needs response, who should respond to it and how they should do so. With these tactics set in motion, further streams of action and classification of responses take effect, such as direct or indirect, and whether speed or effectiveness weighs higher. Within a risk itself, actors must be traced to impactors for deeper correlations and micro-actions that add up to mitigation.

The next disruptor is already in play. In fact, many of them are. Some, such as generative AI, grew from infancy to maturity over many years. And others, like a pandemic, will happen when they do in one engulfing burst. The impact of each is wide, and to combat these, organizations too must widen their risk horizon scanning. Risk is omnipresent and organizations cannot let down their guard.

Whether it is known knowns or unknown unknowns, what everyone knows is the constancy of disorder — most, whether in business or in private, tend to overlook this because it is more comforting to do so. In today’s world of the polycrisis, organizations can no longer afford to overlook risk management.