The New Riskonomy

Section 1:
Navigating the new risk economy

No area of an organisation is without risk. Business leaders must contend with strategic, financial, operational, regulatory, and reputational challenges every day. This environment continues to rapidly evolve (evidenced by the recent disruption by generative AI), and today, tech is often the driver of both opportunity and concerns.

Game-changing tech comes in many forms. Robotics and the Internet of Things (IoT) are revolutionising trade and logistics, while automation and AI are transforming software and service-based organisations. No sector is untouched by the recent leaps in technological advancement, and every organisation can apply digital innovation to create efficiencies in their operations or redefine their products or services for a competitive advantage.

The tech gambit

Getting tech right is difficult; getting it wrong is expensive. In the UK alone, businesses are losing a monumental £244 billion1 in revenue a year due to poor data and revenue loss. And in the first 9 months of 2023, US organisations saw the number of data breaches increase by nearly 20% compared to all of 20222.

Some of the most significant cyber incidents over the past year have occurred through third-party and vendor behaviour, emphasising the importance of factoring the threat of litigation into tech-risk readiness strategies, even when the primary organisation is confident in its practices. Increasingly, board members are legally required3 to undergo specific training and be actively involved in their organisation’s cybersecurity strategy, reflecting the potential scale of tech risk.

Only 4% of business leaders in our research believe that the changing technology landscape does not pose a challenge or threat to their organisation.

This falls to 2% of leaders at high-growth organisations. Yet, 91% are working at organisations that fall into the moderate or high range on our Riskonomy Radar – signalling a substantial disconnect between what business leaders are seeing and the action they’re taking.

Business leaders recognise their organisational vulnerabilities in today’s digital climate, and identify the top technology-associated risks that could impact their business over the next three years as: data management, cybersecurity, digital skills gap and misuse of generative AI within their organisation.

But three in five business leaders (60%) admit their organisation does not currently take a positive, proactive approach to technology-associated risks and doesn’t have the appropriate strategies and policies in place. This is despite 47% claiming their organisation recognises that it needs to implement these measures.

In short, the magnitude of today’s tech challenges is not consistently reflected in organisations’ approach to managing those risks.

  1. https://itbrief.co.uk/story/uk-firms-losing-244bn-annually-due-to-poor-data-and-revenue-loss
  2. https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf
  3. https://www.thomsonreuters.com/en-us/posts/government/sec-cybersecurity-rules/

Expert perspectives

It is dangerous to get data wrong, from many different perspectives. When it comes to tech risk, your organisation is only as strong as its weakest link – security needs to be part of your DNA so you can grow and ensure your revenue isn’t pulled elsewhere.

The cost of security issues can be monumental for organisations – from deliberate investments into new technology, to the cost of losing senior management time to crisis management. A collaborative, non-competitive culture is vital to protecting the overall business. Therefore, the involvement of your legal team, and how they are structured, in terms of compliance, privacy and operations can be crucial to create autonomy and ensure everybody knows what their role is.

James Atkin
General Counsel, Equifax

There are so many legal considerations surrounding technology – for example, privacy considerations, cybersecurity events and copyright issues – that it’s essential for legal teams to be integrated into with the business teams. And, legal teams also need to serve as key resources for Boards, helping them understand legal risks and Board obligations. Boards should be asking key questions such as ‘what are we doing already?’, ‘how are we managing risks?, ‘what is coming next?’, and importantly, ‘what don’t we know?’

William Intner
Partner, Corporate and Finance

Everything to play for

The data reveal that, on average, high-growth organisations are investing 13% more of their IT budget to protect against technology-associated risks compared with low-growth organisations, and 32% more than no-growth organisations. This trend remains consistent when considering the size of an organisation, with large high-growth organisations investing 24% more of their IT budget compared to large no-growth organisations, and SME high-growth organisations investing 18% more.

And this investment pays off; our Riskonomy Radar puts 42% of high-growth organisations in the low risk range (compared with 20% of no-growth organisations), and, 38% of no-growth organisations are in the high risk range (compared with 29% of high-growth organisations). While finding resources can be difficult in smaller organisations, the competitive value speaks for itself, as the data highlight a clear correlation between organisations that are investing in tech risk management and seeing high growth, irrespective of company size.

Expert perspectives

Business leaders are becoming increasingly aware of this association between technology-related risks and corporate performance. Everybody understands that, for example, server outages, hacks, or expensive tools with no adoption pose serious risks to corporate performance. But we are now also seeing a growing awareness that missing out on technological advancements poses risks to financial margins and competitiveness in general. Technology will help create competitive advantages and reduce risk and cost.

Sebastian Lach
Partner, Disputes

Putting technology risk sources in check

When directly asked, C-suite and GCs associate the external, macro environment with the highest levels of risk, followed by exposure points within their network. They believe that internal sources present the lowest level of risk.

Our Riskonomy Radar readings support this belief that macro factors – such as geopolitics, regulatory and compliance risks and the economy – present the biggest exposure to tech risk for organisations.

The radar suggests that 92% of business leaders are working in organisations that need to revisit and improve – or urgently prioritise and invest in – managing macro tech risks.

However, the radar reveals internal systems and processes are the second-most vulnerable areas for businesses when it comes to tech risk. Three-quarters (74%) of business leaders are working in organisations mapped to the moderate or high risk range on our Riskonomy Radar, indicating a need to revisit and improve their current approach to risk related to internal factors. Considering the extent to which generative AI has affected the technology landscape in the last six months alone, business leaders could benefit from planning more moves ahead when it comes to internal process risk assessment.

Our Riskonomy Radar suggests that the business network – including supply chains, scarcity of resources, data management and cybersecurity – currently presents the least risk exposure, with only 59% of scores falling in the moderate or high range.

Business leaders across all sectors associate macro factors with the highest levels of risk exposure compared with their network and internal processes, but those from life sciences were the most likely (46%) to attribute a high level of risk to these external factors.

With a growing focus on networks – especially regarding supply chains, scarcity of resources, data management and cybersecurity – C-suite and GCs in the tech and telecoms were most likely to identify this area as a risk (44%) in comparison to consumer (33%) and transport (34%). At the same time, a third of transport and consumer (33%) believe that the network isn’t a risk – showing polarisation within the sectors.

Understanding how people and talent play a role in technology related risk was also on the minds of C-suite and GCs within tech and telecoms, with 43% believing that their internal environment is a risk. Just 29% of those in financial institutions, 27% in life sciences and 28% in consumer believed the same.

Sector spotlight

Risk perception across different players

What level of risk do you attribute to the following areas of exposure?

Internal

(You – e.g. your people / talent / internal use of technology, including generative AI / data management / cybersecurity)

Your network

(e.g. Supply chains / scarcity of resources /data management / cybersecurity)

External factors from the wider world

(e.g. Regulatory and compliance risks / ESG / Geopolitics / the economy)

Tech

Internal

Your network

External

High risk Low risk

This new riskonomy will continue generating new opportunities for class actions, disputes over resources, digital talent litigation and liability around generative AI. As a result, regulators are likely to become increasingly involved in the management of tech risk, creating more urgency for business leaders to devise robust management strategies that address the key areas of exposure.

Next chapter

Section 2: Organisational
vulnerabilities

Read now

Chapters

Executive
summary

Read now

The Riskonomy Radar

Read now

Section 1:
Navigating the new risk economy

Read now

Section 2:
Organisational vulnerabilities

Read now

Section 3:
Risk openings in the supply network

Read now

Section 4:
Macro risk

Read now

Conclusion and recommendations

Read now

About this report

Read now