SAN DIEGO – Cyber attacks – once again identified as a top critical business risk – are expected to be a source of emerging risks, but forecasting for all emerging risks could prove more challenging over the next three years, suggests a new report released Monday by Marsh and RIMS.
In all, 48% of risk professionals polled say forecasting critical business risks will be more difficult three years from now, while 26% say it will be the same, note Marsh and RIMS, which jointly issued the 13th Excellence in Risk Management report, Emerging Risks: Anticipating Threats and Opportunities Around the Corner, at the RIMS 2016 Annual Conference & Exhibition in San Diego.
The report is based on more than 700 responses to an online survey and a series of focus groups with risk executives conducted in January and February by insurance broker and risk advisor Marsh, a wholly owned subsidiary of Marsh & McLennan Companies, Inc., and RIMS, the risk management society.
The research found that transportation, manufacturing and financial institutions were the most likely to see forecasting becoming more difficult; communications, media and technology companies, public entities and education institutions were the most likely to see forecasting staying the same or becoming easier.
Adding to the challenge of almost half of respondents believing that forecasting risk will be tougher in the near term is the finding that risk professionals are increasingly being relied upon to identify and assess emerging risks. “We’ve all experienced this elevation of risk management at our institutions, but… as we are battling for budget, it becomes pretty easy for risk management to get pushed over to the side,” the report quotes an assistant vice president of risk management at a major university as saying.
“There remain organizational and other barriers to providing that critical view ‘around the corner,’” notes a joint statement from Marsh and RIMS.
“Whether emerging risks are on your doorstep, around the corner or on the far horizon, they have the potential to catch organizations unaware,” says Brian Elowe, Marsh’s U.S. client executive leader and report co-author. “It’s important for risk professionals to maintain awareness of global risk trends, and to make the connection to their organizations’ business strategy,” Elowe points out.
“The interconnected dynamics of geopolitics, technological advances, global economic integration, social instability, climate change and more mean that the manifestation of one risk is increasingly likely to influence others,” the report explains. “So when a known risk — hurricanes, for example — meets with an emerging risk such as rising tides, the outcome is not easy to predict. The combination may exacerbate volatility and create new vulnerabilities with the potential to significantly damage organizations that have not prepared for the convergence of the old and the emerging,” the report states. [click image below to enlarge]
That makes anticipating emerging risks all the more important, but adds the report, “this growing interconnectedness creates an environment where keeping up with evolving issues becomes more difficult. Therefore, success in risk management now often comes to organizations that develop a multidimensional approach to identifying and managing complex risks.”
Respondents cite barriers to understanding the impact of emerging risks on their business strategy and decisions, and the lack of cross-organization collaboration.
“Lack of collaboration across the organization is still an issue for many risk professionals. On the other hand, breaking down silos has become less of a concern for executives,” Carol Fox, vice president of strategic initiatives for RIMS and report co-author, says in the joint statement.
Tackling emerging risks must “encompass internal cross-functional conversations — formal and informal — around the intersection of risk and strategy, senior leadership engagement, and tapping into external information sources. Risk professionals are encouraged to broaden the scope and collaboration around emerging risk issues within their organizations,” Fox suggests.
Lack of collaboration across the organization has persistently proved a concern for risk professionals. “In fact, the needle has not moved in five years: For a similar question in 2011, 43% of risk professionals cited this as the main barrier to preventing a full understanding of the risk landscape — exactly the same percentage as in 2016,” the report states. “Among the C-suite, on the other hand, the percentage of respondents citing this as a barrier dropped from 41% in 2011 to 28% this year,” it adds.
There are some positives. A director of risk management for a global technology company reports she is “starting to see some of the silos breaking down, and seeing more risks being incorporated into everyday conversations. I see more people taking ownership for risk within their own groups, and then sharing across functions how they’re managing that risk, and then working collaboratively.”
Asked where critical risks are emerging from, the report offers three categories:
the here and now – critical, dynamic risks that are already a significant concern to the organization;
around the corner – risks that are one to three years away; and
on the horizon – complex and often broad threats and uncertainties that can have unexpected adverse effects on organizations.
Not surprisingly, cyber attacks once again are regarded as a top concern. Six in 10 respondents peg cyber attacks as the likely source of their organization’s next critical risk, followed by regulation at 58% and talent availability at 40%. [click image below to enlarge]
“How is it that an issue that has been a Top 10 risk in dozens of surveys over the past five-plus years is still viewed as emerging?” the report asks, answering that one reason is the nature of attacks continues to evolve. “Much of the attention around cyber risk now starts at the executive level, and thus commands attention. It has become apparent that to manage this risk at the enterprise level it cannot be delegated to the information technology (IT) group — every leader, indeed just about every employee, has a stake in managing cyber risk.” [click image below to enlarge]
“More can be done to better identify, assess and manage the impact emerging risks may have on organizations,” notes the joint statement, as illustrated by the research finding that 60% of respondents use claims-based reviews as one of the primary means to assess emerging risks compared to just 38% who use predictive analytics.
“The widespread use of claims-based reviews means that a majority of organizations are relying on studying past incidents to predict how emerging risks will behave rather than using predictive analytic techniques like stochastic modelling and game theory to help inform their decision-making,” Elowe says.
“Although there are clear benefits to reviewing claims, there are other tools available and likely more suited to assessing emerging risks,” the report points out, adding that predictive analytics “should be part of a comprehensive approach to evaluate critical emerging risks.” [click image below to enlarge]
But report authors also note that a clear hunger exists to develop better methods to identify, assess and quantify emerging risks. “Nearly three out of four respondents said their organization would benefit by improving the use of analytics to quantify emerging risks. But risk professionals question whether their organizations will finance the required tools and talent.”
The report offers several recommendations for how to be ready for the risks ahead, including the following:
foster broad collaboration around risk issues in the organization;
use a broad array of information sources to understand emerging risks;
push ahead on the use of data and analytics as a means to identify, assess and manage emerging risks;
seek external voices to challenge conventional thinking in the organization; and
pay attention to social media.
More coverage of RIMS 2016 Annual Conference & Exhibition in San Diego