The concept of 'emerging risks' is not new. It has been considered for years by various industry and public sector bodies and NGOs, and emerging risks have been explicitly analysed by a number of organisations across a range of sectors, particularly those that need to take a longer-term view of risk due to their investment timelines and asset lifecycles, such as insurance, extractives and the military, to name a few.
In recent years it has received more general attention by Boards in light of, for example, the continuing evolution of technology and environmental concerns, and increasingly by regulators such as the UK’s Financial Reporting Council (FRC) which has made updates to the UK Corporate Governance Code to include emerging risk provisions.
In this blog we discuss several questions we commonly hear from clients on how to practically approach emerging risk management, including how to define, analyse and report outputs. As with many aspects of risk management, there are no definitive right or wrong answers, so we invite discussion and perspectives on what we outline.
What is an 'emerging' risk?
A quick search on Google will throw up many definitions for 'emerging risk' (we have our own too!). Common motifs include that they are generally longer-term in nature, linked to developing global trends of various flavours, and characterised by a high degree of uncertainty, which makes it hard to predict with any specificity how and when they might manifest and the impacts they could have on an organisation, although these are likely to be significant.
From an Enterprise Risk Management (ERM) system perspective this typically means that emerging risks are risks that are or can be recognised but there is currently insufficient information or experience with them to know how they will play out (there may be a range of plausible models for this). Therefore in practice they cannot be accurately quantified, nor have specific controls applied other than watching brief activities e.g. ongoing analysis and monitoring (noting that strategic changes could also be a management option).
They often will not fall within typical enterprise risk timelines either, which usually align with strategic planning horizons and have a clear link to current strategy. Nor are they classified (obviously) as day-to-day or ‘burning issue’ type risks (excusing the technical error of calling an issue a risk), as these are shorter-term and more certain in terms of potential outcome and likelihood.
Sources of emerging risk often include the usual suspects: technological, societal, geopolitical / economic, environmental and legislative changes and developments, with future trend and scenario analysis techniques frequently deployed to inform emerging risk identification and management strategies if appropriately contextualised to the organisation.
Are ‘Black Swans’ emerging risks?
Not in our view. Nassim Taleb defines black swans as outliers that are beyond normal expectations as nothing in the past can point to their possibility, yet are extremely impactful when they do occur, and which appear to be more predictable in hindsight than they actually were (for example the 2008 financial crisis). We see black swans as closer in concept to 'unknown unknowns', as made famous in Donald Rumsfeld’s speech; events that are not predictable and come as a surprise to the observer. Emerging risks are 'known unknowns', i.e. they are predictable but highly uncertain in terms of timing and impact.
Black swans are, however, relative to the observer’s knowledge; with full prior knowledge, there are arguably no black swans. For example, the events of 9/11 were a black swan to the US population, although they were not for the terrorists. Similarly, as some of the excellent books and films produced after the financial crisis have highlighted, a number of individuals got very rich by taking positions in expectation of their own predicted outcomes.
Why should I invest time and resources in emerging risk management?
Emerging risks can threaten the legitimacy of business models, as well as the ways of working of entire industrial sectors.
For example, 3D printing is redefining how and where products are made, and to what specification; with global uptake, such a distributed, customisable production process may drive changes in customer demand and expectations, making existing machinery, supply chains and networks which have stood for decades obsolete.
Developments in gene therapy and a trend towards wearable technology will hopefully dramatically improve the health of millions of people. What will this do for demand for pharmaceutical drugs?
More far-fetched perhaps, but what would happen to the price of diamonds if a meteorite was successfully mined and the extra-terrestrial diamond brought back to earth (see Elon Musk's and Jeff Bezos' SpaceX and Blue Origin respectively)?
Opportunities emanating from emerging risks can also be significant. In the above example, developing an algorithm and patenting it for 3D printing designs may enable a single organisation to dominate an industry. Pharmaceutical companies may seek to divert R&D spend towards novel therapies which can help improve outcomes for more targeted groups of patients in a more sustainable manner than using traditional drugs.
First mover advantage and an agile mindset can be vital. Ignoring or deprioritising emerging risks could waste potential opportunities and doom an organisation never to catch up when they start to bite. It’s easy to evangelise though if you’re not a CEO with an expected tenure of only a few years and a vast number of challenges and investment decisions that need to be made now, never mind in five, ten or twenty years’ time.
In our experience, CEO engagement can vary widely on this topic and when lacking requires Board focus to be taken seriously (the governance code changes should also provide added impetus to UK listed firms in having a robust approach to emerging risk management, reporting and disclosure). Note also that a 'wait and see' strategy may be a valid response to an emerging risk; allowing a development, trend or pattern to mature may be the right option before making a more purposeful intervention, the risk being timing it right.
How can I identify and manage emerging risks in practice?
Determining the right approach to adopt will be influenced by a number of factors including availability of existing insights and intelligence within the organisation such as long-term strategic analyses (is there a strategy function that has done this already?), future focused research and market reports and industry forecasts (what are associations, academics, consultants and peers saying?), the complement of internal experts that can be engaged to support understanding, and organisational familiarity with techniques such as scenario analysis, horizon scanning and war-gaming (do you have a Business Continuity Management (BCM) function that is expert in this?).
The size of the organisation and its innovation position within an industry value chain and/or cross-sectoral capability, product/service line etc. will also be contextually relevant and influence the approach taken e.g. is there capacity to conduct war-gaming exercises by apportioning management and staff teams to act as competitors in scenario exercises and test different strategic options and outcomes? In addition, who is best placed to lead and facilitate emerging risk work – the risk function is an obvious candidate but collaboration and support from other relevant functions such as strategy, BCM etc. will typically improve the experience and outputs.
As might be expected, there are however some facets to a robust approach that we feel traverse organisational specifics (a few summary ideas and suggestions highlighted below). What is often key in our experience for deriving useful outputs and engaging leadership with emerging risk work is to make it as specific and relevant to the organisation as possible. This type of work gets into fascinating debates and can energise budding Nostradamuses, but don’t lose sight of the ‘so what’.
Desktop research and analysis
Gather any relevant internal and external analyses and reports available that will provide insights on the future direction of the organisation, its products, markets, services and sectors. There is a large body of content publicly available covering areas such as global emerging trends and risks and long-term industry forecasts that can be leveraged.
Identify the key assumptions, dependencies and value drivers behind the organisation's current strategic objectives and business model to understand how future developments, trends and scenarios could affect or make these redundant, and how they may need to change and evolve – are there any obvious options, opportunities and risks, and under what anticipated time horizons?
Engage internal (and external) experts
Identify who within the organisation is likely to have useful insights into future direction, options, opportunities and risks. Are there any external subject matter experts, think tanks and industry organisations worth consulting with that are known for their work and understanding? Is there an opportunity to collaborate with peer organisations in performing analyses? External input is often key to avoid an insular focus on only those areas that the organisation already knows, which will likely result in a compromised emerging risk profile.
Develop a structured question set and survey/interview respective experts to capture their thoughts as well as test outputs from the desktop work.
Hold analytical workshops
Summarise into scenarios the outputs of analysis and surveys/interviews by detailing future sets of conditions, linkages and inferences that could affect the success and viability of the organisation, i.e. from the list of potential factors identified, which ones could be materially relevant to executing the organisation's strategic objectives and maintaining a relevant business model in terms of both threats and opportunities (ignoring probability) and in what timeframe?
Convene a workshop(s) with an audience of relevant experts and management representatives (covering core areas such as operations, marketing, technology, strategy, sustainability, legal etc.) to debate, challenge and refine the scenarios presented as well as add to and develop new ones as required. Discuss what is missing, expectations and assumptions over different time horizons and what this could mean in terms of specific risks and opportunities and options for how the organisation could respond, when and how. Also debate risk dynamics – how quickly is it envisaged that an emerging risk could become sufficiently certain and near-term to warrant transition to being considered an enterprise risk (or principal if of sufficient severity)?
Document outputs from the workshop(s), including identified emerging risks with sufficiently precise descriptions to be specific to the organisation, and share with the attendees to validate interpretation and conclusions. Include proposed next steps to manage identified risks of significance and details of potential metrics and risk indicators that could be tracked to provide early warning of changes in status that might trigger a review or intervention. Hold a follow-on workshop to finalise outputs, as required.
Report to leadership
Present (ideally) or concisely report outputs from the work to the Executive, Audit and/or Risk Committee and Board (depending on governance arrangements), making clear key findings, the ‘so what’ of the risks to the organisation, proposed ownership and management strategies for debate (being very clear on what you want them to appreciate and/or make decisions on), next steps and sign-off.
Agree emerging risk management approach going forward e.g. biannual exercises/refresh and reporting, ongoing monitoring and escalation thresholds, external disclosure etc.
What can I do with an emerging risk profile?
Having agreed with senior leadership what the organisation's emerging risks are, the next step is to implement a plan to deal with those risks. A useful starting point is to develop indicators for each risk which can be tracked to provide early warning of changes in each risk's dynamics and levels of certainty.
Tolerances and thresholds can be set for the indicators which specify when escalation is necessary and a proactive intervention may be warranted. Potential responses may vary widely and could include: conducting a more detailed assessment of the risk and/or a strategic review of the organisation; adjusting project(s) strategy; amending the organisation's risk appetite and resiliency positions; communicating potential impacts on future strategic performance and earnings expectations to stakeholders; assessing potential investments ranging from transformative game-changers, to small 'bets' / 'insurance policies' to protect downside exposures; re-allocation of capital / cash and resources from existing objectives to new priorities; and identifying and pursuing potential partners / JV options.
Of note is the increasing number of technology options available to support automated monitoring of risk drivers and metrics, both emerging and enterprise, that help to address the data volume challenge that can be inherent to monitoring a potentially large suite of required intelligence sources.
When do risks transfer from emerging risks into ‘enterprise’ or 'principal' risks?
There is no black and white answer. A reasonable guide could be that for each emerging risk, ask yourself: could I assess this risk, based on the current information available and using the organisation's traditional risk processes, with acceptable precision i.e. could you confidently assess its likelihood / impact in the strategic planning timeframe? If the answer is yes, it is likely the emerging risk is sufficiently 'real' to transition into the ERM system and profile and, if of sufficient severity, be included as a principal risk.
How should I report them in the annual report? Should I include them alongside principal risks?
In our view it is important to differentiate between principal risks and emerging risks in your reporting as they are both quantitatively and qualitatively different. However, as is the case for principal risk reporting, we feel it is critical to make them relevant to the organisation so readers can understand the context – just having a laundry list of trends or vague risk and control descriptions that if you put your hand over the name of the organisation would make it hard to guess who it is or even the sector they operate in is not helpful. Of course, no one wants to disclose commercially sensitive information, but more informative and specific reporting, rather than exposition and volume, should be the aim.
What do I need to look out for? What are the common challenges you have seen?
Emerging risk management is a developing discipline for many organisations with a wide range of maturities and approaches. Outlined below are some of the common questions and challenges we see and our thoughts on potential resolutions to address them.
A lack of believability / credibility in the risks identified
Emerging risks deal with developments, trends and patterns which are, by definition, novel and therefore highly uncertain. Suggested hypotheses often make easy targets for challenge and dismissal by sometimes cynical management (that will never happen…to us).
We find that being transparent on the objectives of the exercise, and the recognition that emerging risks are inherently judgemental (a tough sell in some industries), helps to set the right tone for the discussion and debate. When articulating emerging risks, it is also vital to be as specific and relevant as possible to the organisation's objectives and future direction, calling out the potential impact (the 'so what') on strategy / earnings expectations, as well as any assumptions you have made. Providing background information and supporting evidence concisely also helps to solidify the proposal.
A myopic or narrow-minded view on potential emerging risks may result in an incomplete picture of the threats and opportunities facing an organisation. This can be driven by a reliance on groupthink.
Seek a diverse range of views from a variety of sources (internally and externally). Collaborate cross-function. However, retain an element of professional scepticism - do not take everything you are told at face value.
In addition, it is important to synthesise the information you are obtaining and try to spot any potential trends or patterns. Rarely do risks occur in isolation, particularly for emerging risks where there can be so many interconnected factors. Are there any external system dynamics at play, or potential for contagion and correlation between individual emerging risks?
For example, the rise of Amazon is dependent on, among many other factors, a combination of AI (to provide better recommendations), broadband penetration (to improve the online shopping experience), the rise of the gig economy and drones (to enable next day deliveries through Prime) and the development of cloud technology (allowing Amazon Web Services (AWS) to become a cash cow to fund investments in other parts of the business, including lower prices on amazon.com). Any of those developments on their own could be dispelled as not a threat by traditional bricks and mortar stores. Together, they are proving to be existential.
The average tenure of Boards and leadership teams, including CEOs, is declining and becoming more volatile. Their life span does not stretch into that of the typical emerging risk - those developments may be dismissed as a problem for their successor!
Getting buy-in and support is therefore a challenge so, as a risk leader, having senior support is vital. As is selling the need for dedicated analysis and monitoring of emerging risks - it is both the prudent and right thing to do in the stewardship of an organisation, particularly as the dynamics of these risks can be volatile, so it may in fact become incumbent leadership’s problem. However, recognise at times that there may be more significant issues at hand. Use common sense and empathy – considering the rhythm of the organisation and busy periods, when is the best time to conduct an emerging risk assessment?
A confused taxonomy
We have explained definitional aspects for emerging risks above, as we often see confusion over wording and terms which can be a hindrance to management efforts. Below are some other common terms that usually will benefit from being defined at the outset:
Black Swans - extremely low probability and high impact events, predictable with hindsight
Unknown Unknowns - by definition, not knowable and unpredictable to the observer, be it an enterprise or emerging risk. Black swans are often considered a type of ‘unknown unknown’ event
Scenario analysis – process of evaluating future conditions and events and challenging these to explore and understand alternative outcomes
Horizon Scanning - an approach used to identify emerging risks through a systematic review of potential threats and opportunities in different timeframes
War-gaming – testing future scenarios and events using teams to e.g. represent the organisation and competitors
Risks outside the strategic planning timeframe - emerging risks are time agnostic - often they are longer-term in nature, but they can be within strategic planning timeframes as well
Previously unidentified risks - risks missed in the risk assessment process (which could be for a variety of reasons) are sometimes confused with emerging risks e.g. have your peers or organisations of similar stature that operate in other sectors identified risks that you haven’t – do you know why? Such risks will typically not classify as ‘emerging’ but they could be (and such comparisons can be a useful check of the completeness of your risk profile anyway).
Educating management upfront on what is meant by 'emerging risks' and other common terminology will support richer and more streamlined conversation and debate.
Does this resonate with your experience? Anything you think is important to add, or that you disagree with? This is an emerging area (apologies!) and we are keen to know your thoughts and opinions so please comment and let us know, or drop me a line to discuss.