Making sense of risk in an interconnected world
It's crucial for boards and organisations to understand the big picture by identifying links between risks and spotting opportunities too.
By IRVING LOW
The Business Times, 14 June 2021
FEW boards and their organisations anticipated the profound impact that the pandemic has had on their revenue models, supply chains and ways of working. Extreme events, sometimes with catastrophic consequences, are expected to occur more frequently in the future. Yet, despite the use of extensive risk identification, evaluation and management methodologies, boards continue to be surprised by downside risks and "black swan" events.
Boards play a critical role in shaping their organisations' risk appetite and ensuring that an adequate and effective risk management framework is in place. This oversight role has also never been more challenging in today's world, as the number and scale of risks faced by organisations have proliferated.
This puts the focus on the enterprise risk management function.
In traditional risk management strategies, risks are prioritised on two dimensions: impact and likelihood. Risks are evaluated through qualitative and relatively subjective means, forming a top-level risk profile. Mitigation strategies are designed on a risk-by-risk basis to reduce the likelihood and impact of the risk event occurring.
The challenge with this approach is that it tends to be siloed, static and focused on discrete events. It is also usually based on historical data, which may not always be a good indicator of future events.
Further, this approach does not consider the interdependencies between risks or the effect of clustering risks. Risks do not manifest neatly in isolation. They often combine and spill over into each other. Many organisational failures are a result of multiple related risks materialising simultaneously, sometimes within a short space of time.
So, if these risk mitigation strategies are somehow under-presenting future risks, boards and management might need to re-calibrate their governance and risk frameworks.
In addition to likelihood and impact, two more dimensions of risk should be considered - connectivity and velocity.
Connectivity relates to the impact risks have on each other and how they can be expected to trigger or exacerbate each other. Most risks do not exist in a vacuum. Instead, they form complex relationship networks. Strongly connected risks can set in motion a series of events with severe and catastrophic consequences.
Velocity measures the speed at which a risk can escalate and adversely impact the business. It therefore helps to differentiate risks that may have the same likelihood and impact but are intuitively different in importance due to differing velocities.
With additional risk perspectives and data analytics, a more dynamic visualisation of an organisation's risk network can be constructed to glean insights into the systemic risk landscape.
Groups of strongly connected risks form "risk clusters". Collectively, these clusters increase the likelihood and severity of the related risks. All connected risks within a cluster are likely to trigger or be triggered by other risks creating a more severe impact overall.
Take, for instance, the Covid-19 situation. On its own, the risk of a pandemic could well be deemed a low residual risk due to its rare nature and mitigation controls around business contingency and safety controls, policies and procedures. As we have seen, this clearly forms part of a high severity risk cluster, having a critical impact with other risks such as supply chain disruptions, falling customer demand, liquidity concerns and operational disruptions, as a result of physical distancing regulatory rules and even border closures.
In addition, by considering risks as a network and quantifying influences between risks, the most influential risks (risks that will trigger most of the other risks across the network) and the vulnerable risks (risks most likely to occur following the occurrence of any other risks in the network) for an organisation can be identified.
Indeed, better decisions regarding prioritisation and resource allocation can be made when the organisation maps out how and where a cluster of connected risks may "hit" the value chain. Mitigation of the organisation's systemic risks, for example, should begin with the most influential risks, while preventive controls should be preferred over detective controls for the most vulnerable risks. Additional mitigating actions or controls can be viewed in a more holistic and systematic manner to address the root causes.
By applying data analytics and visualising risk in four dimensions - likelihood, severity, connectivity and velocity - companies can better assess the impact of potential risk events, identify key dependencies, potential single points of failure and other factors, as well as more objectively measure significant threats.
On the flipside, there may be opportunities open to boards that manage risk more effectively than their peers. Organisations that effectively manage their greatest systemic risks may better position themselves to seize competitive advantages in the market.
To do this, it is crucial to understand the big picture by identifying links between risks. After all, any change to a single risk element can result in unexpected repercussions that reach the rest of the network.
The writer is a member of the working committee of the Best Risk Management Award in the Singapore Corporate Awards by the Singapore Institute of Directors.