Predicting the weather has come a long way—meteorologists no longer examine the clouds to determine the forecast. But they still can’t accurately predict the path of a hurricane. Does that mean watching the Weather Channel is useless? Of course not. We take steps to mitigate the effects of hurricanes by signing up for warning alerts and purchasing flood insurance.
Like hurricanes, emerging risks are hard to predict; we can’t pinpoint when risks will become real issues or how serious they’ll be, but we still need to be prepared to address them. So, how can you begin identifying emerging risks and responding to them appropriately?
Building Emerging Risk Awareness
Emerging risks can result from trends or events that occur suddenly and are often characterized by uncertainty in terms of probability, expected loss, and potential impact. As a result, they are constantly developing and changing over time, so they need to be reviewed often—approximately every three months. Advisors should assess the impact and likelihood of emerging risks based on their business and respond by implementing preventative steps to limit the impact. Identifying which ones are relevant and important to your business is an individual matter. Paying attention to expert resources helps, as does keeping an eye on current trends.
As of this writing, examples of emerging risks include:
- Market: Dramatic change in market factors with potential to impact financial accounts (Areas of focus include increased gold prices, credit spreads, and the housing market.)
- Political: Political changes or instability resulting in new regulatory rules or fluctuations in interest rates and taxes
- Operational: A possible breakdown in controls or procedures that could affect the day-to-day business (Areas of focus include trends related to new technology, cybersecurity, fraud, and reliance on outdated infrastructure.)
A Framework for Identifying Emerging Risks
Although there is no best practice standard for recognizing emerging risks, according to the Risk and Insurance Management Society’s report, Emerging Risks and Enterprise Risk Management, the following framework can be used to address emerging risks:
1) Conduct emerging risk reviews. Develop a formal, documented way of identifying, assessing, and reviewing emerging risks.
2) Integrate reviews into the strategic planning process. Companies need a disciplined approach for determining the importance and potential impact of uncertainties on their objectives.
3) Identify assumptions and perform disciplined assumption testing. A method of testing assumptions and beliefs in existing business models can prevent the organization from prioritizing known risks and overlooking emerging risks.
4) Challenge conventional thought processes and expectations. Look into what’s logically most likely to happen and what’s possible with each risk.
5) Apply new and developing methodologies to better understand and predict risk. Simulations can help you further develop what-ifs. At Commonwealth, we use a number of tools to help us identify emerging risks, including:
- The Economist
- The Independent Market Observer, written by Commonwealth’s own chief investment officer, Brad McMillan
- FINRA’s Office of Emerging Regulatory Issues
- COSO’s Risk Assessment in Practice report
- Protiviti’s Risk and Compliance resource
Developing a Risk Response Strategy
Once an emerging risk has been identified, it needs to be assessed, and a strong mitigation strategy must be built around it. Every organization should have its own risk response strategy, including a rating scale for determining the impact and likelihood of each risk in relation to the size, complexity, risk appetite, and business culture.
You should also take into account the controls your organization has in place to mitigate these risks and whether they are sound. Consider the risk before controls are in place (inherent risk) and the risk after controls are in place (residual risk).
Also look at the severity of the risk in terms of business context and associated business objectives as you decide which of these actions to take:
- Accept it: Analyze the risk and decide not to do anything about it.
- Transfer it: Pass risk ownership to a third party (e.g., insurance, performance bonds, warranties, or guarantees).
- Mitigate it: Apply activities that seek to reduce the impact and likelihood of a risk to an acceptable tolerance (e.g., attesting to having had a verbal conversation with your client to confirm that the request is valid).
- Avoid it: Use an alternate approach that eliminates the risk driver or impact (e.g., ceasing a product line, declining to expand to a new geographical market, or selling a division).
Adding Value Though Proactive Planning
The term “risk” carries a negative connotation for most people—something bad will happen, you will lose money, crash your car, and so on. Contrary to this perception, risk is neither only good nor only bad. It is merely an event that has the potential to affect your objectives. We just seem to place a greater emphasis on the loss rather than the gain. Taking risks drives progress within an organization, but assessing the impact is key to understanding whether there is a negative or positive effect on the business.
What emerging risks do you anticipate affecting your office in the next year? Five years? Beyond? Looking past today’s risks to tomorrow’s emerging trends and conducting strategic planning around these risks is an opportunity to be proactive and add value to your organization’s future.
Do you and/or your colleagues spend time trying to identify emerging risks to your practice? Do you have a risk response strategy in place? Please share your thoughts with us below.