Risk consulting: The competitive landscape changes again
Operating model risk is likely to be the next big risk services market after cybersecurity. But who’ll benefit?
According to our estimates, risk consulting and related services were worth US$72bn in 2019, US$18bn of which was cybersecurity consulting (note: definitions differ—our numbers don’t include systems development, outsourcing, or hardware and software sales). Pre-crisis, the overall risk market was chalking up growth in the region of 8-10% a year, with demand for cybersecurity typically increasing at more than twice that rate. While the market is likely to contract in 2020 in response to the COVID crisis—there are aspects of risk management that clients deem discretionary and will de-prioritise in a time of cost-cutting—it’s still likely to be the next best performing market after technology consulting.
But incumbent players, new entrants, and—increasingly—investors will need to ensure they sidestep the less attractive parts of the market. Traditionally, the risk services market divides into two parts: pre-emptive and remedial. The pre-emptive market covers a wide array of risk mitigation work (around policies and controls, for example) as well as reviewing compliance, technology assurance, etc. By contrast, the remedial market is focused around helping client organisations respond when something has gone wrong—which can take the form of short-term stemming of the crisis and/or long-term sorting of the ramifications. Typically, clients prefer the pre-emptive work to be done by generalists, notably the Big Four but increasingly strategy firms too, not least because it’s not always clear where the problems lie. Working with a firm that can draw on different capabilities as required makes perfect sense; having a brand that will be credible at board level helps reinforce that. The remedial market is far more specialised, because the nature of the problem is known. Clients’ main concern will be to hire a firm that has precisely the right skills. Here, brand is less important than deep expertise and a track record of proven results.
Chair | Non Executive Director | Financial & Professional Services
4 年Really interesting piece Fiona Czerniawska . I would certainly agree that the Covid-19 crisis has increased the scrutiny on Operational Risk and Business Continuity Planning, particularly in financial services. I do think that specialist firms like fscom are increasingly being sought out over big consulting or technology firms due to deep domain expertise around Risk and Compliance.