By Nick D'Intino, Elton Parker, Alan Iny, Tad Roselund, Ankita Srivastava, and Nikita Dalmia
A recent BCG survey found that nearly three-quarters of senior executives have confidence in their company’s strategic risk management capabilities. (See “About the Survey.”) At the same time, however, most have experienced impacts from increasingly frequent and severe disruptions, such as cybercrime, technological changes, or various industry-specific events.
BCG’s Uncertainty Advantage team surveyed 200 senior executives to assess their companies’ strategic risk management and resilience capabilities. Approximately two-thirds of the respondents were either C-level officers who report directly to the CEO or executives who report directly to a C-level officer. All global regions were represented. Financial institutions, consumer goods, and technology, media, and telecommunications were the predominant industries. (See the exhibit below.)
This disconnect between the survey findings and the actual experience of many companies suggests that these executives are overly confident about their organizations’ ability not only to mitigate the negative consequences of risk but also to capitalize on the positive ones. (See Exhibit 1.) To build truly world-class strategic risk management capabilities, companies need to see risk as a two-sided coin, with “challenge” on one side and “opportunity” on the other.
In practice, this means perceiving and pursuing both the value protection and the value creation potential of disruption. Companies must support this dual perspective with strategic foresight and a risk-sensing mindset that allow them to anticipate challenges and opportunities and take well-informed proactive measures to address them. Successful companies will accelerate the achievement of their strategic objectives, enhance their ambitions, and ultimately build greater organizational resilience.
Most survey respondents were confident in their organization’s strategic risk preparedness, with 71% feeling well-prepared. Additionally, 79% of respondents consider strategic risk management a priority for their company. Such preparedness and capabilities are essential, as 53% of respondents said their company had experienced a crisis or major disruption during the past year. Indeed, despite the confidence expressed by executives, real-world outcomes paint a different picture of companies’ preparedness.
Overlooked Costs. The financial toll of crises can be severe. During the pandemic, for example, 94% of Fortune 1000 companies experienced supply chain disruptions from which it was predicted they would need three to five years to recover. And these disruptions cost large companies an estimated average of $182 million per year, not even including the related reputational damage.
Cybercrimes also have a significant impact, with the average cost of a data breach climbing to $4.5 million in 2023, a 15% increase over the previous three years. By 2028, global cybercrime expenses are anticipated to reach a staggering $13.8 trillion. Similarly, costs related to natural disasters, regulatory changes, and labor strikes are rising. Not surprisingly, survey respondents said that such financial impacts were their main consideration in prioritizing risks. (See “Which Risks Are Executives Most Concerned About?”)
Survey respondents ranked cybercrime and IT disruptions as the foremost strategic risks in the near term (within the next year) and the medium term (in the next three to five years), likely owing to the steep recovery costs they impose.
Over the longer term (ten years or more), survey respondents view technology shifts as the primary risk. But they do not include this disruption among shorter-term risks, an omission that may cause them to miss out on future growth opportunities, such as those to be gained by expanding digital sales, moving into a new market or geography, or implementing GenAI to improve efficiency.
Secondary strategic risks cited in the survey vary across industries, reflecting each sector’s perceptions of challenges and opportunities:
Companies need to prepare not only for acute crises but also for emerging disruptions that could threaten their survival. Business history offers many examples of companies that lost their competitive advantage when faced with strategic market shifts. Recent examples include the following:
Unforeseen Opportunities. Equally important, many organizations fail to recognize both the value creation opportunities arising from potential disruptions and the ways in which they could greatly enhance their advantage. In our survey, 80% of respondents said they view risk in a mainly negative or neutral light. This suggests that many companies are missing out on bold moves that could disrupt their markets—such as leveraging their advantaged position to be first movers, early adopters, or game changers.
Identifying and capitalizing on potential opportunities are crucial to maintaining a competitive advantage. Technological disruption, for instance, can create innovation opportunities, such as the development of new products or services that leverage cutting-edge technology. Similarly, purposeful market disruption can create new customer segments and open previously untapped markets. The emergence of new competitors can provide opportunities to partner, acquire, and expand, as well as to enhance media coverage and customer engagement by highlighting competitive differences. Additionally, companies can create disruptions that promote a competitive edge by pinpointing and lobbying for favorable regulatory changes.
By recognizing disruptions and adapting to changing circumstances, businesses can thrive and secure long-term success. For example, the increased adoption of telehealth and e-commerce during the pandemic demonstrated how disruption can lead to innovation and growth. Similarly, the rise of remote work has catalyzed the development of new collaboration tools and platforms, creating opportunities for companies to innovate in the digital workspace. And the growing focus on sustainability has driven innovation in green technologies and eco-friendly business practices, while the push for electric vehicles has spurred advancements in battery technology and charging infrastructure.
To ensure that they are truly able to proactively address both the challenges and the opportunities inherent in future risks, companies need to enhance their strategic risk management and resilience capabilities. This entails establishing processes to anticipate and detect early signs of disruption, amplify insights, make decisions, and take the appropriate actions—and do all this faster than competitors. It also involves envisioning multiple outcomes (including the intended and unintended consequences of disruption) and developing contingency plans that enable a nimbler response.
Companies must lay the groundwork necessary to sense and capitalize on the opportunities that arise from disruption. This requires building the capability to identify emerging technologies that could impact their industry and developing the risk appetite to place early bets. Companies with advanced strategic risk intelligence and management skills can find ways to shape or influence potential disruptions to benefit their business over the long term. This may include strategies like advocating for regulatory changes, shaping industry standards to align with their products and processes, or negotiating favorable trade agreements.
Leading these efforts from the top is essential. Our survey results suggest that understanding and documenting strategic risk appetite and risk management strategy are becoming table stakes. Nearly three-quarters (72%) of the surveyed companies have a documented strategic risk appetite that is communicated to all internal stakeholders. The board of directors and the CEO are most commonly involved in approving organizations’ strategic risk appetite (in 43% and 42% of surveyed companies, respectively). By contrast, in 25% of companies or less, that responsibility lies with other positions or functions, such as the chief financial officer, the chief risk officer, or a risk management committee. A risk management strategy is in place at 85% of the companies surveyed. The board of directors, the CEO, or both approve the risk management strategy at approximately half, and the CFO or CRO is responsible at approximately a third of the surveyed companies.
But leadership involvement and high-level strategy documents do not, by themselves, guarantee success. To effectively manage strategic risks on a day-to-day basis, companies must develop robust processes deeper in the organization. First, they should assess how well they are implementing their documented risk strategies across different levels of the organization, as indicated by their actual experiences during disruptions. The results from this assessment will highlight initiatives, such as increasing the frequency of testing, that can help turn the documented strategic risk appetite into actionable and practical business processes across the company. These processes will enable the organization to identify, prepare for, and take advantage of disruptions earlier and more comprehensively.
To improve strategic risk management and identify disruptions that could affect a specific industry or sector more accurately and earlier in the process, companies should invest in developing enhanced strategic foresight: the ability to anticipate, analyze, adapt to, and shape future trends better and faster than competitors.
Strategic foresight enables a deeper understanding of potential futures, enhancing the organization's ability to make strategic decisions. These decisions are aimed at pursuing both value protection and value creation, as well as exploiting future market shifts with a focus on their medium- and long-term implications. In the short term, strategic foresight contributes to more informed operational decisions. Over the long term, it allows companies to make advantageous choices concerning potential challenges and opportunities with greater speed and agility.
Developing these capabilities allows organizations to elevate and enhance their strategic risk preparedness. To lay the foundation, they must shift the organizational mindset, tie strategy and risk closer together, and improve sensing, monitoring, and reporting.
Shift the organizational mindset on risk. By encouraging a culture that views risk as a two-sided coin, organizations can move beyond traditional risk aversion to a more balanced approach that sees the potential for both value protection and value creation in every disruption. Consider implementing training and awareness programs to reshape perceptions of risk within the organization. These programs should help people understand the value creation side of risk and its integral role in strategic planning.
To reinforce efforts to reshape perceptions, promote the concept of intelligent risk taking as a possible source of innovation and competitive advantage. As an easy first step, consider asking teams to document the beneficial aspects of a disruption rather than only its detrimental effects. Then, on a regular basis, conduct other exercises to assess and elevate the organization’s preparedness to play both offense and defense in the face of disruption. (See “Gauge and Raise Your Preparedness.”)
Here are some of the ways that organizations can test and strengthen their preparedness for disruption:
Tie strategy and risk functions closer together. Integrate risk management processes directly into strategic planning by establishing cross-functional teams that include risk and strategy professionals. Instead of conducting perfunctory risk assessments, regularly review and adjust the strategic plan based on periodic and/or threshold-triggered risk assessments. This ensures that the risk and strategy functions are aligned and mutually reinforcing, facilitating a dynamic approach to navigating uncertainties. Use the outcome of the strategy process to inform and refine the next wave of continuous risk sensing and scanning.
Improve sensing, monitoring, and reporting. By combining the strengths of talent, technology, and analytics, organizations can improve their ability to scan and monitor the landscape for trends, early-warning signs of major inflection points, and indicators of movement towards or away from previously established decision points. This enables the organization to proactively identify and leverage opportunities for competitive advantage, as well as improve its preparedness for unintended negative consequences.
To house and help implement this capability, companies should have a centralized hub—an “information fusion center”—where various data streams converge to generate risk intelligence. (See Exhibit 2.) The center informs strategic decision making by collecting raw data from the organization’s key strategic nodes, curating and transforming it into contextualized information, and then disseminating actionable intelligence back to decision makers.
To improve strategic risk management, companies need to overcome obstacles relating to costs and inefficient budgeting, which almost half our survey respondents cited as the top barrier. The financial burden and misallocation of resources can hinder the effective implementation of strategic risk management initiatives. Meeting this challenge requires assessing the company’s existing strategic risk and resilience capabilities to understand the most effective ways to allocate resources toward building better capabilities.
Respondents cited the perception of risk management as another important barrier. The failure to view risk management as a priority can result in inadequate investment in the capabilities needed to bolster resilience. Companies should therefore elevate CROs to a central strategic position, directly involving them in high-level strategic planning and decision making, and doing so earlier in the process. Together with the foundation-building steps discussed above, this will ensure that companies make risk considerations integral to business strategy, promote a culture of risk awareness—especially its value creation potential—across all levels, and foster interdepartmental collaboration.