The role of a risk manager would be much less stressful if all risk was quantifiable and with an abundance of data to make the right decisions to transfer, control or manage risk within an organization’s risk appetite. Unfortunately, risk management is not as easy as that.
There are a variety of “strategic risks,” those risks that are not inherently measurable and we know little about – risks that could potentially inhibit an organization from achieving its goals. They’re emerging risks that can give risk managers sleepless nights and a share of headaches – and we’ve seen a few of these developing risks become reality in the past few years, including:
- Pandemic, which in 2019 was number 60 on top risks in Aon’s Global Risk Management Survey but was ranked seventh just two years later.
- Geopolitical activity, which was 32nd on the list in 2021, but carries much more risk management weight as conflict rages on in Ukraine.
- Cyber risk, a risk that was number six in 2019, but was top-ranked by business leaders in 2021 after ransomware attacks surged globally in 2020 and exploited businesses of all shapes, sizes and occupancies.
Each has carried severe consequences for organizations caught flat-footed, and businesses have learned many lessons as a result. One of those lessons learned is the value of a strategic risk assessment -- a critical part of Enterprise Risk Management that enables organizations to make better and more informed decisions and to mitigate the exposure of strategic risks.
A strategic risk assessment helps risk managers and organizations navigate new forms of volatility by driving deliberation and action around uncertainties and untapped opportunities that affect an organization’s strategy and strategic execution.
Strategic Risk Management contains four pillars that require the collaboration of organizational leaders in all departments to properly help create a strategic decision-making process that identifies emerging strategic risks that could impact an organization and define the risk minimization and opportunity maximization actions the business should take to enable organizational resilience.
Scenario Analysis is an Important Element of the Strategic Risk Management Process
Each step of the Strategic Risk Management process is critical but creating a scenario analysis/risk quantification is one of the most useful, yet underutilized, tools that articulates potential future risk outcomes. Here’s a quick look at the key steps in conducting a scenario analysis and a simple scenario setup of a hypothetical exercise equipment manufacturer could have gone through in the early stages of the COVID-19 pandemic:
Opportunity, strategic target, process, or external event being explored:
The duration of the COVID-19 pandemic is uncertain, and related lockdowns, gym closures, mask mandates may be reimposed or fully lifted. Supply chain restrictions are impacting deliveries.
Identify impacted business of company operation:
Expected growth rate for sales of home exercise bikes and subscriptions.
How do we expect the business to be impacted?
Dig a little deeper and define sequence of events and the possible company actions that could, and the key implications of the scenario to the company, its employees or clients:
Expect that our revenue could be impacted by:
- Speed at which customers return to in-person exercise classes and gyms, rather than at home
- Supply chains are constrained; ability to meet demand the issues relies on ability to retool our supply channels and maintain high levels of product quality
Possible business outcomes
Define the Base Case, the Best Case, the Worst Case. What would cause each of those cases to become reality? What is the financial outcome in each of the cases?
- New variants cause lockdowns to be reimposed, may increase sales and subscriptions by a given percentage
- Supply chain restrictions are largely resolved, and sales can meet demand and shareholder profit guidance
- Growth rate slows to pre-pandemic level, but subscriptions are maintained as customers return to workplace/gyms
- Supply chains remain constrained, and we cannot meet demand
- Vaccination uptake reduces community transmission, and workplaces/schools/gyms reopen
Identifying the Emerging Risks
Strategic Risk Management is often about identifying and understanding risks the organization has yet to experience. Controls are then established to either mitigate or transfer the risk. Identifying unknown risk is hard, and often seen as “remote” or “impossible.” So how can unknown risks be identified?
The process goes beyond the risk manager, with colleagues looking beyond the day-to-day risks in their areas, identifying risks that seem impossible to occur – and then thinking about how to stress them to make them more severe or more positive.
Building those scenarios includes layering additional identified interconnected risks (war and cyber risk, for instance) or reputational effects that could generate negative consumer sentiment that make the situation worse, or perhaps better. Spur thought processes by drawing on outside case studies. These case studies could focus on scenarios that include:
- Supply chain disruptions. What happens if a major shipping lane is blocked? Where are the bottlenecks or single points of failure in the business’s supply chain?
- Geopolitical tensions or trade wars. How are potential growing rivalries between countries and ongoing disagreements and tariffs impacting the organization? Do you hedge this risk by sourcing products domestically?
- Cyber attack risk. Risk from cyber attacks is constantly morphing, and large-scale attacks can be catastrophic to the organization.
- Natural catastrophes. There were $343 billion in global weather and catastrophe-related economic losses in 2021. How would a major hurricane, freeze, flooding, tornado, or wildfire impact your organization’s operations?
- Risk from artificial intelligence. Think proactively about risks in a rapidly growing technology, including algorithmic bias, lack of transparency in decision making, privacy violations, trading volatility, deepfakes.
Enabling Organizational Resilience
After identifying strategic risks in your organization, the next step is defining the risk minimization and opportunity maximization actions – and track progress. Ensure the organization is agile to changing circumstances via these three steps:
Define success looks like: Document the critical assumptions made in the strategic plan and scenarios, then decide if you are ahead of or behind your plan.
What are your early warning indicators: Define Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Determine if your assumptions were correct. Establish risk limits around each KPI and KRI and track in real time. Extrapolate, model and find if there are trends that may help to lead to more accurate future signals for action.
Enable decisions: Know the action you will take if a risk limit is breached. Do you take remedial action? Do you exit a market? If an opportunity exists, do you accelerate your business in that market? Who needs to know and be involved?
Remember that most risks are only partially insurable. Of the top 30 risks in the 2021 Aon Global Risk Management Survey only eight are considered to be insurable. Twelve are partially insurable and 10 are uninsurable; so risk managers must evaluate risk transfer strategies across all forms of risk capital, including traditional risk transfer solutions, captives, and capital markets.
Creating a strategic risk assessment is not easy and risk managers should never go it alone. Involve leaders in each business department, the C-suite, and external professionals to help determine the potential emerging risks that could impact the organization. Also work with your broker, who can guide you through the steps toward building a strategic risk assessment for your organization.