How do you define an “emerging” risk? The term is used frequently, but not everyone defines it in the same way. At a recent meeting of risk professionals, we had an interesting discussion of emerging risks to compare not just how we define the term, but also to share practices for developing responses to and then monitoring and reporting on emerging risks.
Defining "Emerging" Risks
Most practitioners agreed that emerging risks are risks that are known to some degree but are not likely to materialize or have an impact for several years. Another characteristic of an emerging risk is that it can be very difficult to quantify as it can have far reaching impacts on industry and society overall. Most also agreed that emerging risks are different from “black swan” events in that you can usually see emerging risks coming and such risks typically develop fairly slowly. So an emerging risk may simply start as a trend, such as a demographic shift that may not have any material impact over the next two years, but may dramatically impact your business 10-20 years down the road. One example of an emerging risk is the demographic change in the United States resulting from the aging of the baby boomer population combined with the lower birth rate after the “boomer” period. This demographic issue has been widely known and reported for some time, but it has so many broad implications including the future of the workforce, demand for housing and durable goods, healthcare needs, pensions, social security, etc. that it is challenging to pin down the specific impacts it could have on any one organization.
Let me illustrate. The typical process involves a number of individuals rating the likelihood that each risk event will occur on a scale of 1 to 5, and then they rate the impact of each of those risks using another 1 to 5 point scale. An average is then calculated for all likelihood scores and then all impact scores. Two things seem to occur with some frequency when this process is used. First, when an individual doesn’t have a strong opinion about or direct knowledge of a particular risk, the default rating tends to be a 3, on the 1 to 5 point scale. Further, the process of averaging tends to “smooth” out any differences in views, so that many risks will have scores that are close to 9 (product of average likelihood rating of 3 and average impact rating of 3). While you can still arrive at your top ten risks in this manner, there may be a relatively small difference in total risk scores (LxI) between risk # 5 and risk #15, for example.
Importance of Emerging Risks in Strategic Planning
Emerging risks are particularly important in the context of strategic planning. Because strategic planning has a longer term horizon, assumptions about the future are much more critical and are much more likely to become invalid during the planning horizon. Accordingly, organizations should identify the critical assumptions in their plans that could be impacted by these emerging risks. By focusing on trends that are just beginning to emerge, organizations can identify potential shifts in critical assumptions and develop or modify strategies to either minimize the negative effects or capitalize on the potential opportunities that an emerging risk may present. For example, the aging of “baby boomers” in the United States will have a significant impact on companies that historically target a consumer in the 35-50 age group. Those organizations have to consider measures to respond to that decline in potential customers, such as expanding their target age group, or looking to regions outside the U.S. that may have growing populations in the target age group, or modifying their product offerings to appeal to a different demographic. The upside of emerging risks is that there is time to prepare, so incorporating consideration of emerging risks into your strategic planning process can yield great benefits. This is an opportunity for the risk management function to be a value-adding resource in the strategic planning process.
Reporting and Monitoring
Typically, emerging risks will not be among the top risks facing an organization. Many organizations separate their risks into tiers with the top 10-15 risks being in “tier 1” and the next 10-15 risks being included as “tier 2” risks. Where do emerging risks typically fit in those tiers? One practitioner noted that his CEO would get impatient if the same risks appeared as “tier 1” risks year after year. So it can be a challenge to keep the focus on a slow moving, long term risk. Other practitioners indicated that they addressed this issue by including emerging risks as “tier 2” risks and some organizations actually maintain a separate list of emerging risks.
Given the uniqueness of emerging risks and their significant strategic implications, I can see the value in separating these risks to keep them in focus. Most organizations also actively seek out information on emerging risks from external sources in order to monitor the trends in the risks previously identified and to become aware of newly emerging risks. One resource that was mentioned more than once was the Global Economic Forum’s annual risk report (World Economic Forum, Global Risks Report 2016). In addition, Protiviti maintains a microsite on emerging risks and publishes periodic newsletters with updates on emerging risks and trends (protiviti.com/emerging risks)
I have heard from many ERM leaders that they struggle to get the ERM function connected to the strategic planning function. Clearly, emerging risks can have serious implications for strategic plans, and this seems to be an area where the strategic planning function could benefit from knowledge typically found in the ERM area. Scott Williams, Director, Enterprise Risk Management at Lockheed Martin notes, “The information the ERM function maintains on emerging risks is a valuable input to our strategic planning process.”
Download a copy of the article here.
As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process. In this article, Bonnie addresses techniques that might simplify the process of prioritizing risks.