External Risks: How to Define Them. How to Fight Them.

A successful finance department should understand traditional business risks, such as fluctuating interest rates or cycling commodity prices. Yet some risks are unpredictable; not a single finance department could have foreseen in 2019 that a global pandemic was coming and the extent to which it would wreak havoc on human health and commerce.

In today's uncertain business climate, an organization's bottom line can suffer from external risk events and conditions so far removed from day-to-day operations that many companies might not have given them a second thought.

A risk is considered to be external when an organization has little or no control over if, when or how it might occur. When viewed in tandem with the related category of nonfinancial risk, this includes a wide range of potentially negative events. The World Economic Forum recently identified the top 10 external risks to organizations over the next 10 years, which include:^[1]

• Climate change
• Cybercrime
• Geopolitical polarization
• Geoeconomic fragmentation

Other potential external risks include supply chain disruptions, pandemics, regulatory changes and viral social media incidents. Additionally, many modern risks are overlapping and intertwined, such as cybersecurity concerns that are amplified by political risks.

“Cyberthreats remain a perennial concern for [Chief Audit Executives], yet the drivers of this risk have evolved as a result of new geopolitical conflicts and the heightened prospect  of  state-sponsored attacks,"  said Leslee  McKnight, vice president for the Gartner Legal, Risk and Compliance practice, in a public statement.^[2]  “Mitigation plans need to  be revisited to reflect the evolution of the risk and prepare the organization to meet increasingly stringent disclosure requirements in the event of a breach."

Insurance May Not Be Enough

Many organizations are far less proficient in identifying and preparing for external events than they should be. A survey of 300 finance leaders, from companies with between $100 million and more than $5 billion in revenues, found that fewer than 15% of respondents were highly confident in their company's ability to manage top business risks.^[3]

Counting on insurance to fill in the gaps may be a mistake. In 2022, Hurricane Ian devastated entire regions across the United States, causing an estimated $60 billion to $80 billion in economic losses.^[4]  Only a year prior, winter storm Uri struck the U.S., Northern Mexico and parts of Canada, causing at least $195 billion in property damage, becoming the most expensive disaster in the history of the United States.^[5]

Of those $195 billion in losses, only about 33% were covered by reinsurance.^[6] Moreover, even those organizations that were fully insured may not be made whole, since policies don't normally cover less tangible losses due to "operational disruptions," such as market share, customer sentiment and investor confidence.^[7] That leaves it up to organizations to invest in their own internal mitigation methods.

Prioritizing risk mitigation can be a smart decision for another reason: It may help boost investor confidence, especially for companies that have operations in regions prone to extreme weather events.

Accountability Starts at the Top

While organizations might not be able to prevent the external events that create risk, they can take steps to mitigate those risks. On a basic level, the methods and attitudes necessary for effective external risk management are quite similar to overall risk management.

Effectiveness starts at the top of the organizational chart, and C-suite executives must keep in mind that the tradeoff for convenience is often risk. For example, before businesses outsource work to external vendors, such as IT providers, they should consider the risks associated with doing so. Many of these risks are not being mitigated effectively, according to a recent study: Only 44% of respondents considered their institution to be extremely or very effective in managing risks from third-party service providers.^[8]

To combat these risks, leadership must first take accountability for them. The process can succeed more effectively when the chief risk officer (CRO) works collaboratively with the board of directors. The more complicated and riskier the business environment becomes, the more important it is for boards and CROs to work closely together.

Luckily, it appears that many businesses are already on the right track—64% of organizations surveyed reported that it was “extremely or very high priority for their institution over the next two years to improve third-party risk management." ^[8]

The Challenges of Measuring External Risk

On another level, external risk management presents some unique challenges. For instance, leadership may sometimes be hesitant to sink too much time into identifying large external risk issues. This is not necessarily due to   a lack of willingness but could be at least partially driven by the fact that risks are often difficult to quantify. Why should companies prioritize investment in preventing risks that they don't fully understand the scope of, and can't fully control?

Another challenging element to risk management is preparing for unexpected controversies within an industry, including any resulting public calls for regulatory reform. How can companies stay on top of these risks without giving the appearance of involving themselves in a political or social matter or movement?

One option is to create a centralized repository that tracks proposed and newly created rules and regulations, to identify how they could affect businesses if passed. This resource could also track public complaints against other similar organizations, and any resulting fines or penalties.

Of course, this is a double-edged sword. More tracking and logging means businesses will spend more of their valuable time doing routine, rote tasks. Most risk managers, who already spend much of their time identifying risks—when they would rather spend it on developing strategies to mitigate those risks—know this conundrum all too well.

This is where—for deeper levels of analysis—a rapidly evolving set of technologies, such as machine learning (ML), artificial intelligence (AI) and predictive analytics, might come in. These technologies are already offering risk managers the ability to automate time-consuming processes.

Treating Risk Management as a Strategic Tool

Companies that focus on resilience as a competitive advantage can see better results.^[9] Take advantage of strategic planning to focus on “how things work" in the business environment to develop new, forward-thinking strategies that can advance organizations further toward meeting their overall goals.

For instance, what if a manufacturing organization identifies a critical parts supplier that was completely shut down during the pandemic and took an inordinate amount of time to restart? A simple solution would be to increase inventory of that supplier's products or even to switch suppliers completely. A strategic solution would be to   investigate bringing production capabilities in-house or redesigning products to eventually avoid reliance on single- source components.

A strong risk management program also assures that everyone has a stake in the process, viewing risk management not as an annoying speed bump, but as an exciting new way of refining and improving opportunities for growth, expansion and profitability.

Ready to Help

PNC combines a wide range of financial resources with a deep understanding of different lines of business to help companies achieve their goals. To learn more, please contact a Relationship Manager or visit pnc.com/cib.