Consulting the Crystal Ball. The evolution of Risk Management and predicting the greatest challenges for organisations in 2017 and beyond…



I have recently been reading about risk management and its evolution historically, especially since the GFC (global financial crisis), to where we are now, and projecting from 2017 and beyond (the next two years). I thought I would share the result of my reading with my network, as it is very interesting for those of us who work in this area.

Risk management remains a high priority for the financial services sector, organisations and boards of directors, given the interplay of high-trending concerns: regulatory compliance, cyber security, weak economic conditions, tighter business operating margins, changing consumer behaviour patterns and expectations, and the disruption of technology, to name but a few.

Geopolitical concerns remain in the mix, including how to adapt and move with the changes which impact a global community.

Since the GFC, substantial work has been done by organisations to address regulatory requirements. There have been enormous positive gains, such as:

– The universal adoption of CROs (Chief Risk Officers);
– The role of the CRO to report directly to the Board of Directors;
– Organisations having an independent enterprise risk management program (ERM) with a defined and understood responsibility matrix (up from 54% of organisations in 2006 to 92% of organisations in 2016);
– The adherence to pro-active risk management practices, including the encouragement of an organisation-wide ethical and risk-aware culture.

It is clear to those of us who work in this area that we have made great strides in enabling risk management to now be the norm.

There are however negative consequences, which are also quite clear, including:

– Disruption to technology;
– Cyber security concerns;
– Access to cost-effective business support – professionals that possess skills in both risk management and financial services;
– The continued activity of regulators and the sky-rocketing costs of associated compliance, including the drive to streamline processes, look for ways to reduce the cost of compliance and/or bring the skills in-house to drive greater efficiencies.

The main concern in the economic and business environment remains cost pressures. A March 2017 Deloitte report (see link below) has global growth at 3.1% in 2016 and projected at 3.4% in 2017, per the IMF (International Monetary Fund). Developed economies have tighter growth margins at 1.6% in 2016 and 1.8% in 2017.

Whilst weak global economic conditions show obvious challenges in the financial services sector and for organisations, ongoing low interest rates have also been flagged by the IMF as a concern for the solvency of many organisations.

Further, global trade in goods and/or services is far below its historical pace: growth has been 3% since 2012, less than half the average rate over the past 30 years. The slowing of economic growth is certainly a factor in these statistics.

Many global organisations, asked to identify the top three concerns they see as their greatest challenges for 2017 and the next two years, have named:

– Regulation and compliance (81% of respondents);
– Investment risk (72% of respondents);
– Cyber security and associated risks (35% of respondents).

Reasons and comments to this are varied, but universal in their overall summary.

Regulation and Compliance

This topped the list of respondents because it’s a constantly moving target that requires a strong compliance and risk management response program. For many organisations, there is a requirement to deal with multiple regulatory authorities.

Investment risk

The responses of the 72% of respondents who named investment risk relate to construction, credit, market and liquidity risk.

Tighter operating margins were the predominant concern, followed by changes to investor and consumer behaviours and expectations, new regulation requirements and technology disruption.

The strain to the risk management matrix (people, process, technology, data, governance and culture), with more pressure predicted in this area in 2017 and increasing in the next two years, will drive the need for greater efficiencies and effectiveness in day-to-day processes.

A major concern raised is that there is little or no investment in obvious solutions such as ICM (investment compliance management), due to pressures on the business costs environment. This is clearly an opening for financial tech solutions to create a more automated option for streamlining risk management practices, particularly for repetitive and/or routine tasks. A decision to invest in this area would be a key differentiator for competition.

There is some talk that regulation has gone full circle and has hit an inflection point in 2017, whereby it will not go further and/or attempts will be made to wind it back. See my article link attached from earlier this year.

In practical terms, regulation has come so far, and with such obvious benefits, that adopting an approach that assumes this would occur would be dangerous. The business costs environment is tight and the costs of regulation and compliance to business are great, so it is possible there will be some softening at the edges to stimulate business growth. However, in this uncertain landscape, it would be prudent to remain vigilant; continue to respond to risk management by putting into practice the positives that have been learned; respond, monitor and build on capabilities; and do so in a cost-effective and timely manner.

Become nimbler – respond effectively and efficiently, be agile, flexible and adapt to demands and changes.

Cyber and associated risks

Whilst this was third on the list of respondents, many responses named digital disruption elsewhere, such as in responses to regulation and compliance at number 1. Data was also included in response 2, investment risk. Therefore, cyber and associated risks remain a predominant concern for organisations.

Improving management of cyber security and the costs environment remain a priority. Cyber was connected with regulation and compliance responses, as it continues to attract the attention of regulators and policy creators.

A wide range of cyber risks were named. The main concerns raised by respondents were attacks on operating systems; users being locked out of their computers; data being accessed; theft; corruption of systems and data; and improper release of confidential information, data and systems, IP and corporate strategy.

Targets remain the financial services sector and organisations with key responsibilities to store secure and private data.

Boards of Directors

With the increased focus, scope and intensity of regulators, including requirements for compliance, and volatile, tight economic operating margins, most respondents also reported that their boards were devoting more time to overseeing risk management than two years ago.

It has become the norm for boards of directors to perform the traditional functions of risk management, including:

– review and approve the risk management policy for enterprise risk management (ERM) (93% of respondents);
– monitor new and emerging risks (81% of respondents);
– assess capital adequacy (70% of respondents).


Moving forward, challenges remain with regulation, compliance, cyber and investment risk. However, there are some positive findings: there is more support in organisations for risk management and cyber security. There is also more inclination for organisations and boards to seek the support of consultants in this field.

With this, challenges remain for 2017 and beyond, including:

– securing ongoing funding (35% of respondents);
– sharing intelligence with industry peers and groups (34% of respondents);
– communicating effectively with senior management and the board (31% of respondents).

Challenges for boards remain with obtaining sufficient expertise, with many boards opting to engage consultants to address technical expertise required in risk management and cyber risks.

Regulation and compliance remain a challenge in 2017 and the next two years, including:

– tighter standards in compliance and regulation – raising the costs of doing business (59% of respondents);
– growing costs of required documentation and evidence of compliance, including a focus on adopting measures of control for risk management, streamlining processes and centralisation of data (56% of respondents);
– an increased inclination for regulators to take formal and informal enforcement action (42% of respondents);
– more intrusive and intense examinations by regulators which disrupts day-to-day operations (37% of respondents);
– introduced restrictions and/or prohibitions on profitable activities that require significant changes to the day-to-day business model and/or legal structure, including the rising costs of just doing business.

Day-to-day just doing business has certainly become more regulated and complicated post the GFC. Whilst positives have come out of this with streamlined processes and more accountability, the question continues to be posed in 2017 and beyond, as to whether an inflection point has been reached with regulation and compliance? Will there be a softening of the approach? Time will tell and it will be interesting to monitor developments in this area.

To read more on the Deloitte survey, click here


Sarah Robinson @SR Insurance Consulting, is the Founder and Principal. SR Insurance Consulting is a business created to provide consulting services to businesses and small to medium sized brokers. Prior to starting her own business, Sarah was Assistant Vice President Claims, at a global leader in insurance and risk advisory solutions. She has served in a variety of insurance roles over the past 18 years, working for law firms, as an in-house lawyer and as a claims management specialist.
