In today’s increasingly uncertain risk landscape, executives are continuously searching out ways to curb vulnerabilities, complex dependencies and the threat of disruption. According to experts at Arthur D. Little, leaders now require a “sixth sense” of risk, to provide intuition into the emerging risk landscape and enable their organisations to sense and respond to emerging risk. This can be achieved through a proactive approach to risk management, write UK-based advisors Tom Teixeira, Emily Channon and Marcus Beard.
At its core, proactive risk management involves identifying emerging risks early, determining how they should be prioritised, and then responding to them quickly and effectively. The integration of this approach is facilitated by a shift in risk management from a reactive “measure and manage” approach to an anticipatory “sense and respond” tactic , which utilises organisation-wide engagement to ensure a dynamic response to risk.
Traditional enterprise risk management (ERM) is well suited to complicated organisations facing determinant risk. This typically features optimised risk management strategy – a one-size-fits-all approach based on past experiences; a “Measure and manage” risk approach – reactive response with separation between risk management and organisational strategy; and lengthy internal and public monitoring methods – risk registers, audit committees and annual reports.
Such risk management approaches can lead to over-reliance on conventional methods and discourage exploration of novel risks and control measures. Even organisations with exceptional risk management processes may fall foul of emerging risks as they lack the agility to adapt in time. Indeed, the more skilled an organisation becomes at managing its known risk profile, the harder it may be to spot weaknesses or respond quickly to new threats. Three key aspects that are integral to proactive risk management:
As complexity and uncertainty increase, so do the associated risk and the difficulty of identifying this. Predictive risk identification techniques such as horizon scanning and key risk indicator (KRI) monitoring should be used to detect, predict and monitor emerging risks. Subject-matter experts should scan the horizon, analysing trends to determine probable futures using political, societal and organisational data. From this, potential emerging risks can be identified in advance, and effective management strategies put in place.
Once potential risks have been identified, they can be monitored using KRIs, which provide leadership with a real-time health assessment of the organisation. KRIs are leading indicators which are calibrated to provide a “red flag” prior to a risk event occurring; the calibration should be directly related to an organisation’s risk tolerance. These contrast to key performance indicators (KPIs), which are traditional, well-established lagging indicators that provide situational awareness after a risk event has occurred. Such metrics are useful for preventing known risks and recording the performance of control measures, but they do not provide the whole picture.
The “Holy Grail” is to have a set of both leading and lagging indicators to support timely intervention to protect the organisation and mitigate the risk. KRIs are most effective when detailed understanding of a risk allows informed thresholds to be set. When the threshold is exceeded, an alert can indicate that the probability of a loss has risen considerably and the risk requires immediate attention.
Emerging risks are particularly difficult for leadership to prioritise when traditional rating methods rely on severity and likelihood – how can these be gauged when there is no supporting data? A helpful metric here is risk velocity – how quickly an organisation will feel the impact of a risk event. For example, reputational damage due to one-off extremely negative media coverage would be high velocity, whereas changing customer needs as they embrace new preferences would be lower velocity. The high-velocity emerging risks should be given high priority and brought to the attention of the executive.
For such risks, a “knowledge base – control effectiveness” map provides an effective reporting tool for executives, as emerging risks can be put in context by relating them to risks with which leadership is familiar. Where velocity is indicated by the size of the marker on the map, it is easy to identify which emerging risks require the highest priority for oversight. The dynamic nature of the map provides a more engaging way of presenting risks than the traditional risk register, and can be a useful visual tool for working sessions.
Essential to successful risk management today is understanding the varying requirements for different categories or phases of risks. Static risks – which are well understood, have effective control methods, and are unlikely to fluctuate a great deal in the future – are well suited to traditional governance and oversight. Such risks are positioned in the bottom-left quadrant of the map and can be effectively monitored by the risk function.
Conversely, high-velocity emerging risks, which are poorly understood and have no controls, should be proactively managed through executive oversight and a disruptive management team. The result should be that as both understanding and control effectiveness grow, the risk migrates to the bottom-left quadrant. At this point the responsibility of oversight shifts to the risk function.
Adaptive response is the ability of an organisation to manage different phases of risk through the most appropriate approach, balancing traditional and proactive methods. One proactive method is disruptive management, which comprises multidisciplinary teams that can challenge conventional methods, adapt a project as it develops, and foster a “fail early, learn fast” attitude. The output is achieved through breaking a project into numerous small sub-projects known as “sprints”, with proof of concept required at each stage.
Regular meetings are held for progress updates and to ensure that the optimal approach is used. The result is that the end goal is agreed at the project outset; however, the route to get there is not set in stone and may deviate from initial expectations. Using forward-facing practices enables the team to adapt to changing information as understanding of the risk evolves. A reporting tool such as the knowledge base – control effectiveness map then provides evidence of success, as teams should observe migration towards the bottom-left quadrant if their approaches are effective.
For organisations to respond effectively to risk within the current evolving risk landscape, a “sixth sense” must be engaged and a proactive approach employed. A combination of proactive risk practices alongside traditional ERM methods can aid executives in preparing their organisations for the unforeseen.