Implementing an effective risk management framework within an organisation remains a key part of the corporate governance expectations in the revised UK Corporate Governance Code 2018.
However, the latest revision also introduces a new requirement to:
- Carry out a robust assessment of emerging risks as well as principal risks
- Explain in the annual report what procedures are in place to identify emerging risks
- Explain how these risks are being managed or mitigated
We look at how an organisation can identify emerging risks, and propose questions boards and their committees should raise to satisfy themselves that these are included in their risk approach.
Five questions on emerging risk for the board and its committees to consider
Deploying effective monitoring mechanisms
Organisations increasingly use Key Risk Indicators (KRIs) and other automated techniques such as analytics to identify emerging trends and increasing risk exposures so they can quickly manage downside risk and exploit upside risk to maximise opportunities ahead of their competitors.
These mechanisms depend on articulating tolerance levels for each metric, and triggering escalation procedures once a risk is out of tolerance. In addition, as more organisations start using continuous control monitoring and ‘real time’ risk reporting, it becomes much easier for the board and executive to be informed of existing or new risks.
Approaches that fall into this category are predominantly focused on external factors. To manage emerging risks here an organisation must regularly look outward to understand how environmental changes can create new risks or increase existing ones.
It must also consider the origin of emerging risks, and the external forces that can threaten its success. Once identified, these should be assessed and a timeframe agreed and monitored by a diverse range of stakeholders with different insights. Finally, monitoring mechanisms, such as KRIs and analytics, should be used, and regular reports escalated to oversight bodies.
Companies are increasingly sharing risk intelligence with industry partners, or using specialist advisors to deliver regular updates and intelligence to inform the emerging risk profile, and specialist risk scanning tools to monitor emerging risk indicators.
The current pace of change will mandate risk communities and ecosystem sharing. However, as the need for third-party partnerships grows, so too do the risks, and organisations need robust third-party risk management (TPRM) capabilities as part of their emerging risk approach.
The role of culture
A risk-aware culture that encourages proactive risk management behaviour is also vital to identifying emerging risks. This becomes particularly important in light of the revised 2018 Guidance on Board Effectiveness released by the FRC in July.
An organisation must consider the procedures necessary to identify, monitor and escalate emerging risks, and ensure individuals are aware of them. These requirements should be embedded into business as usual and become part of the organisation’s accepted behaviours, values and culture.