In his book, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb defines “Black Swans” as random and rare events that underlie our lives and business, are nearly impossible to predict and have a huge impact when they materialise. According to Taleb, “Black Swans being unpredictable, we need to adjust to their existence, rather than naively try to predict them.”
In the past several years, many large-scale events (similar in nature to Black Swans) have manifested and changed the course of many businesses. Examples of these events include increased food and product safety issues, energy supply volatility, global financial instability, geopolitical instability and natural disasters. These events have had a significant impact not only on the organizations located within the borders where they occurred, but also on various parties across geographical borders, industries and sectors.
Because of this unprecedented change in the business environment and risk landscape, organizations need to take a new look at their risk management processes and the allocation of resources to ensure that emerging risks are effectively identified, assessed, managed and monitored at all levels of the organization, i.e. from strategic planning to day-to-day operational processes.
Although many organizations have put in place risk management processes to identify, assess and manage enterprise risks, their programs are repeatedly failing to identify emerging risks relevant to the organization, assess their impact and interconnectedness with other risks, and mitigate them. This failure has implications for the organization’s strategy and objectives. It is therefore important that the organization’s board and senior management continuously scan the business environment for changes that could impact strategy execution and the achievement of business objectives.
A systematic approach to risk identification is achieved by first considering what risks the organization is facing on the macro and micro levels. Macro-risk identification involves the identification of major risks that may have significant impact, financial and otherwise, on the organization by using techniques such as industry analysis, competitor analysis, country analysis and market/environmental analysis. Micro-risk identification involves identifying sub-risks within the major risk classes that can usually be prevented by introducing effective risk control measures. Risk inspections, HAZOP studies, failure mode and effect analysis (FMEA), fault tree analysis (FTA), hazard indices, safety audits, legislation and codes of practice, research and risk sourcing can all be used to identify risks and their sources at a micro level.
In a fast-paced and changing business environment that is always presenting opportunities and threats, the organization needs to build a dynamic ERM model and be proactive and resilient. Lessons are still being learnt from the 2008 Global Financial Crisis (GFC), which started in the US and spread overnight to other developed and developing economies. What began as a crisis only within the banking sector immediately spilled over to non-banking industries, for example, the automotive industry. The GFC revealed the shortcomings in the risk programs of many financial and non-financial institutions. Organizations that were once thought of as “too big to fail” have disappeared while others have come out stronger.
Since then, supported by a stronger risk management culture, organizations across industries, sectors and national borders have attempted to strengthen their risk management programs by using techniques such as risk assessment, scenario analysis, event simulations and stress testing as a basis for determining response strategies that are aligned with the organization’s strategies, objectives, risk appetite and tolerance.
Today, risks are very much interconnected and go beyond enterprises, industries and national borders. Businesses no longer conduct business locally. Globalization has made it easier for organizations to seek opportunities across national borders either through direct market entry or through joint ventures and collaboration with foreign partners. Although benefits can be accrued from collaboration, because of these interactions, the organization is also exposed to a wide range of risks which in turn has increased the complexities in managing risks.
Effectively applying ERM principles can help the business address risks that may appear unknown but have a huge impact when they materialise. By implementing ERM and building a strong risk management culture throughout the organization, business leaders are able to:
- Identify emerging risks relevant to the organization’s strategy and objectives by carefully scanning and analyzing all the relevant risk factors.
- Assess the significance of different risks to the business and stakeholders, their interconnectedness with other risks and their implications for the business.
- Determine risk response strategies as well as consider collaboration with external parties to mitigate the risks and possibly even capture opportunities.
- Regularly monitor emerging risks through the effective use of qualitative and quantitative indicators.
In a global economy where opportunities are hunted across national borders and industries, risks spread just as widely. It is therefore important for boards and senior managers to ensure that the organization’s risk tolerances are not exceeded. Proactively monitoring risks and analyzing trends and the underlying relationships between risks helps organizations avoid significant losses and seize opportunities. By applying ERM to emerging risks, the board and management are able to reveal to investors and other stakeholders the organization’s agility to detect and respond to large-scale risks.
Risks affecting the organization’s business performance can be known, unknown and unknowable. Where the risks are known, their causes, probability of occurrence and likely impacts are well defined. These risks can therefore be measured and managed because they have manifested previously. Unknown risks are well defined, but it is impossible to assign probabilities to the occurrence of specific events, e.g. acts of terrorism. Unknowable risks have not yet manifested, and understanding them is more of a speculative exercise. Understanding this distinction between risks is important. It helps with the allocation and reallocation of resources to help foresee risks that are currently being ignored.
Identifying, assessing and managing risks relevant to the organization should form part of its strategic planning and performance management processes. This also requires the organization to strengthen its ERM capabilities and skills to ensure adequate risk oversight and management. In addition to identifying risks relative to its key objectives, the organization also needs to embrace and manage risks throughout the value chain. Each relationship within the value chain implies not only new opportunities but also risks. If one of the relationships fails, this results in consequences for all the relationship partners. Thus, it is important to understand the risks faced by each partner when identifying and evaluating risks. Through historical data and forward-looking analysis, the organization will be able to go beyond known risks and expose what may seem to be unknown risks.
In today’s complex and rapidly changing environment where an organization can thrive or disappear overnight, effectively applying ERM principles and building a strong risk culture to identify, assess and manage enterprise risks is important for executing strategy, driving business performance and meeting various stakeholder expectations.