Rain doesn’t know how to find the leak in your roof, yet somehow it does. And even if you take good care of your roof, one day the wind will blow from an unusual direction and the rain will find a new path to get into the house.
“When you are finished changing, you are finished.”
Risk seems to work that way as well. A risk does not know whether it does or does not create losses for your company. But somehow, one risk or another seems to find a way to harm many firms.
Deliberately cultivating adaptability is how enterprise risk management works to reduce exposure to and losses from those surprises. Here are four ways that ERM programs work to encourage adaptability.
Revisiting risk identification
All ERM programs start with risk identification. In the initial risk identification process, a company identifies its top risks: the risks that pose a potential threat to the existence of the firm.
But that risk identification and prioritization becomes less and less accurate as time passes. Depending on the areas in which it does business, a company may need to revisit its risk identification and prioritization every other year; some companies find it easier simply to repeat the process annually.
But there is a danger with repeating the process too often. If there are no noticeable changes in the risks identified or priorities from year to year, then the process that merely reaffirms the prior choices will appear to be a needless piece of excess bureaucracy.
One way to enliven the update process is to consider what others are thinking. (See 2017’s Most Dangerous Risks.) The result you should expect is a shifting in the prioritization of risks from year to year. But it needs to be a shift in priorities with enough credibility to actually move thought, resources and attention towards the risks that have increased in priority. That means a shift that top management really believes in.
Standard risk management deals with “presenting” risks – the risks that we are generally aware of mostly because we have some experience or have seen others experience losses from those risks. But, we have also been warned of black swans and unknown unknowns that might come out of nowhere and knock us for a major loss.
In ERM, we call those unexpected risks emerging risks. ERM includes processes for identifying and preparing for the next emerging risks. Each year, Willis Towers Watson features possible new emerging risks to help with your ERM process.
As the risk register is updated, risk managers and company executives should consider whether it is time to elevate an emerging risk into the list of important presenting risks. In the “2017 Most Dangerous Risks” survey, for example, cyber-crime made the top of the list. Several years ago, cyber-crime would have been considered an emerging risk.
Risk control cycle
Much of ERM takes place within a risk control cycle. The risk control cycle has seven steps:
- Take Risks
Of the seven steps, the last, “Response,” is the opportunity to adapt if the deviation from the plan is great enough. In a highly developed risk control cycle, the Response step will also be planned in advance.
When the situation actually occurs where the Response is needed, the actual choice might or might not be the planned Response. But companies have found that if they have discussed and planned a potential Response in advance, they can be faster in developing an actual effective Response when the need arises.
Another key feature of a risk control cycle is that it is repeated and at each repetition the Assessment step is redone. When the Assessment step is repeated, the company has the opportunity to improve the risk management process. This is especially important for a new ERM system that is best developed by a step-by-step trial-and-error process.
In addition to the continuous improvement that comes with the risk control cycle, companies should include a deliberate risk-learning process as a part of their ERM program. One firm made risk-learning a regular part of their risk committee meetings. The first 15 minutes of each meeting is taken up by a risk management lesson brought to the group by a member on a rotating basis.
ERM will not be successful for the long run as a fixed, static system because risk in the real world is constantly changing, and usually in such ways that will gradually render old ERM processes ineffective. That is not a failure of those who build ERM systems; it is simply part of the nature of risk.
Continuous improvement of risk management
After the initial development project ends, ERM needs to be on a course of continuous improvement. Just as an organization’s risk prioritizations are constantly adapting, the effectiveness of its risk selection and mitigation processes is also evolving all of the time.
Revisiting risk identification and the emerging risks process work to adapt the subject of ERM, the risks, to the present and near-term future.
The risk control cycle is designed as a feedback loop that will bring the effectiveness of last year’s risk management into next year’s planning. Risk learning is the part of ERM that works to incorporate lessons from both the company’s own experience and the experiences of others into the knowledge bank of the firm. Adaptability is encouraged and institutionalized via ERM.
Adaptability is the fourth key to ERM.