Drive a Connected GRC Program for Improved Agility, Performance, and Resilience
Power Business Performance and Resilience
Discover ConnectedGRC Solutions for Enterprise and Operational Resilience
Explore What Makes MetricStream the Right Choice for Our Customers
Discover How Our Collaborative Partnerships Drive Innovation and Success
Find Everything You Need to Build Your GRC Journey and Thrive on Risk
Learn about our mission, vision, and core values
Establish a robust risk management framework, formulate policies, and improve business processes to build a truly risk intelligent enterprise.
Being risk intelligent is probably the utopia for most organizations, as it quite often requires you to constantly determine your organization’s top risks and accordingly modify your risk management strategies. Knowing what risks you can and should take, and what risks to keep at bay are vitally important to your organization’s health and value. According to Deloitte, an organization’s “value killers” are those risks with a high impact but often low frequency. These are risks that are correlated or interdependent, causing a domino effect on your organization.
Further studies have shown that out of 4 risk categories strategic risks, operational risks, legal and compliance risks, and financial risks - strategic risks have a greater impact on an organization’s stock price than the other more easily auditable risks. Within the “strategic risk” category, those with the highest negative impact are product risks, M&A risks, and competitive risks.
If you have already checked off a few of these risks on this list, you would need to take serious action to find out just how much value these are risks are eating away, and what are the possible strategies you could employ to keep them in check.
Donald Rumsfeld, U.S. Sec of Defense (2002), baffled everyone when he said: “There are known knowns. These are things that we know that we know. There are known unknowns. That is to say, there are things we know we don’t know, but there are also unknown unknowns. These are things we don’t know we don’t know.”
This does, of course, stands true when we talk “risk”. We never know what is coming around the corner at us and, at the very best, we can prepare for possible, predictable outcomes. Needless to say, managing emerging risks is critical to delivering a successful risk management strategy.
So what are emerging risks? Simply put, they are those risks that come with a high degree of uncertainty, making it difficult to predict where they would land on the loss curve. Additionally, because they are difficult to predict, they come with a degree of “uncertain relevance”: if you cannot predict it, how do you prepare for it and why give it so much importance? This gives rise to a host of other problems: how do you get a consensus on tackling emerging risks? How do you communicate its relevance, assign ownership, and identify and prepare for associated systemic or business practice issues?
This information can then be assessed in your emerging risk report, citing trends and events, as well as their implications for your organization. Based on this, you can establish KRIs, owners, risk mitigation plans, threshold warnings, scenarios, and monitoring mechanisms.
Most “insurable” risks are those that are of a high frequency but low or moderate impact. Most strategic and emerging risks are, however, of high impact and low frequency, and those are the ones that do the most damage - often hailed as “black swan” events. While not necessarily negative in their impact, black swan events, typically unexpected and random, are those that take you away from the norm, causing disruption or an unexpected situation to your business. Nicholas Taleb, the author of “The Black Swan: The Impact of the Highly Improbable” writes: “. . . the world in which we live has an increasing number of feedback loops, causing events to be the cause of more events (say, people buy a book because other people bought it), thus generating snowballs and arbitrary and unpredictable planetwide winner-take-all effects.”
The challenge for all organizations is to figure out how to manage these risks and where to focus risk management along the loss curve. How far out to where the black sawn lives should you look at, and where should you stop? Of course, many of these questions can be answered when you assess your risk appetite and risk tolerance.
There are two possible ways to develop an effective risk appetite strategy. One way is to keep asking yourself several questions while identifying your organization’s capacity to take on the risks.
This introspection needn’t take on a quantitative approach, although quantitative aspects can certainly be added. To get your strategy off the ground, you would need to ask these questions to the right stakeholders - going all the way up to the board. Once you have the answers, you are in a much better position to figure out how big a gap you need to bridge to succeed without taking more risks. This might require you to modify your existing strategies and/or exposures.
Another way to look at this is through the military-coined phrase “a VUCA world”, an acronym that stands for volatile, uncertain, complex, and ambiguous. Depending on how situations unfold, a VUCA world demands that you be able to anticipate the unexpected, adapt to changing conditions, maneuver through obstacles, be decisive on critical issues, and be ready to change strategies with limited information.
A “risk intelligent” organization should focus their risk management strategies on decision-making. You should be able to use this intelligence to take action, and make strategic decisions which align with your business goals and objectives. Moreover, employees need to be enabled to conform to your enterprise risk management strategy, thereby ensuring that risk is everyone’s job. The steps towards building a risk intelligence enterprise would include:
Often, especially now with so many changes taking place, businesses need leaders who need to plan and be ready for the change and the ambiguity that comes with it. While some might think that emerging and strategic risks have little or no part to play in the actual running of their business, it is impossible to stay completely indifferent to the exposure they might bring in. As a response to these forecasts, anticipation and preparation is vital. Your risk management strategy should involve collaboration among the leaders in your organization, to ensure that risks are mapped to business objectives, and the risk management process ties in to your overall corporate business strategy. This is indeed the secret to building a truly risk intelligence enterprise.
Subscribe for Latest Updates
Subscribe Now