Establish a robust risk management framework, formulate policies, and improve business processes to build a truly risk intelligent enterprise.
- Knowing What Risks to Take and How to Manage Them Intelligently
- Emerging Risks and Their Impact On Your Overall Risk Management Strategy
- Managing Black Swan Events: The Loss Curve as a Guide to Manage Risk
- Developing a Risk Appetite Strategy
- Building a Risk-Intelligent Enterprise
Knowing What Risks to Take and How to Manage Them Intelligently
Being risk intelligent is probably the utopia for most organizations, as it quite often requires you to constantly determine your organization’s top risks and accordingly modify your risk management strategies. Knowing what risks you can and should take, and what risks to keep at bay, is vitally important to your organization’s health and value. According to Deloitte, an organization’s “value killers” are those risks with a high impact but often low frequency. These are risks that are correlated or interdependent, causing a domino effect on your organization.
Further studies have shown that out of 4 risk categories - strategic risks, operational risks, legal and compliance risks, and financial risks - strategic risks have a greater impact on an organization’s stock price than the other more easily auditable risks. Within the “strategic risk” category, those with the highest negative impact are product risks, M&A risks, and competitive risks.
If you have already checked off a few of the risks on this list, you would need to take serious action to find out just how much value these risks are eating away, and what possible strategies you could employ to keep them in check.
Strategic risks are difficult to quantify, define, and manage, and often end up in the emerging risk category. When it comes to strategic and emerging risks, there are some key questions to consider:
- What is the effect of these risks, and how can you effectively manage them?
- What are they and where do they come from?
- What are the processes you need to tweak within your risk management strategy to account for strategic or emerging risks?
Emerging Risks and Their Impact On Your Overall Risk Management Strategy
Donald Rumsfeld, U.S. Secretary of Defense (2002), baffled everyone when he said: “There are known knowns. These are things that we know that we know. There are known unknowns. That is to say, there are things we know we don’t know, but there are also unknown unknowns. These are things we don’t know we don’t know.”
This does, of course, hold true when we talk “risk”. We never know what is coming around the corner at us and, at the very best, we can prepare for possible, predictable outcomes. Needless to say, managing emerging risks is critical to delivering a successful risk management strategy.
So what are emerging risks? Simply put, they are those risks that come with a high degree of uncertainty, making it difficult to predict where they would land on the loss curve. Additionally, because they are difficult to predict, they come with a degree of “uncertain relevance”: if you cannot predict it, how do you prepare for it and why give it so much importance? This gives rise to a host of other problems: how do you get a consensus on tackling emerging risks? How do you communicate their relevance, assign ownership, and identify and prepare for associated systemic or business practice issues?
Deciding on what emerging risks you need to focus on depends on how well you scan your external environment. That information then needs to be checked off according to its:
- Level of uncertainty
This information can then be assessed in your emerging risk report, citing trends and events, as well as their implications for your organization. Based on this, you can establish KRIs, owners, risk mitigation plans, threshold warnings, scenarios, and monitoring mechanisms.
In order to do this, you need a strategy to tackle the unknown, and prepare for the potential black swan event:
- Establish a specific process to uncover the poorly understood threats to your business. This should also be translated into common business terms to relate to your audience and stakeholders.
- Bring key stakeholders together to address these risks efficiently and sensibly. Whether they are the risk and control owners, or regulatory bodies, it’s important to get their understanding of these risks, and determine which emerging risks would need greater focus.
- Facilitate the drive for consensus among contributors on scenario planning. Scenario planning is probably the best way to make possibilities real and to arrive at real strategies to counter possible negative impacts. However, driving a consensus on emerging risks is difficult because you could come up with multiple scenarios and you would need to come to a common ground on which scenario(s) you need to focus on and how.
- Review and eliminate or defer low-relevance risks. Because organizations are often grappling with resource constraints, efforts can be concentrated only on those risks that have relatively high relevance and probability.
- Leverage emerging risk processes for competitive advantage. If you have an emerging risk process, you probably have by default some element of competitive advantage. That will be decreasingly so as more people realize this.
- Bring forward and highlight risks that lend themselves to exploitation. When you look at how risks can be turned into opportunity, emerging risks can present a means to grow and innovate.
Managing Black Swan Events: The Loss Curve as a Guide to Manage Risk
Most “insurable” risks are those that are of a high frequency but low or moderate impact. Most strategic and emerging risks are, however, of high impact and low frequency, and those are the ones that do the most damage - often hailed as “black swan” events. While not necessarily negative in their impact, black swan events, typically unexpected and random, are those that take you away from the norm, causing disruption or an unexpected situation for your business. Nicholas Taleb, the author of “The Black Swan: The Impact of the Highly Improbable”, writes: “. . . the world in which we live has an increasing number of feedback loops, causing events to be the cause of more events (say, people buy a book because other people bought it), thus generating snowballs and arbitrary and unpredictable planetwide winner-take-all effects.”
The challenge for all organizations is to figure out how to manage these risks and where to focus risk management along the loss curve. How far out toward where the black swan lives should you look, and where should you stop? Of course, many of these questions can be answered when you assess your risk appetite and risk tolerance.
Developing a Risk Appetite Strategy
There are two possible ways to develop an effective risk appetite strategy. One way is to keep asking yourself several questions while identifying your organization’s capacity to take on the risks.
- How much risk are we taking? (And how do we measure this?)
- How much risk can we take? (This refers to our risk tolerance)
- How much risk do we prefer to take? (This refers to our risk appetite)
- How much risk do we need to take to reach our strategic goals?
- Which risks do we want to take and which risks are unacceptable and why?
This introspection needn’t take on a quantitative approach, although quantitative aspects can certainly be added. To get your strategy off the ground, you would need to ask these questions to the right stakeholders - going all the way up to the board. Once you have the answers, you are in a much better position to figure out how big a gap you need to bridge to succeed without taking more risks. This might require you to modify your existing strategies and/or exposures.
Taking risks from a VUCA standpoint:
Another way to look at this is through the military-coined phrase “a VUCA world”, an acronym that stands for volatile, uncertain, complex, and ambiguous. Depending on how situations unfold, a VUCA world demands that you be able to anticipate the unexpected, adapt to changing conditions, maneuver through obstacles, be decisive on critical issues, and be ready to change strategies with limited information.
Building a Risk-Intelligent Enterprise
A “risk intelligent” organization should focus its risk management strategies on decision-making. You should be able to use this intelligence to take action, and make strategic decisions which align with your business goals and objectives. Moreover, employees need to be enabled to conform to your enterprise risk management strategy, thereby ensuring that risk is everyone’s job. The steps towards building a risk-intelligent enterprise would include:
- Establishing a framework, policy, and process to assess and manage risks
- Identifying key risks and vulnerabilities, as well as the plans needed to address them
- Assessing where risks could have a significant impact on the organizational value
- Establishing a risk appetite statement in alignment with your business objectives
- Deciding those who have the authority to take risks and holding them accountable
Often, especially now with so many changes taking place, businesses need leaders who plan and are ready for the change and the ambiguity that comes with it. While some might think that emerging and strategic risks have little or no part to play in the actual running of their business, it is impossible to stay completely indifferent to the exposure they might bring in. As a response to these forecasts, anticipation and preparation are vital. Your risk management strategy should involve collaboration among the leaders in your organization, to ensure that risks are mapped to business objectives, and the risk management process ties in to your overall corporate business strategy. This is indeed the secret to building a truly risk-intelligent enterprise.