Keep external risks on the radar with regular horizon scanning


This week Tony and John discuss external risks using operational risk software and the importance of horizon scanning. This excerpt is taken from their book Mastering Risk Management…

One of the problems of risk management, and indeed management generally, is that so much time is spent worrying about internal risks rather than looking at the external environment. Generally, the risks which bring a firm down are mainly about people, often senior management, or are external risks. However, we constantly urge management, as well as risk management, to horizon scan all the time.

Horizon scanning permeates so many areas of risk management, including risk culture, implementing the risk management framework, reputation damage, information security and cyber risk management, business survival and recovery, and third parties, outsourcing and supply chain risk management.

PRESTEL

Horizon scanning first requires each independent function of the three lines of defence to be effective. Having done that, they can then come together to understand the whole firm’s exposures, its processes and the environment in which it operates. A useful mnemonic from social sciences – PRESTEL – helps to think about external risks and horizon scanning.

Looking at these categories of external risks in a bit of detail, you begin to realise why any firm must tune their radar screen: 

Political – Political uncertainty may impact national and international markets. Geopolitical shifts, interstate conflicts and terrorism may restrict (global) growth.

Regulatory – Shifting sands in rules and regulations which firms must monitor, including regulations related to privacy, product development and approval, and broader governance expectations. 

Economic – Economic conditions may restrict growth of the labour market. Evolving customer preferences and demographics shift the existing customer base.  Activist shareholders.  New competitors and disrupters. 

Social – The pressures on firms from the press, social media (including customers and ex-employees), politicians, wider society, and local communities.  Activist populists, such as Extinction Rebellion or Black Lives Matter.  Behaviours and personal conduct of management and other key representatives may not conform to societal ethical expectations.  Effects of human pandemics and epidemics. 

Technological – Emerging technologies and adoption of digital technologies (AI, robotics, natural language processing) may need new skills, upskilling and reskilling of employees; lack of necessary skills out there. Disruptive innovations may outpace ability to compete or manage risk appropriately. Insufficient preparation for cyber threats may significantly disrupt core operations and/or damage brand. New competitors ‘born digital’ with low-cost base can disrupt established firms. Risks of privacy and identity management.

Environmental – The effect of climate change, including on supply chains. The Task Force on Climate-related Finance Disclosure, sponsored by the Financial Stability Board, includes not only the finance sector, but also energy, transport, materials and buildings, agriculture, forest products. Green and brown finance.

Legal – Apart from regulations and laws such as the Bribery Act, there are a myriad of host country business practices which change.

WEF Global Risks Report

The executive summary from these examples shows the five headline risks: 

■ an unsettled world 

■ risks to economic stability and social cohesion 

■ climate threats and accelerated biodiversity loss 

■ consequences of digital fragmentation 

■ health systems under new pressures (and before Covid-19) 

Similarly, Larry Fink, chief executive officer (CEO) of BlackRock[i], wrote in his Annual Letter to CEOs, the following: ‘Companies must ask themselves: What role do we play in the community?  How are we managing our impact on the environment? Are we adapting to technological change? Are we providing the retraining and opportunities that our employees and our business will need to adjust to an increasingly automated world?’.

Beyond highlighting these risk categories, both external and internal, it is worth noting that they are all changing constantly, every day. The business environment is one of uncertainty. We have to manage the most significant threats and opportunities effectively. It means that firms must watch all these elements daily. Problems can come quickly or occur slowly, but the impact can be profound. It is critical to ensure that risk management frameworks address external and internal changes as part of a firm’s normal continual improvement processes. Those who are resistant to change and fail to adjust their business model and operations will fail. Of course, things will happen unexpectedly. The question is whether you are resilient. That is the challenge for all firms.

Risk management should be encouraging managers to open their eyes and ears to other forms of data – information is a much better word – than the purely numeric, even as far as gossip and casual comment. That goes even further against the basic laws of probability which demand independent, objective observations of homogeneous events, a long way away from the world of risk. Having said that, even actuaries admit to using quantitative  frameworks to structure their ‘guesses’[ii].

Quantitative analysis undoubtedly has its place, but the best actuaries are applying intelligent risk management, which is what this book (Mastering Risk Management) is all about.  There’s a view that if it isn’t a number, you can’t manage it. Numbers, even if they are spurious, give the comfort of certainty – dangerously so if they are spuriously accurate. Risk is not about risk management by numbers. It is about managing people and circumstances which are constantly changing and where judgements, even when based as far as possible on hard evidence, are necessarily subjective. That’s one argument for colours (or words) in certain risk reports, rather than apparently precise numbers. A picture tells a thousand words. In risk, a colour can tell a thousand numbers.

[i] Larry Fink’s Annual Letter to CEOs 2020: A Sense of Purpose. https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter

[ii] Ericson, R., Doyle, A. and Barry, D., Insurance as Governance (Toronto: Toronto University Press, 2003).

Taken from Mastering Risk Management by Tony Blunden and John Thirlwell, published with kind permission from Pearson Education. Readers of this blog are entitled to a 25% discount on Mastering Risk Management through the following URL: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317 Please use discount code MSTRSK-25
