Tuesday, July 1, 2025

Business Volatility Requires a New Lens For Risk Management: Context Plus Control


Business leaders and technology leaders have something in common: Neither is living their best life right now. What should be a golden age for innovation-fueled opportunity and growth has been marred by a business environment so volatile that companies spend more time adapting their strategic priorities to an ever-changing set of business and economic conditions than focusing on execution. 

Volatility is the degree of change or fluctuation in the business environment. Characterized by an inability to predict what happens next, it leads to uncertainty about the outcomes of decisions. Worse yet, it can lead to paralysis in decision-making, derailed strategies, and missed opportunities. 

Risk Management Requires a Fundamental Overhaul 

Risk management is in critical need of updating. The fundamental equation for calculating risk exposure (risk = probability times impact) dates back to the 1600s. This equation is insufficient and flawed in that it doesn’t reflect current business dynamics or account for: 

  • Risk’s velocity. Risk velocity is the time between when the risk occurs and when its impact is felt. In today’s business environment, the impact is nearly instantaneous. Consider that within minutes of a failed content update from cybersecurity vendor CrowdStrike, technology leaders felt the immediate impact of a global IT outage. Although a fix was deployed within 79 minutes, the recovery process for some companies was slow and painful. When technology powers nearly every aspect of business operations, the ripple effect becomes a tidal wave of disruption regardless of whether the event was malicious or accidental. 


  • Interconnectedness of global systems. Competing in a global economy makes every crisis your crisis. From multinational corporations to small suppliers, when a single node in this complex network faces a risk event, it can create a cascading effect of chaos among the rest, regardless of sophistication, innovation, or size. 

  • Compounding risk forces. It’s one thing to deal with a single critical risk event, but what happens when risk events happen all at once? Today, Forrester data finds that 42% of enterprise risk management decision-makers experienced three or more discrete critical events in the past 12 months, while another 19% reported six or more. Most risk events are a combination of multiple risk forces acting in unison. Isolating risks into discrete occurrences underestimates their scope and undervalues their impact on the business. 

Dynamic Risk Management Meets Its Moment 


With uncertainty and chaos set to plague business strategy for the foreseeable future, leaders need a new framework, the three E’s, that identifies the three sources of business risk and helps business and technology leaders pinpoint what they can control. Leaders should use it to mitigate, prioritize, and pivot their programs and priorities based on their level of control and where they can effect the greatest change:

  • Enterprise risks that you have full control over. Risks that arise from your strategy, investments, operations, and policies are fully within your control. You have the power to mitigate as much or as little of the risk while adhering to regulatory requirements and operating within your risk appetite. You can transfer some through insurance or other contractual means, or you can ramp up risk management efforts. It may not be quick or cheap, but within your own enterprise, you control your technology investments, resource allocation, staffing levels, process changes, or strategic pivots. 

  • Ecosystem risks that you have partial control over. When it comes to your ecosystem, your company is fully responsible for risks, regulatory adherence, disruptions, and failures of or via a third party, yet you only have partial control over how quickly to act and how fully to remediate unless corrective actions are specified in the contract. This means that, by confusing third-party risk assessments with compliance reviews and due diligence screenings, you’re failing to use the contract as a risk mitigation tool and giving up the partial control you had. Increased volatility will inevitably lead to more disruption in the ecosystem as changing tariffs trigger insolvency, economic uncertainty results in acquisitions, and new regulations require you to find alternative suppliers and have better visibility into concentration risk. 


  • External risks that you have no control over. External forces, also known as systemic risks, build slowly, materialize quickly, and impact all enterprises and their ecosystems. Systemic risks are often overlooked, vastly underestimated, or routinely deprioritized because they are out of your control and therefore too existential to matter. While you can’t prevent tariffs, technology bans, pandemics, wars, or hallucinating AI from occurring, you can control how you identify, evaluate, and mitigate their impact on your business. For example, the on-again/off-again tariffs by the US on global trade partners have companies rethinking strategies, pausing investments, and reevaluating where they do business. 

Use Context and Control as Your Guide 

In times like these, the purpose of risk management is not to remove all risks but rather to determine which risks are worth taking, and at what cost, in pursuit of value. Use the three E’s framework to stop feeling blindsided by volatility. With this framework, you can rely on context and control to take calculated risks and target those risk management efforts that are most consequential to your business and provide the greatest reward.


