To increase resilience in today’s evolving risk environment, companies must address a multitude of new external and internal requirements. Many companies are tackling these individually rather than holistically, however, which increases organizational complexity and raises the costs of managing it. How can companies combat complexity and boost efficiency by simplifying processes while still ensuring that they maintain a robust risk and compliance framework?

BCG's Global ESG, Compliance, and Risk Report 2024 explores the answers, highlighting practical measures that companies can take to achieve these goals. In doing so, it draws upon insights from BCG’s 2024 global survey of 200 senior risk and compliance executives across industries. We also leverage our experience in implementing efficiency programs and simplifying risk, compliance, and ESG management systems.

The survey produced four main findings:

• Companies are struggling to keep pace with shifting risk priorities, particularly with regard to nonfinancial risks related to ESG, geopolitics, cybersecurity, AI, and other topics. The potential for adverse media coverage and regional variations in risk perception intensify these challenges for global organizations.
• The constantly shifting landscape of risk priorities has led to a growing array of external and internal requirements, complicating risk and compliance frameworks to a point where they have become unmanageable and excessively costly. As management and internal auditors demand more stringent measures, internal requirements have emerged as significant drivers of complexity.
• Many companies have addressed new risks with a succession of isolated responses, leading to a proliferation of policies, processes, and workflow tools. To combat the resulting complexity and rising costs, companies have focused on high-level initiatives, such as training, rather than on more effective solutions that require greater commitment, such as implementing new processes.
• Companies significantly underutilize generative AI (GenAI) as a way to reduce complexity and costs. Because most companies are not fully aware of GenAI's capabilities, they limit its use to simpler tasks, such as risk assessment. Relatively few companies use it for more substantive tasks, such as identifying gaps in the risk setup or drafting policies.

Striking the right balance between complexity and resilience enhances both effectiveness and efficiency. Our recommended approach comprises four sets of actions:

• Adjust governance and risk management approaches. Conduct a thorough risk assessment to prioritize risks in order of severity. Allocate more resources to higher-priority risks while simplifying management of lower-priority ones, potentially reducing internal regulatory requirements and costs.
• Simplify risk management. Streamline organizational structures and clarify roles to optimize risk management, policies, and documents. Align risk management with audit activities to prevent overlap and ensure a strong defense model against nonfinancial risks.
• Enhance risk and compliance frameworks. Develop and implement real-time monitoring and response systems, using advanced analytics and AI to manage evolving risks. Ensure that the company updates these systems to align with evolving regulatory requirements.
• Leverage GenAI for risk mitigation and effective risk and compliance management. Invest in GenAI technologies to reduce complexity, enhance efficiency, and reduce costs in risk management. In parallel, prioritize implementing a responsible AI framework to address the associated risks.

These initiatives have decreased the number of mandatory documents, related processes, and resources by up to 50% on a global level, with even greater reductions locally.