By Carmen Rossiter
Mitigating the potential impact of emerging risks is challenging enough for organizations, let alone tapping into the opportunities that may lie behind those new risks. To deal with the unknown, organizations have adopted a range of tools and approaches. In a recent panel discussion at the Conference Board of Canada, titled “Emerging Risks – Disruption is the New Normal”, the speakers talked about what is required of Emerging Risk Management (ERM) to deal with new risks, drawing on their own experience in planning for the unknown. They shared real-life strategies that can better equip risk managers to operate in an environment where “unknowns” are no longer the exception.
Let’s define emerging risks. They are risks that are becoming more apparent or prominent and that were not previously contemplated – they are evolving. Emerging risks can arise from both inside and outside the organization. Interestingly, Principle 10 of the COSO ERM framework (identifying risks) specifies that an organization should identify new, emerging and changing risks to the achievement of the entity’s strategy and business objectives.
The panel was asked to talk about types of risk, which can be categorized in this way:
- Known Knowns – Things we know. They are expected and top of mind. We will take action by anticipating, controlling and preparing for them.
- Known Unknowns – We know there are some things we do not know, and this is the typical domain of “emerging/developing risks”. We need to put those at the top of the priority list. The action should be to act; don’t let it slip or procrastinate, or we might be caught off guard if the risks happen.
- Unknown Knowns – Someone knew but not those performing the risk assessment. It’s a blind spot that is dangerous and needs to be moved up to “Known Knowns”.
- Unknown Unknowns – We don’t know what we don’t know. These are surprises, and if they happen, it’s time to panic!
Some emerging risks are more difficult to capture than others. The most “important” emerging risks to capture are strategic ones since they should be top priorities for any organization, executives and the board. It is also important to look at risk categories over time. In the World Economic Forum’s Global Risks Report 2019, researchers look at changes in categories of risk and ranking over decades. These have evolved from mainly economic concerns in 2008 to now mainly climate and technological concerns.
Capturing emerging risks requires a combination of approaches to cover your bases. One of the most important is staying plugged in to trends that could turn into risks or opportunities. Track the news for international/global events, feelings, sentiments, politics, societal changes and changes in preferences. The Global Risks Report is a great source that compiles research to identify rising risk trends.
From these trends, consider their potential impact on the organization as both risks and opportunities. It’s not a solitary exercise. Engage others: discuss, socialize ideas – there are no bad ideas – and don’t dismiss ideas with “it’s never going to happen”. Reach for things “not previously contemplated”.
Also, do a reverse stress test on your strategy. What event(s) could impact achievement and totally derail, kill or destroy the organization?
How do you utilize technology in capturing, assessing, evaluating, and communicating emerging risk? Panelists reported seeing a number of technologies in use for ERM: good, bad and ugly, but none endorsed a particular solution. The critical success factor in using technology in risk management is recognizing that it is only one of many elements of a successful risk management infrastructure.
The concluding discussion among the panelists was, “what advice would you give an organization just starting to address emerging risk within their overall ERM program?” These were among the top suggestions:
- #1 – it’s time to get started. Now!!
- Start small and show tangible progress early
- There are no bad ideas – start the dialogue – open communications – and have the risk conversation.
Carmen Rossiter is a director of SEEC’s Masters Certificate in Risk Management and Business Performance Leadership (starting April 29, 2019) and was a participant in the panel discussion, held March 6 at the Sheraton Centre Toronto Hotel.