Contributor Insights: Building Trust Through ERM In an Uncertain World

Submitted by: Ernst & Young

Authors: Janoe Krzeminski, Ralph Vermeiren, & Will Weerts

Contributor Insights - Abstract: In light of the current crisis, adapting risk management to the changing environment and being resilient in the face of unpredictable, high-impact events means that the shift of the ERM function to a more agile, responsive, and reliable function must be reinforced and expedited. The foundation of this responsive outlook is built upon a thorough understanding and assessment of all types of risks and driven by a robust risk culture. By simultaneously addressing the strengthening of risk management and reinforcing risk culture, the next generation of ERM can be cemented in any organization and allow for genuine building of trust in this transformative age.

Uncovering the Unknown: Building trust through ERM in an uncertain world

The biggest challenge in decades

The global crisis caused by the COVID-19 virus has challenged humankind on a scale not seen in decades. Being an epidemiological calamity, it surpasses human-made boundaries and controls, and it directly affects the most valuable of human functions, our health. It has left countries scrambling to implement suitable response measures, forced large parts of the world economy into idleness, sent markets plummeting, and brought financial difficulty to many businesses. It has altered the daily life of everyone, and remarkably, it originated only a few months ago. As with so many profound crises before, a very obvious question immediately arose: could this situation have been foreseen, and how could we have prepared for such an event?

COVID-19 is a catalyst for change. Change as part of adjustments to the global spread of the virus; change as part of local regulation to counter and limit the impact of the health crisis; and change in the shape of ideas and concepts to adjust to the 'new normal' set by stringent government regulation and healthcare guidance. Most of the insights published by governments and companies focus on how they can tackle immediate threats and address the longer-term prospects (Van Dissel, 2020; Rijksoverheid, 2020). The objective of this paper is to examine the longer-term prospects of Enterprise Risk Management (ERM) in light of the current crisis.

Black Swan, Unknown Unknown, or Grey Rhino?

As the COVID-19 crisis has surprised so many, it is easy to presume that the current pandemic has not and could not have been foreseen. In a way, the pandemic represents a highly unlikely scenario, even though it is one with vast consequences and a global scope. This perspective reflects the thoughts of Nassim Nicholas Taleb who, in 2007, wrote a book in which he termed such occurrences "black swan" events (Taleb, 2007). It also resonates with a concept long present in engineering and project management.

Though popularized by US Secretary of Defense, Donald Rumsfeld, in the early 2000s, the term 'unknown unknowns' is used to indicate that the most challenging events are not those for which the impact remains uncertain, but the potential for failures yet to come in areas that no one is paying attention to (Rumsfeld, 2002).

"The most challenging events are not those for which the impact remains uncertain, but the potential for failures yet to come in areas that no one is paying attention to."

In other words, the event that the decision-maker does not imagine and therefore does not consider: a 'black swan' before it manifests itself (Feduzi & Runde, 2014). Whatever the angle on the unknown character of the event, risk is a major component of these ideas, as is the dependence on imaginative power. What is known to one actor may be unknown to another. A pivotal moment such as 9/11 might have been a 'black swan' for many around the world, but it certainly was not for United States security agencies (The 9/11 Commission Report, 2004). The question then arises whether the current situation can more likely be understood as having been predictable from the position of decision-makers, and whether action was not taken accordingly, or was taken insufficiently.

Different from 'black swan' events, predicted high-impact events have been dubbed 'grey rhinos' by Michele Wucker, who studied events with high probability and high impact that are nonetheless still systematically neglected (Wucker, 2016). So, has COVID-19 been predicted? In the media, philanthropists like Bill Gates and politicians like President Barack Obama are often cited as having had knowledgeable foresight (Obama, 2014; Gates, 2015).

Our preparedness

To understand the prediction of this crisis in business, we examined the risk management paragraph of fifteen AEX- and AMX-listed companies on the basis of available annual reports for 2019. This shows that two companies have listed COVID-19 directly as a risk, though their 2019 reports were published well into the crisis. By examining earlier reports of these two companies, we find that they have been listing pandemics as a strategic risk before. No other corporate in our population has listed a pandemic, infectious disease, or even a more generic major health crisis as a considerable threat to business.

This begs the question of whether a pandemic or similar high-impact risk is considered under a different name or perspective, for example a major incident, geopolitical developments, or other natural external causes. Thirteen companies have listed geopolitical developments as a major risk, eleven companies have acknowledged the possibility of climate or environmental risk, and many others have listed a major incident or other risk to business continuity. Our research shows that the majority of companies have covered 'unpredictable' high-impact risks one way or another.

This raises several questions. If these high-impact risks have been listed in published annual reports and therefore have been considered important, why have these assessments not led to an earlier response? Has the necessary connection between cause, risk, and effect been made to allow for an effective response definition? Were alternatives considered to avert, mitigate, or endure these high-impact events? We have found that three companies have considered the use of scenario assessment or planning. Does this imply that, apart from risk assessment and management, contingency planning is a tool to fill the gap in risk assessments, though one that is not frequently used? Within our research of fifteen annual reports, we have not yet made an in-depth analysis of the work surely done within corporations in the risk management context. Many questions relating to risk management have arisen from this crisis and warrant attention to better prepare for future events.

Risk Management in an ever-changing world

We believe that it is important to view the COVID-19 crisis in a broader perspective. The geopolitical order is shifting and adding uncertainty to the world. Unpredictable regional and state actors have an impact on world stability, and their influence widens (Sweijs & Pronk, 2020). Simultaneously, customer behavior and interaction are changing rapidly. Consumers are more concerned and vocal about accessibility, quality, and service, and more conscious about sustainability and inclusiveness, among other things (Rajagopal, Castaño, & Flores Villalba, 2016). Service and product delivery are changing equally quickly, supporting the ever-increasing customer demands for transparency, personalization, and accessibility (Rogers & Cosgrove, 2019). In the meantime, consideration for climate change and humankind's contribution to that change has increased (Meijs et al., 2020).

"If these high-impact risks have been listed in published annual reports and therefore have been considered important, why have these assessments not led to an earlier response?"

Against this dynamic background, businesses are managing evolving consumer expectations, new partnerships, dynamic ecosystems, changing industrial boundaries, disruptive business models, and new competitive domains (COSO, 2017). We are well underway in the transformative age, and all the while we recognize that organizations struggle to stay in control. Propelled by earlier financial reporting scandals, damages, and expanded regulation of management and corporate governance, especially since the financial crisis in 2008, Enterprise Risk Management (ERM) has been developed as a holistic approach to corporate risk management (Oliveira, Méxas, Meiriño, & Drumond, 2019).

Under the common notion of 'building trust, house in order,' corporations make an effort not only to address the obligatory element of risk management, fulfilling legal and regulatory requirements and control functions, but also to mobilize broader measures to instill trust with internal and external stakeholders. The Oxford dictionary defines trust as 'a firm belief in the reliability, truth, or ability of someone or something' (OED Online, 2020). Building trust by all available means requires integrating ERM into comprehensive approaches that bind security, risk, compliance, and privacy. Trust thus covers various perspectives, both as the enabler of interaction (IDC, 2020) and as an attribute of market dynamics (Edelman, 2020). While it covers a wide spectrum of attributes, ERM is a necessity in maintaining both capability and reliability, in other words, trust.

In retrospect, the onset of the COVID-19 crisis shows that ERM functions potentially have not been able to adequately identify, assess, and act upon this particular external risk. Even with the COSO framework containing ample guidance to effectively install and integrate the ERM function (Anderson & Frigo, 2020), our desktop research shows that connecting indicators, identification, assessment, and the ability to avert, mitigate, or endure high-impact risks in comprehensive risk management is not self-evident. The question lingers whether this has resulted in a lack of awareness of the risk, possibly qualifying the COVID-19 crisis as Wucker's 'grey rhino.'

It appears that existing ERM is not yet suitable to avert, mitigate, or endure 'grey rhinos,' let alone 'black swans.' It is not unlikely that other examples of 'black swans' will be missed and become 'grey rhinos' at future occurrences, as neither theory nor practice is delivering the desired value or confidence. Not planning for or adjusting to the scenarios that threaten business leaves a high level of vulnerability. Without conscious action or inaction on such a risk, the business is not only left with a vulnerability but vulnerability with unpredictable impact and direction. The question arises whether the ERM function still supports business objectives if it does not support the intelligence and decision making on these high-impact risks. Is ERM still adding value if it is not able to spot 'black swans,' 'grey rhinos,' or other high-impact events? Should ERM spot these unknown events at all, or should ERM build a process supporting the identification of these events? Should ERM be able to adjust to the rapidly accelerating developments in the business environment and at the same time be ready to cope with unpredictable high-impact events, such as COVID-19? If no, why not? And if yes, how?

Building change

When considering long-term developments, even without particular attention to the current pandemic, organizations need to change in order to cope with the rapid transformation of the environment, and ERM needs to adapt with it. Some of these adjustments have already been identified before the current crisis and are generic in nature; for example, moving towards an active strategic function, mobilizing opportunity and value-adding capabilities (Anderson & Frigo, 2020). The risk management function needs to move from its defensive role towards a more active and mobilizing role to better define and set the strategic course for the organization. This ties into the various types of risk, including downside risk, which impacts negatively; outside risk, that impacts negatively or positively beyond the control of the company; and upside risk, which offers benefit to the company by impacting positively. ERM should be moving away from downside risk avoidance to upside risk mobilization and optimization of strategic organizational goals. This entails being more adaptive and future-focused. Defining and understanding the long-term objectives, deliverables, and challenges for leadership are a prerequisite for even being able to start mobilizing upside risk. In short, this moves ERM from simply mitigating risk to marshaling new upside opportunities and adding value to boardroom decision making.

Much of the management language has been proposed to accompany ERM, though none of that matters if we do not address the issue currently laid bare by the COVID-19 crisis: the potential inability to identify and address 'grey rhinos' and other high-impact risks that have serious ramifications, or even the potential to topple a business.

Addressing root causes

From our research of the COVID-19 risk management response, we identify two root causes that have driven the current situation. First, risk management functions seem to be unable to process a 'grey rhino' event such as COVID-19; in other words, an identification or assessment issue. Second, even without regard for the effectiveness of risk assessment, the current organizational approach to risk, or risk culture, has not stimulated a sound connection between risk assessment, risk appetite, and risk management. We discuss risk assessment and risk culture more closely hereafter.

First of all, organizations need to better understand risks in order to make informed choices: either accepting, avoiding, transferring, or mitigating the implied impact with sufficient measures as part of a thoroughly understood risk appetite, or turning the risk into opportunities (Andersen & Sax, 2019). Although risk perception is a well-known theme in risk management, it is worth repeating its importance: one person may be oblivious to a threat that another person may uncover as a 'black swan' or 'grey rhino.' Likewise, one person may value a risk as acceptable that another person may consider of paramount importance. Risk perception can be understood from different viewpoints (Spencer, 2016). However, central to these perspectives is the subjective judgment of people regarding the characteristics and severity of a risk. It is important to be conscious of the limitations and pitfalls that are tied to this subjectivity (Hubbard, 2009).

A key element of this judgment is thus collecting, selecting, and interpreting signals of that risk; in other words, risk identification. Risk identification is the process of acquiring information about emerging events and their potential strategic implications, as stated by Andersen & Sax (2019).

They also underline that 'firms that acquire extensive information about the environment before making decisions are better equipped to identify viable alternative choices that are essential for strategic success and firm performance' (Andersen & Sax, 2019).

Understanding the environment, having knowledge of emerging events and high-impact risks is a necessary part of risk management, as 'executives can only act on those phenomena to which their attention is drawn.' Risk identification and risk assessment thus benefit from a more prominent position in the ERM cycle. This could mean moving away from the semi-annual, paper-based risk assessment to a dynamic and continuous in-depth scanning of the environment. Contingency preparation, risk modeling, red-teaming, or scenario planning can be strong tools to adjust weak points, build on resilience, and incorporate redundancy into the risk identification and assessment phase.

Leveraging technology

And as we have seen, part of the problem is not just having the right information, but having the right information, with the right interpretation, at the right time, with the right person. The ability to quickly process and interpret large amounts of data from multiple sources is key to achieving that goal. Leveraging state-of-the-art procedures and technology directly benefits ERM: being data-driven, technology-enabled, dynamically (real-time) monitored, agile, and responsive (Watson, 2018). To this end, predictive analytics and dynamic modeling are being applied within many organizations. By using solid parameters and reliable data, the relationships and choices of individuals and entities can be put into agent-based modeling, allowing for more effective and in-depth analysis to support decision making. Similar modeling and data-driven methodology are being applied to next-generation risk management. For example, the random sampling method, also known as Monte Carlo simulation, gives insights into sources of uncertainty (Liu, Li, Wu, Liu, & Zhang, 2018; Hubbard, 2009). The ability to apply the latest techniques and tools such as process mining, machine learning, and dynamic modeling allows tackling the challenge of having too much information and generating useful assessments, models, and scenario plans. By leveraging more readily available data and increased data-processing capabilities, boardroom decision making becomes backed by next-generation ERM that is built upon verifiable data and insightful modeling.

But a recalibration of risk identification and assessment also requires a broad risk perception: all variants of risks should be considered, including unpredictable or unlikely risks, known and unknown, 'grey rhino' or 'black swan.' First of all, this means fostering creative and imaginative thinking and being conscious of threats, trends, or events that might have been identified elsewhere. The fact that COVID-19 was part of the public sector thinking shows that cross-sector intelligence can be invaluable. Secondly, expanding our appreciation of risk from understanding the probability and impact of the risks associated with an organization to also include urgency, such as threat velocity, business vulnerability, and corporate readiness, further guides a better risk assessment.

"Part of the problem is not just having the right information, but having the right information, with the right interpretation, at the right time, with the right person."

Evolving Risk Culture

Besides adjusting the appreciation of risk assessment as a tool to identify and address 'grey rhinos' and other high-impact risks, risk culture is of great importance. Culture within an organization influences how it applies the risk management framework: how it identifies risk, what types of risk it accepts, and how it manages risk (The Institute of Risk Management, 2012; Anderson & Frigo, 2020). This potentially means the difference between identifying an unknown high-impact risk and not uncovering that same high-impact risk. As we have seen in our examination of the risk paragraph for fifteen corporates, the majority of companies have covered 'unpredictable' high-impact risks one way or another. But the existing risk culture has potentially not led to these companies effectively accepting or managing the risk involved in situations like a pandemic.

Risk culture works in two ways. First, having a healthy risk culture is critical in allowing the organization to find the fine balance between risk avoidance and risk acceptance to create long-term value. Secondly, it helps to embed the risk management function as an opportunity to seize competence, rather than just a compliance-driven initiative. Although the scope of this paper does not allow for a full discussion of opportunities to address risk culture, there are two findings from our research. First of all, leadership is a key driver in the establishment and adjustment of risk culture (Anderson & Frigo, 2020). With the so-called 'tone from the top,' organizations can adapt to a more agile and responsive Risk Management Function by strengthening their risk culture across all levels of the organization. In light of the current crisis, strong leadership means fostering creative thinking and inviting dissenting opinion in the Risk Management Function to uncover unknown high-impact risks to the company. Scenario planning and red-teaming can be supportive elements of this development. If this tone is publicly shared in annual reporting, it can further strengthen stakeholder and societal trust.

Secondly, the strengthening of risk culture can be supported by expediting the transformation from the traditionally formal and segregated function to an agile and comprehensive function. This means a shift of responsibility to the first line in a three-lines-of-defense model, as well as the incorporation of other related competencies into one common risk strategy. No longer should there be a standalone cyber strategy, enterprise resilience, and business continuity management, but rather an integrated and comprehensive risk management approach founded on building integrated trust. Our research has shown that building a comprehensive risk management approach is further strengthened by cross-sector insights, such as factoring in which global risks are identified by local, regional, or national public entities. With a comprehensive risk management approach, the governance of risk management within the organization is simplified, competence is focused, and decision making is unified.

Lessons for the future

The current COVID-19 crisis is a catalyst for change, set in the pre-existing dynamic of the rapid advancement of our geopolitical, societal, ecological, economic, and technological environment. It has underlined the fact that outside risks with a global impact can have fundamental consequences that must be addressed.

More than ever, with the right knowledge at hand, the risk management function enables business leadership to navigate risks and take the opportunities that arise. In order to facilitate the enhancement of ERM, we highlighted two opportunities for change: further emphasis on the development of a healthy risk culture, and simultaneous progress on thorough, data-driven identification and assessment of risk. A more responsive, robust ERM function allows for better tracing of emerging events and unpredictable high-impact risk, while contributing to much-needed trust in times of uncertainty and creating sustainable long-term value.