Organisations are finding it increasingly difficult to manage and control risks. Armoghan Mohammed looks at why the dynamics of risk are changing.
The world is moving from a past in which boards believed in their ability to manage and control risks, to a present where established risk approaches and thinking are being repeatedly outflanked and outpaced.
‘Black swan’ events - those that occur without warning and have a profound effect on society and business - are happening more frequently.
Today, ‘black swans’ are regarded as one of three types of risks that organisations face. They cannot be predicted or avoided. The others are ‘known risks’ that companies can identify and seek to avoid, plan for and mitigate, and ‘emerging risks’ that have come onto the radar, but whose full extent and implications may not yet be clear.
By their nature, black swan events should only occur at irregular intervals. Yet recent experience suggests that events fitting the criteria for black swans are happening with increasing regularity. This acceleration raises the question of whether the black swans are actually turning grey - meaning that, rather than being isolated, outlier events, they are actually manifestations of a new, more uncertain and less predictable reality.
If organisations are currently under-protected against the new risk environment, it follows that their existing risk management approaches and mechanisms are falling short. PwC recently conducted research into how various multinationals have responded to low-probability, high-impact risk events. Key findings include:
The boards of big organisations do not generally fully understand the risks that they are running - or how the knock-on impacts can spread across risk categories. This makes it harder to manage organisations within their risk appetite. The internet and social media allow information to move instantaneously around the world, morphing opinion into fact. Companies that cannot deliver the right responses quickly are getting caught out.
Checks and balances at board level are often not in place because the board may not have people with enough industry expertise to ask tough questions about executives’ decisions. There is frequently a gap between what management says about risk, and what it delivers. It helps when the board is asking the right questions, such as: Are the CEO and board setting the right behavioural example and risk-aware culture, in line with the strategy? Are rewards encouraging risk-based thinking and behaviour? In addition to financial and operational risks, are we as a board sufficiently focused on managing strategic risks?
Assuming we will continue to live in a world where predicting and controlling risk events is no longer feasible, what is an appropriate approach? A key consideration for each organisation is how it frames and perceives risk. Our view is that organisations should look to build on Enterprise Risk Management (ERM) by making changes to the way they frame and think about risk.
First, businesses should move away from only identifying, measuring and prioritising the discrete risks they face. Management should focus more broadly on the resilience of the entire systems to which they contribute, spanning global, industry, political and financial environments. All organisations need to progress from controls to risk cultures, managing in a coordinated way across different interests, organisational silos and external interactions.
Second, since analytics will not be enough on their own, boards will need to be more explicit about the organisation’s risk appetite in pursuit of its strategy, and to build awareness at all levels of what risks it is willing to bear. Some may regard risk management as a distraction from the day job that is effectively someone else’s problem. In fact, it is part of everybody’s job, every day. Many non-executives voice frustration that the executives on their boards are too cautious in terms of risk - so greater clarity on risk appetite would certainly aid board effectiveness.
Third, there should be a parallel drive to integrate risk and strategy and to embed a risk-aware culture, behaviours and beliefs at all levels of the organisation. Ideally, this will be driven by the chief risk officer (CRO) or equivalent executive on the main board. Having more senior representation of risk will also help to remove the artificial distinction between financial, operational and strategic risk and uncertainty, and encourage a more holistic view.