The last 20 years have produced an increasing number of disruptive, complex and unpredictable events, even black swans. In this session at RIMS 2021, two risk management experts explore ways to identify and assess exposures to build resiliency to these events in your organization.
- Bob Bowman – Senior Director, Risk Management, The Wendy’s Company
- Chris Mandel – President & Managing Consultant, Excellence in Risk Management, LLC
While the risks less understood are difficult to address, they are often so substantial in impact that they can’t be ignored. Black swan events, while, by definition, are unpredictable, there are still steps that can be taken for an organization to be more resilient to the effects of these events.
Deliberative vs. Intuitive Risk Management
While two types of thinking exist in the realm of risk management, it’s critical to choose the one that best applies to your organization’s circumstances.
Intuitive thinking is guided by emotional reactions and simple rules of thumb acquired from personal experience and does not require extensive time or resources. This works well if there is sufficient experience and data on possible outcomes and if complexity is low. This type of thinking tends to underestimate risk prior to manifestation and overestimates risk following manifestation.
Deliberative thinking gives greater attention to reasoned analysis and complex protocols before choosing among alternative courses of action. This is an analytical and systematic approach to identifying multi-faceted sequences and consequences. It seeks to have decision-makers work to gain a full understanding of risk-related issues then undertake a comprehensive search for the best alternative. It also requires the use of data and expert information to examine the downsides and benefits of alternatives.
The Risk Spectrum
Within an enterprise risk spectrum exist four categorical types of risks, including strategic, operational, financial and external risk factors. Strategic risks include acquisitions, business models, competition, demographics, etc. While typically uninsurable, these risks deserve attention given they continue to have a greater negative impact on stock price than more easily auditable risk areas. Operational risks include customer service, infrastructure, processes, system capabilities, talent and technology. Financial risks include capital, cash flow, credit, debt obligations, and liquidity. External risks, include some of the emerging risks currently, including changes in economic policy, environmental factors, geopolitical factors, regulatory issues, tax policies, and weather events.
What Is An Emerging Risk?
An emerging risk is a risk that isn’t yet recognized or easily understood. These types of risks affect reputation and competition and have a high degree of uncertainty with no idea of how it will impact loss. They can be ignored or addressed, but ignoring these risks will likely become a greater problem in the future. The uncertainty of an emerging risk means that it has the potential to grow rapidly with low frequency but a high impact. While perceived as “unlikely,” those perceptions concern existing circumstances which could change at any time. Typically, the ownership of these risks doesn’t hold one individual accountable since the potential consequences impact multiple resources and objectives. Finding a risk champion for emerging risks can be challenging given the complexity is not clearly understood.
The acronym VUCA can be applied to the dangers behind an emerging risk, meaning they are volatile, uncertain, complex and ambiguous. Each of these items can amplify weaknesses within an organization’s risk management structure, with volatility amplifying vulnerability, uncertainty amplifying unwillingness to face the issue at hand, complexity amplifying the unintended consequences from other reactions, and ambiguity amplifying the need to make assumptions. We can dampen the VUCA effects with diligence, understanding, containment and agility. Focus on being ready instead of being right and know the signals that may sink your ship. Center yourself more quickly and respond, which requires moving forward before you’re even sure and adjusting along the way.
Issues Relevant to Strategy
Understanding the relevance, importance and uncertainty around emerging risks can help planning for them. Monitoring, reporting and addressing possible impact can help create a preliminary plan. But how do you plan for an event that hasn’t impacted your organization? Identifying emerging risks may be difficult, but utilize the tactics already in place and apply them, including surveys, financial statements, records, industry checklists, trend analysis, scenario analysis and environmental scanning.
Best Practices for Emerging Risk Process
Risks to long-term strategy should be prioritized when identifying what risks are most significant threats to your organization’s objectives, but before beginning your identification process, you’ll need to:
- Conduct emerging risk reviews
- Integrate or align emerging risk reviews with the planning process(es)
- Drive agreement on key assumptions and test them with rigor
- Challenge conventional thought processes and the status quo
- Apply the right methods to better understand and predict emerging risks
- Balance an internal vs. external environmental view
- Manage the emerging risk within the risk appetite and tolerances of your firm
Emerging Risk Options & Actions
While actionable, emerging risks don’t always necessitate a plan, given some of these events may not be relevant to your organization. Actionable options include acting on the factors contributing to the risk, developing precautionary measures, reducing vulnerability, modifying risk appetite to align with new risk, or using existing risk management measures. The type of action depends on the issues relevant to your organizational strategy.
Takeaways for Risk Managers
- Design and implement an emerging risk process.
- Uncover the unknown or poorly understood threats to businesses.
- Bring needed resources to address the new risks efficiently.
- Build resiliency and sustainability into the organization, regardless of exposure.
- Leverage new risks that lend themselves to exploitation.
- Leverage emerging risk processes for competitive advantage.