Every day, risk managers focus on known and common threats to their organizations, applying to their trade a standard set of tools that are both well-developed and commonly accepted. Like most disciplines, corporate risk management has a comfort zone where time-tested methods have a fairly predictable impact on results. When I was a risk manager in a large, global corporation, I operated happily in this comfort zone for many years, and with great success. Management was pleased when the efforts of my team reduced the company’s total cost of risk, and we sometimes even produced unusual outcomes that contributed significantly to a strategic corporate priority.
Then came September 11, 2001. The twin towers were a game changer for most of the world and certainly for risk management professionals. No longer could a successful risk manager limit his or her view of risk to the known, expected, and well-understood. For the first time, unknown, highly uncertain, unexpected, and poorly understood risks—in other words, “emerging risks”—were not only relevant, they were a priority.
Corporate boards and the C-suite were energized around getting a more complete view of the company’s risk profile and began proactively taking responsibility for managing emerging risks, as well as more predictable threats. Executives began to require their risk management teams to look much further out on the loss curve and to consider events that were not only unlikely, but in some cases viewed as impossible. Author Nassim Nicholas Taleb popularized the concept of the “black swan,” an event that takes a company by surprise and has major consequences. His book “The Black Swan: The Impact of the Highly Improbable” was described in a review by the Sunday Times as one of the twelve most influential books since World War II.
In the aftermath of 9/11, corporate boards, executives, and other risk stakeholders have become increasingly concerned about managing those exposures that they least understand. However, amid the crush of day-to-day management of more obvious risks, coupled with the still-pervasive tendency to focus on the immediate and short-term, many risk managers continue to have difficulty devoting adequate resources to identifying, quantifying, and then mitigating emerging risks.
What Are Emerging Risks?
The risks that sit in the far tail of the actuarial loss curve (see Figure 1, below) are the ones that most trouble senior leadership at the typical company. As the individuals who have ultimate accountability for the company’s ability to achieve its goals, the board, CEO, and other executives want to stay ahead of all the unexpected events that might directly disrupt the organization’s strategy and plans. One CEO I worked for used to ask risk managers: “Tell me what I don’t know and can’t foresee.” I also like the way former U.S. Secretary of Defense Donald Rumsfeld put it in 2002:
There are known knowns. These are things that we know that we know. There are known unknowns—that is to say, there are things we know we don’t know. But there are also unknown unknowns. These are things we don’t know we don’t know.
It’s a brain-teasing perspective that captures well the vagaries around high levels of uncertainty fueled by rapidly changing world events. Such is the nature of the proverbial black swan, a creature that was not known to exist, then was discovered and became widely recognized as a reality.
Some say that emerging risks are those risks that don’t currently exist. Instead, I like the definition put forth by The Risk Management Society (RIMS):
[Emerging risks are] those issues that have not manifested themselves sufficiently to be managed using the tools commonly applied to more developed exposures. They are those risks an organization has not yet recognized, or those which are known to exist but are not well understood.
A good example of an emerging risk is the changing nature of the climate. Whether or not you buy into the notion of human-caused global warming, changes in weather patterns may affect your organization over time. And although some aspects of climate change are clearly outside the job description of the corporate risk manager, there are decisions that companies can make today to help mitigate their vulnerability to shifts in weather patterns that may happen in the future. For example, an organization might be considering opening a new regional office in a coastal “tier-one” (highest risk) hurricane zone. The company’s risk management team can certainly apply traditional loss-prevention techniques to the project, using methods such as increased roof strength, special evacuation plans, multiple backup facilities, etc. They can ensure that the right property policies and preparedness plans are in place. However, they can also consider more strategic decisions that could affect the level of exposure the company chooses to take on—up to and including choosing not to locate the new facility in a tier-one zone. Of course, such a decision involves many variables. The first step is to develop an understanding of the company’s exposure to and attitude toward emerging risks.
Develop a Process for Emerging Risk Management
What can you, as a risk manager, do to discover your company’s black swans? How can you identify high-impact events that have never before occurred, but that some people believe are possible? Therein lies one of the key challenges of emerging risk management. Getting a handle on it means we need to rethink how we look at all the company’s exposures.
Risk management professionals, both within the insurance industry and in other sectors, often use the term “PML” to refer to the value of the largest loss a company might face in a particular disaster, assuming the normal functioning of any protective measures that the company has put in place. PML is usually thought to stand for “probable maximum loss.” But I believe we need to change it to “possible maximum loss.” Even when we can’t pin down our expected losses precisely, fiduciary duty requires that we consider the implications of a possible risk event and quantify any impacts that are quantifiable.
That’s why corporate risk management teams need to design a process for rating different emerging risks according to the relevance, importance, and uncertainty of each. The process should involve periodic emerging-risk reviews with key risk stakeholders and other subject matter experts in the company. The risk-rating process helps ensure that the company can make good decisions around resource allocation on risk mitigation. This process needs to align closely with—if not be integrated with—the company’s strategic planning process. The ideal approach would be to use a sub-process that feeds key risk assessment information to the planners, on their timeline. Then planners could use this information to make key decisions that form long-term objectives supporting the corporate strategy. This process enables planners and executive decision-makers to understand more clearly the extent to which objectives are achievable or at risk of being missed.
The best starting point for launching an emerging risk management program is to get the company’s key risk stakeholders together to discuss the priorities and focus for managing risk within the organization. Together, this group might review the World Economic Forum’s (WEF’s) annual “Global Risk Report,” which evaluates the level of geopolitical, environmental, societal, technological, cultural, systemic, and economic risk faced by businesses around the world.
While at first glance, these risk categories may seem to be outside the control of any one company, most businesses are affected by each of them. It’s in their interest to take action to reduce their exposure, or at least be better prepared for the possibilities these risks imply. A few key questions that risk leaders might ask about these exposures are:
- How do these rank in order of potential impact on the company?
- Is the exposure short-term, medium-term, or long-term?
- What scenarios can we test in each relevant category to see how we would be impacted, and what can we therefore do to prepare for the more common possibilities?
- What key strategies would be most impacted by each category, and to what extent?
The answers to these starting-point inquiries will lay the groundwork for how much a company decides to invest in treating the exposures and the more specific risks that emerge from them.
In addition to possible macro-level black swan events, a complete scanning of a company’s internal and external environments includes two other views as well. One is a micro/industry view that includes an assessment of competition, markets, regulators, analysts, sectors, and alliances. The other is an organization-specific view that includes an assessment of clients, customers, vendors, suppliers, and distributors. For the industry and organization-specific perspectives, it’s important to use both internal and external sources of information. Data should come from the obvious sources like financial statements, process documents, surveys, and subject matter experts, and from less-obvious sources such as industry trends, competitor activity, obsolescence trends, a competitor loss event analysis, etc.
As a company contemplates possible future black swan events within its industry, customers, and supply chain, it also needs to answer two key questions. First, how does the organization as a whole define risk? The definition needs to be understood and agreed upon by all stakeholders who will have to manage risks to meet that definition. And second, what point on the loss curve do the board and senior management want to manage risk to? Answering these questions will undoubtedly lead to other related discussions. For example, should risk managers assign more importance to the likelihood of an event or to its possible impact? Likelihood and impact are rarely equivalent; how much relative importance a company places on each stems from the organization’s overall risk attitude.
In essence, the company needs to figure out where it resides on the spectrum of risk-taking that spans from “risk averse” at one end to “risk assumptive” at the other. If the company already has a well-defined risk strategy and risk culture, it may be well on its way to understanding the many components of risk appetite including risk capacity, tolerances, targets, limits, and current exposures. In organizations that have put less effort into formalizing their risk culture, risk managers will need to work with senior management and other risk stakeholders to formally define the corporate risk appetite before beginning the hard work of uncovering emerging risks.
Uncover Your Organization’s Black Swan Risks
Once a risk management team has a handle on the organization’s level of risk aversion, they need to consider how far out on the likelihood axis they want to go in evaluating emerging risks. In other words, how unlikely can an event be before it is considered irrelevant to corporate risk strategy? This is the ultimate question in the management of emerging risks. It defines where the company should focus in the tradeoff between likelihood and frequency, what resources it should deploy to mitigate emerging risks, and the level of sophistication needed in the tools and techniques to manage risk effectively.
The emerging risk committee needs to come to a consensus on which emerging risks the company should look at, and on the most relevant scenarios for assessment and testing management of each of those risks. However, it may be difficult to achieve a consensus. Opinions about the relevance of different types of risk, and the underlying assumptions of the scenario analyses, are heavily influenced by each person’s unique biases and attitudes toward risk. Thus, they’re rarely aligned. This is a key reason why driving consistency around risk attitude and risk culture is a central objective of an emerging risk management program. The program won’t be effective without the buy-in of the people who will be charged with monitoring emerging risks and implementing mitigation programs.
Finally comes the risk mitigation process. Emerging risks are often either internally systemic—e.g., the result of an inadequately designed IT infrastructure or the company’s insufficient response capability for cyberattacks on core systems—or, from the macro external environment, viewed as outside the control of the company’s management.
Even when that is the case, the organization can usually take measures to improve its resiliency in case an emerging-risk event actually happens. Business continuity management professionals recognize that resiliency efforts should focus not on the type of event the company is preparing for, but rather on the impacts that could impinge on the company’s success within a particular time frame, irrespective of the cause or source of those impacts. For example, whether New York was affected by the 9/11 terrorist attacks or Hurricane Sandy some 13 years later, the implications for the area were similar, including the impacts on jobs, living conditions, population displacement, insurability investigations, and emergency response resources. Similar preparations also had the potential to reduce many of the impacts attendant to both events.
Finding ownership for risk mitigation is another challenge the emerging risk committee is likely to encounter. Human nature is such that few people are going to be interested in volunteering to own a potential cause of organizational failure. This truth is exacerbated by the fact that emerging risks are difficult to communicate about, so driving necessary action can pose a major challenge. Mitigation of emerging risks usually requires a top-down mandate and assignment of responsibility.
This is another aspect of risk management that needs to be addressed at the time that the emerging risk committee is defining the desired risk culture, which by definition is the set of desired behaviors that inform risk taking and the attitudes that employees—especially risk stakeholders—take toward risk management. The emerging risk process defines the company’s path toward this goal.
Risk Management for Competitive Advantage
Since losses of all types are important, they all must be managed. Many companies do a good job of managing the more routine and common exposures, although not necessarily with a clear view into the company’s risk-taking capacity or risk tolerances. But those same companies may let risks that are hard to predict and hard to quantify fall by the wayside. That’s no longer good enough. The evolving and increasingly volatile global risk landscape is changing more rapidly than ever before—which means that the uncertainty surrounding events of low likelihood and significant impact is also on the rise.
Most risk maturity models include the expectation that organizations have some discipline and rigor around an emerging risk process that can inform decision-making and board oversight. It is a fundamental fiduciary responsibility of best practice governance. Indeed, in numerous recent board-level surveys on the risk management attitudes of senior leaders across broad spectrums of industries, one fact has emerged consistently over the past decade: Boards want the companies in their charge to pay more time and attention to black swan-type uncertainties and their possible impact on the corporate mission.
Insight into emerging risks is crucial in setting an achievable corporate strategy. Any significant failure to predict and budget for loss exposures might prevent the company from successfully executing operational or strategic plans. Thus, collaboration among risk and planning professionals is essential in shoring up the company’s ability to achieve its objectives.
No organization can afford to be flying blind along a risk curve that presents an infinite number of combinations of likelihood and impact, many with catastrophic potential. Don’t let the “it won’t ever happen here” mentality infect your organization. By dedicating the right resources, attention and strategy to emerging risks, you can create competitive advantages for your organization and improve the chances of achieving your mission.
Chris Mandel is the senior vice president of strategic solutions for Sedgwick Inc., where he is responsible for helping the company reach its strategic vision of serving the current and evolving needs of its current and future customers, as well as helping lead the industry vertical to the next level. To learn more about Chris, visit www.sedgwick.com.