Although traditional enterprise risk management (ERM) works well for complex organizations facing risks that have already been determined, such organizations may fall foul of emerging risks because they lack the agility to adapt in time.
In contrast, proactive risk management offers organization-wide engagement to ensure a dynamic response to risk. This approach involves identifying emerging risks early, determining how they should be prioritized, and then responding to them quickly and effectively.
The integration of this approach involves a shift from a reactive “measure and manage” approach to an anticipatory “sense and respond” one. We explore three key aspects that are integral to proactive risk management: forward-facing practices, dynamic prioritization, and adaptive response.
As complexity and uncertainty increase, so do the associated risk and the difficulty of identifying it. Predictive risk identification techniques such as horizon scanning and key risk indicator (KRI) monitoring should be used to detect, predict and monitor emerging risks. From this, potential emerging risks can be identified in advance, and effective management strategies put in place.
Once potential risks have been identified, they can be monitored using KRIs, which provide leadership with a real-time health assessment of the organization. These contrast with key performance indicators (KPIs), which are traditional, well-established lagging indicators that provide situational awareness after a risk event has occurred. Such metrics are useful for preventing known risks, but they do not provide the whole picture.
The “Holy Grail” is to have a set of both leading and lagging indicators to support timely intervention to protect the organization and mitigate the risk. KRIs are most effective when detailed understanding of a risk allows informed thresholds to be set. When the threshold is exceeded, an alert can indicate that the probability of a loss has risen considerably and the risk requires immediate attention.
Emerging risks are particularly difficult for leadership to prioritize when traditional rating methods rely on severity and likelihood – how can these be gauged when there is no supporting data?
A helpful metric here is risk velocity, i.e., how quickly an organization will feel the impact of a risk event. High-velocity emerging risks should be given high priority and brought to the attention of the executive.
For such risks, a “knowledge base – control effectiveness” map provides an effective reporting tool for executives, as emerging risks can be put in context by relating them to risks with which leadership is familiar.
Where velocity is indicated by the size of the marker on the map, it is easy to identify which emerging risks require the highest priority for oversight. The dynamic nature of the map provides a more engaging way of presenting risks than the traditional risk register.
Essential to successful risk management today is understanding the varying requirements for different categories or phases of risks. Static risks – which are well understood, have effective control methods, and are unlikely to fluctuate a great deal in the future – are well suited to traditional governance and oversight. Such risks are positioned in the bottom-left quadrant of the map and can be effectively monitored by the risk function.
Conversely, high-velocity emerging risks, which are poorly understood and have no controls, should be managed through executive oversight and a disruptive management team. The result should be that as both understanding and control effectiveness grow, the risk migrates to the bottom-left quadrant. At this point the responsibility of oversight shifts to the risk function.
Adaptive response is the ability of an organization to manage different phases of risk through the most appropriate approach, balancing traditional and proactive methods. One proactive method is disruptive management, which comprises multidisciplinary teams that can challenge conventional methods, adapt a project as it develops, and foster a “fail early, learn fast” attitude. The output is achieved through breaking a project into numerous small sub-projects known as “sprints”, with proof of concept required at each stage.
Regular meetings are held for progress updates and to ensure that the optimal approach is used. The result is that the end goal is agreed at the project outset; however, the route to get there may deviate from initial expectations.
Using forward-facing practices enables the team to adapt to changing information as understanding of the risk evolves. A reporting tool such as the knowledge base – control effectiveness map then provides evidence of success, as teams should observe migration towards the bottom-left quadrant if their approaches are effective.
For organizations to respond effectively to risk within the current evolving risk landscape, a “sixth sense” must be engaged and a proactive approach employed. We have discussed three key aspects of this: forward-facing practices, dynamic prioritization, and adaptive response. A combination of proactive risk practices alongside traditional ERM methods can aid executives in preparing their organizations for the unforeseen.