It’s difficult for the board to allocate time to discuss the “unthinkables” when management isn’t doing it. Below, we summarize practical principles for recognizing emerging risks and the importance of directors setting expectations of management to inform the board’s risk oversight process of these risks on a timely basis.
Emerging risks are triggered by unanticipated changes in the business environment and include potentially disruptive events of varying velocity ranging from catastrophic events (e.g., a tsunami, hurricane or terror attack) to realization of existing risks accelerated by external and/or internal factors over a longer period (e.g., a breakdown in the internal control environment or risk culture). They also may arise from dramatic shifts in the marketplace (e.g., customer preferences, competitors, technologies, regulatory requirements and/or economic conditions).
Emerging risks are important to boards that place high value on early warning, and occasionally looking around the corner keeps the risk dialogue with management evergreen.
Every organization needs effective processes that identify new and emerging risks as well as changes in existing risks. These risks are highly relevant to the board risk oversight process. Like a time bomb, they can be hidden from view deep within the organization’s processes, waiting to emerge suddenly and dramatically without warning.
For example, a flawed culture that is lax on environmental health and safety can lead to an incident that forces the enterprise’s leaders into damage control mode almost immediately. Or unknown (and known) product defects that create a public health hazard will eventually be exposed to the light of day in the public arena, and when they are, the company pays the price.
Emerging risks can be like a smoldering fire one can see and smell from afar before it erupts into uncontrollable flames; however, they may take months or even years to manifest themselves. For example, aging populations, growing income disparity and sustained underemployment have been unfolding for a long time. Unabated, they eventually will alter the social and political landscape and affect consumer demand for goods and services. It’s not a matter of if, but when.
The very nature of emerging risks and the uncertainty and lack of consensus as to their ultimate impact on the organization make it difficult for senior management and risk executives to assess their relevance and the appropriate enterprise response. Due to this lack of clarity, management may be reluctant to assign ownership of the risks.
These factors make it hard for management to decide what to communicate to directors, given the board’s crowded agenda. That said, considering emerging risks periodically in the context of the overall strategy keeps the enterprise’s risk profile and risk management dialogue fresh and focused with a forward-looking perspective.
Most companies engage in a periodic risk assessment exercise, typically on an annual basis. But the speed of change continues to escalate. Processes that are effective in identifying new and emerging risks between periodic risk assessments are essential to board risk oversight. Even if the identified emerging risks are not well-understood, the ensuing dialogue can increase risk awareness.
In the spirit of fostering that awareness and informing the risk oversight process, the following are principles for boards to consider with respect to how the organizations they oversee should identify and communicate emerging risks:
- Expect management to inform the board of emerging risks and trends relevant to the business model on a timely basis – Executive management and risk executives are responsible for communicating significant emerging risks and changes in critical enterprise risks to the board.
The timing and frequency of these communications are dictated by the severity of the risk’s impact on the organization, the velocity (or speed of onset) at which the risk impacts the organization and the uncertainty as to if and when the risk will manifest itself. The board should expect management to review, monitor and understand the most significant emerging risks and determine appropriate risk responses as the nature of the risks and their impact become clearer over time.
- Consider the effect of potential consequences of newly planned actions – When new strategic, research and development, mergers and acquisitions, and other initiatives and opportunity pursuits are undertaken, it is important that management understands their impact on the entity’s resources, infrastructure (policies, processes, people and systems) and culture, as well as on its existing activities designed to achieve other priority business objectives. In addition, the potential impact of the planned actions on customers, suppliers, regulators, competitors and other external parties should be considered.
In the real world, new decisions or planned actions are rarely isolated; therefore, an effective impact analysis should identify significant unintended consequences that may arise from them over time. For example, if new marketing channels were entered into and customer demand were to double, could the existing supply chain support that increased demand? If procurement decided to increase inventory levels of certain raw materials to meet expected higher demand and reduce cost per unit, do marketing, sales, engineering and production agree that the increased inventory will likely be used over a reasonable period? The point is, the board should expect a robust assessment of potential risks that could arise due to a particular decision or planned action, including how interrelationships among potential events can act as accelerants of emerging risk.
- Challenge critical assumptions using plausible and worst-case scenarios – Scenario analysis assesses the impact of one or more events on key business objectives with the intention of identifying opportunities and avoiding unacceptable losses and surprises. Management should assess relevant scenarios that could render invalid the critical assumptions underlying the business case and economic justification supporting proposed strategies, investments, acquisitions and other key decisions. This assessment informs the board’s risk oversight by positioning executives and directors to challenge the key assumptions that matter – not only at the point of decision-making, but also looking forward through ongoing monitoring activities over time.
With respect to worst-case scenarios, management and directors should ensure that those used are extreme enough. Low-likelihood risks such as a pandemic (an epidemic of infectious disease), infrastructure fragility (loss of the power grid) or the collapse of fiscally distressed countries or cities may be highly relevant to the company’s business model. The question is not “Can it happen?” but “What is the impact if it does happen, and how will we respond?” The worst case can happen anywhere on the planet. If a single-source supplier is in the geographical footprint where it does happen, there will be consequences for any customers who lack a well-thought-out response plan.
- Use key risk indicators (KRIs) to identify new and emerging risks or changes to existing risks – KRIs are qualitative or quantitative measures used to monitor risk and risk responses and facilitate risk reporting. While key performance indicators (KPIs) are generally retrospective in nature, KRIs are typically forward-looking lead metrics. When KRIs are focused on successful execution of the strategy, we have seen them used effectively in conjunction with board reporting. KRIs linked to the critical risks and assumptions underlying the strategy offer insightful intelligence on whether the strategy is performing as expected – and provide an early warning capability if it isn’t. Nothing good happens if critical strategic assumptions become invalid and neither management nor the board is aware of the change until it is too late.
- Look out far enough to spot emerging risks and developing game-changing megatrends – Today, we see evidence of transformational change on a number of fronts – the digital technology revolution that’s increasing interconnectedness of people and things and risk of cyberattacks, an aging population driven by declining fertility and increasing life expectancy, increased urbanization (resulting in new large markets), growing income disparity and sustained underemployment, environmental decline (e.g., quality of air, soil and water), increasing nationalist sentiment and geopolitical tensions in different regions, mass refugee migration amid rising terrorism threats, and other dynamics of change.
In the past, longer time horizons (say, 10 years) usually were needed to notice these risks. But today, many of these risks are becoming more imminent, with a wide-ranging impact for strategists, policy-makers and decision-makers in many businesses and industries to consider. Ignore them at the risk of an irrelevant strategy.
- Watch closely the threat landscape driving known critical enterprise risks – Regulatory, cybersecurity, economic, war for talent, identity and privacy, financial markets, and other top-of-mind issues pertinent to executive management and the board merit close attention to ascertain whether changes in these risks are occurring for the worse, leaving the organization in a vulnerable position. Risk metrics reported to the board for critical enterprise risks should focus on changes in the risk profile and whether such changes warrant an updated risk response.
Applying the above principles will help executive management and boards face the future with confidence through greater awareness of the risks that matter.
Questions for Boards
Following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
- Does the organization undertake a dynamic view of risk by considering the interrelationships among risks to identify game-changing risk themes germane to the company and its strategy?
- Is the board apprised in a timely manner of significant changes in the enterprise’s risk profile? Is there a process for identifying emerging risks, including potential “black swan” events? Does the exercise result in appropriate updates to response plans on a timely basis?
- Is the board satisfied that management is monitoring changes in the business environment to identify impacts on the critical assumptions and risks inherent in the corporate strategy? Are necessary updates to the strategy made in a timely manner to reflect changes in business realities?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the enterprise’s risks and the capabilities for managing those risks. We help organizations identify and prioritize their risks, including emerging risks that can impair their reputation, brand image and enterprise value.
Board Perspectives: Risk Oversight (Issue 79)