Risks are systemic when essential systems including financial, infrastructure, health, communication, and healthcare become dysfunctional. In the recent past, in addition to the COVID-19 pandemic, there have been multiple other health-related risks, including H1N1 and SARS, and other crises such as the financial crisis of 2008, which have demonstrated the ripple effect of risks.
Macroeconomic risks are perceived to be the most interconnected. This is perhaps because they are intertwined with multiple categories, including health, climate, and societal risks, which makes them disruptive. When these risks cascade across the complex, interdependent, and interconnected labyrinth of businesses, industries, economies, and nations, they expose governance failures and inefficiencies of risk frameworks and regulatory guidelines.
Given the range of damage that a systemic crisis can inflict, it is important to understand the primary characteristics of this risk and its far-reaching impact.
Some of the key traits of systemic risks are:
As the robustness of the risk framework is tested today, organizations are looking to rebuild processes, systems and frameworks to address the upcoming storm of growing uncertainties and their impact on business.
The globalization of supply chains, financial markets, and data networks has increased the likelihood of exposure to man-made as well as natural incidents. We have seen how cyberattacks have disrupted industries and caused huge economic losses.
Ian Goldin and Mike Mariathasan explain the reason through the concept of the Butterfly Defect. The concept draws on the premise that, as a result of increased connectivity and globalization across individuals, businesses, and governments, micro incidents across the spectrum aggregate and roll into systemic risk, which poses a real threat. Complex interdependencies of systems, processes, organizations, third parties, and nations, combined with a lack of transparency, inclusivity, and resilience, limit risk visibility.
Organizations that lack visibility into their internal as well as external business environment are often unaware of their exposures and are ill-prepared. The potency of such events in the current environment therefore becomes higher, leading to widespread disruption and incapacitation of economies.
The widespread instability triggered by systemic risks, like the pandemic, highlights the need to better identify, comprehend, and address uncertainties. In the recent past, businesses have been operating in an integrated and dynamic global environment without the necessary tools to generate aggregated and forward-looking insights.
Organizations have focused on the past and on historical data, and have limited foresight because risks and uncertainty are measured against existing “normal” benchmarks. Today, however, it is essential to delve into the concepts of risk and uncertainty to better understand the limitations of existing risk frameworks. While risk is quantified based on the probability of occurrence of an unfavorable event, uncertainty is characteristically unpredictable, as it stems from dynamic, inter-relational systems and the business environment. This key insight on uncertainty is not embedded in traditional risk processes and programs. The result is that organizations are unable to understand the interconnectedness between traditional risks and emerging risks, exposing them to “unknown-unknown” risks or uncertainties which cannot be foreseen.
The primary challenges of a systemic risk are related to its uncertainty coupled with the lack of or limited visibility of the true organizational risk posture. An integrated risk management program at its core builds a cohesive and unified risk framework across the organization. It provides contextualized insights which strengthen risk oversight and the ability to make business decisions.
Here are some of the key advantages of an integrated risk management program while preparing for systemic risks:
The success and strength of a risk program rests on its ability to streamline, structure, and correlate data. However, dispersed investments by organizations over the years to address specific risks or compliance mandates have not only increased the complexity of organizational data, but also led to disjointed risk insights.
Organizations need an integrated view of risks and risk alignment to performance objectives. This requires integrating existing risk data and risk measurement programs to provide a single enterprise-wide risk posture aligned to strategic objectives and core business initiatives.
Integrated risk management (IRM) enables organizations to develop an infrastructure which brings together unstructured and structured data available across the internal and external ecosystem. This framework serves as the single source of truth for all risk-related data, and helps decipher the interconnectedness of risks, regulations, issues, as well as audit results which guide business strategy and performance.
Events of systemic magnitude subject organizations to greater risk vulnerabilities and disruptions due to the rapidly evolving environment. To address this, business strategies need to be quickly redirected and modified, and business operations, investments, as well as structures need to be re-evaluated. Having a nimble, comprehensive, and coherent risk framework in such an environment becomes essential, as it enables organizations to efficiently and effectively assess, comprehend, and mitigate risks across the organization.
As the risk landscape becomes more complex and dynamic, organizations will require their risk and compliance taxonomies to be flexible across business functions while providing the ability to correlate each of the perspectives and aggregate them for reporting to any level of the multi-dimensional organizational hierarchy. By introducing governance structures, processes, and metrics, an integrated risk management framework and program helps in informed decision-making, with real-time insights. It helps drive agility in risk-based decision-making by offering one view of top risks, which helps ensure efficient risk mitigation actions.
The recent pandemic has shifted the focus of organizations from known risks to non-traditional risks including climate change, health hazards, data privacy threats, as well as geopolitical conflicts. While all these risks have been in the purview of most organizations, due to the low probability of their occurrence, they have been on the back burner. However, COVID-19-triggered global disruptions have pushed organizations to reassess their risk prioritization.
To address this, organizations will need to combine their internal risk information with external feeds from not only regulatory bodies, but also social media, geo/disaster probabilities, benchmark agencies, and dataset providers. This collective intelligence will then need to be evaluated in conjunction with business strategies. Organizations need to not only access this information but also understand how these risks impact specific business strategies, lines of activities, and “big bets”.
Going one step further, these collective insights can be leveraged to identify unknown trends and emerging risks. The availability of integrated and centralized repositories of risk data, as well as datasets and benchmarks, provides an organization with the opportunity to leverage AI- and ML-related analytics to recognize unknown risks. Risk response strategies can be devised based on this intelligence.
With a structured and streamlined cohesive risk framework, it becomes easier to adopt RPA tools for automating risk assessments or control monitoring.
Additionally, engaging with the front line through AI chatbots helps capture observations on risks and issues, which can then be triaged and analyzed for trends and patterns. These insights provide the much-needed view into new risks that are emerging, as well as the information to prepare proactive response plans.
Risks today are inherently complicated and need to be assessed across multiple dimensions to understand the systemic impact of an event. Predicting change can be challenging. However, identifying key pockets of uncertainty in business continuity planning can enable organizations to prepare for uncertainty.
The interconnectedness of businesses’ internal and external environment adds a layer of unpredictability and dynamism to risks today. To build resilience, organizations need to minimize the impact of an interconnected failure on core functions. With a comprehensive view of the dependencies of critical business services, resilience considerations can be embedded in the organization. Such visibility helps prepare organizations for the volatility of the impact generated by problems associated with “business-threatening events.”
The current crisis has made organizations alert to the interconnectedness of risks and how the smallest micro incident could hurtle into a systemic risk if unchecked. An integrated risk management approach powered by analytics and automation equips organizations with a clearer view of, and actionable insights into, existing and future risks and their impact on the business. Armed with this data, organizations can power through crises with agility and responsiveness, and with the ability to make risk-aware decisions proactively.