In part 2 of my analysis of the ISO 31000 forum on “Does anyone really understand Emerging Risks?” I look at the 3rd question: How do you manage the unknown?
Black Swans are a native of Western Australia and as prevalent in Perth as “Black Swan events” these days. The obvious answer is that once an Emerging Risk has been identified it becomes a material risk and needs to be managed like all other risks in your risk inventory. So why all of the focus on Emerging Risks then?
As Martin Davies (Causal Capital) highlighted, there is a “coterie of risk bodies that are quick to label any major catastrophe as a black swan.” The theory of black swan events, developed by Nassim Taleb in his 2001 book Fooled By Randomness, was firmly aimed at high-profile, hard-to-predict, and rare events that are beyond the realm of normal expectations and the non-computability of the probability of the consequential. Let me reiterate those two key points: beyond the realm of normal expectations and the non-computability of the probability of the consequential. Very few of the events attributed as Black Swans fit that definition. Black Swans are NOT risks we didn’t think likely so we didn’t bother accounting for them. Basic statistics are freely available on the frequency of earthquakes and cyclones per regional area. There is also a wealth of research on financial market instability and pandemics.
Further, it must be realised that a risk is not the same as its cause or driver. Although there are continually new causes that introduce uncertainty into systems, the impact/effect is rarely new or novel. An outbreak of a new strain of Ebola locally might be novel but the risk of social breakdown from another source isn’t (see ‘Minerva Research Initiative’). The overuse of the black swan label has board and executive levels now focusing, probably inordinately, on emerging risks, i.e. a fear response.
Senior Management Consultant Robert Jeges commented “I would think that it is more useful to speak of emerging technologies/business/scenarios etc. and that it is the adoption of these that creates and suppresses risk. Ok, so what happens for instance when we adopt a market strategy with a “known” risk and later a competitor comes up with a killer app that completely changes our risk; what do we call that if not emerging risk? I would call it risk identification failure. A harsh but true term.”
I’m not advocating against managing emerging risks, but the reporting of emerging risks to board level is drawing attention away from building resilience into a business (fixing what ain’t broke) and towards (over)reacting to novel events. I have to agree with Martin about the use of the Risk Matrix as the “curse on our industry”. It is as useful as a thermometer in a closed room. Conversely, I’m an advocate for scenarios, as they not only give context, perspective and direction but also elicit input and evolution with every review. By definition, emerging risks are those we don’t understand, and therefore we are in need of methods of enlightenment, not a “feel-good” reporting tool.
Sadly, funding for true ERM is always under-estimated, begging the question of where to spend limited resources. Capturing and monitoring insignificant risks (a 10-fold increase in risk registers) has a substantial handling and analytic cost. Martin Davies highlighted the real issue while commenting about the effects on world trade from regional “black swan” events:
“the supply chain around these ‘situational’ outcomes should always drive resolution of gaps in our epistemic landscape of causal knowledge but only if risk practitioners are monitoring the prevailing operating environment for abnormalities and identify causal pathways to such novel factors.
For risk managers, I believe they need to ‘get their house in order’ before attempting to consider the assessment of such ‘things’ and I call these novel factors things because we don’t even know whether they are going to end up being threats.
There is so much to do in risk management and I suggest risk practitioners focus on the expected and known event space before running off to consider any work in the unknown-unknown zone.”
That is, it would be more beneficial to develop what I like to call a Causal DMZ, as well as testing the resilience of our objectives and improving crisis management.
A DMZ is not a protective barrier, but an area for clear and easy monitoring that allows an effective reaction time to any incursion.
Looking at our graphic on sources of Emerging Risks from last week, we can, and should, prepare for and manage both the Threat and Vulnerability quadrants. After all, Risk Management is about managing uncertainty, i.e. the unknown.
The real purpose of identifying emerging risks is to test and validate our environmental monitoring of risk drivers/influences (causal space) on the threats to our objectives. We should be putting more of our efforts into identifying how our objectives can be threatened (material weaknesses), and building a causal DMZ that is sufficient to meet any possible threat, not just newly identified emerging risks.
The design of a causal DMZ is beyond the scope of this article but some of the key tools you need to have in place would include:
- Business Continuity Framework
- Risk Inventory of causes, influences and drivers
- Set of KRIs with collars
- Horizon scanning/Environment monitoring
- Corporate Objectives linked to Strategic and Tactical risks
- Multiple Scenario Analyses off those risks
- Independent Threat Analysis function and vulnerability testing
Yes, this requires a major investment by business in itself, but to borrow a quote from my book Mastering 21st Century Enterprise Risk Management, “Just as the 1890s world of the Wild West had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s, in which we still operate today, be long forgotten by the 2020s.” We are living in a changing era and have to build evolution into the business to survive.
(Have a look at the Fast Track 5 minute video on how Governance should be managed.)
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.