The digital side of risk: Research and recommendations from the 2023 Economist Impact Risk Reset study

Summary

Recently, Economist Impact conducted a global study sponsored by Iron Mountain that investigated how risk management is changing. The resulting paper examines that study’s data from a technological perspective. It considers how digital transformation both contributes to and helps to mitigate risk. It highlights some of the most important findings from the survey and offers recommendations for improving risk management as it relates to digital technologies.

Risk reset

Over the last three years, organizations have learned a lot of firsthand lessons about business risk. They’ve survived a worldwide pandemic that altered the way we work. They’ve watched as international conflict led to further disruptions in the supply chain and skyrocketing fuel prices. They’ve weathered storms, fires, and other natural disasters that resulted in outages and financial losses. They’ve defended their digital systems from barrages of cyber attacks. And they’ve strategized ways to deal with worker shortages and rising inflation.

These experiences have changed the way organizations view risk.

To find out exactly how risk management is changing, Iron Mountain sponsored a global study conducted by Economist Impact. The firm conducted primary research to understand how executives perceive the key internal and external factors shaping an organization’s approach to risk and the role that executives, technology, and the institutional setup play in risk management. Economist Impact surveyed 656 executives across key industries in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Mexico, New Zealand, Singapore, the UK, and the US. They also consulted with risk management experts at The Clearing House, the World Economic Forum, and the Wharton School.

The resulting report, titled Risk reset: shifting focus from reaction to anticipation, delves deep into four key pillars of risk management:

1. Workplace evolution
2. Cyber security and data governance
3. Sustainability
4. Operational efficiency

4 key digital technology findings

The survey revealed that risk management has become a key focus for organizations over the last three years. In fact, 90% of executives said that identifying risks has become more important.

In addition, it found that technology plays a complex role in risk management. Here are four of the most important takeaways that relate to digital technology:

1. Digital risk and opportunity go hand in hand.

In the survey, 80% of executives said that technology offers their greatest risk, and their greatest opportunity. This dichotomy provides the foundation for understanding the relationship between digital technology and risk management.

In its analysis of the survey data, Economist Impact wrote, “Emerging digital technologies such as machine learning and artificial intelligence (AI) promise to expand the risk manager’s toolkit, spotting patterns in data that human analysts might miss. However, attackers also have access to these technologies, which could be used to find vulnerabilities or launch more persuasive phishing attacks.”

In many ways, the threat of cyber attacks is one of the most real and pervasive threats organizations face today.

The US Federal Bureau of Investigation received 800,944 cyber crime complaints in 2022 alone, with total reported losses of more than $10.3 billion. Most large enterprises repel cyber attacks on a daily basis, and those attacks are becoming increasingly sophisticated, particularly as nation-states become more involved.

And it isn’t just their own systems that need protection. When companies use software and services from third-party vendors, they open themselves to additional risk. Simeon Fishman, executive vice president and CRO at The Clearing House, explained, “For example, only a few vendors provide cloud services, which has the potential of resulting in cloud concentration. A tech-centric organization, through the software they use or develop, may unwittingly put all their eggs in one or just a few baskets.”

However, the solution isn’t to avoid technology. On the contrary, failing to capitalize on emerging digital trends can actually expose companies to a different kind of technology risk — the risk of falling behind the competition.

In addition, technology can help companies to mitigate some kinds of risk. For example, backup and disaster recovery services, cloud storage, cyber security software, data analytics, and other tools can help organizations

As they work to create their risk management strategy, organizations need to remember that digital technology is both a risk, and a mitigation tool.

2. Technology risk indicators are becoming more important.

Risk indicators are quantitative or qualitative signals that allow organizations to assess their risk level. The survey asked executives to indicate whether risk indicators from a variety of categories had become more or less important over the past three years. Across the board, an overwhelming majority of respondents said that each of the categories — reputational, operational, environmental, technology, and workforce — had become more important.

Reputational indicators, which include media coverage, customer complaints, and social media sentiment, showed the strongest change in importance, with 80% of executives saying this category had become more important. But technology indicators scored very high as well, with 76% saying this category is more important, 16% saying there was no change, and only 8% saying technology indicators were less important.

Technology risk indicators can include metrics that the IT teams probably already track, such as the number of cyber security incidents, network uptime, total software bugs, and mean time to resolution. They can also include more qualitative metrics measures that arise out of proactive risk management efforts. For example, you might measure the percentage of key roles in the organization for which you have a succession plan, or you might assess the effectiveness of your current IT risk management procedures.

The fact that executives are paying more attention to these indicators is a positive sign. It demonstrates that leaders are becoming more aware of how critical technology is to the business. It also reveals that digital transformation is having a widespread impact with the organization becoming more dependent on technology than ever.

3. Technology risk drives risk management improvement efforts.

The survey not only asked executives to look back at the last three years, but also to look ahead at where they want their risk management efforts to take them. In particular, it asked which kinds of risks would be driving their organizations’ efforts to improve risk management over the next three years. The top vote-getter, with 43% of respondents, was technological risks. It even beat out financial risk, which was selected by 41%.

What kinds of technology risk are executives worried about? Examples include the following:

• Cyber security: Malware, ransomware, phishing attacks, denial of service, hacking attempts, and other types of cyber crime could expose sensitive information, result in downtime, and/or result in higher costs for the organization.
• Downtime: Hardware or software can experience issues that result in services being offline, sometimes for extended periods.
• Third-party dependencies: Products or services that you offer might rely on vendors who can experience outages, expose you to cyber attacks, or go out of business.
• Obsolete technology: If you rely on out-of-date technology, you may face operational challenges or expenses associated with upgrading.
• Integration problems: As you deploy new technology, you may face unforeseen issues with getting it to work with other systems and software.
• Data loss: Even if you don’t experience a cyber attack, you can lose data due to theft, hardware or software failure, natural disasters, or other causes.
• Regulatory changes: Governments can pass new regulations that can impact the technology you use and develop.
• AI risks: The rapid rise of artificial intelligence has organizations concerned about potential issues related to bias and ethics.

Why are these risks driving improvement efforts more than others? The answer might relate back to the idea that technology risk and opportunity go hand in hand.

Organizations can address many of these technological risks by implementing new technology. And that new technology, in turn, offers opportunities to improve operations.

4. Data analytics and AI play a key role.

The study highlighted two key technologies that organizations are relying on for risk management improvements. Right now, interest in AI, particularly generative AI, is very high, so it might not be surprising that more than 8 out of 10 (83%) of executives said that they are using AI and cognitive technology in their risk management processes.

Similarly, 80% of participants said that their organizations are using data analytics in risk management “somewhat” or “significantly.” That also seems to make sense given the high interest in analytics across all disciplines and industries.

Both AI and analytics help organizations find patterns in their data. And if they can see the circumstances when difficulties have arisen in the past, they might be better able to spot similar situations in the future.

While AI, analytics, and other advanced digital technologies can be helpful, they aren’t a complete solution in themselves. Fishman warned, “Technology can only get you so far if you don’t have the right design, risk architecture, or data within your systems.” He added, “It is also critical to understand how business processes and data are connected. Once the design and data are in place, analytics and data interrogation tools can be leveraged to form a more comprehensive understanding of risk in an organization.”

That comprehensive understanding is really key — and one of the biggest areas where organizations have room for improvement when it comes to digital aspects of their risk management.