I recently opened an ISO 31000 Forum discussion on “Does anyone really understand Emerging Risks?” The discussion proved illuminating so in this week’s post I thought I would share a summary of the forum discussion.
My opening premise was that most in the marketplace, are not clear on exactly what are emerging risks and how they should be managed. The 3 issues to cover were
1. What are emerging risks?
2. How do we identify emerging risks?
3. And at what point does an emerging risk become an actual risk?
In this article I will cover items 1 and 2 and cover item 3 in my next article "Managing Emerging Risks" as it is a major discussion in its own right.
What are emerging risks?
Are emerging risks new risk drivers/influences for which we should find how they will affect our risk profiles, such as the Cloud to IT, Bitcoin to Finance or ISIS to Oil supply. Or are they existing threats that have suddenly increased their likelihood such as Ebola for Africa Mining. Or are they just normal risks whose risk rating have had moved negatively.
I believe the consensus of the discussion was that emerging risks are both new influences/drivers or insignificant risks that have become more active (have increased likelihood or consequences, velocity, etc). One of the best ideas for understanding emerging risks was Steve Vaughan's (NZ Society for Risk Management) quadrant concept which I have attempted to show graphically below:
Within these axes there are four quadrants, but these are not sharply divided even though it is convenient to make divisions for understanding.
FastTrack Risk Product Demo
The advantage of Steve’s quadrant is that it highlights 3 areas outside the Comfort Zone, and that risk management practitioners tend to ignore.
New or Novel risks are not the same as new/novel situations or events. Although a technology or disease maybe new, the risk of technological changes or pandemics isn’t. Novel risks therefore would reside in what I have categorized as our Fear Zone or Steve’s “we don’t know what we don’t know” i.e. unknown events with no evidence and unknown consequences.
As Martin Davies (Causal Capital) highlighted “If risk is classified as uncertainty in objectives, it would follow that uncertainty couldn’t be greater than a complete void of experience but are risks truly novel?
If a risk practitioner has constructed a risk taxonomy they will be classing causal factors and outcomes and they will be attempting to control the causal space accordingly. It would follow that such risk frameworks are more resilient to novel threats. Just for a moment, imagine this discussion between a risk practitioner and the general manager of a business.
- CEO » “I have noticed that some controls in the business are not functioning as desired, we have also suffered from a few losses in processing, treasury took stacks of hits on its market risk function and a couple of our big customers look like they are going to default on their contracts … What are you guys actually doing in risk management?”
- Risk Manager » “I know it’s terrible the business has been going through all of these ordeals but if you want to know; we have been totally engaged in some awesome and very interesting research in the risk management department”
- CEO » “What is this work?”
- Risk Manager » “Assessing the threat from this novel risk we call Incandescent Agent Purple or IAP for short”
- CEO » “What is IAP?”
- Risk Manager » “I don’t know it doesn’t exist”
- CEO » “You’re fired, goodbye, pick up your stuff and get out of here”
Jokes aside, focusing efforts on things that haven’t happened when a business is failing from poor quality, errors, disruptions and rogue customers, is probably not a good use of a risk practitioners most limited of resources, time."
So let’s leave the Fear quadrant for the moment, as I will cover it in more depth in my next article on Managing Emerging Risks, and concentrate on the more obvious quadrants of Threat and Vulnerability.
How do we identify emerging risks?
Like 20/20 hindsight, identifying what were emerging risks is of no real benefit. The interesting point raised was to include internal/existing risks in scanning which why I prefer the term of environment scanning to horizon scanning as it is more encompassing.
If Risk is uncertainty in objectives then Vulnerability is about identifying what can both adversely and positively affect each of our objectives. You can mitigate vulnerabilities without having any obvious threats and thereby inoculating your business against future threats. You can then monitor the prevailing operating environment for abnormalities and identify causal drivers and influences.
The Threat Zone covers possible risks for known/perceived situations even if there is current no apparent consequences. I think here we have a lot to learn from the area of cyber security where the concept of Threat Analysis is independent of risk, in that it is continually monitored and developed even if there isn't currently a risk (emerging or material). I believe this is the really benefit of identifying emerging risks, i,e. to test and calibrate our models and controls, on which our corporate resilience truly relies.
Again another quote from Martin Davies: “When management at Malaysian Airlines were interviewed as to why they took the flight path that they had chosen (over Ukraine), their response was something along the lines of we have been flying that route for ten years or more. The operations and flight planning team at British Airways was also interviewed and their statements went along completely different lines; ‘we assess the changing conditions of all our flights and have deemed the Ukraine crisis as potentially threatening so we avoid the area entirely’.
My point is that technically Risk and Threat Management should be managed independently. It is similar to having risk modelling QA independent of model management. Due to cyber security threats often coming from new sources and/or targets, controls have to be developed for what is not currently a risk.
This required a lot of thinking outside the box and role playing. For example what if all existing controls failed, which leads to defence-in-depth or, what about attacks initiate by us, which leads to developing immunization/contagion mitigation.
I think Khanh Vuong summed up the main problem with the distinction between emerging vs. materialized risks, “is due to the high cost and commitment required to manage identified risks. Therefore, while some might argue that all risks can be analyzed and evaluated using a plethora of tools and processes there is significant financial decision and commitment of time to actively managing risks by an organization.”
Managing Emerging Risks is a lot more than just identifying “new toys” in our risk inventory. Next week I will discuss this more in Emerging Risks II - The Black Swan Syndrome. But by not managing all quadrants of emerging risks increases business exposure to censure in the event that they materialize because it will be deeded it should have known better. This means business need to ensure risk management funding is adequate to allow a full composite of emerging risks tactics including Threat Analysis, monitoring of causal factors, and development of future resilience. Business Continuity is the new black which Malaysian Airlines will soon learn to appreciate.
(Have a look at the Fast Track 5 minute video on how Governance should be managed.)
|Free Excerpt: Mastering 21st Century Enterprise Risk Management
Guide to selecting & implementing Enterprise Risk Management
See recorded webinar on the Mastering 21st century Enterprise Risk Management
|FastTrack Risk Management Data Sheet
How Fast Track provides risk management integrated as part of the day-to-day operational management method of work and decision making.