Risk is having a good crisis; arguably it always does. The global financial crisis gave us new regulations to pre-empt a similar crisis in the future, and that continues to drive demand for consulting support, even though it’s become increasingly commoditised in the last couple of years. The COVID crisis has reminded business at large that our multifaceted, porous, and interconnected world is uniquely vulnerable to a pandemic. Further economic shocks, climate change, and cyberattacks are just some of the risks senior leaders will need to face up to in the future.

Some of this increased anxiety and activity will convert into spending with consulting firms. In our latest research, 37% of organisations said that they expect to buy more risk-related consulting work over the next 18 months as a direct result of the crisis. However, 14%, presumably in straitened financial circumstances, will spend less, and many organisations will try to use their own staff, keeping projects small and the rates they pay as low as possible.

What can risk consulting firms do to counter these pressures?

Our recent report on the risk services & cybersecurity market pegged the market as a whole at US$72bn, or US$60bn if we exclude the regulatory-driven element. Before the crisis, it was growing at a healthy annual rate of around 10%. Cybersecurity was growing most quickly (just under 14%), along with technology programme risk and risk transformation (both around 10%). Getting back to those levels of growth won’t be a case of returning to traditional ways of working: More than half the clients we surveyed said they expect that the changes to risk consulting being wrought by the crisis will become permanent. What changes do they expect? That more risk consulting work will be delivered via proprietary tools, more in-house risk work will be outsourced, and more (three-quarters of those in organisations with 5,000+ employees said this) risk consulting work will be delivered as a managed service.

By managed service we don’t mean a reversion to the 10-year deal solution typically applied to poor-performing IT functions, but rather the innovative integration of software and data into consulting engagements. This is something clients were asking for before the crisis hit: Frustrated by the advisory label, clients were already looking for efficient solutions that were focused on delivering a specific outcome, but which also provided tools their own staff could use and ongoing access to deep consulting expertise. Now, in the crisis, that existing trend is being amplified by the pressure on clients to avoid having consultants in their offices and the desire to make consulting firms more accountable for value delivered. Indeed, the surge of interest in outsourcing, as many organisations look to take substantial costs out, appears to be part and parcel of the same trend.

All this means that risk consulting firms won’t just need to consider which of their services will fare better in the post-COVID world, but how they will deliver them. Because clients’ direction of travel isn’t new, most major firms have already made significant investment on the technology side, building software tools that can sit alongside consultants and, in some cases, replace them.  But less thought has been given to the two other facets of this new generation of managed services: data and people. There remain huge opportunities to find, harvest, and create better data about what drives risk in, across, and between organisations. Combining specialist data from different parts of a business in new ways may improve organisations’ ability to predict some risks, and better monitor their response to those they can’t foresee, such as a pandemic. People need to change too: That much-maligned “advisory” label flounders on the impression, which still holds sway in many clients’ minds, that risk specialists give advice, but don’t act.

Being more accountable brings its own risks, but the greater risk for consulting firms lies in not changing.