The world is becoming an increasingly risky place for organizations of all types and sizes – whether in the private or public sectors. Environments, 100-year-old business models, and social and political dynamics are being disrupted everywhere. A quick look at some of the more recent corporate disasters bears testimony to this.
|Catastrophe (& Estimated Cost)|Why? Because they did not foresee / understand / communicate…|
|---|---|
|2008 Global Financial Crisis (trillions of dollars)|…the gigantic risks inherent in the complex financial products that were created, rated and regulated by the global financial institutions, ratings agencies and regulators!|
|2010 Deepwater Horizon blow-out ($60bn)|…the risks lurking under a culture of complacency and information withholding, within a hugely complex operation!|
|2011 Fukushima nuclear reactor meltdown ($188bn)|…the possibility of a tsunami in its disaster preparedness scenarios – because the last tsunami occurred over 1,000 years ago!|
|2012 Kodak bankruptcy|…the fatal risks to their business model emerging slowly but surely from the digital camera revolution!|
|2015 Volkswagen Emissions scandal ($40bn)|…the risks brewing internally from a closed, dictatorial culture, and a top-down “win-at-any-cost” mindset driven by the Chairman of the Board!|
And then, what about the Titanic (1912), Chernobyl (1986), Toyota (2010), Nokia (2013), GM (2014), Yahoo (2016)?
Was there something common that was missing in all these systems, which led to the infamous catastrophes?
Yes, you guessed it right! They were NOT managing the warning signs, the danger signals on their horizons, owing to the absence of a reliable and effective (i) Framework and (ii) System for managing Emerging Risks.
A Definition of Emerging Risk:
Emerging Risk can be defined as a newly developing or changing risk, that is extremely difficult to quantify, but nevertheless could have a major impact on the achievement of your organization’s objectives.
Are Emerging Risks really different from Conventional Risks? If so, in what way?
All risks by definition arise from uncertainty. When a Risk Manager creates a Risk Profile, a conventional risk has several dimensions of uncertainty, such as (1) likelihood (2) frequency (3) timing (4) impact, (5) velocity as in the speed at which the risk could manifest itself, (6) vulnerability/readiness as in how prepared your organization is to respond to the risk, and (7) duration of impact.
Now, an Emerging Risk has the exact same dimensions of uncertainty, BUT you could say that the degree of uncertainty is multiplied by a factor of, say, 10 or even 100 – this is the basic difference in a nutshell!
Some implications of this are:
- a risk which is emerging today may become a conventional risk after a period of time, as we get more and more knowledge about its risk profile through research, analysis, etc., and as the uncertainty around the above 7 dimensions diminishes.
- what might be a current risk for Organization A may still be an emerging risk for Organization B.
What are the broad categories of circumstances which give rise to Emerging Risks?
Once you understand these ‘contributing circumstances’, you will look for them on your entity’s horizon, which helps you identify your emerging risks better!
Here’s a short list to set you thinking:
1: Complex systems
2: Closely interconnected system components
3: Changing social, economic or political dynamics
4: Untested technological advances
5: Inadequate multi-directional communication
6: Perverse incentives
I would strongly recommend all risk and internal audit professionals reading this article to visit www.irgc.org to gain a better understanding of the above, and more, factors.
Having gained a high level understanding of the definition of Emerging Risk and the Contributing Circumstances, let us now turn our attention to what constitutes the Governance Framework for managing your Emerging Risks.
The Governance Framework comprises 3 layers: Strategy & Roles, Culture, and Training.
- The “Strategy & Roles” layer requires the Board and senior management to:
  - formulate and embed the Emerging Risk strategy into the overall organizational strategy
  - clarify the roles and responsibilities of the various actors in the management of Emerging Risks – the Board, Senior Management, Risk Managers, Line Managers, Internal and External Auditors, and Regulatory Authorities. But the most important role in the Governance Framework is that of the Emerging Risk Coordinator, who acts like the glue that binds the various interested parties together. His overarching aim is to ensure that emerging risks and opportunities are handled effectively and efficiently to help the organization achieve its objectives.
- The “Culture” layer requires the Board and senior management to establish a strong mindset at all levels of the entity to deal with emerging risks and opportunities by:
  - establishing explicit incentives that encourage horizon scanning
  - removing any perverse incentives that discourage horizon scanning
  - encouraging the bottom-up flow of contrarian views that challenge the status quo, the reporting of unusual events, and the avoidance of “group think”
- The “Training” layer requires the Board and senior management to establish training programs that teach staff and executives at all levels how to:
  - undertake horizon scanning
  - communicate clearly about potential emerging risks
  - work in teams to improve understanding of, and response to, emerging risks
The 5-step Emerging Risk Identification & Management System
And finally, let us introduce the iterative system that functions within the Governance Framework, and which will help you identify and manage your Emerging Risks and Opportunities.
STEP 1 – Early Warnings:
- DETECT signals on the horizon and EXPLORE possible future situations that may represent an Emerging Risk in the short & medium term
- CREATE A RISK PROFILE of these signals and situations
- FILTER & PRIORITIZE the list of Early Warnings to carry forward into Step 2
- Regularly update the above filtered list
STEP 2 – Scenarios
- DEVELOP a comprehensive set of scenarios for each Early Warning coming from Step 1, including those Scenarios relating to “low-probability-catastrophic impact” events (“Black-Swan” events) [Refer Note below]
- Regularly update the above scenarios
Note: Scenarios under Emerging Risks vs Conventional Risks
In Conventional Risk Management, only those Scenarios which are considered probable today, and have a probability attached to them, preferably based on past experience, are used in the Risk Analysis. We do not consider events that might occur based on possible, though not probable, scenarios! For instance, risk analysis of non-nuclear infrastructure does not normally consider the probability of a plane crashing into the infrastructure.
On the other hand, Scenario building for Emerging Risks Management considers all risk events that might happen in future AND all possible combinations of risk events, EVEN IF no reliable probability estimates are available.
Let’s say, in a piping system in a factory, 50% of the pipes are more than 10 years old, and the rest are between 0-10 years old. Up until now, no problems have been detected in the new pipes.
However, after reading an article in the IIA UAE magazine about Emerging Risks, the Risk Manager and the Factory Manager, in consultation with the Maintenance Manager and the ERC, find that, in the summer months, owing to excessive heat in the rear of the factory, all pipes experience a certain degree of expansion. If the temperature climbs even 1º beyond NNº, the stress in the piping system could cause multiple domino-style ruptures throughout the piping system in the factory, with consequent chemical spillage, a major explosion if the inflammable storage tanks in the factory compound were caught in the midst of the spill, severe damage to the office building in the adjacent plot, along with loss of life and property. This risk has never materialized in the past, and there is no available probability distribution for this risk event.
The Risk Manager and the Factory Manager however realize how negligent they have been till now, by not considering such scenarios in their earlier risk assessments, and have vowed to carry on the good work in all their risk assessments from now on.
STEP 3 – Decisions
- DECIDE which Scenarios to follow through for managing the related Emerging Risk – based on which scenarios have the highest impact on the achievement of the entity’s objectives, if left un-managed
- IDENTIFY & EVALUATE possible risk management options [Refer Note below] for each Scenario relating to a given emerging risk
- IDENTIFY Windows of Opportunity during which the risk management option can be applied, Failure Thresholds after which it will be impossible to effectively manage the emerging risk, and Acceptability Thresholds below which it will not be necessary to manage the emerging risk
Note: Risk Management Options
STEP 4 – Implementation
- Establish internal and external communication channels
- Allocate resources
- Clearly define roles, responsibilities and incentives
- Ensure adequate authority in line with responsibility for implementation
STEP 5 – Monitoring
- Monitor how emerging risks and opportunities are unfolding
- Review relevance and performance of decisions made and options chosen
- Update the risk management options
- Involve external experts to assess how the process is doing
Globally, stakeholders are pressurizing boards and managements to enhance their organisations’ ability to look into the future, to pick up signs of trouble and address them BEFORE they manifest themselves in the form of events. If you, as a Risk or Audit professional, do not want a “Titanic” moment on your CV, I strongly recommend you stir your organization out of its slumber, and kick-start the establishment of a framework and a system for managing your Emerging Risks!