Risk management in uncertain times

Coronavirus pandemic has challenged us with a prolonged period of uncertainty. While many of us are still coming to terms with its damage and long-term implications, one thing is certain: next time will be different. A track record in coping with this crisis does not promise that the success would be repeated in the future[1].

Companies are relatively familiar with known risks such as financial risks. From profitability and cashflow to the risk of fraud and corruption, financial risks are wide-ranging and critical. Not that dealing with these risks is easy, but we have seen how they happen and where the weaknesses lie. This can give us some clues on how we may mitigate them.

There are established control procedures, and businesses at times go beyond the necessary to adopt the best practice. Collectively, authorities and financial regulations are to prevent the worst of the damage spreading to the rest of the world. Knowledge from the past experiences helps us navigate risks.

Sadly, we know that emerging risks do not resemble what we have seen in the past.

Analysing the risk profile today

The World Economic Forum’s latest Global Risk Report[2] gives an overview of emerging risks. ESG risks are top up on the scale both in likelihood and impact. Right next to Climate and loss of biodiversity are societal risks, linked to our basic needs such as water and food as well as threat of diseases. Then come geopolitical and technological risks such as cyber.

Risks in high likelihood/impact categories have certain features: global, indiscriminate, and hard to contain once the crisis starts. Experts have been calling us to action for years, but due to the slow materialisation or localised impact of these risks, we have been rather slow to respond. However, they are no longer slow or localised.

ESG risks are top up on the scale both in likelihood and impact.

In the face of emerging risks, we need to reassess what we have built as our standard risk approach. Our preparation is mostly suited to risk events that have happened before, events we can evaluate, control and monitor to a degree. But this won’t prepare us for emerging risks.

Even the known risks are changing due to their interconnection with other risks. Risk types today only indicate where they originate: when it comes to their impact, they would affect us in many, often unpredictable ways.

Being imaginative about emerging risks

Preparing for emerging risks is not about scrapping everything and starting risk management from scratch. It must be done without compromising the defence against known risks. But it requires challenging the existing risk management from a fresh perspective. One practical way of doing so is scenario testing.

It may be worth thinking of a risk scenario for which the existing risk management is not built for. It should highlight where the scope and thus defence of the existing set up ends, and which perspectives and resources are lacking. This in turn helps shape the necessary defence to be built going forward.

Scenario testing should benefit from getting different perspectives across the organisation, and possibly stakeholders from outside. It may be worth inviting an independent observer or facilitator, so that each participant has an opportunity to express views.

Scenario testing should benefit from getting different perspectives across the organisation, and possibly stakeholders from outside.

You as a board member may wish to consider what role you wish to play in the process. In addition to offering support as the most senior part of the organisation, you may wish to take more active role by participating in the process, bringing a much-needed long-term vision and strategic thinking as well as the depth and breadth of experience. Designated risk leaders such as the CRO, the highest level of management responsible for risk, may indeed be grateful for you for bringing perspectives beyond the existing risk management structure.

One may say that, at its operational level, risk management is the task for management while the role of the board of directors is to exercise oversight. Even so, when we are uncertain about what risks are coming our way, it can become a little theoretical to talk about the oversight of the effectiveness of risk management systems.

Certain board members – those involved in risk management as the audit or risk committee members and chairs – may wish to observe how the organisation prepares itself for the uncertain future. This is particularly so given the interest within Europe to emphasize the importance of sustainable corporate governance and the role of the board of directors, of which we expect to see more from European Commission by mid-2021[3].

Conclusion

Emerging risks are not something we can avoid or mitigate, but we can improve our resilience and be better prepared to navigate them. This short article has discussed what could be the first step in preparing for future risk events as we think beyond the current crisis. In the forthcoming piece, we will have a detailed look into how we build our approach to emerging risks, including the role of the board of directors.

 

This is the main introduction article for DIF’s theme The Board and Risks, and its full version will be published in Boardview Magazine’s issue 1/2021 in June.

This article is based on Deloitte, Rebooting risk management: making risk relevant in a world remade by Covid-19, accessed on 1 March 2021. 2020. References are made to relevant sections of the publication in this article.

[1] Deloitte, Rebooting risk management, p.3.

[2] THE World Economic Forum, The Global Risks Report 2021 | World Economic Forum (weforum.org), accessed on 7 February 2021. 2020.

[3] European Commission, Sustainable corporate governance, Sustainable corporate governance (europa.eu), accessed on 1 March 2021. 2020.