During a roundtable Protiviti co-facilitated in Chicago in late 2013, a director observed that he couldn’t get any of the boards on which he served to allocate time to discuss the “unthinkables.” The ensuing dialogue pointed to the importance of effective methods for recognizing emerging risks and of directors having the appropriate expectations of management to apply those techniques to inform the board’s risk oversight process.
Effective risk management requires understanding more about what we don’t know than what we do know. In particular, it must recognize when new risks are emerging. Too often, risk assessments plot the usual “known knowns” on yet another risk map, leaving executives and directors underwhelmed because the process doesn’t really tell them anything they don’t already know and leaves little insight about what to do next.
The board should expect management to consider emerging risks periodically. To illustrate, the CEO of one company has an independent party interview her direct reports each year regarding their views on the company’s top risks in view of both the strategy and its execution and considering such factors as likelihood of occurrence and the severity, velocity and persistence of impact. The interviews are synthesized into a “top 10 list” indicating, for each risk, whether its significance is increasing, declining or unchanged from the prior year. New risks included in the top 10 are identified along with the risks that fell out of the top 10. This analysis is reviewed with the board of directors, which expects an update at least annually. The risks are then considered in the business planning process. The risk assessment is updated as significant new risks emerge.
There are myriad operational, financial and compliance risks embedded within every organization’s day-to-day operations. A process focused on prioritizing these day-to-day risks isn’t likely to identify the most critical emerging risks. To identify emerging risks, management needs to apply more divergent and innovative techniques that focus on such things as the implications of change in the business environment on key assumptions underlying the strategy and business plan, the tracking of trends and key risk indicators to spot early warning signs, and the analysis of interdependencies among risks to identify emerging risk themes germane to the organization.
Following are some observations regarding techniques for identifying emerging risks:
- Understand the uncertainties inherent in your strategy – Strategic uncertainties arise when the critical assumptions underlying the strategy are becoming, or have become, invalid and management and the board are unaware of the change. These risks are potentially lethal and leave management playing out a “losing hand” in the marketplace. Management should apply contrarian analysis to think outside the box to identify risks, scenarios and circumstances that could ultimately bring the company down or cause significant harm. They should focus broadly on actions competitors may take, how customer preferences could change, the threat of substitute products, or the implications of losing a major supplier, channel partner, customer or other vital component of the value chain. Also, it may be useful to look beyond the company’s industry to determine whether a significant issue affecting one industry could spill over into another. Any number of risks could be germane to a company’s assumptions over its strategic planning horizon (e.g., another liquidity/credit crunch, a slowing Chinese economy, and disruptive threats to the business model from new technologies). High-impact, low likelihood risks such as a pandemic, a solar storm, infrastructure fragility and fiscally distressed cities may be relevant to the sustainability of the company’s business model.
- Use robust scenario analysis to evaluate management’s “view of the future” – Due to their longer-term nature, risks emerging from changes in the external environment may require an analysis of scenarios to understand fully their potential impact on the business model. Scenario planning can help management cope with uncertainty by surfacing the vital signs on which the company must focus. It blends the known with the unknown into a limited number of internally consistent views of the future spanning an appropriate range of possibilities. Scenario planning and stress testing help management challenge assumptions and expectations, address “what if” questions, and identify sensitive external environment factors that should be monitored for change over time. By deepening their understanding of the pain of the unexpected, management can identify when contingency plans are required and reinforce the need for flexibility, and even exit plans, in executing the strategy.
- Make sure your worst-case scenario is extreme enough – The Japanese supply chain disruption taught a valuable lesson about the use of singlesource suppliers. When it comes to physical phenomena (e.g., weather, earthquake, volcanic eruptions, flooding, etc.), arbitrary curtailments in the period used to gather empirical data supporting decision
models can be dangerous and create a false sense of security. Based on prior studies, the catastrophic Japanese tsunami was a 1,000-year event. Hurricanes Sandy and Katrina are other reminders that eventually the worst-case catastrophes can happen. The reality is that the worst case can happen anywhere on the planet. If a single-source supplier is in the wrong footprint, there will be consequences for its customers who lack a well-thought-out response plan.
- Look out far enough – Part of the challenge is thinking sufficiently long term. Earlier this year, the World Economic Forum (WEF) published its annual update on global risks.1 This study views risk through the lens of a 10-year horizon across five categories – economic, environmental, geopolitical, technological and societal. Among its findings, it reports:
- The risks of highest concern are fiscal crises in key economies, structurally high unemployment and underemployment, and water crises.
- The risks considered high impact and high likelihood are mostly environmental and economic. In addition to the three risks noted above in (1), they include: greater incidence of extreme weather events, failure of climate change mitigation and adaptation, and severe income disparity.
- The risks perceived to be most interconnected with other risks are macroeconomic in nature – fiscal crises, and structural unemployment and underemployment – and they are strongly linked to social issues, such as rising income inequality and political and social instability.
- The potential failure of global governance emerges as a central risk that is connected to many different issues.
While these threats may not have an immediate impact, they are nonetheless important considerations over the longer term. Companies and their boards should be thinking about the implications to the company’s business model of longer-term trends that reach beyond the longest time horizon considered by their strategy-setting and risk assessment processes. The WEF report provides useful insights in this regard.
- Pay attention to signs your strategy is on its last legs – An “early mover” is a firm that (a) quickly recognizes a unique opportunity or risk and (b) uses that knowledge to evaluate its options, either before anyone else or along with other firms that likewise recognize the significance of what’s developing in the marketplace and seize the initiative. Early movers to exit an obsolete strategy always end up in a better position because they have the advantage of time, with more decision-making options before the inevitable market shifts invalidate critical assumptions underlying the strategy. Timely identification of emerging risks can enable an organization to become an early mover.
- Watch out for risks embedded in the organization’s culture – Some emerging risks are like ticking time bombs. Sometimes, they are just waiting to erupt suddenly and dramatically without warning and, in essence, represent “hidden” risk exposures that could trigger unexpected and embarrassing surprises. As they are driven internally rather than externally, these risks are unique and often come as a result of behaviors and deficiencies deeply embedded within the culture. For example, deferred maintenance over the course of many years due to budgetary pressures can ultimately lead to a significant environmental and/or safety disaster. Today’s shortcuts on quality can trigger tomorrow’s product recalls, regulatory sanctions, challenges from the plaintiff’s bar and brand erosion. A culture that emphasizes cost and schedule considerations over prudent health and safety standards creates an unsustainable environment that will ultimately pay the price when the day of reckoning arrives. Management acceptance of a lack of segregation of authorization, execution and settlement activities creates exposure to a rogue trader engaging in unauthorized trading or speculation. Companies that fail to position their personnel structurally to escalate important issues, without fear of reprisals or repercussions on their compensation and careers, are exposed to executives at the highest levels losing touch with what is really happening in the business and its customer-facing processes. These and other deficiencies in the “tone of the organization” can spawn risks of which decision-makers are unaware. Strategic drift and changes in the organization’s structure, policies, processes and personnel can lead to subtle shifts in its culture over time that can create exposure to these embedded risks.
- Make sure someone owns your most critical emerging risks – Once an emerging risk has been identified, someone must own it so it can be tracked and evaluated as conditions change. Risk owners analyze external/macroeconomic trends, assess the likely direction of trends over time, and design effective risk measures to analyze the impact of emerging risks on the organization’s strategy and performance. If appropriate, a risk response should be incorporated into the strategy and/or business plan to address the risk. Risks that are inherent in the corporate strategy or a critical management decision may require revisiting of the risk/reward trade-offs underlying the strategy or decision.
Questions for Directors
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Is the board satisfied that management is periodically monitoring changes in the business environment to identify any impact on the assumptions and risks inherent in the corporate strategy? Are necessary changes to the strategy made in a timely manner in response to change?
- Does management periodically evaluate who within the organization may be in a position to take unreasonable risks? Are there lines of business that are generating unusual returns that no one outside the unit can really understand? Does management periodically evaluate whether the organization’s incentive compensation structure may lead to unacceptable risk-taking?
- Is the board apprised on a timely basis of significant changes in the enterprise’s risk profile? Is there a process for identifying emerging risks, including evaluating the effect of potential extreme events (socalled “black swan” events)? Does the exercise result in appropriate response plans on a timely basis?
Board Perspectives: Risk Oversight (Issue 55)