Risk Management trends in 2025: Our expectations on key areas of focus

As we start a new year that could prove to be 'somewhat' volatile and challenging from a risk management perspective for most organisations, shared below are a few of our thoughts and expectations on likely areas of focus for risk practitioners in 2025 (and beyond), drawing on reflections of the most common areas of client support we provided in 2024. To provide some context, the clients we partnered with over the past year covered a pretty diverse spectrum, with revenues ranging from c.$1-50bn, operating in sectors spanning Pharma, Financial Services, Extractives, Logistics and Consumer Products, amongst others, and with headquarters located across all global regions.

Engagement highlights of 2024

ERM (multi-year) transformation projects - since Covid we have been averaging several of these a year. Previously I (Matt E) led the ERM advisory practice at a big 4 for over a decade, and in that time these types of engagements were, in my experience, relatively uncommon. Obviously the increased frequency of requests for such support could be a coincidence, but what we routinely hear from clients is that the main driver behind such investments - and they are significant undertakings - is the desire of senior management to derive more value and more actionable and robust intelligence from risk management efforts, as well as to assure that risks are being consistently managed and made transparent throughout the organisation (of course, major crises or strategic shifts can also spur profound system changes).

None of this is new per se, although leverage of data and technology (AI being an obvious driver), deeper and more robust analytics, better business integration and more engaging (and streamlined) reporting are arguably far more central to (and expected from) ERM systems than they used to be. What hasn't changed, and is still true for any ERM approach, are the foundational factors that determine whether it is successful and a truly value-adding activity: sustained support and sponsorship by leadership, governance that ensures ownership of risk by the business, relevant and insightful outputs that are accurate, fresh and reliable, and a framework that is tailored to how the business operates, thinks and focuses, so that it is additive to decision making and minimises bureaucracy.

These types of transformational projects are by their nature lengthy and testing endeavours, so a productive and enjoyable stakeholder experience (I know it's risk management, but that doesn't mean it can't be fun!) is also a key success factor for embedding change. This means that risk leaders, as well as being technically competent and credible, really do need to have effective interpersonal skills, while also being resilient in dealing with the complexities and stress such rollouts inevitably present. My own personal experience of delivering these projects is that the people side - building interest in the discipline and securing buy-in and ownership at all management levels - is by far the most important and productive investment of time.

Focused analytics - most people recognise that risk management is not moving blobs around on a heat map (not that I buy the narrative that any firms do actually manage risk this way). Heat maps are still widely used, however, despite their well-known flaws, as extremely busy management teams that are often drowning in reporting (understandably) appreciate the brevity of a one-page summary. Of more concern to us is the scope and robustness of the underlying analysis of organisational risk environments. Depending on the approach deployed, enterprise risk assessment may only provide a snapshot of a sample of significant known risks, and these are typically based on subjective single-point assessments, so they can be wildly inaccurate and unrepresentative of actual exposure.

In the last few years, we have seen a much greater interest from clients in understanding the broader spectrum of risks they face, and in more depth (initially driven by Covid). This includes emerging risks (highly uncertain exposures, often over extended timeframes), existential and extreme tail risks (note these are not black swans, a commonly misunderstood term, since black swans by definition cannot be predicted), and risk distribution / curve analysis. Emerging and existential risk analyses enhance understanding of the breadth and type of risk exposures an organisation can face that may previously have lacked visibility or focus. Risk curve development, meanwhile, helps inform comprehension of the true nature of a risk's exposure by using scenario analysis to build a model of its distribution across various impact severity and probability levels, which can (if need be) still be plotted on a heat map!

This approach does require a fair bit more effort than traditional ERM assessment (although typically less than statistical models such as Monte Carlo), but the outputs are far more robust and objective, as they draw on a broad array of data sets and deliver much more interesting and actionable insights. One word of caution: outputs from this type of analysis often produce very different risk assessment scores from those previously determined and reported, so this needs to be socialised appropriately with stakeholders.

BCM 'plus' - while operational resilience has taken centre stage in the financial sector and beyond in recent years, BCM continues to play a significant foundational role and is a vital component in strengthening an organisation's ability to withstand and recover from disruptions. It is increasingly clear that BCM is not just a standalone function but an integral part of the broader operational resilience and ERM landscape (and we see this reflected in client demand). Aligning these disciplines is essential for achieving a unified approach, which includes establishing a common language, shared metrics, and outputs that inform both disciplines (e.g., risk profiles and scenario selection). This alignment also enables organisations to set more nuanced recovery objectives and account for evolved disruption risks, such as those posed by third-party dependencies and cyber security. By evolving traditional approaches, BCM continues to reinforce its relevance in building a resilient and adaptive organisation.

ERM / supply chain risk management benchmarking - a number of our clients asked us to review prevailing practices (both common and leading) in ERM and supply chain risk management to support benchmarking of their current state and inform future development priorities. In the past I used to deliver a lot of client maturity assessments (which could sometimes be risky to a relationship if our scoring didn't align with expectations...), but we find demand for this sort of formal review is generally less frequent than it used to be (although, as noted above, this could be coincidental to our client portfolio).

Compared to, say, 10 years ago, a lot of the basics of good practice still remain the same, however: corporate strategy alignment, accurate risk characterisation, objective assessment, alignment with key business processes, data leverage and dynamic monitoring, impactful reporting, practical articulation of risk appetite, etc.

Some key differences are clear though, including (as reflected above) evolution in the nature of risk analysis performed, which is now broader and deeper due to the more expansive and complex risk environment organisations have to navigate, and technology, in particular the use of AI and ML. The use of AI and ML in specific risk domains is already impressively broad across multiple sectors and not actually that new in several. That being said, its use in core ERM (excluding functionality in some GRC software tools) I don't believe currently reflects some of the claims or perceptions that may be inferred from what you read online, i.e., a significant number of organisations are still not using it systematically as part of their ERM approach, and their frameworks have not yet been updated to structurally integrate AI deployment.

However, we believe its architectural implementation will soon become far more common, judging by the number of conversations we are having on how to expedite this, which is a nice segue into what we anticipate will be key focus areas for us in helping clients in 2025:

Expectations on areas of risk management focus in 2025


Unsurprisingly, geopolitical risk will likely be top of the agenda this year (and for the foreseeable future) – Trump, tariffs and the associated economic fall-out, how the various conflicts across Europe and the Middle East progress, political shifts to populist parties, retrenchment from DEI policies, and the ever-looming doomsday scenario of China invading Taiwan. Organisations should model and stress test their own sensitivities to different scenarios to evaluate the efficacy of mitigation options and determine early warning triggers for action, enhancing their resilience. The geopolitical models we developed with clients in 2024 revealed some surprising insights into just how severe (and likely) these impacts could be, as well as the complexity of the correlations.

Supply chain risk – certainly influenced by the above, but with a myriad more exposure types to contend with. We expect predictive risk monitoring and strengthened supply and demand forecasting (AI augmented), upskilling of staff on risk and resilience, and resilience-by-design principles such as partnerial approaches to third-party relationships to be an ongoing focus.

Cyber risk – an evergreen risk with astonishing dynamism. The complexity and sophistication of the threat and the required defences can be a challenge for cyber experts to convey to lay executives (never mind manage), although the severity of impacts is typically easier to grasp. Risk functions have a key role to play in supporting management understanding of exposure scenarios with more in-depth and robust risk analysis and reporting – when we perform cyber risk modelling we find it often delivers very different outcomes to those on enterprise risk registers and can serve as an effective platform for leadership engagement and debate.

Deployment of AI-based ERM systems – a starting point here for risk functions that are yet to engage with the technology could be developing enhanced early warning risk surveillance and risk identification approaches, using AI to leverage the data landscape and its trend and pattern recognition capabilities. Other areas could include support with focused risk research and analytics / prediction (we routinely use this ourselves to supplement our desktop risk analysis), reporting and analytical automation, ERM system and controls compliance monitoring, and deployed agents / chatbots for business advisory support, amongst many other potential applications. Of note though are the intrinsic risks of using AI too – data security and privacy, bias, accuracy and reliability, etc., which risk leaders also need to ensure are effectively mitigated.