Just 25% of global companies model the impact of emerging risks on their business, with major new threats and systemic risks “overlooked” by most firms, according to a new survey and report from Marsh.
Based on a global survey of 1,000 large and mid-sized firms from different industries, Marsh’s first Risk Resilience Report states that companies agree that risk is rising from six emerging risks – pandemics, cyberattacks, new technologies, climate change/ESG issues, regulatory changes and geopolitical risks. But it says not enough is being done to manage these threats.
Marsh says there is “a significant perception gap, with firms’ risk management functions prioritising short-term threats over those that are high severity but lower frequency”. Too much emphasis is placed on perils that pose an imminent threat, while other risks, often seen as slower to evolve, are ignored, Marsh adds.
Some 75% of respondents said their risk management and insurance-buying processes are aligned to their long-term growth strategies, but Marsh says businesses have not measured the impact of emerging risks on revenues and operations. “More work needs to be done when it comes to anticipating and modelling key emerging risks,” said Marsh CEO John Doyle, commenting on the report’s release.
At the same time, risk-resilient firms are gaining competitive advantage because they are able to anticipate risk, keep losses to a minimum and return to business as usual quicker, Marsh says. “Risk is now seen as an opportunity for organisations to achieve competitive advantages. This shift in mindset requires an expansive, forward-thinking view of risk management and resilience,” the report states.
Recent events have played out in full the severity of long-odds scenarios and the interconnectivity of risks. “The Covid-19 crisis, the temporary closure of the Suez Canal, major cyberattacks and other recent events have all exposed the fragility of global systems and serious shortcomings in organisations’ preparedness to manage major crises,” said Mr Doyle. “Effective strategies to build more resilient businesses will not only facilitate faster recovery but also increasingly become a competitive advantage,” he added.
The poll finds that cyber, regulatory and pandemic risk are the most important facing today’s businesses, with geopolitics perceived as the least important. Some 45% of those surveyed said cyber risk is the most important, but only 18% said they are fully prepared for the threat. While 46% of respondents said their business could withstand the financial impact of a significant cyberattack, Marsh says only one third of businesses actually model cyber risk. The biggest impact of cyber risk would be felt by clients, the survey found, followed by damage to the company’s reputation and supply chain.
The highest number of respondents, at 46%, conduct scenario-based modelling of pandemic risk, presumably because they’re on high alert following Covid-19, but only 28% said they are highly prepared.
Almost all respondents, at 93%, said regulatory risk is either important or the most important emerging threat, but 73% said they only partially measure the risk, or not at all. Marsh said just 32% of firms evaluate D&O cover requirements in response to regulatory changes, and only 19% have an effective process in place to evaluate new insurance requirements on the back of these changes.
Some 85% of respondents said climate/ESG is an important or the most important emerging risks. But 45% said they have an ineffective or no process for identifying or implementing changes based on climate/ESG risks, and 40% said they do not stress-test financial impacts. The survey finds that 20% to 30% of respondents do not believe climate change/ESG affects any part of their business.
The survey reveals that 80% of respondents believe they are prepared or highly prepared for risks from emerging technologies, but it found as many again only partially measure or do not measure the potential financial risk from new technologies.
Geopolitical risks ranked as the least important for 33% of businesses. Marsh found disparity between business size, with 40% of firms that achieve revenues of more than $10bn actively monitoring geopolitical risks, compared with 16% of smaller firms.
Marsh maps out four steps for boosting risk resilience, which it says could “transform” risk management. These are anticipating risk, connecting risk management to business strategy, avoiding gaps in the perception of preparedness and measuring relevant data.
“Our survey findings show that more work needs to be done when it comes to anticipating and modelling key emerging risks as they develop,” Mr Doyle said.