Dealing with New and Emerging Risks in an Ever Changing World
Download
Report
Transcript Dealing with New and Emerging Risks in an Ever Changing World
Dealing with New and Emerging
Risks in an Ever Changing World
Paul J. Sobel
Vice President/Chief Audit Executive –
Georgia-Pacific, LLC
Vice Chair – Professional Development for
The Institute of Internal Auditors
Presentation Outline
The Changing World
Impact of Emerging Risks
Evolving Risk Assessment Approach
Dealing with Risks in a Dynamic Business
World
Summary
2
The Changing World
Global and organizational change
Stressed financial structure and cash availability
Bankruptcy and restructuring
Fraud from many fronts
Legislative imperatives and pressure
Technological innovation
Competition for market share
Shareholders demanding increased accountability
Client’s changing expectations
Pressure/expectations from stakeholders and citizens
Strategic alliances
Mergers and acquisitions
3
Impact of Emerging Risks
New risks keep emerging
Risk interdependencies are creating almost
unimaginable risk scenarios
Speed of change has rendered static, annual risk
assessments almost meaningless
There seems to be very little tolerance for
ineffective risk management
4
Evolution of Risk Assessments
In the 1980’s a formal risk assessment was an
uncommon, somewhat unsophisticated practice
In the 1990’s risk assessment became a “leading practice”
◦ While it was more structured and sophisticated, it still left many
“blind spots”
In the early 2000’s, annual risk assessments were a
standard practice
◦ Some were updating risk assessments more frequently
◦ Still had “blind spot” issues
The financial crisis beginning in 2008 caused many to
question the value of risk assessments
5
Risk Identification Approach
Continually scan the risk environment
◦ Check available public documents
◦ Search for specialist publications
A lot of good stuff from outside the United States
◦ Deeper knowledge sharing with competitors
Brainstorm previously unimaginable risk scenarios
◦ Disciplined structured process
Embedded in strategic planning (60% of failures relate to strategic risks)
◦ Extensive consideration of interdependent risks
◦ May need to bring in specialists (e.g., economists, analysts, deal
makers, regulatory experts)
Consistently challenge the completeness and veracity of
all risk assumptions
6
Tends to be single point
outcomes as opposed
to range of outcomes
A good foundation, but
is it robust enough in
today’s business world?
Low
Traditionally focused on
Impact and Likelihood
IMPACT
Medium
High
Risk Assessment – The Past
Remote
Possible
LIKELIHOOD
Probable
7
Other Risk Assessment Factors
Velocity
Readiness
Capacity
Controllability
Monitorability
Interdependencies
Frequency of occurrence
Volatility
Maturity
Degree of confidence
8
Risk Velocity
This has become the risk assessment “criteria du jour;”
however, there are different types of velocity
Speed of onset
◦ How quickly does the risk descend upon us?
◦ Do we have much warning?
Speed of impact
◦ Do we feel the effects right away, or does the pain slowly
increase?
◦ Does it spread and impact us in other ways; e.g. reputation?
Speed of reaction
◦ Even if we see it coming, do we have the agility to timely react?
9
Risk Readiness
Given that risk represents uncertainty, how
ready are we to deal with a risk event?
Focus is on an organization’s ability to:
◦ Recognize the onset of the risk
◦ Respond timely and effectively
Must also consider 3rd parties’ ability to
respond timely and effectively
Risk readiness is really the response part of the
risk velocity criteria
10
Risk Capacity
Decisions regarding risk readiness must
consider an organization’s capacity to absorb
or take on risk
First consider organization’s appetite and
tolerance for the risk outcomes (before
sustainability is impacted)
◦ Resilience to consequences
◦ Cost/pain to manage
Also consider recovery time – i.e., how long
until the outcomes/effects are no longer felt
11
Other Risk Characteristics
Controllability – Do we even have the ability
to mitigate/control the risk?
Monitorability – Can we monitor:
◦ Risk signposts to anticipate risk onset?
◦ Risk impact to understand how much we’re bleeding?
Interdependencies with other risks
◦ Vulnerability to other risks being triggered
◦ Correlation with other risks (Charles Kindleberger)
12
Other Risk Characteristics
Frequency of Occurrence – Will a risk occurrence
likely be a single event or will it occur multiple times?
Risk Volatility – Does the risk lend itself to an
infrequent assessment (e.g., annually) or should it be
re-assessed on a regular basis?
Risk Management Maturity – Is our risk
management mature enough to trust our initial
reaction to a risk event?
Degree of Confidence – How confident are we in
our risk assessment judgments?
13
How Do You Make Sense of all This
Information?
Mapping Multiple Dimensions Won’t Work!
14
A Possible Approach?
1. Start with traditional impact/likelihood
assessment
2. Determine which Other Risk Assessment
Factors are relevant and meaningful
3. Assess whether those factors will
significantly, moderately or negligibly affect:
• How the risk is managed
• How the risk is prioritized relative to other risks
• How the risk is monitored and reported
15
One Example
Risk
Impact
Likelihood
Factor A
Factor B
Priority
AAA
High
High
1
BBB
High
Medium
2
CCC
Medium
High
3
DDD
High
Low
4
EEE
Medium
Medium
5
FFF
Low
High
6
GGG
Medium
Low
7
HHH
Low
Medium
8
III
Low
Low
9
16
One Example
Risk
Impact
Likelihood
Factor A
Factor B
Priority
AAA
High
High
1
BBB
High
Medium
3
CCC
Medium
High
5
DDD
High
Low
2
EEE
Medium
Medium
4
FFF
Low
High
6
GGG
Medium
Low
8
HHH
Low
Medium
7
III
Low
Low
9
17
A Few Cautions
Don’t make it too formulaic – it’s still primarily
about judgments!
Never lose sight of the fact that risk
assessment must tie back to strategy
Plan ahead for how you’ll respond to significant
risk events
◦ Decisive decision vs. consensus building
◦ Initial response may differ from long-term response
18
Dealing with Risks in a Dynamic
Business World
No one-size-fits-all or simple answers
Starts with good risk information
◦ Identify risk events early
◦ Initiate risk actions quickly
◦ Monitor effectiveness of risk actions
Must have a good escalation process
◦ Who needs what information and when?
Don’t just treat the symptoms; cure the disease
Be flexible to change; don’t become too
attached to what worked in the past
19
In Summary
We live in a dynamic, ever changing business world
◦ The speed of change will continue to increase
◦ The impact of mistakes will become even greater
Identifying possible emerging risk scenarios will be
critical to success
◦ In particular, scenarios among interdependent risks
Risk assessment must consider criteria beyond Impact
and Likelihood
◦ But don’t make it too complex; it’s still about judgments
Dealing with risk events requires a structured and
disciplined approach; an ad hoc, reactionary approach
won’t cut it
20
QUESTIONS?
[email protected]
21