Why even a best-practice risk assessment has not planned for novel risks
And how you can train your ability to identify novel risks – whether you do it as an individual for your family and friends or as a professional for your own business or for the one you take care of
Hope for the best – the anticipated risks
Do you remember the times when we watched series like Star Wars and Knight Rider, and movies like “Back to the Future”? We hoped to beam ourselves somewhere, but would not have expected that our colleague at work would suddenly appear in our living room – beamed through the walls from the place he lives. We were able to envision that action, but we did not expect it.
What happened over the last months of the global COVID-19 pandemic is often compared to the financial crisis in 2008, and in the same breath it is described as a “black swan” event. But is that true? Is it a black swan? Were these events completely unpredictable? No, especially when we trust the risk trend reports (for example The Global Risks Report 2020 by the World Economic Forum, http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf, and the reports from previous years).
Plan for the worst – the novel risk
We work with large corporates that have the strategic goal of implementing and running a best-in-class risk management and compliance system. And they really do well and are prepared for their most relevant risks. The identification, assessment, valuation, and management processes are well established and implemented.
Comparing external information such as a trend report with the actual risk landscape shows that some risks seem far off to the individual managers, and therefore those risks are not taken into further consideration. Also, in retrospect, we hardly see any client that had a pandemic risk included on its risk landscape in the past.
Such risks, which are far off and can hardly be envisioned, are called “novel risks”.
The known and anticipated risks are treated in the standard risk management process by being rated for the likelihood and impact that the specific risk has for the company. This never happens to novel risks.
There are different situations in which a novel risk can materialize:
Out of imagination: This happens if the corporate (or societal) experience is missing and therefore the risk cannot be identified.
In a perfect storm: Each single incident in isolation would be manageable, but not the accumulation of all of them together.
Enormous speed in scaling: The current COVID-19 situation could be categorized here, as we were already familiar with global viruses from past experience. The difference, however, is that the characteristics of CoV-2 differ from those of SARS.
Taking these three categories into consideration in the next risk assessment could already support adaptiveness and creativity – and hopefully address a risk that was not yet on the radar, in order to protect the assets.
The risk of biases
It is not new that we are all biased when it comes to risk identification, assessment, and management. Important signals are often overlooked because different biases are stronger than the necessary independent mindset and the risk intelligence needed for professional judgement. The biases of normalization and groupthink hinder us from seeing anomalies.
Stepping back and focusing on what is really needed – not only in crises but long before them, and especially during the process of risk assessment – is the human instinct. This strength would be the first step in identifying anomalies and the connected risk. But what if the next crucial step is missing?
Speak-up culture for risk identification
The speak-up culture is not only important when it comes to misbehaviour, fraud, or non-compliance but also, and especially, during the process of risk identification. Having the ability to identify anomalies by using the human instinct is not enough to protect the company. Establishing a speak-up culture to become aware of potential risks is one of the key elements in an Enterprise Risk Management System.
Encouraging and empowering the responsible employees – in this case also the risk owners – to bring up the anomalies they have identified could make a huge difference. In addition, the risks identified by external sources – as mentioned above – bring value too. A risk that exists in a specific industry will not necessarily remain confined to it just because it has never appeared in our industry so far. It could change rapidly.
Thinking in terms of the three categories above: are there any incidents not yet on the risk landscape that should be?