In a world that is increasingly connected and evolving – where the value of global exports has increased exponentially, interest rates are negative, inequality and nationalism are rising, and fiscal debt is at levels never seen before – risk management functions need to rethink their approach. But how?
1. Rethink the current risk model
Traditional risk models were developed at a time when the world was vastly different – more stable, less connected and less complex – than it is today. At the time, there was no reason to consider the interdependencies between, or interconnectedness of, risks.
As a result, they under-represent future risks, including, for example, the 2008 global financial crisis and the 17 globally significant economic crises before it.
The new “best in class” risk management comprises a combination of traditional risk management methodologies, an understanding of the networking of risks to determine the company’s exposures, and the adoption of behavioral economic principles.
2. Consider the unprecedented developments – the future risks
Past behavior is a poor predictor of the future when the forces shaping the future are fundamentally different from what has gone before.
In essence, traditional risk models use historic data to “predict” the future. This data is a poor fit for modelling the new, emerging trends encountered today. So organizations should also consider future trends/exposures in their risk models, including:
- Unfunded social security
- Unaffordable medical costs
- High frequency trading
- EU (€) uncertainty
- Trust and truth
- Slowdown of China
- Brexit, Catalonia, Scotland
Have we considered the future, emerging developments never observed in the past in our risk modelling? Have we built causation pathways between those risks in manners that are more enriched than merely relying on past correlations? Because that is how we’ve been surprised in the past – and we can afford it no more.
- Dr Andries Terblanché
3. Use expert elicitation
In order to identify new emerging risks, the discussion needs to extend beyond the risk management function or C-suite to include a diverse group of experts throughout the organization – those individuals with the deepest knowledge of the company, the greatest sector knowledge, up and down cycle experiences, and so on.
Interview them individually and collectively to identify the relevant risks. Then consult them to determine the interconnectedness of the risks in order to build a network of risks. Finally, consider how the future interconnectedness of risks differs from that of the past to create new risks.
4. Understand your network (of risks)
Organizations are more globally connected than before. Risks are no longer isolated within an organization’s walls. In a network (of companies, e.g. banks), any risk or exposure to Company A poses one for Company B. The most connected ones – the most “globally significant” – have literally become “too big to fail”, due to the knock-on effect their failure would have as the risks spread to the rest of the network.
A company may not be able to control the risks that arise from outside the organization, but it is crucial to understand where those risks lie, what the potential impact is and which ones are sufficiently significant to warrant disclosure. The latter is increasingly important as the regulators are beginning to focus more on networks.
What scares me is, what if the biggest, most important thing we just completely missed? …if in fact the dominant structure isn’t organisations, but networks.
- Jim Collins
Within the organization, management needs to consider not only the severity and likelihood of the identified risks individually, but also how they connect to create a network of risks. The priority for the board/management then lies with the:
- Significant influencers: These are the “cause” – the risks that, if they occur, affect more risks than any alternative. They represent the biggest opportunity for prevention of other risks; the mitigation of systemic risks should begin with these risks to maximize payoff.
- Most vulnerable risks: These are the “effect” – the most concentrated risks, i.e. the most susceptible to contagion when any other risks in the network manifest. Being ultimately at the receiving end of most of the other risks, if these risks occur, they would lead to an existential crisis for the organization. So preventative and remedial controls are more important in these instances than detective ones.
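The two priorities above can be computed once expert elicitation has produced a directed network of risks. The following is an added example, not part of the original article or of the Dynamic Risk Assessment method: it assumes "influence" is the number of risks a risk can reach through any chain of links and "vulnerability" is the number of risks that can reach it. The risk names come from the trend list earlier on this page; the links between them are constructed for illustration only.

```python
from collections import deque

# Constructed sample: (cause, effect) pairs as a panel of experts might record
# them. The links are illustrative assumptions, not findings from the article.
EDGES = [
    ("Slowdown of China", "EU (€) uncertainty"),
    ("Brexit, Catalonia, Scotland", "EU (€) uncertainty"),
    ("Trust and truth", "Brexit, Catalonia, Scotland"),
    ("EU (€) uncertainty", "Unfunded social security"),
    ("Unfunded social security", "Unaffordable medical costs"),
    ("Unfunded social security", "Trust and truth"),  # closes a feedback loop
]

def build_graph(edges):
    """Adjacency sets: risk -> risks it directly makes more likely."""
    graph = {}
    for cause, effect in edges:
        graph.setdefault(cause, set()).add(effect)
        graph.setdefault(effect, set())
    return graph

def reachable(graph, start):
    """Every other risk that `start` can spread to, directly or via a chain."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt != start and nxt not in seen:  # loops must not run forever
                seen.add(nxt)
                queue.append(nxt)
    return seen

def rank_risks(edges):
    """Return influence and vulnerability scores plus both rankings."""
    graph = build_graph(edges)
    reach = {risk: reachable(graph, risk) for risk in graph}
    influence = {risk: len(reach[risk]) for risk in graph}
    vulnerability = {risk: sum(risk in reach[other] for other in graph)
                     for risk in graph}
    by_influence = sorted(graph, key=lambda r: (-influence[r], r))
    by_vulnerability = sorted(graph, key=lambda r: (-vulnerability[r], r))
    return influence, vulnerability, by_influence, by_vulnerability

if __name__ == "__main__":
    influence, vulnerability, top_cause, top_effect = rank_risks(EDGES)
    print("Significant influencer:", top_cause[0], influence[top_cause[0]])
    print("Most vulnerable risk:", top_effect[0], vulnerability[top_effect[0]])
```

In this sample the risk with the most direct links is not the most influential one: the top influencer has a single outgoing link but reaches every other risk through the chain, which is why the network has to be traced end to end rather than read link by link.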
5. Ask the right questions – of your board, of management, of your auditors
- How have we (internal audit, management, the board, external audit) considered the risks from outside our organization in our risk discussions and modelling?
- How have we considered the interdependencies of risks?
- What new emerging trends are pertinent to our future but have no precedent in the past? How do we incorporate these into our risk management?
- What combinations of risks could we see in the future that we have not seen in the past?
- Where are the most likely connections found?
- Which are the most influential risks and which are the most vulnerable?
- How has the focus of our internal and external auditors changed to consider these risks?
- Where has this been discussed and documented in the board?
- Do we need to make changes to our disclosures?
- How does this impact our strategy?
- Are we getting a balanced picture of our strengths and weaknesses?
About Dynamic Risk Assessment
In addition to the traditional measures of risk severity and likelihood, Dynamic Risk Assessment considers risk interconnectedness (risks that link together) and velocity (expected speed with which risks will affect operations) to understand an organization’s systemic risk profile. It uses network theory and proven scientific methods to determine whether individual risks to a business can be expected to cluster together (interconnect) to form concentrations of risk events, and to determine where there is expected contagion between structural breaks and organizationally idiosyncratic risks.