Words: Clive Thompson
Illustration: Frazer Hudson/Ikon
The challenge for risk managers today is to understand how organisations are being revolutionised and disrupted by technology and increasing integration, and consider what the risk professional must do to add value in the future. It’s never been more important that we act to shift the perceptions of the past, that risk management — like health and safety — is old-fashioned and a bit of a blocker.
There is one version of the future where risk managers work closely with their boards. In this future, risk controls are fully embedded in the front line, freeing risk functions to focus on strategic risk, mitigating emerging threats and optimising opportunities. They embrace technology and create networks that bring stakeholders together for a mature conversation on the uncertainties their businesses face. But another version of the future sees risk management as a back-office compliance function. It is remote from the board, has no leadership role and is, in the worst-case scenario, replaced by technology. The Institute for Risk Management’s (IRM) Risk Agenda 2025 is trying to identify what risk management might look like in 2025 and to steer the future of risk towards that first vision of the future (visit www.theirm.org/thebigdebate for more details).
Governance issues, regulation and cost have forced risk onto the agenda, especially in financial services, and the Institute has recently put in place a certificate to demonstrate to the outside world that there are such things as risk professionals. Trained risk professionals will understand that aspects of risk must be embraced and that risk shouldn’t be managed to the nth degree, but instead optimised. Ultimately, if you understand your risk and you have better risk management than your competitor then you are going to be more sustainable in the long term.
Early feedback on an industry survey we have been conducting for Risk Agenda 2025 shows that our members see some of the key risks in the long-term future as geophysical risk and climate change. But there are many other factors already impacting on the risk landscape.
Globalisation means there is greater integration of business activities. In this interconnected world, if you have a large earthquake in Taiwan where most of the semiconductor industry is located that will affect mobile phone production everywhere for the next six months or more. There is a global interface to the risk. The Tianjin explosion in China was a good example of this because you had a loss of stocks and supplies, which had been haphazardly stored and were central to the supply chain. It was a massive aggregation of risk in one place, and the impact was felt across industries from pharmaceuticals to oil and gas.
“Reputation, data and intellectual property can all be put at risk by the use of social media by the business and its employees, and when things go wrong, they can go wrong virally”
This is just one of the factors increasing the speed of risk — the rate at which risks can crystallise. We have a huge number of risks out there but it is up to the risk manager to identify which are going to crystallise. Social media is having a similar impact on risk velocity and is something risk managers need to be more aware of. You can see how rapidly problems can escalate from recent high-profile examples with BA, Volkswagen and United Airlines. Reputation, data and intellectual property can all be put at risk by the use of social media by the business and its employees, and when things go wrong, they can go wrong virally. Staff must be educated and media-management plans made in advance.
At the same time social media presents an opportunity because it allows us to gather more information more quickly. You could almost create your risk register in real time through all the people in your first line of defence who can actually see the risks as they occur. The rate technology is developing at is staggering. Before long we should be able to have a real-time dashboard of how much risk you’ve actually got. With the Internet of Things, everything is linked and you can easily provide real-time reporting and monitoring of risk as you look across and process information from the various inputs. It should be possible to see any particular item which isn’t performing as you would expect.
In the IRM’s Perspectives in the future of risk report, the Chair of UK manufacturing trade body, EEF, Judith Hackitt, says we must be forward-looking and work through scenario plans and that using the past as a predictor of the future is “old hat”. I would agree, with one caveat. I see data and analytics as the next frontier in how we can gain much more insight into risk. We can’t, for instance, look at past lost time accidents and simply use them as a predictor for lost time accidents in the future. But if we put interlocking data sets together, we can be much more accurate. This isn’t just looking back, but using data analytics and potentially artificial intelligence to deliver greater insight to identify, predict and mitigate risky situations.
In the finance sector we’re using data to allocate capital to risks. That could release an awful lot of capital and help optimise businesses. We are seeing it much more in insurance. Insurance is a way of really leveraging your capital, if used properly.
At some point the use of data and forecasting might become so accurate that the requirement for insurance becomes much less. If you can be much more accurate in your predictions, why do you need to pay for the insurance? I’m not saying that’s going to happen in the next 10 years, but you can see a time when forecasting becomes much more accurate because it has the ability to take much more of the risk landscape into account.
Technology undoubtedly presents opportunities, but a lot of risk professionals are saying that if we rely on AI too much we take the humanity out of looking at risk. Risk is a subjective thing. We try to restrict everything down to a probability or some other measure, but there is also a qualitative nature to it. Can AI give that qualitative view? That’s a debate we will need to have in the future. In the meantime the use of behavioural science and the understanding of risk culture are becoming much more important. We are talking more about integrity, ethics, tone at the top — all those aspects which require a qualitative view, and you don’t currently get that from a machine.
Ultimately, more people must be encouraged to understand more about risk within an organisation, including those at the front line. If we can foster a risk mentality throughout an organisation, that will allow more people to identify and act against threats earlier.
Based on an interview with Simon Lyle, Editorial Director at White Light Media
Clive Thompson has more than 30 years’ experience in the insurance and risk management sector and is Senior Projects Director at Willis Towers Watson. He has been a board member at the Institute of Risk Management since 2014 and is the Chair of its Risk Agenda 2025 project.