It is a noisy, risky world out there for organizations today. On top of all the digital disruption and change of the last few years, the world was blindsided by a global pandemic. The combination of risks and never-ending disruption presents a great challenge for executives to manage their businesses, in part because the risks are interconnected. While economic uncertainty related to COVID-19 remains a risk, a bigger concern for finance executives is risk related to business model change.
To survive and thrive in today's world, organizations must get better at identifying and managing risk. That includes committing more time and resources to identifying emerging risks and to better navigating known and unknown risks. Here are some ways to do it.
Utilize new tools
To get better at identifying unknown or emerging risks, companies can adopt a variety of tools and consult an array of sources. Tools that organizations can use today include:
- Artificial intelligence (AI) and big data.
- Black swan workshops.
- Bowtie analysis.
- Crowdsourcing employees' ideas on risks.
- Decision tree analysis.
- Key risk indicators.
- Predictive analytics.
- Statistical modeling.
- Strategic disruption workshops.
- Subject-matter expert interviews.
- Trend analysis.
- War games.
A common tool is to build an emerging risk and noise process that reviews numerous sources to pinpoint key trends that might require a deeper analysis. One version of this involves crowdsourcing of employees to increase employee involvement, where individual employees are recognized for contributing "best signals." Another version combines AI and big data and uses early-warning indicators and emerging risks for things that could happen. After identifying potential drivers and risks, AI tools scan unstructured data, such as news and social media, for signals related to drivers of their key risks.
Companies can use a more guided approach by applying the traditional STEEP (social, technological, economic, environmental, political) analysis. The signals and trends identified by this analysis are evaluated for their impact on the business model. Still other organizations combine trends and imagine a world where two different trends happen at the same time. Other companies apply the bowtie method to help them apply more rigor to the drivers and consequences of the risks. The method is so named because the end result, when the risk drivers and consequences are shown, resembles a bowtie.
A more strategic approach includes emerging risk workshops or strategic disruption workshops. In these workshops, executives challenge the status quo and current strategy, after having reviewed noise and disruption in the market. Harley-Davidson's unique version of this tool includes reporting the feedback obtained in these workshops to both the CEO and the board of directors. This accountability helps step up the involvement and seriousness of the workshop. Furthermore, in a world of emerging risks, noise, and disruption, what board would not want to be debriefed on the information discussed in these workshops that focus on strategy, business disruption, and emerging risks? As noted in an FM magazine podcast episode (see "Coronavirus Risks: The Importance of Preparation," FM magazine, March 3, 2020), companies that are more prepared for unknowns are more likely to perform better when the risk occurs, especially if they fully understand the business model impact of how one risk event can have many strategic implications (e.g., talent, supply chain, and access to certain markets).
Look in the right places
Many companies interview executives and conduct internal surveys to help them know their risks. Broader sources can be examined to get better at sensing the noise and emerging risks. The sources for noise and emerging risks are numerous and include:
- Compensation changes.
- Competitor actions, including job postings.
- Culture changes.
- Customer feedback.
- Empirical academic research.
- Employee feedback and pulse surveys.
- Industry conferences, reports, and trends.
- Internal risk assessments.
- Macroeconomic and geopolitical news.
- Operational anomalies or incidents.
- Patent filings.
- Published risk surveys.
- Regulatory actions.
- Social media.
- Startup and angel investor focus.
- Strategic plans.
Visualize the data, where appropriate
While some companies create emerging risk radars and reports, others develop two-dimensional risk maps. For example, the LEGO Group is known for prioritizing risks and setting the stage for appropriate actions by using a park, adapt, prepare, act (PAPA) model. A two-by-two matrix classifies risks on the dimensions of likelihood and speed of change. Each quadrant represents a strategy, with "park" representing the low probability and slow speed of change combination and "act" representing the high probability and fast speed of change combination. Mapping risks on impact and vulnerability might also provide valuable insights. In a COVID-19 world, the need for understanding speed (or contagion) was especially critical and could also be valuable for evaluating emerging risks. Another key might be to understand not only your business but also how these potential new risks might affect your customers, business partners, infrastructure, supply chain, etc. Finally, organizations need to rethink their action plans on the more significant risks. Large, high-velocity risks can quickly highlight weaknesses previously unknown in business continuity or disaster recovery plans.
Build a noise and emerging risk process
One new but increasingly common approach of leveraging enterprise risk management (ERM) capabilities of an organization is to build an emerging risk and noise process. Companies can view this as a funneling or filtering process — identifying the noise in the world and then filtering it to what will affect the company. Filtering out the noise helps companies get clearer signals for events that might affect the business and operating model. Building such a process can help companies be more prepared for new risks and help them rethink their current business. Emerging risks and change are part of the risk management frameworks recently updated by both the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2017) and the International Organization for Standardization (ISO, 2018). Principle 6 in the second component of COSO's ERM framework, "Strategy & Objective-Setting," can help start this type of thinking because it encourages organizations to "analyze the business context" for potential effects on the risk profile. Specifically, organizations can examine trends, the external environment, stakeholders, and other factors that affect both the current and future strategy.
ISO's risk framework also emphasizes that organizations need to understand the context to be able to manage risk in an integrated approach, adding that the organization itself can be a driver/source of the risk. COSO and ISO list sources of external risks as political, economic, social, technological, legal, environmental, trends, stakeholder relationships, contractual relationships, and networks. Internal risks include the vision, mission, values, organizational structure, objectives, strategy, culture, capabilities, data, and information flows. Contractual relationships and stakeholder relations can also be a part of the internal context.
Furthermore, Principle 15 in the fourth component of the COSO ERM framework, "Review & Revision," guides companies to "assess substantial change," specifically any changes that might affect the company strategy and/or company objectives. Both internal and external changes come into play here, too (as does COVID-19, a recession, or climate change). COSO adds examples of change that include rapid growth, innovation, change in leadership and personnel, change in the regulatory or economic environment, emerging technologies, labor shortages, mobility of workforces, and shifts in lifestyle, health care, and other demographic shifts. COSO also adds that practices for assessing change should be built into the business. In other words, leadership and the business units need to learn to think this way and not just to rely on the ERM team.
Share the efforts with stakeholders
A review of the 20 largest companies in the U.S. capital market reveals that almost all of them identified pandemic or public health crises in their most recent Form 10-K and/or Form 10-Q "Risk Factors" disclosures, but very few elaborate on the management of those risks. Companies outside the United States are getting more progressive in these public disclosures and in holding leadership accountable for ERM. For example, in its most recent annual report, the Sydney Airport discloses that its board "holds the Chief Executive Officer accountable for the management of risk within our risk management framework" (Sydney Airport 2019 Annual Report, p. 47, available at assets.ctfassets.net). Additionally, Rolls-Royce discloses that its board is responsible for the risk management system and that it is placing greater emphasis on emerging risks and embedding early-warning metrics into ERM (Rolls-Royce 2019 Annual Report, pp. 50-54). Furthermore, Volkswagen discloses that it is following the COSO ERM framework and also bravely notes that "no risks exist which could pose a threat to the continued existence of significant Group companies or the Volkswagen Group" (Volkswagen 2019 Annual Report, p. 189).
Successful companies know they must get better at spotting emerging risks, noise, and disruptive trends; assessing them; linking them to the business model; and making changes when appropriate. Major ERM frameworks around the world strongly suggest and support this view. Fortunately, risk thinking is evolving, and a variety of tools and sources, both traditional and nontraditional, can be used by risk executives to try to identify the emerging risks and noise. The company's survival might depend upon it.
About the authors
Paul L. Walker, CPA, Ph.D., was a member of the COSO ERM Advisory Council and is currently one of the American Accounting Association members of the COSO Committee. He leads the Center for Excellence in ERM at St. John's University's Tobin College of Business and is the James J. Schiro/Zurich Chair in Enterprise Risk Management. James H. Irving, CPA, Ph.D., is an associate professor of accounting and the Keiter Faculty Scholar at James Madison University in Harrisonburg, Va. To comment on this article or to suggest an idea for another article, contact Neil Amato, a JofA senior editor, at Neil.Amato@aicpa-cima.com.
"Securing Risk Management Wins From the Pandemic," FM magazine, Sept. 15, 2021
"5 Questions to Ask to Help Improve Risk Management," FM magazine, May 4, 2021