Technology and cyber-security risks top the list of CFOs’ concerns, with CFOs feeling increasingly exposed to almost all categories of risk since Q1 2022, according to new Lockton research.
66% of CFOs have changed their approach to risk management from Q1 to Q3 due to the velocity of risk.
High-profile cyber events in 2022 capture the essence of risk velocity. What starts as an isolated cyber risk then spirals into brand and reputation risk, litigation risk, regulatory and compliance risk, and so on.
54% of CFOs think that the velocity of risk is of greater concern than risk likelihood or impact.
However, many CFOs felt they weren’t prepared to deal with the velocity of risk.
While Chief Financial Officers (CFOs) are increasingly responsible for managing strategic business risks, many feel they aren’t prepared to deal with the magnitude and frequency of systematic risks, according to new research in Lockton’s ‘CFO Strategic Risk Report: Risk velocity and the impact on business.’
To better understand the impact this is having on CFOs, Lockton, the world’s largest privately-owned insurance broker, in partnership with Longitude, a Financial Times company, surveyed 475 CFOs and senior finance leaders during Q1 and Q3 2022. Respondents represented companies with a minimum of $100m (USD) revenue, 50 of which were based in Australia and 12 in New Zealand.
Lockton executives also sought expert insight on the findings from Geoff Martin, Professor of Business Strategy at Melbourne Business School.
Perception of risk exposure increases in all 14 categories of risk, leading to decreased confidence
CFOs feel their exposure to almost all 14 categories of risk (including technology and cyber-security) has increased in the past six months. Lockton Pacific Chief Executive Officer, Paul Marsden, was not surprised that there was a significant decrease in CFOs’ confidence in preparing for geopolitical events given the volatility of global news in early 2022, but pointed to current high-profile cyber-events as clear evidence of risk velocity.
“Increased interconnectivity and interdependence of systems, brought on by digitalisation and globalisation, have created an environment where one disaster can contribute to another. This is resulting in higher risk velocity: the speed by which a risk impacts a business and materialises,” Marsden said.
“In Australia, recent cyber attacks on a telecommunications company and a major insurer demonstrate when a major cyber event occurs, it’s not an isolated risk or issue. These events permeate into all parts of a business and they spiral quickly. For the insurer, they’re anticipating a $35m pre-tax hit to earnings for the first half of the financial year (not including any fines or extra compensation). Furthermore, on the first day of trading after the database was hacked, their share market fell about $1.75 billion. Having declared they did not have cyber insurance because it was deemed too expensive, the insurer is now having to front a bill in the millions of dollars. Litigation risk is pressing with future shareholder class actions on the cards. These are the real impacts and outcomes of risk velocity.”
66% of respondents have changed their attitude towards risk management
In light of increased velocity, 66% of respondents reported that their attitude to risk management has changed since Q1.
“Risks are now hitting organisations at a much faster pace,” warned Mr Marsden.
Offering advice for organisations, he said: “To build business resilience, risk velocity must be factored into traditional risk management models. However, businesses must accept that no plan is bulletproof and history is littered with failed crisis plans. The first step is to embrace a culture of risk management, then prioritise building a robust team and managing expectations. Organisations need diverse teams of individuals coming together to openly discuss risks with clear support from the board,” he concluded.
Aligning employee bonuses and financial incentives with managing risk
Professor Martin, an expert on strategy and risk at Melbourne Business School, weighed in on the findings and provided practical advice on managing risk.
“Firstly, be clear about your purpose and strategy – executives who want to lead effectively in a world of increasing risk velocity should start by being clear about their organisation’s purpose and strategy. What are they? Does everyone understand them? This is important because each risk you identify needs to be assessed in terms of how relevant it is to your purpose and strategy.”
He continued: “Determine your top capabilities and risks – make a list of the capabilities you need to succeed and risks you need to manage, then make sure they are widely socialised. Choose the five capabilities and five risks that are most important for you to build and manage over the next one, two and three years. Then, from those capabilities and risks, force-rank them. The main outcome you should be looking for is that everyone is aligned in understanding priorities regarding capability and risk. These questions are all asked in the shadow of your purpose and strategy.
“Finally, make sure incentives don’t increase risk – revisit your personal development and compensation plans to make sure you are aligning bonuses and financial incentives with managing the important risks. If someone has an incentive to maximise profit or revenue in a 12-month period, they might achieve it in a way that allows them to get their bonus – and move on to another firm or retire – in a way that substantially increases risk in a subsequent period.”