Proactive risk management: Anticipate rather than react
by: By Tom Teixeira, Emily Channon and Marcus Beard, Arthur D. Little
Adopting proactive risk management allows organizations to identify emerging risks early, determine how to prioritize them, and respond to them quickly and effectively. It goes a step further than traditional enterprise risk management (ERM), which may not be enough for companies to adapt to emerging risks in time.
|Integrating proactive risk management involves moving from a reactive to an anticipatory approach. We have identified three key aspects that are integral to this practice.
Once potential risks have been identified, they can be monitored using KRIs, which provide leadership with a real-time health assessment of the organization. These contrast to key performance indicators (KPIs), which are traditional, well-established lagging indicators that provide situational awareness after a risk event has occurred. It is ideal to employ both leading and lagging indicators to support timely intervention. When the threshold is exceeded, an alert can indicate that the probability of a loss has risen considerably.
How can emerging risks be gauged when there is no supporting data? A helpful metric here is risk velocity, i.e., how quickly an organization will feel the impact of a risk event. High-velocity emerging risks should be given high priority.
For such risks, a “knowledge base – control effectiveness” map (see figure) provides an effective reporting tool, as emerging risks can be put in context by relating them to risks with which leadership is familiar. Where velocity is indicated by the size of the marker on the map, it is easy to identify which emerging risks require the highest priority for oversight.
Essential to successful risk management today is understanding the varying requirements for different categories or phases of risks. Static risks are positioned in the bottom-left quadrant of the map and can be effectively monitored by the risk function.
Conversely, high-velocity emerging risks, which are poorly understood and have no controls, should be managed through executive oversight and a disruptive management team. The result should be that as both understanding and control effectiveness grow, the risk migrates to the bottom-left quadrant. At this point the responsibility of oversight shifts to the risk function.
Adaptive response is the ability of an organization to manage different phases of risk through the most appropriate approach, balancing traditional and proactive methods. The output is achieved through breaking a project into numerous small sub-projects known as “sprints”. Regular meetings are held for progress updates and to ensure the optimal approach. This means the end goal is agreed at the project outset.
For organizations to respond effectively to risk within the current evolving risk landscape, a “sixth sense” must be engaged and a proactive approach employed. We have discussed three key aspects of this. A combination of proactive risk practices alongside traditional ERM methods can aid executives in preparing their organizations for the unforeseen.