Operating model risk is likely to be the next big risk services market after cybersecurity. But who’ll benefit?
According to our estimates, risk consulting and related services were worth US$72bn in 2019, US$18bn of which was cybersecurity consulting (note: definitions differ—our numbers don’t include systems development, outsourcing, or hardware and software sales). Pre-crisis, the overall risk market was chalking up growth in the region of 8-10% a year, with demand for cybersecurity typically increasing at more than twice that rate. While the market is likely to contract in 2020 in response to the COVID crisis—there are aspects of risk management that clients deem discretionary and will de-prioritise in a time of cost-cutting—it’s still likely to be the next best performing market after technology consulting.
But incumbent players, new entrants, and—increasingly—investors will need to ensure they sidestep the less attractive parts of the market. Traditionally, the risk services market divides into two parts: pre-emptive and remedial. The pre-emptive market covers a wide array of risk mitigation work (around policies and controls, for example) as well as reviewing compliance, technology assurance, etc. By contrast, the remedial market is focused around helping client organisations respond when something has gone wrong—which can take the form of short-term stemming of the crisis and/or long-term sorting of the ramifications. Typically, clients prefer the pre-emptive work to be done by generalists, notably the Big Four but increasingly strategy firms too, not least because it’s not always clear where the problems lie. Working with a firm that can draw on different capabilities as required makes perfect sense; having a brand that will be credible at board level helps reinforce that. The remedial market is far more specialised, because the nature of the problem is known. Clients’ main concern will be to hire a firm that has precisely the right skills. Here, brand is less important than deep expertise and a track record of proven results.
This familiar landscape will be reshaped by the COVID crisis—because the nature of the risks organisations face has changed. Standard risk analysis focuses on two dimensions: the likelihood of a risk materialising, and the extent of the impact were it to do so. For the last decade, the likely-to-occur/high-impact box in the matrix has been occupied by cybersecurity risk: Even organisations that hadn’t experienced an egregious information security breach assumed that they would probably have to deal with one eventually. As a result, the remedial market has been dominated by technology firms—those that can not only tell a client how a breach occurred, but can also put in place measures to prevent it from happening again. The COVID crisis has pushed operating model risk into this same category: Even once we’re through this pandemic, no one is going to assume it will be the last, or that complexity and globalisation make for robustness. However, operational risk covers a multitude of topics, from strategic choices about where organisations are based and the extent to which they rely on external suppliers, through to lower-level tactical questions of supply chain management and workforce planning.
This creates an opportunity for new players to enter the remedial space: Technology firms will not have an advantage because the root problems won’t always be immediately apparent, and the skills required to solve them will be more diverse. They’ll need to broaden their capabilities, and quickly. At the same time, the new entrants will need to learn from the success of technology firms where cyber is concerned, by demonstrating that they can both pinpoint an issue and take responsibility for solving it in both the short and long term. This will involve different delivery models, especially investment in managed services that combine proprietary software with specialist knowledge. They will also need to do more to prove to clients that they have precisely the right expertise, at sufficient depth.
The market for operating model risk services in the future could be as big as the cybersecurity market is today. Leveraging it will depend on combining the breadth of the pre-emptive market with the specialisation of the remedial. In other words, suppliers will have to change their own operating models if they’re going to succeed.