What is an emerging risk? Certainly a tough question to answer – an emerging risk for one company could be an emerging trend for another, or an emerging sub-risk for yet another. This was the topic of one session at the NeuGroup’s The Corporate ERM Group meeting in May; members of the group exchanged ideas on what emerging risks are and how to approach them – as well as coming up with the right nomenclature.
Indeed, this matter also arises in the discussion around systems to support ERM. Systems require standardized terms and definitions. Effectively managing emerging risks requires everyone to know what an emerging risk is as defined by the ERM program.
Emerging markets for emerging risks.
As many economists note that most growth is coming and will continue to come from emerging markets (despite recent outflows from EM) one member pointed out that emerging market risks are often a microcosm of emerging risks more broadly (e.g. adequate talent pool and cybersecurity). Specific EM risks include tax hurdles, demands (especially in Brazil) for products sold in the country to be manufactured in the country, and security issues, especially with IT. It is very difficult to inculcate a company’s culture of compliance and ethics in countries with very different standards from the US.
Bridging silos through integration.
One of the biggest challenges in tracing potential risks is making sure that potential risk areas are not siloed, but rather are integrated to show commonalities in both location and potential mitigation strategies. One member company started this process by using a common risk taxonomy provided by one of the Big Four audit forms across the company. They then defined the risk management framework to align with the company’s overall risk appetite and individual risk ownership. The result was a comprehensive environment for integrated assessment and control of emerging risks.
Risk assessments meet in the middle.
The above company’s ERM office sits where executive leadership’s risk assessments meet process-based risk assessments. From the bottom, risks start with business controls’ standard assessments, move through “right sized” controls, and then up to “effective, efficient, sustainable controls” before reaching the ERM office. From the top, risks start with BOD oversight, pass through an executive leadership team objective-setting exercise, and then through management risk mitigation.
The ERM office, sometimes with the aid of external consultants, then examines the risk mitigation plans in place and makes sure that business units and monitoring functions are aligned. This drives improved stability in earnings and shareholder value, and ensures that risk ownership is spread throughout the company while still overseen by the ERM office.
To make it all work? This member follows three rules: get executive support, explain the value and reduce risk-management duplicity.
Emerging risks is a topic of perpetual interest for the ERM group and in other NeuGroups, both in order to identify potential risks that may be simmering in the background but pose a threat in coming years and also to learn of new or alternative ways to identify and monitor such risks. Developing a structure within the ERM protocol to accomplish the second objective will clearly help ensure the first objective is also met.