Dealing with New and Emerging Risks in an Ever Changing World

Paul J. SobelVice President/Chief Audit Executive

– Georgia-Pacific, LLCVice Chair – Professional

Development for The Institute of Internal Auditors

Presentation OutlineThe Changing WorldImpact of Emerging RisksEvolving Risk Assessment

ApproachDealing with Risks in a Dynamic

Business WorldSummary

2

The Changing World Global and organizational change Stressed financial structure and cash availability Bankruptcy and restructuring Fraud from many fronts Legislative imperatives and pressure Technological innovation Competition for market share Shareholders demanding increased accountability Client’s changing expectations Pressure/expectations from stakeholders and citizens Strategic alliances Mergers and acquisitions

3

Impact of Emerging RisksNew risks keep emergingRisk interdependencies are creating

almost unimaginable risk scenariosSpeed of change has rendered static,

annual risk assessments almost meaningless

There seems to be very little tolerance for ineffective risk management

4

Evolution of Risk Assessments In the 1980’s a formal risk assessment was

an uncommon, somewhat unsophisticated practice

In the 1990’s risk assessment became a “leading practice”◦ While it was more structured and sophisticated, it

still left many “blind spots” In the early 2000’s, annual risk assessments

were a standard practice◦ Some were updating risk assessments more

frequently◦ Still had “blind spot” issues

The financial crisis beginning in 2008 caused many to question the value of risk assessments

5

Risk Identification ApproachContinually scan the risk environment

◦ Check available public documents◦ Search for specialist publications

A lot of good stuff from outside the United States◦ Deeper knowledge sharing with competitors

Brainstorm previously unimaginable risk scenarios◦ Disciplined structured process

Embedded in strategic planning (60% of failures relate to strategic risks)

◦ Extensive consideration of interdependent risks◦ May need to bring in specialists (e.g., economists,

analysts, deal makers, regulatory experts)Consistently challenge the completeness and

veracity of all risk assumptions 6

Risk Assessment – The Past

Traditionally focused on Impact and Likelihood

Tends to be single point outcomes as opposed to range of outcomes

A good foundation, but is it robust enough in today’s business world?

LIKELIHOOD

IMPACT

Remote Possible Probable

High

Low

Medium

7

Other Risk Assessment FactorsVelocityReadinessCapacityControllabilityMonitorability InterdependenciesFrequency of occurrenceVolatilityMaturityDegree of confidence

8

Risk VelocityThis has become the risk assessment

“criteria du jour;” however, there are different types of velocity

Speed of onset◦ How quickly does the risk descend upon us?◦ Do we have much warning?

Speed of impact◦ Do we feel the effects right away, or does the pain

slowly increase?◦ Does it spread and impact us in other ways; e.g.

reputation?Speed of reaction

◦ Even if we see it coming, do we have the agility to timely react?

9

Risk ReadinessGiven that risk represents

uncertainty, how ready are we to deal with a risk event?

Focus is on an organization’s ability to:◦ Recognize the onset of the risk◦ Respond timely and effectively

Must also consider 3rd parties’ ability to respond timely and effectively

Risk readiness is really the response part of the risk velocity criteria 10

Risk CapacityDecisions regarding risk readiness

must consider an organization’s capacity to absorb or take on risk

First consider organization’s appetite and tolerance for the risk outcomes (before sustainability is impacted)◦ Resilience to consequences◦ Cost/pain to manage

Also consider recovery time – i.e., how long until the outcomes/effects are no longer felt

11

Controllability – Do we even have the ability to mitigate/control the risk?

Monitorability – Can we monitor:◦ Risk signposts to anticipate risk onset?◦ Risk impact to understand how much

we’re bleeding?Interdependencies with other

risks◦ Vulnerability to other risks being triggered◦ Correlation with other risks (Charles

Kindleberger)

Other Risk Characteristics

12

Frequency of Occurrence – Will a risk occurrence likely be a single event or will it occur multiple times?

Risk Volatility – Does the risk lend itself to an infrequent assessment (e.g., annually) or should it be re-assessed on a regular basis?

Risk Management Maturity – Is our risk management mature enough to trust our initial reaction to a risk event?

Degree of Confidence – How confident are we in our risk assessment judgments?

Other Risk Characteristics

13

How Do You Make Sense of all This Information?Mapping Multiple Dimensions Won’t

Work!

14

A Possible Approach?1. Start with traditional

impact/likelihood assessment2. Determine which Other Risk

Assessment Factors are relevant and meaningful

3. Assess whether those factors will significantly, moderately or negligibly affect:• How the risk is managed• How the risk is prioritized relative to

other risks• How the risk is monitored and reported 15

One ExampleRisk Impact Likelihood Factor A Factor B Priority

AAA High High 1BBB High Medium 2CCC Medium High 3DDD High Low 4EEE Medium Medium 5FFF Low High 6GGG Medium Low 7HHH Low Medium 8III Low Low 9

16

One ExampleRisk Impact Likelihood Factor A Factor B Priority

AAA High High 1BBB High Medium 3CCC Medium High 5DDD High Low 2EEE Medium Medium 4FFF Low High 6GGG Medium Low 8HHH Low Medium 7III Low Low 9

17

A Few CautionsDon’t make it too formulaic – it’s still

primarily about judgments!Never lose sight of the fact that risk

assessment must tie back to strategyPlan ahead for how you’ll respond to

significant risk events◦ Decisive decision vs. consensus building◦ Initial response may differ from long-term

response

18

Dealing with Risks in a Dynamic Business WorldNo one-size-fits-all or simple answersStarts with good risk information

◦ Identify risk events early◦ Initiate risk actions quickly◦ Monitor effectiveness of risk actions

Must have a good escalation process◦ Who needs what information and when?

Don’t just treat the symptoms; cure the disease

Be flexible to change; don’t become too attached to what worked in the past

19

In SummaryWe live in a dynamic, ever changing

business world◦ The speed of change will continue to increase◦ The impact of mistakes will become even greater

Identifying possible emerging risk scenarios will be critical to success◦ In particular, scenarios among interdependent risks

Risk assessment must consider criteria beyond Impact and Likelihood◦ But don’t make it too complex; it’s still about

judgmentsDealing with risk events requires a

structured and disciplined approach; an ad hoc, reactionary approach won’t cut it

20

QUESTIONS?

paul.sobel@gapac.com

21