Emerging risks… how can we tackle what’s on the horizon?
Sword GRC Blog
In unpredictable times, can we identify risks that we don’t yet know? David Lannoy, Associate Director of Risk Training & Practices at Chapelle Consulting and Specialist Member and Chairman of the Belgium-Luxembourg IRM (Institute of Risk Management), explored the topic of Horizon Scanning and Emerging Risks in one of Sword GRC’s most popular webinars. If you weren’t able to attend, the key takeaways from the webinar are summarized below:
Risks we know, should know, and don’t know
For simplification, Lannoy suggests that risks can be categorized into three areas: The risks we all know (rising risks, upward trends, headlines), the risks we should know (upcoming risks, early trends, internal black spots), and thirdly, the most difficult category, the risks we don’t know (hidden risks).
Hidden risks can be signals that are ‘lost in the noise’ and are the true disruptors; take for instance the Covid-19 pandemic which presented threats that few can claim to have seen coming and prepared for.
Having analyzed the top ten operational risks for the FS (financial services) sector over 2011-2019 – though stressing that these risks apply across all industries – Chapelle Consulting observed that cyber risk and information/data risks were constant risks over this period. Regulatory risks ranked highly. Over the past four years assessed, organizational change, with companies moving to more agile ways of working posed potential additional risks. Since 2016, outsourcing and greater reliance upon external parties for critical activities have introduced risk into the landscape. And since 2017, theft and fraud have become highly likely risk areas. Two risk areas that have become less of concern are business continuity and reputation, the latter because reputation is not regarded as a risk in itself, but more as a consequence of operational or perhaps financial risk.
Are lessons from risk management being learned?
Lannoy observes that with the same top types of risks being identified time and again, the likelihood is that businesses are not learning effectively from risk management. “We are using events from the past to try and predict what will happen in the coming years. This is a good exercise but it may include anchoring bias.” To demonstrate this, he illustrates how banks and FS organizations have over recent years invested heavily in internal fraud programs, despite the fact that when losses are studied (Annual Banking Loss Report, ORX, 2019) other types of risks, such as process management, client and business practice, and workplace safety are far more significant in terms of impact.
While acknowledging that it may sound provocative, a further question to consider might be how organizations are using the information they already hold. “If you have an internal loss database where you are reporting all incidents, an analysis should reveal where you should invest to reduce the losses. The ORX report shows that internal fraud is not the highest priority,” he points out.
Consider anchoring bias
Anchoring bias – when the first data point that we see impacts our decisions – is extremely important. In the case of the pandemic, he points out that the initial data shared revealed low numbers of occurrences. It seems incredible to remember that world leaders initially likened Covid-19 to flu. “Anchoring bias in this way perhaps made us slow to react and take measures. When it comes to risk, companies are very much biased with information that they “know”. If they are considering a risk that they have already experienced, they will not challenge their assumptions. The role of the risk manager is to challenge existing information because this data will be used to make decisions.” He recommends incident reporting to detect trends, ascertain if the risk is increasing or decreasing, or increasing in occurrence but perhaps decreasing in terms of impact. “It will tell you how internal controls or mitigation measures are working and will overcome the anchoring bias that exists within organizations.”
How to address rising risks
When horizon scanning, the key questions might include:
- Which risks are most impactful for our organization?
- How are we exposed?
- If we are, are these concerns translated into action?
- What market innovations exist or are being released to address these concerns?
- Better ideas come from diversity, so meet with like-minded peers and collaborate to exchange information to attain the right mitigation measures
How to address known threats
According to Lannoy, known threats may be addressed at organizational level by:
- Identifying impacts and interrelations – understanding how risks are connected
- Adapting operating models
- Enhancing existing environment with prevention and remediation controls
- Building a strong risk culture – defining collective behaviors
According to ORX’s Operational Risk Horizon 2020 report, information and cybersecurity is the top current risk category, while geopolitical and macroeconomic risks are the top emerging risks. Climate change is cited as of growing concern, with increasing public pressure and regulatory attention. Digital disruption remains a key concern, together with growing interconnectivity between types of risks.
Why do we miss the risks we should know?
- We adopt ‘linear thinking’ and consider only the recent past to predict the future
- Short attention spans – even major events recede from risk registers after two or three years
- Lannoy recommends that risk managers should go against the tide, challenge information, and look for blind spots
- We need to prepare for alternative scenarios including variations
- Lack of diversity – risk assessment should be conducted by numerous people with different profiles for the best possible insights
What can we do? Catch the ‘slow burn’
Many risks – hacking, code-breaking, climate change – were identified decades ago and have simmered away slowly. It is only now that we are seeing the consequences of these risks as they start to rise sharply. Lannoy suggests that focus should lie within critical processes, challenging systems, key people within risk management, projects and deadlines, and following up on decisions.
Scanning to address hidden risks
He also recommends that organizations analyse Political, Economic, Social, Technological, Legal, and Environmental (PESTLE) risks depending on their operating environments, using AI and technology as tools. Looking inwards, seek out blind spots including corporate taboos and weaknesses (an example being burnout within HR).
How to address the risks we don’t know
These are the risks that are hard to predict and Lannoy says that their signal is often ‘lost in the noise.’ He recommends that, even though mistakes will be made, organizations must build resilience, resist linear thinking and learn to recover from external shocks.
For Lannoy, the key is effective incident management, including early identification, speed of reaction, contingencies and backups, consideration of different approaches, and the creation of spare capacity.
If you’d like to learn more, the full Horizon Scanning and Emerging Risks webinar is available to view, free of charge.