Conducting Forward-Looking Risk Assessments
IERP Chairman Ramesh Pillai’s recent presentation on Conducting Forward-Looking Risk Assessments was part of a PETRONAS in-house event which focused on Sharing of Risk Profiling Best Practices. Beginning with the Institute’s definition of sustainability, he said it was a proactive approach to ensure the long-term viability, resilience and integrity of the business by optimising resource needs; reducing environmental, energy or social impacts; and managing resources while not compromising profitability. It requires thinking broadly about issues and impacts; engaging and partnering with stakeholders; and connecting and integrating sustainability across and within the business.
Applying these measures helps the organisation to think broadly about value. He also comprehensively covered the definition of Risk in his presentation. ISO 31000 defines Risk as the effect of uncertainty on objectives; thus, the definition of risk is most easily applied when the organisation’s objectives are comprehensive and fully stated. The objectives themselves should be challenged, and the assumptions on which they are based should be tested.
This is a critical part of the risk management process. Addressing the issue of why organisations should adopt a forward-looking risk assessment approach, he said that while traditional risk management focuses on supporting an organisation’s efforts to achieve its objectives, tackling emerging risks can enable the organisation to build and maintain resilience. The process of doing so will go a long way in helping it to survive and thrive in uncertain times. Organisational resilience is critical as it enables the organisation to anticipate possible adverse scenarios or events, prepare for them, absorb impacts, recover and adapt to changing conditions.
Besides all this, a resilient organisation responds and adapts more effectively and promptly to opportunities. It makes informed decisions more confidently as well. Identifying the board’s oversight role and senior management’s responsibility to regularly review and assess the risks faced by their organisation, and plan for the effective management of such risks, he said that bringing in external experts could also be beneficial, particularly in helping the organisation to identify such risks. Experts in particular fields/issues being considered or representatives of relevant professional organisations could effectively fit the bill. He cautioned, however, that such conversations tended not to be easy but were essential nevertheless.
Speaking about the techniques applied in forward-looking risk assessments, he covered PESTLE Analysis, SWOT Analysis, Scenario Analysis, and Horizon Scanning. PESTLE Analysis (the acronym stands for Political, Economic, Social, Technological, Legal and Environmental) is used to identify external factors in these categories. It helps the organisation think about potential emerging risks and provides structure to the thought and analytical processes. He detailed the steps and processes involved, and advised that where the firm cannot bring together a wide range of stakeholders, it should bring together the most relevant ones that include professional advisors and other resources.
“The good thing about bringing external people into your analysis is that they will provide you with external insights that you may not have considered,” he said. “We can sometimes be blinkered to a certain extent in our own organisations. Maybe they will raise what, on the face of it, you initially consider irrelevant but it may give rise to good ideas and thoughts going forward.” Identifying SWOT Analysis as something the audience was probably more familiar with, he said that it helps the organisation understand its strengths, weaknesses, opportunities and threats. SWOT Analysis is a useful framework for thinking about PESTLE factors.
Strengths and weaknesses are internal; opportunities and threats are external. “SWOT and PESTLE approach the problem from different perspectives,” he said. “You can combine them, depending on how sophisticated the analysis needs to be, how much time you have for the analysis, and how strong the organisation’s resources are, in terms of doing this.” Cautioning the audience not to fall victim to ‘Analysis Paralysis,’ he said that those applying such frameworks should not get bogged down with the analysis. “The whole point of risk management is not to analyse too long or deeply, but to get to a point in time where the best decision can be made, given the constraints.”
Explaining the next technique, horizon scanning, he said this was used to identify potential threats, risks, emerging issues and opportunities. This helps the organisation foresee and examine risks immediately ahead, within timeframes. “All risk reports should automatically contain horizon scanning,” he said. “In its simplest format, it discusses (for instance) the political situation, developing scenarios, geopolitical issues or the stagflationary impact in countries around the world. You determine how far you want to look, and how the issues will affect your organisation. The minute you look at the horizon, it’s automatically a forward-looking assessment.”
The benefits of horizon scanning include deepening the organisation’s understanding of the forces driving policy and strategy; helping to build consensus among its stakeholders about issues and mobilising them for action; identifying and clarifying difficult future trade-offs in policy or strategy choices; and creating resilient strategy that is adaptable to changing external conditions. The fourth technique, Scenario Analysis, can be applied when considering potential sources of significant operational risk, and the need for additional risk management tools or mitigation solutions. It seeks opinions of business line and risk managers to identify risk events and assess their potential outcome.
Ramesh’s comprehensive overview covered the procedure for scenario analysis, how to determine which scenarios are relevant to the organisation, and how the scenario data that comes from the correct procedure can provide a forward-looking view of potential risk exposures. “Scenario analysis is usually considered in situations where events are low-frequency but high-severity,” he explained. Giving real-life examples from his own experiences, he described how scenario analysis was applied successfully. Identifying two major considerations when applying scenario analysis, he said that users must, firstly, be careful about biases, and secondly, make sure that they have a robust framework.
“One of the things I tend to do when I sit on Boards and chair Board committees is a ‘deep dive’ – where the Head of Department presents the strategy and objectives of the division or department to the risk management committee,” he said. “I want the Head of Department to tell the board how they are doing, what they are doing and why and what challenges they face; if they can do better; what support they need, and what is holding them back. What I am asking them about is risk. I want them to talk about the roadblocks. As risk professionals, we should be mitigating the cause, not the effects. I also use stress-testing – pulling all the details and data together, then asking the ‘What If?’ questions.”
He followed up with several examples to illustrate ‘What If Analysis’ – i.e., how everything is connected, and can impact the business. The whole point of doing forward-looking risk assessment, he said, was to ensure proper business and commercial sustainability. Concluding that this is what businesses should already be doing, he said that the reality was that many organisations were still at a very basic academic or operational risk phase and did not understand the need for such measures. Organisations usually have underlying cultural and competency issues that need to be addressed but “competency issues can be fixed; cultural issues are a bit harder to address, at the end of the day.”