Organisations today face increasing challenges within the modern risk landscape, with greater vulnerabilities, more complex dependencies and less predictable competition than ever before. Consequently, even the more mature traditional risk management practices fall short in their ability to manage emerging risks.
Organisations all too often find themselves perilously unprepared for handling some of their greatest risks. Companies increasingly need to shift from a "measure and manage" approach, to a "sense and respond" approach to emerging risks before devastating events occur.
A glimmer on the horizon or an evolving risk?
Emerging risks fall into two sub-categories: the "glimmer on the horizon" and the "evolving risk", each presenting their own challenges.
The "glimmer on the horizon" is the earliest manifestation of an emerging risk; it is the calm before the storm of a completely new and unforeseen risk event (a "black swan"). The basis of "sense and respond" is embedding the organisation within its environment to such an extent that it can anticipate this development before the risk poses an imminent threat. Early identification through the application of Artificial Intelligence (AI) and Machine Learning techniques enables both damage mitigation and capitalisation of opportunities before the competition ("upside risk").
"Evolving risk" refers to an already-existing risk that changes, usually developing into a greater threat than previously acknowledged, often due to inadequate risk management (in some sectors the term "grey rhino" is used to differentiate such foreseeable but unmanaged risks from the genuinely unforeseen "black swans"). Here the organisation is paralysed due to either insufficient understanding of the risk, or a belief that the risk is too difficult to effectively mitigate. The result is a culture of complacency and over-reliance on traditional, reactive risk controls.
Forward facing practices
Early identification is fundamental to proactive risk management, with forward-facing practices at its core. Key techniques to achieve this include:
- Key Risk Indicators (KRIs): leading indicators collecting data from the organisation's environment to provide early warning of risk events. Effective KRIs are particularly useful in aiding decision making where data is limited.
- Horizon scanning: subject matter experts (both within and outside of the organisation) analyse trends using political, societal and organisational data to identify emerging risks.
- Anti-fragile approach: the organisation continuously self-disrupts in order to drive continuous improvement.
To account for inter-dependencies in risks, these techniques should not be applied within silos, but rather through a cross-functional approach.
Effective risk management requires the continuation of established approaches for well-known risks alongside the development of a proactive response to emerging risks. The appropriate management strategy can be determined through risk velocity (how quickly an organisation will feel the impact of a risk event occurring), knowledge base (how well understood the risk is) and control effectiveness (the robustness of any existing risk controls). These may then be analysed on a knowledge base - control effectiveness map (illustrated below), which puts emerging risks into context by relating them to risks with which leadership is familiar, preventing either evolving risks or "glimmers on the horizon" from being overlooked.
Emerging risks are positioned in the top right quadrant, with velocity indicated by the size of the marker on the map. It is then easy to identify which emerging risks require the highest priority for oversight. In contrast, static risks in the bottom-left quadrant are well understood, have effective control methods, and are unlikely to fluctuate significantly in the future. Such risks are well suited to traditional governance and oversight. The map should be used as a dynamic tool, thus with growing understanding and control effectiveness, emerging risks should migrate to the bottom-left quadrant.
High priority emerging risks should be managed in an adaptive way, built around a "fail early, learn fast" attitude. Techniques with proven success within agile organisations include:
- Scenario planning: teams tasked with exploring the outcomes of risk realisation and different approaches to mitigating such risks.
- Disruptive management techniques: allowing multidisciplinary teams to adapt a project as it develops by breaking a task into sub-projects known as "sprints".
- Proactive pockets: demonstrating the success of proactive risk management in temporary groups that form and dissolve as the risk priority migrates.
The most effective response will utilise strategic, operational and financial perspectives and be able to target multiple emerging risks at once.
Proactive risk response is a valuable tool for enabling organisations to optimise their risk controls in the face of emerging risk. Through the effective application of forward-facing practices, dynamic prioritisation and an adaptive response, all maturities of risk from static, to evolving risk, and even the "glimmer on the horizon", can be effectively and appropriately managed.
The sixth sense of risk - Navigating the emerging risk landscape by Arthur D. Little
Emerging Risks. New World. New solutions A Guide for Airmic members, in association with Marsh