The ongoing COVID-19 pandemic has moved the discussions and efforts on risk management up the priority list for businesses around the world, compelling them to rethink their strategies. Focus on proactive identification and preparedness for the Unknown Unknowns is now more necessary than ever. A key lesson from the current crisis is that low-frequency, high-severity events can occur at any time. The looming question, therefore, is which other such events are on the horizon and how prepared are we to manage them?
The risk landscape is continuously evolving and becoming increasingly tangled due to various technological, geopolitical, environmental, economic, and other factors, and their growing interdependencies. As such, organizations are now witnessing a rapidly changing risk profile, which not only warrants a quick response but also a better understanding of risk relationships and interconnectivity. To better tackle these evolving risks, organizations need to go beyond the conventional risk identification and mitigation measures and cultivate a culture of risk awareness—which will require a change in the very mindset of the employees. A proactive approach to educating the employees on emerging risks and encouraging knowledge sharing would help an organization improve its risk visibility and preparedness. The objective is to ultimately become a future-ready organization—one that is always on the front foot to deal with any incipient risk or challenge while ensuring efficient business operations. This future-readiness is an ongoing process and requires an integrated and agile enterprise risk management (ERM) framework.
One of the key elements of an effective ERM framework is identifying emerging risks. In its Global Risk Report 20201, published in January this year, the World Economic Forum (WEF) has classified global risks into five categories:
• Economic, which includes risks such as asset bubbles, fiscal crisis, financial failure, etc.
• Environmental, which includes factors such as climate action failure, extreme weather, loss of biodiversity, etc.
• Geopolitical, which includes risk posed by weapons of mass destruction, global governance failure, and interstate conflict, among others.
• Societal, which includes risks of infectious diseases, food crisis, water crisis, failure of urban planning, and other such factors.
• Technological, which includes risks stemming from cyberattacks, data fraud or theft, information infrastructure breakdown, and adverse technological advances.
These categories are largely comprised of external risks, which require scenario planning and stress testing to ensure an organization’s resilience to withstand such risk events. Risk managers, however, have to also take into account internal risks that are driven by human, technical, or physical factors. Internal risks are usually considered2 predictable and preventable.
In the wake of the coronavirus pandemic and the subsequent lockdown measures by governments, the global economy has taken a massive hit. The World Bank3 expects the global economy to shrink by 5.2% this year, which it says would represent “the deepest recession since the Second World War.” The crisis has not only brought about a paradigm shift in the way enterprises operate but also considerably altered their risk profile, affecting both financial and non-financial risk exposures. Businesses are reeling under the pressures of falling revenue, supply chain disruptions, and ensuring compliance with social distancing, reduced workforce, and other regulatory guidelines. In addition, the health and safety of employees have become the prime concern for organizations – not just physical wellbeing but mental wellbeing as well. The roles and responsibilities of risk managers, which principally include risk identification, reporting, and assessment, have considerably expanded to encompass several areas, including customer/client experience, employee relationships and wellbeing, business continuity, data security and confidentiality, brand name and reputation, regulatory compliance and more. Risk Leaders: Key Challenges and Expanding Role In addition, there is a growing demand from various stakeholders — C-level executives, clients, investors, regulators, and others — to be apprised of the various risks that a company is exposed to and planned mitigation measures, in a timely manner. A standardized risk taxonomy and a common risk register will help risk leaders ensure timely risk reporting in a consolidated and simplified manner. While the primary area of focus right now is withstanding the adverse effects of the pandemic, risk managers should not lose oversight of other potential risks while rethinking the risk management framework.
For the past decade, ERM has been largely viewed by organizations as a mere checkbox exercise. But the pandemic has underscored the importance of ERM, particularly the need for an agile and evolving approach to ERM which would ensure quick response to emerging risks — the benefits of which will not just help to cope with the current crisis but extend far beyond.
An ERM framework supported by the top management and leadership will help to set the tone throughout an organization. For this top-down approach to be effective, it is important to consider risk as an integral part of strategic business decisions, ensuring a coordinated and collaborative approach towards risk management. More often than not different executives and departments have different perspectives. To achieve a consensus then could be a daunting task. This could be overcome by facilitating discussions and ensuring better communication to provide better clarity on risk appetite, priorities, and accountability
A deliberate effort should be made to ensure that the risk program is in line with organizational goals and strategies, both in the short and long term. As business priorities and strategies change over time due to internal and external factors, it is imperative that the ERM program is regularly reviewed and updated to take into account these changes. This approach of routinely updating risk program will help ensure its relevancy, improve the risk appetite of an organization and enable it to make well-informed and timely decisions.
An integrated ERM framework that connects people, data and systems, as opposed to disparate risk programs, will help eliminate siloed processes and redundancies while improving overall efficiency. Integrating business continuity within the risk framework has become critical for organizations to truly overcome the challenges of emerging risks. A robust integrated risk program backed by technology will help establish a common risk taxonomy as well as other foundational elements and ensure improved collaboration across an organization. Risk, compliance, cybersecurity, third party, and business continuity teams need to be tied together to draw relevant data and insight.
In the context of the risks that an organization is exposed to, improving the peripheral view implies developing the capability to identify risk trends and signals which could seem feeble at the moment but could morph into something significant in the future. To build this capability, organizations need to implement risk monitoring strategy, tap into internal and external data for intelligent risk insight, and include risk awareness as a key element in the three lines of defense4. Risk assessments based only on current and historical data will provide an incomplete picture. It needs to be complemented with information on upcoming trends in the market, industry, economy, and the world at large. By encouraging employees to be cognizant of current and future risks, organizations will be able to proactively identify emerging risks and devise appropriate mitigation measures.
By adopting cognitive technologies, artificial intelligence, and data analytics, together with smart tools and apps, organizations can considerably simplify the process of consolidating risk-related data, understand their risk exposure, and respond quickly with proper mitigation measures. Automating risk management systems can engender several benefits such as better preparedness for risk events and timely and quantifiable insights for effective decisionmaking. Furthermore, there is a growing call5 among industry experts to establish risk appetite frameworks in organizations. A well-integrated risk appetite framework will enable organizations to better understand risk/reward trade-offs, comprehend risk exposure and undertake certain risks in a calculated manner, and enhance overall transparency for various stakeholders
The COVID-19 pandemic could be said to have been a much-required wakeup call for organizations to re-evaluate their approach towards ERM. The lessons learned from this experience are definitely going to help them better equip and prepare themselves for the future. A key takeaway has been that ERM is an ongoing process. The traditional approach of carrying out ERM processes once or twice a year has been proven largely ineffective. Also, automated ERM systems can help dramatically reduce response time to unforeseen risk events and, therefore, businesses should not shy away from embracing emerging technologies such as AI and machine learning. Importantly, organizations should encourage a risk awareness culture, make risk monitoring an inherent business process, and complement the ERM program with external information