How to: Deal with complexity

The risk landscape facing organisations is changing. The world has become increasingly complex and interconnected, creating new risk management challenges. We are moving from a world in which boards believed they could manage and control risks, to a present where established risk approaches are often being outflanked and outpaced.

Board members we have spoken to have identified three main shifts in the risk landscape. Firstly, they feel that the risk frameworks and processes they have in place no longer give the level of protection needed.

Secondly, they see increases both in the speed with which risk events take place, and the extent to which their impacts on the business become contagious (i.e. spreading across different risk areas). The speed and contagion of catastrophic risks that can threaten an organisation’s existence are a particular concern.

Thirdly, boards sense they are spending too much time and money on running their current risk management processes, rather than being able to quickly and flexibly identify and tackle new risks. Some have doubts about whether their spending on Enterprise Risk Management (ERM) frameworks is fully justified by the level of protection gained.

The speed and contagion of catastrophic risks can threaten an organisation’s existence

Underlying this shift in the risk landscape is the increasing frequency and impact of Black Swan events – unforeseen risk events that can have a major impact. These events can hit businesses without warning with potentially devastating effects.

If organisations are to be prepared for these shifts and events, their existing approaches and mechanisms for risk management will need to evolve. Below are five steps for organisations to progress from managing specific risks to achieving wider resilience to risk events.

1.     Consider risk across the three categories

Alongside financial and operational risks, organisations are also exposed to strategic risk. Strategic risk may spring from a failure to respond to shifts in the external economic, political or regulatory environment, and includes legal and compliance risks. It could also result from changes and/or flawed risk assumptions in the organisation’s strategy.

An important point to note is that many businesses have not tended to focus on strategic risk, because they have regarded risk and strategy as two separate concepts, rather than seeing taking risk as being fundamental to value creation in business.

The reverse-stress testing approach effectively accepts that it is no longer possible to forecast events themselves, and instead focuses on managing their knock-on effects or consequences.

2.     Look at risk through the consequence lens

Identify how you can enhance your existing risk management framework by adding tools and techniques such as scenario modelling, predictive indicators and particularly “reverse stress testing”.

The reverse-stress testing approach effectively accepts that it is no longer possible to forecast events themselves, and instead focuses on managing their knock-on effects or consequences. For example, an airline might test out the impact of most of Europe’s airspace being closed down (as happened with the volcanic eruption in Iceland). Such reverse-stress testing can be an effective way of focusing on extreme events and protecting organisations against unknown risks.

3 Develop a risk aware culture

Organisations need to move beyond merely identifying, measuring and prioritising the various risks they face towards a broader focus on the resilience of whole systems within which they operate and contribute value. These include the organisation’s industry, political and financial environments. It also includes progressing from explicit risk controls to a risk aware culture in which risk is managed in a coordinated way across different interests, organisational units and external relationships. Risk management should not be seen as the preserve and responsibility of risk professionals, but as a vital issue for every employee.

4 Focus explicitly on risk appetite

The uncertainty of today’s environment means that solely analysing historical data is no longer a reliable way of predicting future events and impacts. Overwhelming boards and audit committees with risk information can actually hamper understanding of the key risk issues. Instead, organisations need to encourage boards to be more explicit about the organisation’s risk appetite in pursuing its strategy, and then build awareness at all levels of what risks it is willing to bear. Greater clarity on risk appetite can aid board effectiveness; non-executives, for example, sometimes criticise executives on their boards for being too cautious in terms of risk.

5 Align risk and strategy

The alignment of risk and strategy should be a key requirement for enhancing an organisation’s risk resilience. The board needs to take the lead by clearly articulating its attitude to integrity, risk and safety, linking this to its view of the organisation’s environment, culture and value proposition. In this way the board will be taking a more holistic view of risk management, and the interplay between risk appetite and strategic goals.

Aligning risk and strategy can help the organisation strengthen its relationships with external stakeholders, enabling the board to communicate more clearly on how the business builds a trusted reputation and organisational resilience.

Richard Sykes, PwC governance, risk and compliance leader