As 2006 draws to a close, it seemed appropriate to ask our StrategicRISK Benchmarking Club to do some crystal ball gazing, looking at emerging risks and trends and methods of identifying and managing them.
Most risk professionals responding to our survey believe that regulatory and reputational risks will increase significantly over the next five years. Risk of missing strategic business opportunities and exposure to outsourced service providers tied for third place, followed by political risk, risk associated with strategic partnerships, the consequences of climate change and next-generation IT threats. 25% or more respondents also mentioned pandemic disease, economic instability, terror threats and their effects, organised crime (including identity theft), and increased competition from overseas.
Just over half (53%) rated their organisation's vigilance, preparation and protection against emerging risks as good or excellent. This still leaves a substantial proportion of organisations that are uncertain about the adequacy of their protection. However, most appear to have put processes and resources in place to deal with their perceived emerging risks. Some respondents stressed the value of enterprise risk management here. For example, one respondent replied: "ERM is the key, empowering all operational managers to 'scout' for risks (threats as well as opportunities). Therefore, devoting resources to training and education and reporting processes is essential". Another commented: "We have created an ERM function to address these. In that function, we created specific tools to measure, monitor and assist in mitigation decisions - especially breach of confidentiality and political risk".
Identifying and managing new risks is not always easy. We asked risk professionals about the factors that influence their forward-looking risk management. Most cited their peers and colleagues as the first port of call for information on managing emerging risks and hold regular assessments of emerging risks on a six or 12 month basis. The means of assessment vary, although refreshing risk registers, mapping and modelling were mentioned by some, with individual business units within an organisation making a significant contribution to highlighting and monitoring their own risks. Comments included:
- "Firstly, (we) map the risk at high level to (a) the business entity and its business environments (including interaction with customers/suppliers) (b) individual products (c) business units (and end-to-end connectivity/dependency). Then, (we) drill down to specific pressure points (ie practical potential impacts)."
- "Generally, a silo approach - the business unit assesses its own risks. Senior managers meet at least once a year to share issues and ideas at a global level, more regularly at a regional level, and monthly at a business unit level."
- "A rule of thumb regular meeting with 360 deg risks considerations: tangible versus intangible; quantifiable or not; insurable or not; degree of probability times potential severity - with reputational risks and risks to intellectual property mounting speedily in importance."
- "We survey key leaders, conduct interviews, and are going to start a survey of middle management as well. Also we do ad hoc risk identification through liaison roles with key organisations."
Additional comments on anticipating and neutralising unknown future risks included:
- "No matter what the 'trigger' is, the firm must be ready to respond. It is too easy to spend time on specifics rather than a general readiness. The response should be tested and lessons learned from the test."
- "Our strategy is to look ahead as much as possible but at the same time to make our organisation as strong and as broadly based as possible - an attempt to cover all eventualities."
- "As usual, probably the major risk will emerge unexpectedly, so preparedness to confront rupture all through the organisation is an essential tool to maintain resilience and sustained growth."
- "In the future we will develop a better radar screen for emerging risks, using all internal risk specialists to brainstorm issues and feed back more formally to the board and managers."
- "The biggest risk we face is loss due to risk aversion. Surveys like this show that the focus is on decreasing risk, and that is mostly counter-productive. Risk management becomes very costly when decreasing risk ... Risks will perpetuate and their outcomes have similar effects regardless of their reasons for coming into being. (We should) focus on more than neutralising and push the positives."
With outsourcing cited as a key growing risk by a number of respondents, it might be expected that risk professionals would be reluctant to tread this route. But when we asked which risk management areas most lent themselves to outsourcing, nearly two-thirds believed that they could outsource claims handling by 2011. And, having identified new risks, our respondents considered that risk managers are generally or moderately effective in communicating them to senior management.
Finally, we asked our Benchmarking Club members for any further views on how risk will be managed in the future. These are some of the comments:
- "Much will be outside traditional risk transfer markets."
- "People will look for risk sharing and risk pooling opportunities with counterparties. This can include compensation mechanisms for uninsurable risks."
- "Hopefully risk management will be seen and more accepted as a specialist activity which is not in the domain of auditors, with health and safety, business continuity, corporate governance, etc, incorporated into a statutory requirement ... It is also hoped that business organisations appoint risk managers in more senior roles - even at board room level - so that the broader spectrum of risk includes strategic planning, policy review, performance management, quality management and decision making."
- "I would like to see risk managers become a dying breed, but only when we have reached the point where everyone manages their own risk effectively. That is a Utopian vision so the emphasis will be on supporting/advising/facilitating rather than doing (except in a few very specialist/technical areas)."
- "In five years, risk management will become much more developed and focused on operational risks, as the methods for measuring and predicting these risks are learned. Risk management will also be used much more as a way to take risk aggressively, rather than to merely decrease risks without valid consideration of the costs of doing so."
- "It very much depends on whether risk managers truly embrace risk management or continue to be insurance managers reacting to the insurance cycle and other external events."
- "Our sector (professional services) is likely to pay much more attention to risk management and is likely to develop a healthy interest in risk management and risk managers."
- "Raising more awareness of corporate risk issues and furthering the links between good risk management and good management - it is NOT the risk manager's role to manage risk for the whole organisation but to facilitate changed behaviours and assist with processes to do this."
- "Responsibilities will devolve more to line management; the risk management role will be more one of coordination and facilitation of risk analysis, loss prevention and risk transfer strategies."
- "Risk management becomes more integrated over time, and risk managers should be used by the business to evaluate all major changes and decisions - all the way downstream from strategy and planning."
- "Risk management has to be embedded in the operational processes to be effective. As such, outsourcing it is a source of risk per se. Should the operational process itself be outsourced, it is one more reason for strong risk management over it."
- "Risk managers still need to have a more senior role in the organisation and be given more credence by the board."
- "Risk management will be increasingly driven by regulation and at the boardroom level. Risk management is also a source of competitive advantage."
- "The CRO should be a non voting member of the executive committee reporting directly to the risk committee of the board of directors."
- "The goal of most risk managers is to embed the management of risk and thus it may be that the specialist risk manager will disappear if we truly achieve this goal."
- "The importance of risk managers' roles is gradually being recognised. I foresee more senior level appointments across all industry sectors."
- "There is still a need for the application and use of common sense."
Sue Copeman is editor, StrategicRISK
Around five years ago, companies in the UK had begun to get to grips with the Turnbull report on corporate governance and the resulting London Stock Exchange requirements. Since then, the whole subject of risk and corporate governance has moved up the board agenda - but the key problem of spotting what's around the next corner remains.
This research highlights some thoughts on identifying emerging risks and how companies are trying to deal with 'unknown unknowns'. Inevitably, outsourcing - a major corporate trend as companies focus on their core strengths which often include use of brand to sell related products - is seen as a key growing risk. But, as a company that provides claims management services, we were heartened by the fact that the majority of respondents believed they could outsource claims handling by 2011. The message has to be that when outsourcing you need to choose the right supplier - one who will comply with regulation and reduce risk, not add to it.
For further information about Crawford & Co please visit www.crawco.co.uk or contact Paul Bermingham, Director, Corporate Multinational Risks on +44 20 7220 1562.