Tackling Emerging Risk and Disruption Through Enterprise Risk Management (ERM)
A recent IERP Tea Talk on Tackling Emerging Risk and Disruption through ERM started with a question: when does an emerging risk become a risk? On disruption, presenter Ramesh Pillai suggested that the best way to deal with it is to be the cause of it. That way, the disrupter will be in control, and ahead of the curve. “Try and do things differently,” Ramesh said. “Move boundaries before these are changed for us.” It was important for risk professionals to remain relevant, and ensure that the mission and objectives of their respective organisations were aligned to their core values; and for this, the right understanding of ERM was necessary to ensure that risks were appropriately managed.
“Risk management – ERM – is not about the identification of risk,” he stressed. “It’s about achieving organisational objectives and improving the quality of decision-making.” ERM is the overarching discipline through all of these things. Risk professionals need to have the right understanding of ERM before they can actually ensure that emerging risk and disruption are being tackled properly. Processes, policies, frameworks and procedures need to be in place. But what is emerging risk, and why should organisations be concerned about it? Risk management is, to a large extent, common sense. The challenge of ERM is dealing with culture and human beings.
“That’s the hard part with ERM,” he said. “How do you get by that? How do you tailor it to fit the culture of the organisation? The technical aspects are easy to understand.” He pointed out that the greatest challenge may lie in the large number of consultants who don’t understand risk management and advise people inappropriately, which may lead to confusion. Citing risk appetite as an example, he said that this had nothing to do with ERM but was related rather to operational risk management – but many people do not understand this. “This matters because it illustrates that ERM is not actually complex. It is only complex if you don’t understand it or are confused,” he stressed.
ERM needs to be simplified and taken back to its core, so that people can understand it. There needs to be structure when doing risk management; hence the need for a structure to deal with emerging risk, and the disruption that it brings, and how to utilise ERM accordingly. ERM is a strategic management tool, and if risk management is done properly, and embedded in the organisation, it will help achieve the organisation’s objectives; support successful strategic planning; and it will give proper reassurance to all stakeholders that the uncertainty in relation to the organisation’s objectives and all risks are being properly considered and managed.
Business is run by management which does not own its assets; management runs the business as fiduciaries for the shareholders. In addition, it is not the shareholders alone who create value, it is the stakeholders as well. “If you look at how companies are valued, a chunk of the valuation comes from intangibles like goodwill,” Ramesh said. “The goodwill element is actually attributed to by stakeholders. So in today’s environment, when we talk about emerging risks, we have to take into account the considerations of stakeholders as well. Integrating risk management into strategic planning will result in the better identification of the obstacles to achieving objectives and creating and protecting value.”
In order to identify opportunities, you need to manage risks. Opportunity arises because of the way the risk is managed. “The world does not stand still for any organisation,” he continued. “Companies which will succeed are those that have processes ready to respond to changes. These companies are likely to be highly resilient.” The world of risk management is continuously evolving and adapting to change but the challenge is that risk managers do not change. “They seem to believe or understand that their role is administrative,” he remarked. “But it’s not. A risk manager is actually a strategic manager, at the end of the day.”
A lot of risk managers, and companies, do not see this. They find that the risk management teams do not add value. But if the risk management team does not show the value that it adds, the company cannot be expected to understand the value of the risk management team. It can do this by contributing to performance, strategies or strategic alignments and achievements. The team’s contribution stems from the process of identifying the impediments to achieving the organisation’s objectives. But why is there a need to manage emerging risks differently from the usual risks of the business?
“When you are dealing with emerging risks, there tends to be a general atmosphere of fear or mystique around what exactly an emerging risk is,” he said. “This makes us feel uncomfortable. Generally speaking, when talking about emerging risk, there is often little or no data on which to base your risk response or mitigation. Emerging risks therefore may appear more challenging to identify, assess and manage.” There are many different tools and techniques that can be used, but for firms to perform successfully and be resilient they each need to have their own appropriate approach for managing it.
But what exactly is an emerging risk? It is defined as a risk that is evolving in areas and ways where the body of available knowledge is weak. Emerging risks have characteristics which differentiate them from other risks. Using the Covid-19 pandemic as an example, “Emerging risks may arise and evolve quickly, unexpectedly – or both,” he continued. “Even though you may have anticipated them, they may not happen at all.” Emerging risks themselves are ambiguous and difficult to define. Experts recognised that a pandemic was likely but actually had no clue as to how to describe it; or when or if the event would occur, before it occurred.
The world’s last experience of a pandemic was the Spanish Flu, more than a century earlier. Emerging risks are always changing; the situation is chaotic. The main issue at one point was whether to protect lives or livelihoods but as time went on, it was realised that while lives were being protected, livelihoods were being killed off. The pandemic affected so many aspects simultaneously – lives, livelihoods, working patterns, mental health – while the time horizon changed rapidly, and variants appeared to further complicate matters. “Another characteristic is that emerging risk is uncertain,” Ramesh said.
“Because of the lack of knowledge about what emerging risk will become, and how it will play out, it is difficult to consider it with any level of uncertainty. Emerging risks are often external to the organisation, and outside direct control. The need to adapt and respond, rather than to control, is critical.” A final characteristic of emerging risk is its volatility. There can be significant changes in the risk within a short period. With the Covid-19 pandemic, there was a great deal of criticism of how the government was handling the situation but no government could really determine what course of action to take because it was an entirely new situation.
What constitutes an emerging risk? Any emerging risk may cause a massive economic loss on a macro level for society, which will subsequently impact everyone. There are generally three categories of emerging risks: new risk in a known context, such as a regulation which will change soon. Secondly, an emerging risk may be a known risk in a new context, such as a charity which decides to diversify its activity. Thirdly, an emerging risk may be a new risk in a new context – the risk was not even considered because it is completely new to the organisation. “Emerging risks may also be difficult to manage because the assignment of risk ownership can be complex and unclear,” clarified Ramesh.
What organisations can do is translate the vagueness of an emerging risk into an organisational risk which the organisation’s teams are familiar with. This makes it easier to drive the action to tackle the risk as this will redistribute the responsibility among the appropriate levels within the organisation. “This allows you to bring it down to an operational level and assign responsibility for managing it,” explained Ramesh. “Following through and preparing for emerging risks, not just identifying them, can make the organisation more resilient and confident in all the uncertainty that it faces, and allow it to adapt successfully.”
He added that many organisations identify emerging risks – and stop there. But they should prepare for it, he said. “If it doesn’t transpire, it doesn’t matter; but prepare for it – if it does transpire or become more realised, you’re ready to deal with it. That’s what risk management is all about,” he stressed. Organisations should be concerned with emerging risks because it enables them to build and maintain resilience. ERM provides that structure, and enables firms to thrive even in uncertain times. How emerging risks are identified and managed, and how the firm identifies and deals with disruption, are how its sustainability will be determined.
Resilience and sustainability will enable the firm to anticipate possible adverse scenarios or events, prepare for them, withstand or absorb their impacts, recover from the effects, and adapt to the changing conditions. “You may not be able to avoid it so prepare for it,” he said. “Sometimes risk cannot be avoided; you just have to deal with it.” Resilience can also help organisations respond to opportunities which arise, and make prompt, informed decisions. But with all these advantages to managing emerging risks, why do organisations avoid tackling emerging risks? “It is often very difficult, or even impossible, to quantify likelihood and impacts, let alone velocity, with any level of certainty, for emerging risks,” he said.
The ambiguous characteristics of emerging risks and the lack of information to understand them, make it difficult to take decisions on any level. Historically, many organisations have tended to sideline emerging risks, putting them in the “Too Difficult” bucket because emerging risks tend to sit in the low-likelihood, high-impact arena, and fall beyond the short-term objectives of the organisation. Emerging risks have longer-term impacts and because of this, they tend to be deemed low-likelihood and thus do not command the kind of attention that other risks do. If senior management and the board are inexperienced in strategic planning and risk discussions, this could present an additional challenge.
Ramesh also addressed the question of who should be involved in the emerging risk process. In short, everyone; the board, senior management and more critically – to have more robust discussions on this – all relevant stakeholders should be invested in it. Three techniques he recommended for identifying emerging risks were PESTLE analysis, SWOT analysis and Horizon Scanning. These are strategic management tools which are simultaneously ERM tools as well, in the right hands that know how to utilise them. Organisations need not use all three; they need to use only whichever tool they feel works best in their respective situations.
“PESTLE also provides you with a structure for Horizon Scanning as well,” he said. “It allows you to compartmentalise your thinking about potential emerging risks within each of the PESTLE categories. It allows for broader thinking.” The most relevant stakeholders, professional advisers and any other resources available to provide additional external insights that the organisation’s teams may not be able to provide. Pointing out differences between SWOT and PESTLE, he said that PESTLE deals mainly with external factors while SWOT looks at external factors and does further analysis. The SWOT analysis is simple and recognisable, and supports the identification of risks.
This provides a broader perspective of factors that could affect strategy; it assists in developing a strong understanding of the impact of what could be done to minimise adverse effects and maximise potential opportunities. Completing a PESTLE analysis is generally helpful prior to completing a SWOT analysis. These provide two different perspectives but can reveal common factors. With SWOT, as with PESTLE, relevant stakeholders are brought together to capture insights on various areas such as environmental or legal considerations. “What you need to do is to ensure that you have the right stakeholders involved,” he said. “That is really critical.”
Horizon Scanning, he said, was a technique used to identify a range of potential issues and risks that could impact the organisation in the future as a result of the complex and connected world in which it operates. “The definition of Horizon Scanning is a systematic examination of information to identify potential threats, risks, emerging issues and opportunities,” he said. “It can help you foresee and examine these immediately, ahead of the organisation, within specific time frames – short, medium or longer term.” Thus, Horizon Scanning can deepen the organisation’s understanding of the driving forces affecting future policy and strategy.
This will include clarification of some of the difficult policy and strategy choices and trade-offs, as well as the consensus among stakeholders on what the critical issues are, and how to tackle them; identify gaps in understanding of risk areas for research; or even to better understand driving forces. All of this will help create a new strategic approach that is resilient because it will be adaptable to changing external conditions. Like PESTLE and SWOT, Horizon Scanning needs to involve key stakeholders who work to an agreed timeline in small groups or as individuals. “What is important is to have a good understanding, in practical terms, of what companies see as emerging risks,” advised Ramesh.
He highlighted a few emerging risks that companies have identified in today’s environment. These include climate disaster/climate change; artificial intelligence (AI); 5G and the Internet of Things (IoT); new political landscapes; microservices; cyber crime; politics; the future of finance; urban migration and city living; quantum devices/computers; reputational risk and intangibles. “You need to think about how these things can affect you,” he said. These emerging risks have the potential to affect everyone. They are difficult to avoid but organisations can try to anticipate them, and deal with them more positively.
It is hoped that in the future, all organisations will collaborate to share best practices in order to make emerging risk identification more manageable in terms of resources available, and in terms of delivering higher levels of analysis and insights than any single organisation can achieve on its own. “Together we either die, or together we succeed,” concluded Ramesh. “If we help each other in terms of trying to identify critical emerging risks, we’re building a sustainable, resilient ecosystem which really benefits everyone, regardless. So we can compete and help each other out.”