The concept of risk is far from new. It is an integral part of conducting business, and a factor that evolves alongside organizations, markets, demographics, and jurisdictions. Yet while enterprise risk management (ERM) has always been in the C-suite's crosshairs in some form or another, an upsurge of unique and disruptive risks is giving board members reason to raise their voices.
Risks are a natural product of their environment. And in this era of disruption, organizations face new, complex, and ever-shifting risks from within and outside of their walls – all of which have the potential to propel them ahead or stall them in their tracks. Until recently, many of these risks may not have been considered significant (if considered at all), but as circumstances change, so too do the consequences of neglecting them.
As always, implementing an ERM program begins with recognizing the risks at your front gates. Today, they include geopolitical shifts (e.g. trade tensions, security threats), the impacts of climate change and sustainability (e.g. green technologies, chronic weather changes), and continuously adapting cyber threats; not to mention the pitfalls of social media platforms and disruptive technologies (e.g. machine learning, Internet of Things, robotics).
One must not discount the threats also coming from within the organization. Whether it's a result of digital transformation or the adoption of disruptive technologies, the pursuit of strategic alliances or workforce re-skilling, organizations assume new or additional risks with every action they take to boost internal efficiencies, strengthen customer relationships, pursue innovation, and enhance their overall ability to compete.
More and more, disruptive risks are finding their way into the boardroom. Even still, only one-fifth of Audit Committees feel that their organization's ERM program is robust enough to capture and respond to these disruptive risks. While there is a clear need to step back and re-evaluate risk programs, many find it difficult given the lack of experience and information regarding some of the more complex factors of these disruptive risks. 1
Herein, it helps to understand that while each disruptive risk has unique patterns and characteristics, some commonalities can be harnessed to better equip organizations to address them. For one, many of these disruptive risks are dynamic and time-sensitive. Their pace and velocity are phenomenal, meaning organizations can't rely on traditional static and snapshot-like risk management and reporting, and must, therefore, be nimble enough to continuously anticipate, read, and respond as they arise. The high level of ambiguity, uncertainty and a wide range of possible futures also hinders the ability to confidently model them.
Lastly, the world is becoming more interconnected, enabling risks to travel and hunt in packs. Understanding this, organizations would do well to stretch their analytics capabilities and adopt a more holistic, portfolio approach to risk management. In so doing, they stand a better chance at understanding and focusing on their critical connections and other pain points.
With shape and scope of risk only increasing, a more unified and fluid risk management strategy is vital to ensure the organization gathers its resources and collaborates in the face of disruptive risks. From yearly strategic planning sessions to more regular management meetings and everyday business activities, organizations should evaluate changing business conditions and potential risks in a format that fosters a culture of healthy dialogue, questioning, and objective challenge.
The good news is that the risk function is well-positioned to work with cohorts from across the organization to improve and maintain the visibility of these disruptive risks all the way to the top. Board members can also make that difference in helping to shape the risk oversight and management model. They can serve the organization by bringing in a different and independent perspective from their diverse backgrounds and experiences in other boardrooms, to help organizations face disruptive changes.
What should Audit Committees be asking?
"The critical thing to remember is that disruptive risks aren't going away, and nor are they going to wait for organizations to catch up. Board members must be bold in the face of risk by playing a key role in identifying, managing, and taking advantage of these risks to their specific organizations."
Edouard Bertin-Mourot, Partner, Risk Consulting, KPMG in Canada