May 16, 2016
Emerging Risks: Looking Around the Corner
Emerging risks can be like smoldering embers that can be seen and smelled before erupting into flames. Unlike a fire, these risks may take months or even years to manifest themselves as business challenges. For example, aging populations, growing income disparity, and sustained underemployment are long-unfolding changes affecting the world’s population. Unabated, they eventually will alter the social and political landscape and affect consumer demand for goods and services. It’s not a matter of if, but when.
Emerging risks are triggered by unanticipated changes in the environment. They range from catastrophic events that make an immediate impact (e.g., a tsunami or terror attack), to the realization of existing risks accelerated by external factors (e.g., changes in customer preferences or new competitor actions), to the emergence of internal business factors that have materialized over a longer period (e.g., a breakdown in the internal control environment or risk culture).
The identification of these and other emerging risks is important to boards that value early warning. The uncertainty around their ultimate impact on the organization makes it difficult for senior management and risk executives to assess their relevance and formulate an appropriate enterprise response, and may make management feel reluctant to assign ownership of the risks. Most importantly, these factors make it hard for management to decide what to communicate to directors, given the board’s crowded agenda.
The following are practical principles for boards to consider with respect to how the organizations they oversee should identify and communicate emerging risks.
- Expect management to inform the board of relevant emerging risks and trends on a timely basis. Executive management and risk executives are responsible for communicating significant emerging risks and changes in critical enterprise risks to the board. The timing and frequency of these communications are dictated by the severity of the risk’s impact on the organization, the velocity (or speed of onset) at which the risk impacts the organization, and the uncertainty regarding if and when the risk will manifest itself. The board should expect management to review, monitor, and understand the most significant emerging risks and determine appropriate responses as the nature of the risks and their impact become clearer over time.
- Consider the potential consequences of newly planned actions. When new strategic objectives, research and development initiatives, mergers and acquisitions, and other opportunities are undertaken, it is important that management understands their impact on the entity’s resources, business infrastructure, and culture. In addition, the potential impact of the planned actions on customers, suppliers, regulators, competitors, and other external parties should be considered.
- Challenge critical assumptions using plausible and worst-case scenarios. The performance of a scenario analysis exercise will help to identify opportunities and avoid unacceptable losses and surprises. Management should assess relevant scenarios that could render invalid the critical assumptions underlying the business case and economic justification supporting proposed strategies, investments, acquisitions, and other key decisions. This assessment informs the board’s risk oversight by positioning executives and directors to challenge the key assumptions that matter. With respect to worst-case scenarios, the question is not “Can it happen?” but “What is the impact if it does happen, and how will we respond?”
- Use key risk indicators (KRIs) to identify new and emerging risks or changes to existing risks. KRIs are qualitative or quantitative measures used to monitor the critical risks and the responses to them, and to facilitate risk reporting. While key performance indicators (KPIs) are generally retrospective in nature, KRIs are typically forward-looking lead metrics. When KRIs are focused on successful execution of the strategy, we have seen them used effectively in conjunction with board reporting, particularly when they are linked to the critical risks and assumptions underlying the strategy.
- Look far enough forward to spot emerging risks and megatrends. Today, we see evidence of transformational change on a number of fronts. The digital technology revolution that’s increasing interconnectedness of people and things, the risk of cyberattacks, aging populations, income disparity (as mentioned earlier), increased urbanization and resulting new large markets, environmental decline (e.g., quality of air, soils and water), increasing nationalist sentiment, and geopolitical tensions in different regions are important dynamics of change. In the past, longer time horizons (say, 10 years) usually were needed to notice these risks. But today, many of these risks are becoming more imminent. Ignore them at the risk of an irrelevant strategy.
- Monitor the threat landscape driving known critical enterprise risks closely. Regulatory, cybersecurity, economic, talent acquisition and retention, identity and privacy, financial markets, and other top-of-mind issues pertinent to executive management and the board merit close attention to ascertain whether changes in these risks are occurring for the worse, leaving the organization in a vulnerable position. Metrics reported to the board for critical enterprise risks should focus on changes in the risk profile and whether such changes warrant an updated risk response.
Applying the above principles will help executive management and boards face the future with confidence through greater awareness of the risks that matter.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.