skip to content

Closing the risk rift: Real strategies from real leaders

Transcript

Play Closing the risk rift: Real strategies from real leaders

Ziad Akkaoui:

Good morning, good afternoon, and welcome everyone. Whether you're joining us from the East Coast, from the West Coast, anywhere in between, we welcome you. It's great to have so many risk leaders and professionals with us today from across Canada and beyond. My name's Ziad Akkaoui. I'm a risk advisory partner based here in Canada. I'm gonna be kicking off today's session and joined by my esteemed colleagues, Mike and Melissa from Canada that you see on screen, as well as Alisa from our UK firm, each of them bringing unique perspectives on the evolving global risk landscape.

Now, I have to admit, I was really hoping to be here this afternoon rocking an Edmonton Oilers Jersey, cheering them on for game seven, and not having to wear this suit. However, our Canadian Stanley Cup dreams were crushed less than 36 hours ago. It's kind of sad to say, but I read a stat this morning that apparently Canadian teams lost an eight out of 32 finals since the last Canadian Cup in 1993. I'll let you guys let this sink in a little bit. So instead, we'll channel that energy into something a little bit more constructive, helping organizations build stronger, more adaptive risk strategies for the future.

So here's how we're going to spend our time together today. First, I'm going to be kicking things off by exploring a few key themes from our Global Risk Landscape Report. Next up, our panel will come back on stage and we will dive deeper into what these findings mean on the ground for risk teams, for business leaders, and for boards alike. And finally, we'll wrap up with an interactive Q&A session. So as we go along, please feel free to send us your questions using the Q&A feature on the right hand side of the screen. We'd love to hear what's on your mind, keep the conversation as relevant and as interactive as possible.

Over the past decade, we've had the opportunity to track how global risk mindsets are evolving through our annual Global Risk Landscape benchmarking study. On the screen, you actually see the cover of the last 10 editions of our Global Risk Landscape Report. All are available on our website. This year, we heard from over 500 executives across multiple sectors, geographies, and roles. And what the data tells us is clear, organizations are facing deeper complexity, there's more pressure to move faster, and there is also growing misalignment between the risk functions and business strategy.

The results also noted that risk aversion is creeping upwards. Organizations are slipping backwards on proactiveness and the pressures of talent, technology, misalignment at the top are creating real headwinds for companies. In the next 10 minutes, I'll walk you through some of the most telling insights from this year's research. What's shifting, what's stalling, where we see the greatest opportunity for leaders to close the gap between risk awareness and real action.

As we turn our attention to the first highlight, we start with a clear signal. 69% of companies now describe themselves as risk averse or risk minimizing up from 61% just last year. What we're noticing or what we're seeing is companies are actually pressing pause on strategies due to a political uncertainty. Obviously, the election outcomes that have emerged in Canada as well as in the US, and you know, let's be real economic stagnation. For example, we've seen our trade war with the US escalate with the new tariffs. There are rising tensions between US and China. There's emerging EU regulatory headwinds as well.

So the problem is clear, playing it too safe is starting to cost on growth. It's challenging for organizations to make significant investments, especially when the federal reserve in the US just yesterday announced that growth was downgraded by 0.3 percentage points down to 1.4% while core inflation was raised by the same amount to 3.1%. And this isn't a regional phenomenon, it's global, including right here in Canada, economic uncertainty has made even stable sectors reluctant to commit to transformation initiatives. This is exactly the kind of environment where we see risk posture of organizations harden and risk aversion creeps in as you see from the results. And yet it's also a moment where strategic risk thinking is most needed.

Economic uncertainty demands scenario monitoring, planning for workforce resilience, and really a sharper focus on risks that are tied to talent, to AI adoption and productivity. As we transition to the next highlight, we note that risk aversion is just one symptom. The deeper issue is a growing sense of unpreparedness, particularly when it comes to people and regulatory risk. So this year, the risks companies feel least prepared for include regulation, supply chains, and most notably, people. In fact, talented people jump 10 spots in our rankings in Canada alone.

So what is driving this? Of course, labor shortages, but there's much more behind it. We're finding that business leaders are worried about how to manage emerging regulation. If we take a look right here in Canada, there's an imminent bill on artificial intelligence, on personal information and data protection, on consumer privacy, all are known as the proposed Bill C-27. There's another bill C-8 on cybersecurity as well. All of that means that change is coming as organizations start to adapt towards digital transformation and AI adoption.

Business leaders are also concerned on how to retain their best people. They're also concerned about how to build risk capability across the business, and also how to ensure employees gain real experience in a world where AI is automating foundational tasks. If you come to think about it, when entry level workers and analysts don't get exposed to manual transactional processes and really get into the fine level of detail, we risk creating knowledge gaps that will undermine future leadership and resilience.

So as we transition into the next highlight, here's a kicker for us. Even though executives know they're unprepared, their approach to risk remains largely reactive. In 2023, 29% of organizations surveyed saw themselves as proactive in their risk approach. Today, only 7%, that is a significant drop, this shift away from forward-looking risk management is really concerning. It means many organizations are being overtaken by events rather than anticipating them. Far worse, the cost of reactivity only compounds in today's fast moving world, especially with AI, climate events, geopolitical tensions, all of those are really accelerating risk exposure.

Basically, most businesses are still leaning on cautious approaches and traditional safeguards. Compliance is part of that picture, but the question now is whether it's being relied on too heavily. As we transition into the next highlight, we dive deeper into this disconnect. One big reason is confusion around whether the role of risk is strategy or compliance as a starting point. So we asked leaders to place themselves on a scale, trying to identify whether they're leading from a compliance focused approach when dealing with risk management to a more risk focused approach.

About half landed in the middle, claiming balance between compliance risk and taking a general risk-focused approach. But then when we probed further, asking whether executives face typical compliance trap symptoms, you know, something like box ticking exercises, underinvestment in risk technology, low visibility into strategic risks, not a single leader actually selected None of the Above.

So as we transitioned into the next slide, we compared the rankings of the CEOs to the CROs in terms of ranking problems with risk versus compliance, and it became very clear, there's a disconnect across the C-suite. Leaders think they're aligned, but they're solving different problems. Overspending on compliance, under investing in strategic monitoring tools, these aren't just budget issues, they're also strategic blind spots to the business.

We see it very clearly in this illustration that the risk officer on the right hand side highlights that there is limited adaptability to new risks as a top concern, or that they require more technology investments to pursue their roles. However, if we take a look at the CEO rankings, one of the top problems they've identified is an overspend on compliance and that they feel that risk is a box ticking exercise. So clearly there's a disconnect between the priorities of the chief executive officer and those of the chief risk officer.

In summary, this year's data tells the story of misalignment, but masked by balance. So as we transition into our next highlight, there's some good news to share with you though. Leaders are starting to act. While some may not realize they're in the risk rift, most executives are actively taking steps to climb out of it. They're starting to embed risk into culture, they're investing into real-time monitoring tools, they're prioritizing proactiveness over real emerging risks, they're even hiring external advisors to help them model out risk planning scenario analysis into their core functions.

So what we're gonna do now is we're gonna pause and we're gonna take a quick audience poll. So using the poll function on the right hand side of your screen, we're going to give you a moment to gather your thoughts on the following question, what's the biggest workforce-related risk your organization is facing right now?

I'm just gonna wait to see some results up on screen. So I'm seeing some votes come through to talent retention and attraction, employees' resistance to change, yes, absolutely. You know, they're all really relevant. I would say, you know, resistance to change isn't a people issue. It's often a leadership communications issue. Risk teams obviously need to be part of that change enablement. Also, when we take a look at like retention and attraction, those have become indicators of strategic agility. If you're losing talent, it's often because they don't see growth or impact within an organization. So definitely very, very relevant points.

So we'll end the poll here. Maybe we'll transition into our next highlight. And this one basically has to do with the people risk, which we just touched on. So we noted that 28% of executives ranked talent capacity as a top three risk. This represents more than double what that figure was last year. Clearly, this is not just an HR problem, it's a top line risk issue. The workforce is shifting under our feet. We have baby boomers that are retiring in large numbers, AI is changing roles, expectations, learning pathways for our staff.

So, you know, like the question that I ask myself here is, is can organizations hire, rescale, retain the right people who can operate in that world? And more importantly, can they thrive within structures they've built?

So as we transition into our final highlight, we note the same dynamic is playing out in cyber risk management, another area where talent, tools and tactics all matter. So as we look at the results, cyber is now a top three concern for 25% of executives, a number that continues to rise compared to 19% last year. What we note here is that threat actors are becoming faster, they're more coordinated, and they're obviously leveraging AI technology to their advantage to become more sophisticated.

If your organization is not investing in detection and prevention and risk response, in reality, it means your risk posture is weakening day over day. It's a telling sign when you take a look at cybersecurity indices or ETFs that are trading at double the rate of growth of the broader S&P 500. Organizations are making investments in cybersecurity tools in order to prepare for the next event. You know, we commonly hear the term with cybersecurity, it's not a matter of how, but it's a matter of when. Cybersecurity is no longer strictly about preventing the attack, it's really about preparing for the breach. It's a matter of how well you respond to the breach.

So what we're gonna do next is we'll take a moment, we actually wanted to launch a secondary audience poll. So again, using the feature on screen, let us know your thoughts on where you think AI will have the most impact this year.

So I see a few votes coming in for cybersecurity. I'll give you a moment to keep responding. You know, for me, cyber is clear when you think about it. AI and cyber is both, you know, meant to be your shield, but it's also your adversary. So the side with more innovation definitely wins. So I think it's a key point here. I also see some votes for demand forecasting, risk identification, you know, all very valid points, especially when you think of like risk identification, it's an area that's evolving and it's evolving really fast. Companies need to move more from quarterly assessments, semi-annual assessments, depending on the frequency you have, to more near-time risk sensing exercises or risk assessments.

So thanks, everyone, for the poll. What we're gonna do now is we're actually gonna close off the poll and I just wanted to spend a moment to talk about a year in review, or sorry, 10 years in review in our case. So as we look back over the last decade of our surveys and our reports, we note that risk has evolved in three, actually, sorry, in four ways.

Eternal risks, so we have our eternal risks, which is something like geopolitical tensions, climate threats, they never seem to go away. They'll continue to evolve and they will require long-term resilience for the future. We have our episodic risks. So just like our elections in Canada or in the US over the last year or so, or even just emerging regulatory changes, they're gonna come in waves. You can't always predict the impact, but you can try to prepare for it on a proactive basis.

We then have risks that are reducing or on a downward slope. You know, those are ones where general concern or prioritization has dropped. Things like business interruption, brand damage are increasingly understood as signals, but they're now being assessed as consequences to risks as opposed to standalone risks.

And then the final one we have is really the increasing risks. So we touched on cyber, we touched on AI strategy and AI governance, they are growing sharper, they're much more complex, they're more business critical each year.

So you know, to sum it all up, I think this year's report gives us hope. We're seeing movement from surface level symptoms to root cause thinking. So risk isn't meant to be a barrier, it's becoming a driver for smarter decisions for your organizations.

So with that, I'd like to invite my colleagues, Melissa, Mike, and Alisa back on stage. They're gonna join me as we dig deeper into how organizations are navigating this new global risk landscape. So over to you, Melissa.

Melissa Fournier:

Wonderful, thanks, Ziad, for that overview of the report, and thanks to everyone for being here today. So we'll jump right into our panel discussion. Ziad, that was a great overview, but to kick things off, I'm curious from each of you in terms of what you really see as the most urgent signal from this year's Global Risk Landscape Report. So maybe Alisa, I'll start with you.

Alisa Voznaya:

Thanks, thanks, yeah, Melissa. So I think from my perspective, because I've been looking at the Global Risk Landscape Report for a while, as Ziad has already positioned, we've been doing this for 10 years. We have a real serious wealth of richness of data, of what's happening from a kind of longer term trends perspective.

And one of the things we did, we did an analysis of the data and I'm a researcher by background and I couldn't see if something was an outlier or actually beginning of a new trend. So I think for me, what's really come to the fore is kind of the stabilization of what's in the top five. And ultimately we're seeing regulatory risk as number one.

You know, if you've engaged with the report before, great, but actually last year regulatory risk went up 14 places. It's really not been in the top 10 for a while. And to see it continue in that position is actually a really powerful message in terms of where people see risk, how they want to engage with it, and how it ultimately impacts other elements of what we do, right?

Then the other element is supply chain, which is becoming, I see it all the time, it's almost always in the top two or the top three, and the geopolitical tensions. What I find interesting about this, I'll leave the people risk for a second, but what I find interesting between those three is how they correlate with each other and how they multiply each other, right?

And I think this is why we're having these conversations, 'cause when regulatory risk came up last year, it was a bit of a shock. We're trying to figure out, well, what is driving this? And now we really understand it's about how do we respond to change? And sometimes regulation, right? The kind of the compliance element is how we focus on this. And maybe that's why people are unprepared, right? Because how we have to think about this 'cause that's how we actually manage risk.

But where does that come from? It comes from the uncertainty that we now are witnessing in the global landscape overall, right? And all the different, you know, the different challenges that we're seeing, you know, and obviously Canada has experienced it so powerfully this year, right? In such dramatic fashion.

So you can hear I'm Canadian myself, so watching that from the UK was a really interesting observation as well. And ultimately it plays out here, but I think it's had much more of an impact about how all of these things are connected for you.

So that's what I've taken away is kind of the rise of that big trend over time.

Melissa Fournier:

Absolutely, great. And how about you, Mike, what are you taking away?

Mike Abbott:

Yeah, I'll maybe add a little, just a couple of things to that. I think the biggest thing that I took away was the importance of action and not sitting on the sidelines and waiting for things to unfold in a year where there's just been so much uncertainty.

And, you know, one of the things that I believe is there's been so much uncertainty in Canada that it has really paralyzed some investment decisions, which may not line up perfectly as a risk mitigating activity, but the reality is, then by not acting, it's creating a risk that perhaps we haven't seen in the past. And it will be interesting to see as the year goes on how that, you know, creates additional risks for organizations.

So my big takeaway is if you're not acting and you're not, you know, taking steps to at least understand and then mitigate risks or take advantage of business opportunities, then you're probably, you're gonna be more and more in the minority as the year goes on. But I would say leading up to this point, probably in with the majority of organizations, a lot of standing and waiting and seeing.

So that's my big takeaway, action.

Melissa Fournier:

Action, great, and Ziad, you gave us a great overview, but what was the main takeaway for you as part of this year's report? 

Ziad Akkaoui:

Yeah, I mean, one of the key changes we've noticed in this year's report is when we ran it last year, artificial intelligence was being flagged as an emerging risk, and it truthfully is. This year, survey respondents had actually flagged it as a growing opportunity. So they're starting just to flip it over from being a risk to a real opportunity for a specific organization, you know.

And obviously like as practitioners in the area of risk management, you know, we're all for innovation, we're all for transformation, but you know, the truth is, is that we have to focus as well on making sure that AI is being implemented in a safe manner. And obviously there's lots of emerging regulation, there's lots of frameworks and standards that are out there that are critical.

So it's, not just the technology risk, it's going to be about strategy, it's going to be about governance. I mentioned previously, Canada has an imminent bill that was paused obviously because of the elections and whatnot. But more specifically, it's a new AI and data act that will be coming out and it's going to be a big shift for the Canadian landscape. And I don't think it's one that we're necessarily ready for.

When I take a look at like consumer privacy, consumer protection, we've had the 10 guiding principles for PIPEDA as an example. These will be significant shifts borrowing from some of the regulation we're seeing out in Europe when it has to do with GDPR, with the EU AI Act. So, I think regulation will slowly catch up to us in Canada. And it's clear that we're seeing that in our survey results.

And then the other thing that I was gonna say is that we're starting to talk to our clients to just let them know, to embed AI risk governance into their practices, you wanna align it to business outcomes. So that strategy adoption oversight just in general is growing in tandem. Waiting for the legislation to finalize is already too late.

So, we're starting to help our clients immediately get ahead of that by implementing frameworks. You know, ISO 42001 is one that definitely comes to mind, but there's two, three other ones as well that are critical for the success of AI regulation, but implementations as well.

Melissa Fournier:

Yeah, absolutely, and that's a great transition into our next question actually, which is back to you, Ziad, this idea between reconciling and balancing these growing compliance obligations with the pressure to actually innovate and remain competitive in the market as well.

So you gave that example around AI and regulation, but where are other examples or where are you seeing some of those biggest disconnects between maintaining that balance and maybe even some of the bigger opportunities?

Ziad Akkaoui:

Yeah, if you think about it like sectors, like financial services here in Canada, we see real tension. You have the regulatory environment that's tightening, you've got the Office of Superintendent Financial Institutions or OSFI that is evolving expectations. There's, you know, constantly new guides that are being published. There's new privacy obligations, third party risk management, obviously anti-money laundering crackdowns from, you know, that are basically emerging in the Canadian marketplace.

But at the same time, there's also immense pressure to modernize digitally and keep up with emerging fintechs. So I would say like the biggest disconnect is that many organizations are still investing heavily in compliance infrastructure without aligning it to strategic risks. So it creates friction between the teams because they're getting bogged down in controls and frameworks with very little visibility in terms of how their efforts are supporting innovation and growth.

So you want to keep going at it. I think the biggest opportunity is to also reframe compliance as an enabler of trust and differentiation as opposed to slowing down the business. So it's really about the value that it brings to the business.

And, you know, lastly, I would say that like we've seen Canadian financial institutions succeed by integrating risk in compliance into agile delivery models. They're embedding oversight into their product life cycles. You know, they're trying to be as proactive as they can as opposed to retrofitting that into their systems and their models.

Melissa Fournier:

Yeah, and Alisa, from your perspective in the UK, are you seeing some of the same things internationally, some of the same pressures driving this global risk rift kind of based off what Ziad's speaking about what we're seeing in Canada, what are you seeing internationally? 

Alisa Voznaya:

Well, thanks for that, I think maybe I'll preface this. I think Ziad made a really, really good point in terms of, 'cause we're talking about this risk, right? Between kind of risk management versus compliance. But I think your nuance is actually right on key there because I think compliance can be really powerful when it's part of that broader integrated piece about how we think about managing risks and building in the competitive advantage into it.

The issue around a compliance based lens is when it's just that, right? It doesn't, as you said, it's not an enabler, it's something that kind of just, it has a very limited functionality. And I think that, and I just wanted to be really clear that's what we're playing out with this report.

I'll be honest, I've personally seen a retrenchment internationally, right? So I work with obviously UK companies, but also international companies that have kinda different elements of where they operate around the globe. And so there's been this, let's go back to something that feels safe, let's go back to something that we feel like we can control in a world where we feel like we have very little influence and control, right? It just makes you feel a little bit better because you can influence this, but it's almost kind of doing it backwards.

What I do find positive, to go back to what, you know, that slide that Ziad's put up in terms of leaders actually know, they recognize what they need to do and what are the powerful things to drive that change. They struggle to deliver this, right? Because the things that, Ziad, that you've put up there talking about, looking at it from a risk culture perspective, talking about it, breaking down silos and looking at kind of the dynamic live response to risk, they're not easy things to do.

Maybe the third one you can possibly somehow automate, but in order to automate, you kind of need to have the thinking to that approach in place, which is almost the first two. So what I see this all the time, right? In the conversations that I have with leaders, we know we need to do this, but this takes time, right? So if we're gonna do this, we can't look for quick fix because they're evolutionary changes to the organizational structures of the DNA.

So I'll just give you some things of where I've seen these things work well, like actual experiences that I've had with companies, right? To go back to what they're saying is having conversations across the business, how do you actually get that culture in there? It's both in terms of how leadership teams meet each other, but also how they communicate this down into their team.

I had a head of risk the other day talk to me, and I actually really like her definition of risk, she said, "Risk is about communication, right? It's the ability to be able to tell a story of what this means." I think sometimes we draw on in all of this jargon, and I think compliance can actually buttress this sometimes in a very unhelpful way. But it's about having those conversations, what that really means and how that drives decision making.

The other one I've very, very critical is about do we have a culture where there is a cycle of where you can drive those news upwards, right? Not just the good news, but any news, right? So in every single case where there's a catastrophic risk that's materialized, someone in that organization somewhere knew about it, but didn't feel comfortable raising this. And I've seen this, I've come in, I've done a lot of work following kind of big events. Somebody knew, most of the time, lots of people knew, they just didn't know how to talk about this.

So how do you establish this, right? So how do you actually effectively do this? My mantra is around, it's that culture combination of psychological safety and accountability, right? So where we can constructively challenge and raise critical risks. So if everything's green on your risk register, you're doing something wrong, I'm concerned, right? But you know, it's also how you own that risk landscape collectively, but also individually through your roles.

And this is maybe the part where it doesn't sound as exciting about the management of risk, but it's directly linked to it. It's how you have a proper governance structure around those roles, right? It's a huge problem is not knowing who's responsible for what and where. So just recently, not gonna say who it is, so in terms of reference for a well known company that had three risk owners for principal risk with another four owners for the controls, and nobody knew what they were doing, right?

And so these things, I mean, like they're iterative, right? They can build them all together and they're not rocket science and they're building steps, but they're really intrinsic in order to make sure that this works. So that's my takeaway from this in terms of to create that culture, it's gotta be psychological safety and accountability and build in safeguards, which can support this through governance, so the way that people can speak up and actually have that communication element of how leaders communicate amongst themselves, but to their teams as well.

Ziad Akkaoui:

Alisa, you make a really good point. I'm just gonna add in just a comment here. When you talk about psychological safety, that is so important because when we go and we perform, you know, we work with clients on helping them build out the risk universe and coming up with risk mitigation strategies and whatnot, a lot of times you're meeting with leaders of an organization to identify what can go wrong and what the risks are and tying them back to strategy, compliance and whatnot.

But a lot of times to really get to the bottom of it, you need to go a layer deeper than that. And it's almost going to frontline staff and having conversations with them to really identify what can go wrong and providing them that psychological safety just makes the program that much stronger.

So I really like that you touched on this because this is a very valid point for us as well.

Melissa Fournier:

Yeah, and I was just going to add as well, I love that idea around risk is storytelling, 'cause again, as practitioners ourselves, we're all about risk and we understand it, but it's really about driving conversations, having context, having risk informed decisions. So using that information as power as an organization is having those discussions, making decisions at a strategic or operational level as well.

So we talked a lot about cyber threats and how AI is reshaping that risk. So Mike, I'm curious from your perspective, this idea of moving beyond compliance, which is gonna be a theme of today, but moving beyond compliance to build a technology-enabled resilient risk posture that's actually sustainable. How are you seeing organizations do this successfully and or unsuccessfully?

Mike Abbott:

Sure, yeah, I think it's a great question. You know, on a good news front, when it comes to the introduction of AI, you know, the world of cyber, the threats, they have evolved really every single day for the past 20 years plus, right? It goes way, way back. What is changing right now is, I would say the pace and the acceleration of that pace of changes. Not only in terms of controls that are available to organizations with AI, but the threats themselves and how they are morphing.

What organizations, you know, have done in the past and will need to continue to do is have dynamic cyber programs. There's nothing static about managing a cyber risk, right? And you really think about it from a risk first. And that's always my perspective is risk before compliance. I'll talk a little bit more about compliance in a second, but really, you know, manage that risk and how do you build that program? Well, it's people, it's process, it's technology, it's like anything else that's technology enabled. It always involves people.

If you've heard lots of previous risk reports, say people will be your number one risk. It's still the case, AI doesn't change that. It changes the speed of it. Programs need to continue to focus on the most important things to an organization. What do you need to protect? And then you need your overall program to be able to detect, respond, contain, restore, recover. All of those things are important. And then this doesn't change with AI.

You test your program, you test it, you test it, you test it, all of the pieces. Do people actually know what to do when something happens? Do they know how to communicate? Do you have a good risk register of the types of things that you're exposed to? Have you assessed your program? How do you update it regularly? All of these things are what dynamic cyber programs need to continue to be.

Now you have to layer in AI and where can you take advantage of it as well as how does it introduce new things? So risk before compliance, but compliance, and I think it's a really important thing to remember, why does regulation actually exist across the world? It's really for three things, safety and protection as two of those things, and then you'll have policy, policy direction by the government sitting in the day.

So all of those things are important, but they all go down to traditionally managing risks. As Ziad highlighted a couple of the regulatory changes that are coming, you know, C-27 and whatever version that is, which is really focused on AI data and privacy, it will have a very strong connectivity or intertwinement with cyber. And it's gonna be interesting as organizations look to comply.

Don't forget, your cyber program is there to manage your risks and never forget that. But regulatory change will be coming and it's always a challenge of am I managing risk or am I now just trying to be compliant? I'm of the viewpoint that you try to manage your risk, be aware of your compliance requirements.

Melissa Fournier:

Yeah, absolutely, couldn't agree more. Alisa, I'm gonna come back to you. We also saw, interestingly, in this year's report that talent risk has surged to be a top three concern now.

So it's always been there, it's always, especially on the backs of things like the pandemic, it's been present, but now that it's elevated so high, especially in sectors like technology and healthcare is where we're seeing it.

But do you have any comments on why you think this has happened so rapidly and how leaders should consider this risk and respond?

Alisa Voznaya:

Yeah, absolutely, it's a very good point, Melissa, right? Why is there this big climb? And it's really because, I could have talked a bit about it already, it's about the people agenda now poses a very multidimensional challenge. So a lot of the things that Ziad and Mike have talked about feeds into the people agenda.

Now, you know, I'm not a people kind of a risk specialist, but I have the benefit of working very, very closely with some of the best experts and people advisory services in the UK. So I've spoken to Melissa Bruno who's really supported me on this, but kind of, you know, we talked about three key things about what this has risen up in the last year.

So one of them is actually around leadership, right? It's the intense pressure on leadership. You know, organizations are in a constant state of disruption. And this can really breed leadership inertia, stasis that can manifest itself in risk aversion and a more compliance driven culture, right? So all of these things interplay with each other. It's not independent, it's not a siloed risk, it's really connected elsewhere.

And I suppose the second element of this, I'm not surprised that we're talking about AI's risk as an opportunity, as an opportunity and a risk because actually feeds directly into what's happening in the people agenda, right? So just to kind of plug it in here, because there's some really interesting information coming through this, but we're gonna be publishing a human-centric transformation in the age of AI report that's coming out soon.

And what we found in that report is that 36, so 34% of functional leaders stated that a lack of talent and skills are major obstacles to AI implementation. And that's one of the earliest and biggest barriers to AI really delivering value effectively is adoption, right?

And this means the kind of three things with that, it's around digital literacy, so leaders need to invest in their ability to lead increasingly digital organizations, which we've already touched on, you know, flatter, more complex, agile, and they require different leadership skills, so that ties back to leadership.

It's around capacity, so investing in AI is fundamental, but what we're finding is that leaders are investing in AI but not in the time it takes for workforce and really themselves to utilize it well, which is why we can have seen is like back and forth of what it means from an opportunity perspective.

And there's the whole aspect around digital re-skilling, right? You would think that this is something we've been kind of grappling with for at least a decade, but interestingly, digital skilling is more than AI, right? It's sector specific, it's often function specific, it needs to be codified in order to both kind of drive performance and then really attract and retain talent, but also re-skill in organizations who do not have access to a limited and demand external talent pool, right?

So these are really key things. And I wouldn't say it's a completely standalone thing 'cause it kind of speaks to the two things that we're already discussed. But the other reason we're seeing this on the rise, it's about the acquisition and the retention of the right skills, right?

With all organizations increasingly becoming more digital, yes, and AI being foundational for this competitive element of performance, right? And this is fierce. The competition for this is fierce, right? Which is probably why it's on the agenda for so many executives because it's the need to retain is a priority.

But also thinking what impact AI has on entry level talent, right? So do we re-skill, how do we actually build the foundational elements of people who then need to kind of rise up? But actually AI is replacing a lot of the entry level work. So it's really kind of, they're strategic and in some cases existential decisions, right?

And I suppose, look, I'm a risk practitioner so I've gotta plug risk back in, some of the organizations are really using risk proactively to think about the scenario planning, what this may look like, right? What do we need in order to build this resilient culture? And talent we know is a key risk.

So they're looking at different ways of what do we do? Which one do we focus on? Is it recruitment, their impacts of this and reward and et cetera, or do we re-skill? And what is the impact of that in the investment and the definition of the right skills?

So talent and people is a risk is actually very complex and nuanced and it's not something, you know, we need to acquire, retain. It's got so many different vectors that need to be explored, which is I think is a real challenge, for some people, a headache, but for some really something they wanna take on and explore how they empower the people within the organizations and also help grow, I suppose, what the organization looks like in the future.

Melissa Fournier:

Excellent, yeah, I love how you've broken that down. And it's interesting to see how much overlap there is between some of the other top risks we're seeing in the report and the people risk, they're really interconnected and they're driving each other.

So here in Canada, we know lots about geopolitical tensions and they're evolving fast, whether it's trade, regional politics, global alliances.

Mike, a question for you in terms of what you're seeing from Canadian businesses and how they're interpreting today's environment and how they're responding to these dynamics when they're thinking about their risk planning.

Mike Abbott:

Yeah, it's very calm waters here in Canada. Not much going on. Yeah, that's not what's really happening.

Yeah, so look, I had to do some math of how long I've been, you know, in this career and doing what I've been doing and I've never seen in the almost 30 years, it's not quite 30 years, an environment where we've seen so much, you know, I'm gonna describe as wait and see strategies to what's going on, right?

I talked a little bit about that, you know, with the report of my big takeaway is the action. This is one of those things that is just, it is very strange. It has been a very popular activity of waiting and seeing and you can understand, right? Things were changing literally daily, right? If you turned on the news, you would see something new, a new announcement on tariffs, you would see lots of conversations around interprovincial trade and let's remove those barriers.

I think it's a little bit more complicated once you go a layer deeper of what does it actually mean. And so I think the current threshold for uncertainty, a lot of organizations had not yet passed that moment to drive action. I think a lot of people stood back and said, "This is gonna be a little bit like when COVID first hit," right? Not sure what to do. What was the first action that happened? I think everyone got on Teams calls for 14, 16 hours a day, 'cause we weren't sure what to do.

That wasn't happening in the first couple of months of this year. There was a lot of organizations waiting for the rules to land. But over the past four or five months, you've seen an emergence of three types of organizations.

You've seen very active, proactive, one might even say taking a lot of, you know, what's already been said, scenario planning being one of the big things, but not overdoing scenario planning, picking a couple, 'cause you cannot possibly think of all scenarios and actively running them through as an organization to pick certain strategies.

You have another layer of organizations that I would say were interested and they've been interested in terms of what's the emerging risk landscape, what does the trade and tariff and interprovincial trades actually mean for them, but not necessarily any key actions.

And then you have that third bucket, and that still exists, of just complete waiting and seeing what are the rules really going to be, let's not overreact, let's just see what could actually change. There's a lot of, I think organizations in Canada that believe that this will still just go away. And I don't think there's any scenario at this point where this goes away. Whether it be in provincial trade, whether it be, you know, new trade deals, something is going to change.

So there's a lot of short-term activities organizations could be doing. Talked about scenario planning, updating your risk registers, right? These things are changing today, like things happening today. So you can have, you know, a viewpoint to how does it change your organization?

Understanding the government incentives. In the past when we've had, you know, disruptions in the market, the government always responds, something will come out in the marketplace, don't know entirely what they will be, but I've seen clients spending more time on what are the incentives that they can take advantage of today.

In the medium term, we've seen a lot of activity of driving revenue. Clients sitting back saying, "To battle this uncertainty, I'm gonna boost my revenue, might focus it on Canada, how do we do that? Cost reduction," and this leads into one of the areas that we are seeing more and more is strategies for AI adoption and more of an interest of where can I now deploy, what type of use cases could I take AI to take advantage of creating, you know, new moments of value for an organization.

And then long term, and this shows up in the risk register, how do I deal with my supply chains, or sorry, this showed up in the risk report, but, you know, how do I deal with supply chains? What type of opportunities do I have of changing my supply chains? What type of opportunities might I get from mergers and acquisitions? What new markets might they expose?

So all that to say is, there is a lot that organizations can and should be doing in and around the uncertainty. And I understand early days why you wouldn't, but the geopolitical environment isn't necessarily going to settle in calm. There's going to be things that are there.

Now is the time to take action, have a plan, be prepared to change your plan, but doing nothing at this moment, not a winning strategy.

Melissa Fournier:

Yeah, I love the theme of all of your responses today, Mike, have really been about action, right? What can you do today?

And so as we wrap up today's panel, I'm gonna turn to each of you, thinking about the discussion we've had, thinking about the Global Risk Landscape Report, if you had to pick one, 'cause I'm sure there's a lot, we've heard lots of practical steps that organizations can take today, but if there's one bold step or an underrated action that today's audience should consider taking in the next six months to build a more adaptive risk posture and start closing that risk awareness to action gap, what would that be?

And maybe, Ziad, I'll start with you.

Ziad Akkaoui:

Yeah, I would say that there's quite a lot that could be done, but I would say that you need to, organizations need to start shifting from prioritizing compliance as a driver of risk to thinking about putting strategy first and strategic thinking being a driving principle of risk management.

I'm not saying organizations don't do that, but I'm just saying that this should be a guiding principle for your risk management program. So, you know, I suggest start looking at your business plans. Take a look at the strategic objectives that your organization has put together and ask yourselves like, what are the critical risks that can derail what we're trying to build?

And you can obviously do it by silos within specific divisions or business units, but you want to make sure that you're able to turn every single strategy and identify what can go wrong and be very proactive about it and be honest with yourself. And obviously Mike touched on it many times today, take action, you know, don't just sit on the risk you know that it exists, but take action.

So what I mean by take action is model out these risk scenarios, reflect on what it actually means to your business. Economic volatility, supply chain, fragility, AI adoption, they're not going anywhere, they're here to stay and all it takes is one tweet or one news article to completely shift everything upside down.

So, I think it's really about moving from like a checklist-based approach, focusing from a compliance first mindset to a strategic mindset.

Melissa Fournier:

Great, and Alisa, what's your one bold step? 

Alisa Voznaya:

It's funny that we keep talking about the things that we have obviously talked to each other before, but we haven't practiced what we're gonna say. And actually mine is very, very much connected to everything Mike and Ziad have said. It's really about, for me, it's taking bold action, right?

And what I mean by that, related to everything Ziad had said, is courage to call out gaps, which then can lead to material failure, or not just material failure, but the fact that you're missing out on significant opportunities with this wait and see approach that Mike described. It's not unique to Canada, I'm seeing this everywhere. And it's a quick, quick, quick action to remediate as a consequence of that, right? So you're gonna see it, you're gonna call it out and you're gonna deal with it.

And again, to what Ziad had said for me is really important, it's combining that strategic view, right? Really kind of that helicopter view what that means, but then building out the tactical steps to deliver that response and that required change off the back of this.

That's probably all I'm gonna say because I think it's exactly what we need to see right now and there isn't very much opportunity to just be on the sidelines anymore.

Melissa Fournier:

And Mike, the last words from this one? 

Mike Abbott:

Yeah, so what I'll do, I'll sort of take this, I won't just say, "Hey, I agree with everything you said," but I do, but I won't just pick the same ones.

I think in Canada we've got a really unique situation. We've got a prime minister right now that is, you know, promising a lot of action, and you've seen and heard that as the tone that's coming out of Ottawa. What I would suggest is there's going to be a lot of opportunities in the next couple of years here in Canada around regulatory change and confusing compliance activities with risk management, right? Like there's gonna be a lot of opportunities to confuse those.

My one thing would be don't forget it's risk. Like, you're managing risk and trying to drive value and don't get lost in a compliance activity. It will be very easy to do because I think there's gonna be some really complex things, and in Canada we're in a unique spot where we've got the EU that is viewed as a overly regulated environment. I will just say in Canada, we've got provincial regulations that makes it pretty complicated too.

So there's gonna be a lot of regulatory change and don't confuse that for purely being a compliance type activity. There's gonna be a lot of opportunities that unfold. And I think that would be the big thing. Don't get lost in compliance. This is a moment of risk management and I would say opportunity creation for organizations.

Melissa Fournier:

Wonderful, so thanks to each of you. I think this has been a really incredible dialogue. I know I've taken a lot away from this as well. We'll bring you back out in just a few minutes for the Q&A.

But just as we start to close today's webinar, I want to highlight a couple of today's discussion takeaways from my perspective. So a lot of what we've heard already, but first this idea that risk fatigue is real, but being proactive and acting is essential. We heard that from Mike throughout today's discussion, the idea that we have to act.

Again, compliance is not the ceiling. Across Canadian and international markets, overreliance on compliance is constraining innovation. So it's about trying to find ways to embed risk into culture, not only process, that can unlock strategic opportunities and drive business resilience.

We've heard that it's becoming clearer than ever that people risk is business risk. There's a sharp rise in talent related concerns, especially with some of these AI related skills. It's now core to any effective risk strategy is understanding the people side.

We also talked a lot about cyber and AI risks, how these are converging quickly. Leaders have to view this opportunity not only as an opportunity but also as a threat and make sure that, again, it's coming from a place of rooted in risk management.

And one of the more compelling threads we've heard today is how risk is no longer either global or local, it's both. And it's all of the time. We're seeing geopolitical tensions driving supply chain redesigns and tariff implications. There's also regulatory fragmentation and differentiated risk appetites where we're seeing what works in one region doesn't always translate directly elsewhere.

Ultimately that means organizations need to develop strategies that are flexible enough to pivot globally but also really deeply rooted in local context, whether that's compliance expectations, market conditions, or some of those operational realities.

So as we close today's session, we're gonna invite you to reflect on this core question. Is your organization simply meeting compliance demands or are you using risk as a strategic lever for growth and resilience?

The 2025 BDO Global Risk Landscape Report makes one thing clear, leadership teams must be ready to act, not just react. So that starts with reassessing your risk universe, understanding which risks are truly material, how they're evolving, and where your organization stands today on the journey to risk management.

Our team can support you in all of this, whether it's evaluating your current risk posture, facilitating scenario planning, or designing and re-implementing proactive value generating risk strategies. Whether it's embedding risk into decision making, enabling that communication and culture, enhancing cyber resilience or managing regulatory complexity, which we heard a lot about today, we're here to help guide that transformation.

So before I bring everyone back, just in terms of what's next, after today's webinar, we'll send you a link to the full Global Risk Landscape Report and we'll also have a copy of today's webinar recording online for future playback.

I'll invite you to stay tuned for our next webinar where we're gonna continue the conversation with new insights and deeper dives into emerging risks. But in the meantime, we do encourage you to read the full report, identify one meaningful action you can take this quarter, maybe it's one you heard here today, whether it's launching a cultural reset, assessing your risk framework, or simply asking are we managing risk in ways that truly move us forward, ask yourself some of those questions and identify key takeaways. And we're always here to help bridge the gap if you don't know where to start.

Before we leave today, I wanna invite our panelists back to the stage to take a couple of audience questions with the time we have remaining. So the first question, I'm gonna lob this one to Mike, but feel free to jump in, Alisa or Ziad, if you have anything else.

So we have a question in terms of seeing that Canada's overall level of innovation is still weak, what recommendations can we make to prompt more initiative to create value?

Mike Abbott:

Hmm, well, appreciate you sending me that question. Like, there's a couple ways I could answer that. I could answer it at a broader political, you know, lens, but I think this is a matter, you know, for individual organizations, that's how I'm really gonna look at it.

I think, you know, Ziad had given a really good recommendation of understanding overall strategies and where I think individual organizations can do more of this would be looking at how do you create the value alongside the strategies that exist within an organization, right? Like what can you do wearing your risk management, you know, functions or within the business to help accelerate that?

I think at a political level, you know, the world of government incentives and how do you drive that out and how do you make investments in certain industry sectors, that's gonna be something that we here in Canada will have to tackle.

I think the low innovation is actually tied very closely to the low productivity scores that we here in Canada have and have had for a number of years. So this, you know, there's a couple of pieces, I think individual as organizations, really looking for ways of how you can do things differently and meet mandates differently, micro, and then at a political level, I think the government will come in and it's clearly on their agenda to drive that out.

Ziad Akkaoui:

I might just add one more point to this. If you take a look at Canadian organizations, typically I would say innovation is centralized in government funding, government programs, innovation labs, like within specific organizations.

But I think the real progress happens when it's really the frontline that is empowered to experiment. So it's really about giving our staff the opportunity to work in a fail safe zone, start small, fast cycle initiatives, I think is really helpful from that perspective.

I think you wanna be able to reward innovation and not necessarily slap someone on the hand if they tried something that didn't necessarily result in any value, but at least they gave it a try.

You know, comparing to other countries, obviously government funding, more tax credits for organizations that are innovating, I think is critical as well.

Melissa Fournier:

Great, excellent. So I realize we're at time, so I just wanna thank each of you for being here today. It was a really important dialogue I think. And I also just wanna thank everyone on the line. Thank you for joining us today and for being part of the shift from risk compliance to risk leadership.

And if you do have any questions, please feel free to reach out to us. We're always happy to answer them. We're always happy to meet with you and I hope you'd enjoyed today's webinar and feel free to read the full report.

Ziad Akkaoui:

Thank you, everyone.