The real risks that businesses should be identifying

In the next instalment of our ‘Covid-19: Our response’ series, we spoke to Dr Ann Parchment, Deputy Head of Strategy and International Business, who believes that traditional risk management thinking is inadequate for the current crisis, and indeed possible future crises.

For years businesses have concentrated on identifying generic risk, which excludes cross-disciplinary risk or multiple interconnected risks. Business leaders have leant on historical data as an indicator of the size and probability of a possible event, however they now face a combination of diverse risks which are of a magnitude not seen before. Global warming, pandemics such as Covid-19, and so on.

Typical thinking

Historically, focus has been on quantifying risk, but not on the integrated behaviour of risk. The influence of Enterprise Risk Management (ERM) proposed by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) has meant that we focus on making sure we can demonstrate:
• Governance and Culture
• Strategy and Objective Setting
• Performance
• Review and Revision
• Information, Communication and Reporting

We believe this has detracted leaders from the full identification of risks. From the 20 principles that COSO propose, only four are important to understand risk identification:
• The identification of risk
• Prioritization of severity
• Implementation of risk response
• Developing a portfolio view

Where are businesses going wrong?

Leaders may identify the top 10 risks in terms of size, ignoring the potential of other initially low probability risks whose impact changes from week to week, such as Covid-19. Consequently, these lesser priority risks – based on historical size – may have an interconnected behaviour which could result in a catastrophic outcome.

“Leaders should not ONLY focus on the number, size or probability but ALSO on the thorough identification of multiple areas of uncertainty, hazards and risk.” Dr Ann Parchment

The 5 areas of risk that should be identified

Drawing on our extensive research, we believe that leaders should consider looking at their operations from five dimensions:

Generic Risk – the current method of generic silo identification e.g. health and safety, environment, legal etc
Interface Risk – Risks that occur at the interface of processes or operations
Causation Risk – commonly called a chain of causation or cascade where one Risk triggers another Risk
Accumulation Risk – Where several disparate Risks occur within a very short period of time
Emerging Risk – Truly new risks not just previously identified risk types which occur in new areas.

As seen through the current Covid-19 pandemic, leaders need to focus on different risk factors as they change week to week, e.g. supply chain risk and customer demand risk. They need to develop a team that can identify these types of risks earlier in the risk management activity.

“Firms that don’t take risk identification seriously, may face challenges or even liquidation due to poor risk identification processes.” Dr Ann Parchment

The five dimensions above reflect the complexity of the ‘real world’ and facilitates a cross disciplinary approach to the holistic identification of all risks which is auditable. Leaders who embrace risk identification from the start will be able to provide a more comprehensive understanding of their firm’s risk portfolio.

With thanks to Dr Ann Parchment, Deputy Head of  the Department of Strategy and International Business.