Dynamic risk assessment

In a world that is increasingly connected and evolving – where the value of global exports has increased exponentially, interest rates are negative, inequality and nationalism are rising, and fiscal debt is at levels never seen before – risk management functions need to rethink their approach. But how?

Do	Don't
Implement a five year strategic risk plan in which your organization introduces interconnectivity between risks within two years, behavioral risk management within four, and 24/7 modelling of root causes within five Seek to understand and differentiate the velocities (time to impact) of different risks Actively consider developing trends that may pose downstream exposures, even if these have not manifested before Interview diverse people – cross-divisional, cross-hierarchical – and include specifically those who have experience of previous down-cycles Seek to understand what combinations of risks are most expected to occur in the future Identify the risks that are most influential in terms of systemic ‘flow-on’ effects onto other risks Seek to identify the combinations of risks that will pose an existential threat; use these for stress testing	Don’t rely only on traditional models that use past data to predict future risks / risk scenarios Don’t be blinded by sophisticated models – ask how, in plain English, the learnings of the Global Financial Crisis have been taken into account in the modelling Don’t accept/imply that risks will/do occur in isolation. If one or more have moved during a period, ask about the consequences onto the other risks Don’t believe in black swans – business is not a lottery Don’t mistake compliance for risk management – neatly ticking every box is not risk management Don’t mistake precision for accuracy. An exact answer may appear to be precise, but in risk management has often been precisely wrong

Don't

Implement a five year strategic risk plan in which your organization introduces interconnectivity between risks within two years, behavioral risk management within four, and 24/7 modelling of root causes within five
Seek to understand and differentiate the velocities (time to impact) of different risks
Actively consider developing trends that may pose downstream exposures, even if these have not manifested before
Interview diverse people – cross-divisional, cross-hierarchical – and include specifically those who have experience of previous down-cycles
Seek to understand what combinations of risks are most expected to occur in the future
Identify the risks that are most influential in terms of systemic ‘flow-on’ effects onto other risks
Seek to identify the combinations of risks that will pose an existential threat; use these for stress testing

Don’t rely only on traditional models that use past data to predict future risks / risk scenarios
Don’t be blinded by sophisticated models – ask how, in plain English, the learnings of the Global Financial Crisis have been taken into account in the modelling
Don’t accept/imply that risks will/do occur in isolation. If one or more have moved during a period, ask about the consequences onto the other risks
Don’t believe in black swans – business is not a lottery
Don’t mistake compliance for risk management – neatly ticking every box is not risk management
Don’t mistake precision for accuracy. An exact answer may appear to be precise, but in risk management has often been precisely wrong

1. Rethink the current risk model

Traditional risk models were developed at a time when the world was vastly different – more stable, less connected and less complex – than it is today. At the time, there was no reason to consider the interdependencies between, or interconnectedness of, risks.

As a result, they under-present future risks, including for example, the 2008 global financial crisis and the 17 globally significant economic crises before it.

The new “best in class” risk management comprises of a combination of traditional risk management methodologies, understanding the networking of risks to determine the company’s exposures and adopting behavioral economic principles.

2. Consider the unprecedented developments – the future risks

Past behavior is a poor predictor of the future when the forces sharing the future are fundamentally different to what has gone before.

In essence, traditional risk models use historic data to “predict” the future. This data is a poor fit for modelling the new, emerging trends encountered today. So organizations should also consider future trends/exposures in their risk models, including:

Unfunded social security

Unaffordable medical costs

Longevity

Demographic shifts

Networks

Political risks

Middle East

Regulatory changes

Energy revolution

Cyber wars

Nationalism

High frequency trading

Fiscal debt

Weather patterns

Central Banks

EU (€) uncertainty

Trust and truth

Inequality

Water

Food

Technology

Slowdown of China

Brexit, Catalonia, Scotland

Leadership

Inequality

Trade wars

Currency wars

Cryptocurrencies

Blockchain

Quantum computing

Pandemics

Have we considered the future, emerging developments never observed in the past in our risk modelling? Have we built causation pathways between those risks in manners that are more enriched than merely relying on past correlations? Because that is how we’ve been surprised in the past – and we can afford it no more.

- Dr Andries Terblanché

3. Use expert elicitation

In order to identify new emerging risks, the discussion needs to extend beyond the risk management function or C-suite to include a diverse group of experts throughout the organization – those individuals with the deepest knowledge of the company, the greatest sector knowledge, up and down cycle experiences, and so on.

Interview them individually and collectively to identify the relevant risks. Consult them then to determine the interconnectedness of the risks in order to build a network of risks. Then consider how the future interconnectedness of risks differs from that of the past to create new risks.

4. Understand your network (of risks)

Organizations are more globally connected than before. Risks are no longer isolated within an organization’s wall. In a network (of companies, e.g. banks), any risk or exposure to Company A poses one for Company B. The most connected ones – the most “globally significant” – have literally become “too big to fail”, due to the knock-on effect it would have as the risks spread to the rest of the network.

A company may not be able to control the risks that arise from outside the organization, but it is crucial to understand where those risks lie, what the potential impact is and which ones are sufficiently significant to warrant disclosure. The latter is increasingly important as the regulators are beginning to focus more on networks.

What scares me is, what if the biggest, most important thing we just completely missed? …if in fact the dominant structure isn’t organisations, but networks.

- Jim Collins^[1]

Within the organization, management needs to not only consider the severity and likelihood of the identified risks individually, but also how they connect to create a network of risks. Then the priority for the board/management lies within the:

Significant influencers: These are the “cause” – the risks that, if they occur, affect more risks than any alternative. They represent the biggest opportunity for prevention of other risks; the mitigation of systemic risks should begin with these risks to maximize payoff.
Most vulnerable risks: These are the “effect” – the most concentrated risks, i.e. the most susceptible to contagion when any other risks in the network manifest. Being ultimately at the receiving end of most of the other risks, if these risks occur, they would lead to an existential crisis for the organization. So preventative and remedial controls are more important in these instances than detective ones.

5. Ask the right questions – of your board, of management, of your auditors

How have we (internal audit, management, the board, external audit) considered the risks from outside our organization in our risk discussions and modelling?
How have we considered the interdependencies of risks?
What new emerging trends are pertinent to our future but do we have no precedent for in the past? How do we incorporate these into our risk management?
What combinations of risks could we see in the future that we have not seen in the past?
Where are the most likely connections found?
Which are the most influential risks and which are the most vulnerable?
How has the focus of our internal and external auditors changed to consider these risks?
Where this been discussed and documented in the board?
Do we need to make changes to our disclosures?
How does this impact our strategy?
Are we getting a balanced picture of our strengths and weaknesses?

About Dynamic Risk Assessment

In addition to the traditional measures of risk severity and likelihood, Dynamic Risk Assessment additionally considers risk interconnectedness (risks that link together) and velocity (expected speed with which risks will affect operations) to understand an organization’s systemic risk profile. It uses network theory and proven scientific methods to determine whether individual risks to a business can be expected to cluster together (interconnect) to form concentrations of risk events, and to determine where there is expected contagion between structural breaks and organizationally idiosyncratic risks.

About BLC

The Board Leadership Center offers non-executive and executive board members and those working closely with them (including CROs and Heads of Internal Audit) a place within a community of board-level peers and access to topical seminars and ‘lunch and learn’ Board Academy sessions, invaluable resources and thought leadership, and lively and engaging networking opportunities.

1. Financial Times, April 2017

Print friendly version

1000

Olivier Macq

Partner, Chairman Board Leadership Center | Audit

KPMG in Belgium

Connect with us

Find office locations kpmg.findOfficeLocations
kpmg.emailUs
Social media @ KPMG kpmg.socialMedia