About 12 months ago I wrote the feature article for the Institute of Internal Auditors’ global e-zine on the top 10 risks for 2010.
I received an email this week about the article which prompted me to have a look back at what I’d said, and also some of the comments which had been made in response.
My focus at the time was on ‘strategic risks’, a risk category which is often not focused on because they are hard to pin down. These risks tend to move from inconceivable to possible and probable, moving quickly on your risk matrix over time and with increasing consequence. And as these things are often unprecedented, it’s often not clear how these will manifest themselves. As such, some of my top themes tended to be underlying drivers rather than specific risks which can be put in clear focus.
I’ve been talking and writing about this area – strategic risk, black swans, emerging risk, risk foresight and unknown unknowns – for a few years now. This has led me down a range of paths including working with futurists, former futurists, board members, CROs, CAEs, and even being on a debating team with people from the WEF’s global risk team. The results of this work can be confronting, particularly as it often challenges fundamentals and norms that we’ve taken for granted during the latter phases of industrialisation.
The human response
What has become more interesting and evident to me over time hasn’t just been the risks specifically but the usual responses I normally get when pointing out some of the big strategic risks as I see them:
1. These risks are not present today, and I’ve got bigger things to deal with in the near term, so please don’t waste my time with this lala land stuff (fair enough, but risk is a business of uncertainty rather than certainty)
2. I don’t believe these risks are going to manifest during my tenure, and they’re not in my role description or KPIs, so they’re not my problem (fair enough, this is not easy stuff to deal with, but raises some issues)
3. You’re right, there are some blind spots, and thanks for pointing some new ones out so I can find out more. (Eureka!)
4. Yes, I agree, and here’s some YOU’VE missed. (Very exciting, let’s talk)
My work is deliberately focused on working with people in category 4 and sharing what I learn with those in category 3. In my view, these are the people who will avert massive destruction in shareholder value and create competitive advantage and possibly even market strength as a by-product.
Where does strategic risk capability lie? Where should it lie?
Thematically, with some notable exceptions, the greatest capability in being across strategic risks seems to lie at the board. Management, risk management and internal audit are mostly focused in the day-to-day. Their tenures often don’t align with the unfolding nature of these risks over time, whereas ultimately these will come home to roost with the board. This means a good board, and a diverse and well-networked board with varied experiences and world views is key, and has been the basis of my arguments for board diversity including but beyond gender.
The challenge is when risks emerge which are not within the experience of the board, possibly because these risks are unprecedented. This is when risk forecasting capabilities are essential to avoid blind spots, which has been the crux of my argument since the GFC. Simply, if organisations don’t have this capability in-house, boards need to get someone in occasionally to challenge the organisation’s thinking on strategic risks and risks which will manifest themselves beyond the CEO’s tenure.
So how did the crystal ball go?
It is worth looking back to see how the top 5 themes list fared 12 months later with the benefit of hindsight, some of which were refuted by some who commented on the article. Here are a few thoughts.
- Energy prices. Forecasters are saying we’re still 12 months away from $100/barrel, but this week world leaders are leaning on OPEC to increase supply to try and postpone the rise. Coal prices are increasing quickly. Governments are strategically positioning around energy security as they understand the consequences to be catastrophic. This continues to be one to watch.
- Industrialised world atrophies while the emerging economies grow. There are clear signs of this. Have a look at the Europe vs China story.
- Population pressures and constraints on commodities. Notice that the resource companies are the ones driving economic growth in the developed world over the past 12 months? Seen what’s happening with food prices lately, and why Canada and Australia are now economies and currencies of preference in the developed world?
- Structural currency rebalancing? Yes, many were in denial on this one, but I’m very happy that I advised my clients to unwind their exposures to certain currencies. The consequences for them would have been more than material and in some cases catastrophic, leading to a crisis of confidence in management and the board, with potential knock-on effects into the broader community.
- Climate change. Sure, I’ll agree, not a risk in itself, but on at least half of the boards and audit and risk committees I sit on, it’s a key driver which those organisations will need to deal with creatively if they are to keep achieving at the rate they’re used to. And although not yet mainstream, there are some disruptive innovators doing some things in carbon markets which previously were unheard of.
So some of these risks resulted in a material impact for some organisations, industries and countries. Some did not. But it’s fair to say that all five themes did drive changes in the risk profile, and are increasing in likelihood and impact.
I guess all of this raises a philosophical question about who should be responsible for keeping an eye on strategic risk. In my experience the board and independent risk committee tends to do okay at it, but management is very much immersed in delivering this year’s plan. Taking your eye off these can be devastating. We’ve seen too much of this as I’ve written and spoken about many times.
At the time of the article, the internal audit profession was positioning itself to provide assurance over the risk frameworks and risk reporting of organisations. This article introduced a few ideas on what this actually means, including the provisions of Principle 7 of the ASX Corporate Governance Principles in relation to material business risk. For me, internal audit’s role is to see whether this emerging risk capability is in place and working well. If it isn’t, internal audit has an obligation to let the most senior people in their organisation know, including the board.
I hope this has stimulated debate, including people who don’t agree with me, and if it has, then this has been very worthwhile. I’d love to rekindle the debate, including from those who believe these risks are right, and those who still think it’s all a bit fluffy.
The original article and space for comment can be found on the IIA’s Global website.
For those who are keen to find out more, I’d also welcome people to trawl my archives of articles, papers, presentations and video on the topic and join the mailing list for future updates. Where available, these are on this site free of charge.