Emerging risks are newly developing risks that cannot yet be fully assessed but could, in the future, affect the viability of an organisation’s strategy and business model. A risk-savvy culture sometimes needs an informal adhocracy to identify emerging risks in a timely manner.
When the National Association of Corporate Directors (NACD) published its Report of the NACD Blue Ribbon Commission® — Risk Governance: Balancing Risk and Reward in 2009, it recommended 10 timeless principles to assist boards in strengthening their risk oversight process. One principle was: “Consider emerging and interrelated risks: What’s around the next corner?” The NACD report noted that boards need to “look forward to understand elements in the environment — macroeconomic, political, technological, demographic, climatic/environmental — that may impact the conduct and effectiveness of the business in the future.”
Most organisations apply their risk assessment process periodically. But as everyone has learned during the pandemic, change never ceases. With risk by nature being disruptive, new developments often arise in between periodic risk assessments.
Enter adhocracy. The term “adhocracy” has evolved to describe an organisational approach that cuts across normal bureaucratic lines to capture opportunities, solve problems and get results. An adhocracy structure is flexible, adaptable and open to fresh perspectives on the business environment.
Timely identification of emerging risks between scheduled risk assessments may depend more on adhocracy than traditional, formal processes because these risks are anticipatory in nature and are often issues that are not on management’s radar. Ad hoc activities supplement established risk management processes and can lend themselves well to the fluid world of emerging risks.
Smaller organisations usually find adhocracy easier to implement than larger ones, thanks to less bureaucracy and hierarchy. But regardless of the company’s size, management must foster a risk-savvy culture that facilitates the recognition and communication of emerging risks up, down and across the enterprise so that critical and creative thinking can flourish. Below are six suggestions on how management can work toward such a culture and, in doing so, inform the board’s risk oversight.
Conduct brainstorming sessions. Brainstorming is one of the most commonly applied expressions of adhocracy. It brings the right people together to focus on one or more issues of mutual interest. The Latin phrase “ad hoc” translates as “for this,” meaning “for this special purpose” (e.g., to identify emerging risks). While these activities may be carried out through a formal management risk (or other “ad hoc”) committee, they may also be spontaneous, unplanned knowledge-sharing sessions to ascertain whether changes have occurred internally or externally that warrant closer attention.
Executives at one Fortune 500 company describe these activities as “taking a pause” to discuss risks to the business, particularly enterprise risks that present obstacles to achieving the organisation’s objectives. Brainstorming may focus on identifying extreme but plausible risk scenarios, such as a pandemic similar to COVID-19, a precipitous economic decline, an unexpected spike in interest rates or signals of impending change in the regulatory climate in key markets.
Encourage a cross-functional, cross-unit perspective to circumvent new risks. In large organisations with different operating units, it is important to understand how support functions and units interact with each other and with outside parties. Ad hoc sessions should embrace a cross-functional, cross-unit view. For example:
- Is procurement operating independently of research and development (R&D), design engineering, and finance in the pursuit of functional excellence? If so, significant exposure to excess and obsolete inventory can emerge.
- Do two or more operating units sell to the same customers? If so, customer concentrations should be monitored on a consolidated basis, not just for individual units.
- Do multiple units source from the same supplier? If so, is business continuity risk exposure monitored over time on an enterprisewide basis? If not, how should that be done?
Keep it fresh. While emerging risks may be identified through established committees, monitoring processes and forward-looking key risk indicators, a constantly changing business environment necessitates shaking things up to encourage people to think out of the box. To illustrate:
- Providing the latest information on market developments — perhaps sourced from the organisation’s various intelligence-gathering functions — grounds the dialogue in business realities, keeps the assessment evergreen and can elicit new insights into possible emerging risks.
- To overcome undue influence from the blinders of cognitive bias, ad hoc (and formal) assessments should encourage dissenting points of view, ensure that all views are heard (and considered) from the right sources, and stimulate creative and divergent thinking. This may mean holding back the smartest and most senior people in the room.
- Giving license to longer-term thinking can unleash dialogue that results in envisioning very different risks to the business. The World Economic Forum uses a 10-year horizon when conducting its annual risk study. Considering risks over a longer horizon is often a key distinction between organisations actively working toward alleviating sustainability risk, for example, and those who give lip service to such issues due to short-termism.
Pay attention to execution of the strategy. The 2009 NACD report suggests that boards focus on the risk of management failing to execute the strategy either due to unwillingness or lack of capabilities. A more recent NACD survey noted that nearly 70% of directors believe that their boards must strengthen their understanding of the risks and opportunities affecting company performance.
The organisation’s monitoring of performance should not be limited to the traditional retrospective metrics that “keep score” against quality, cost, time, innovation, customer loyalty and employee satisfaction targets. Such metrics should be supplemented with anticipatory and forward-looking indicators and trending metrics linked to the most critical risks to executing the strategy.
Watch out for “gray rhinos.” In 2018, NACD issued a report on board oversight of disruptive risks and the importance of adaptive governance as a framework for overseeing such risks. Management should assess the velocity and persistence of significant risk events and the organisation’s response readiness.
Ad hoc sessions should carefully consider possible disruptive risk events that are high impact, high velocity and high persistence so that focused efforts are undertaken to develop and improve response plans. Apart from the so-called “black swans” — the risks that no one sees coming — these “gray rhinos” can be just as threatening if they are disregarded until it is too late. Some examples include the bursting of the housing bubble in 2008, the impact of digital technologies on business models and the effects of an airborne virus pandemic such as COVID-19.
Expect the board to play a part in recognising emerging risks. Boards should be resourceful in considering external sources for insights on key topics. These sources may include industry developments, technological advances, investor feedback, benchmarking against competitors and changes in the regulatory environment. As there is no formal playbook for the board to follow when taking this initiative, such a collective effort amounts to adhocracy at its finest.
The 2009 NACD report states that the board is positioned to provide a value-added perspective on emerging risks because it is “inherently less insular than a management team might be on [an] issue.” This perspective is fostered by strong board dynamics in which directors engage senior management openly and collaboratively, retaining an independent mindset on the shareholders’ behalf.
In summary, the board should foster a risk-savvy culture that encourages management to look out far enough, monitor what matters both internally and externally, and devote efforts to assess the implications of change on the business. Effective adhocracy supports this culture by augmenting the formal processes management has put in place. Employees who are risk-aware and prone to visualising the big enterprisewide picture should be empowered to take the initiative to “connect the dots” when new developments emerge, determine whether the entity’s risk profile has been altered in a significant way, and recommend to decision-makers the best approach to capitalise on market opportunities and address emerging risks.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Is the board apprised in a timely manner of significant changes in the enterprise’s risk profile? Is the board satisfied that management is enabling the appropriate collaboration and informal dialogue up, down and across the enterprise to identify emerging risks in a timely manner? Does the exercise result in appropriate discussions and response plans on a timely basis?
- Is the board satisfied that management is continuously monitoring changes in the business environment to identify impacts on the assumptions and risks inherent in the corporate strategy? Is management looking out far enough when assessing risk to avoid constraining risk assessments with short-term thinking? Are the interrelationships among risks and interactions among operating units considered?
- Is management bringing enough creativity to risk assessments to stimulate fresh, unbiased thinking about emerging risks? Is the board engaged in these assessments in an appropriate way?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and the capabilities for managing those risks. We help organisations identify and prioritise their risks, including emerging risks that can impair their reputation, brand image and enterprise value.