RIMS Executive Report

The Risk Perspective

Emerging Risks and Enterprise Risk Management

Editors
Soubhagya Parija
Walt Williams
Drew Zavatsky
Russell McGuire

Contributors
RIMS ERM Committee:
Pete Fahrenthold
Ryan Egerdahl
Grace Crickette
Jeffrey Vernor
John Hach
Rupak Mazumdar
Joseph Milan
Laurie Champion
Michael Phillipus

Carol Fox, Chair, RIMS Standards and Practices Committee


Mary Roth, RIMS Executive Director

Art Director
Joseph Zwielich

© 2010 Risk and Insurance Management Society, Inc. (RIMS) All rights reserved. www.RIMS.org
Background

Risk Management is a practice as old as mankind itself in its most fundamental objective of optimizing the outcome of risk-taking. Venturing out of the cave took courage and presumably a reasonable assessment of the risks and risk management options (I’ll leave the cave, you watch my back and be ready to run!). As in primitive times, the concepts of danger, safety, adventure, reward, predictability and stability are common in daily life and in risk management theory. Like people, organizations vary in their ability and willingness to take risks – and in their expectations regarding appropriate rewards associated with risk-taking behavior. As the complexity and pace of modern civilization has increased, the perceived value and sophistication of risk management has also evolved - not just in its use of formal tools of risk analysis, but also in terms of its importance to effective management of today’s organizations.

Enterprise Risk Management (ERM) has become a standard practice in most advanced organizations. ERM distinguishes itself from traditional risk management in several aspects, the most significant of which is that it considers risks from the enterprise perspective as opposed to focusing on risks that originate and are managed within functional silos or specific business units of an organization. Conceptually, ERM requires a mind shift to incorporate an entity-level view of risk, an understanding of risk management options and the use of consistently developed risk information to support decision making and management practices. The implicit idea is that ERM will help organizations focus on the most relevant risks to achieving an organization’s goals, both from an operational as well as a strategic perspective.

While ERM has yet to be universally accepted as an essential business discipline, ERM knowledge and experience have evolved to the point where there is a growing consensus regarding “best practices” and standards for excellence in the discipline. Generally accepted tools and resources, as well as internationally established standards, are available that can assist an organization to design and implement an ERM framework that fits well within each organization’s culture and management practices.

Unfortunately, many organizations tend to focus mainly on near-term risks without paying adequate attention to “emerging risks,” i.e., those issues that have not manifested themselves sufficiently to be managed using the tools commonly applied to more developed exposures. Emerging risks are those risks an organization has not yet recognized or those which are known to exist, but are not well understood. To quote Donald Rumsfeld, former US Secretary of Defense, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” An ERM program that does not address the potential challenges created by the existence and development of emerging risks will not meet its goal of protecting, and generating opportunity for, the organization.

It is in this context that a discussion on emerging risks is necessary to continue the evolution of this discipline, and to help practitioners and organizations achieve full value from their investment in ERM. The recent global financial crisis – which was identified early by some risk managers as an emerging risk – raised many serious questions, some of which focused on the effectiveness of risk management practices and, more specifically, ERM. Analysis of the root causes of the resulting recession is ongoing.

Do existing ERM frameworks and tools de-emphasize – or overlook – emerging risks?

• Might emerging risks be de-emphasized when organizations place their focus on internal and better-known issues?
• Might emerging risks be overlooked when organizations think of “external risk” primarily in the context of macro-level global issues?
• Might these emerging risks be overlooked because an organization’s existing ERM frameworks and tools do not identify the interconnectedness of various risk factors?

The answers to these questions can provide insight into common deficiencies in existing ERM frameworks and tools. There have been several papers written on emerging risks by thought-leaders such as the Society of Actuaries, PricewaterhouseCoopers, Ernst & Young and Lloyd’s that tend to focus on macro-level global issues such as global warming, energy supply disruption and nano-technology risks, etc. These issues are important and should be assessed for potential impact on an organization’s risk profile both today and in the future. However, other emerging risk issues that are closer to home (those resulting from industry/sector prospects and trends; customer and supplier issues; strategic plans; etc.) are also important to consider. And, from a practicing risk professional’s perspective, it is often challenging to establish credible links between the “big picture” global issues and the practical impact of these issues on the risk profile of any particular organization. Without credibility built on appropriate analysis of close-to-home risks, discussion of the macro issues and the “emerging risks” may have little actionable value.

This paper will outline how ERM can address emerging risks and will:
• describe the characteristics of emerging risks; and
• describe certain best practices for identifying and assessing emerging risks.

Characteristics of Emerging Risks

Most existing ERM frameworks prioritize risks in terms of their potential impact and the likelihood of occurrence. While this is an effective technique for assessing known risks, it is not always effective in addressing emerging risks. Emerging risks differ in several key characteristics which suggest the need for additional and complementary risk analysis tools and risk management techniques.

Characteristics of emerging risks commonly include:

• High level of uncertainty – Both frequency and potential impact of risks are difficult to assess. Typically, emerging risks are expected to be characterized by very low frequency (“not likely to happen soon”) and relatively high impact. However, emerging risks are sometimes present at low impact levels with the potential to grow – sometimes rapidly – to a more significant level of impact.
Example: Rapidly shifting demographic patterns
While it is known that worldwide demographic patterns (e.g. age, ethnicity, etc.) are evolving, the impact of these changes on any enterprise can be highly uncertain as very few statistical benchmarks may exist.

• Lack of consensus – There is a general lack of consensus both internally (within an organization) and externally (within the public at large) regarding the drivers, impacts and likelihood of an emerging risk event occurring. This seems logical, since by definition the risk is relatively new, unknown and/or changing in some new way. As quoted in the Survey of Emerging Risks published by the Society of Actuaries, “assessment of emerging risks ‘requires managers and modelers to think outside their comfort zone. Often there is no incentive for firms to contemplate risks that others are ignoring’. In fact, even when the management recognizes something is amiss, the market penalizes prudency at least in the short run and in these days of quarterly earnings announcements management continues to behave somewhat like lemmings.”
Example: Global financial meltdown
Even after seeing signs of recession, there was a lack of consensus regarding the inter-relations of various causal factors, or the speed of the expected decline. This lack of consensus made understanding and managing the emerging risk very challenging. Confusion over root causes of an emerging risk can also make management of the risk more difficult and may facilitate further similar losses – once again proving the adage that ‘those who do not learn from the past are destined to repeat it’.

• Uncertain relevance – Uncertainty over evolution of the risk is a hallmark of emerging risks. Little guidance is available for determining how emerging risks can be obstacles to (or accelerate) the achievement of objectives. Without being able to analyze the relevance and importance of emerging risks to a particular set of objectives, emerging risks may be perceived as too futuristic to matter for strategic planning purposes.
Example: Social media growth
Adoption of digital technologies is a trend that has been gaining traction among broad demographic groups for dissemination of information, where the speed of dissemination is almost more important than the accuracy or meaning of that data. An emerging risk inherent in this trend is that companies may become unable to properly communicate with current and future customers. Without understanding or factoring in the degree of relevance and importance of this emerging risk on an organization’s decision making and the achievement of its objectives, ignoring the trend of adopting new communication modes could prove detrimental to the company. On the other hand, if this emerging uncertainty is included in the organization’s strategic planning, the emerging risk could become an opportunity for growth.

• Difficult to communicate – It can be difficult to develop understanding about an emerging risk. There is a real possibility of an emerging risk being perceived as so unlikely to occur that it does not warrant attention (“it can’t happen here” syndrome), or is relegated to a “watch list” as a type of phantom risk that has little bearing on existing circumstances. This makes communication to senior management difficult, particularly using traditional risk management tools with their focus on silos.
Example: 9/11
Prior to the attack on 9/11, few resources were allocated to terrorism preparedness. However, after 9/11, terrorism became a top boardroom agenda item, and massive funding has been assigned to identify and respond to terrorist threats within the U.S.A. and elsewhere. While the concept of terrorism was widely known prior to September 11, 2001, the perceived possibility of a significant terrorist event within the U.S.A. was not enough to allocate adequate time, attention and other resources to prepare for it. This was an emerging risk that was largely ignored until a significant event actually occurred. The prior attack on the World Trade Center in 1993, and the increasing negativity towards the policies of that time were, in hindsight, evidence of the emerging risk.
This example underscores the difficulties in communicating the importance of risks that have not been experienced yet. The majority of risk management resources tend to be focused on current operational, financial and compliance risks. Less tangible (or already accepted) strategic risks and Taleb’s “black swan” types of low-probability risks are often under-resourced.

• Difficult to assign ownership – Emerging risks often defy easy categorization with known and accepted risks, and as a result it can be difficult to assign and/or encourage ownership of an emerging risk. Understanding and managing emerging risks often requires an interdisciplinary approach.
Example: Global warming
No one person or workgroup can sufficiently “own” this risk, as the increasing volatility of climate conditions can significantly impact personnel, shareholders, business resources, insurance markets and legal and regulatory demands. In addition, the timeline for the progression of climate change is widely unpredictable.

• Systemic or “business practice” issues – Some emerging risks can be embedded in long accepted practices, but may not be fully understood or appreciated until triggered by some external or internal change.
Example: Bundling subprime mortgages into securities
The complexity of these instruments made accurate assessment of their inherent risk very difficult. The risks became widely understood only after many of the underlying mortgages began to fail.

Why emphasize emerging risk management?

Organizations do not intend to fail. As Alan Lakein put it, “failing to plan is planning to fail.” This rather obvious statement provides the motivation for addressing emerging risks: as organizations gain a greater understanding of risk management, and attain more advanced competencies to manage risk, they have also developed processes, models and controls to give assurances that dramatic volatility in expected results can be avoided. While these risk management practices have proven to be useful, it is often the unexpected risk or a little understood interaction of some key risk factors that cause even the most risk-intelligent organizations to fail.

For example, the increased complexity and pace within the macro business environment creates additional risks which may not always be well understood by an individual organization, sector or market. As finances, supply chains and business processes have become increasingly intertwined and time-sensitive, it has become more critical to understand these interdependencies and the risks associated with them. These relationships bring operational benefits, but may also expose the organization to risks which manifest themselves in ways that were not previously considered. This was evident in the recent financial crisis as many companies failed – even though they had devoted substantial resources to quantifying and modeling the risks that were judged to present the most imminent threat. In some cases, the over-reliance on these models or their embedded assumptions actually provided a false sense of security that made companies like Lehman Brothers more vulnerable to emerging risks. Most importantly, as noted in the RIMS Executive Report entitled The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, the failure to use ERM to keep senior management informed on both risk-taking and risk-avoiding decisions ultimately created an even more uncertain environment.

The challenge for risk managers lies in uncovering these emerging risks, bringing resources to bear to address these risks, and building resiliency and sustainability for events that cannot be predicted through the usual historical analysis and risk models. Given that competitive advantage lies in addressing issues in a nimble and efficient manner, enterprise risk managers can add value to organizations by helping them communicate risk issues and allocate resources appropriately, and by turning emerging risks into opportunities.

By having a constant and robust discipline of scanning the internal and external environment for emerging trends, companies can formulate more effective strategies and build plans to execute those strategies while managing the underlying risks. Organizations that effectively manage these emerging risks can successfully outlast and outgrow their competition.

Emerging Risk - Organized Crime and Data Incursions

Data incursions have existed since the deployment of computer systems. Initially, many of these incursions were accidental, or carried out by inquisitive but not always malevolent computer “geeks.” However, with the increasing recognition of the value of personal data and the potential to use this data to obtain money, goods or even for money-laundering, organized crime has rapidly evolved as a primary driver of data incursions. Stolen personal data can be bought through multiple sources including some on-line auction sites (although not the usual freely-accessible public auction sites), and nearly one-third of the data on these underground sites is personal credit card details.

The organized crime approach has led to an explosion in the theft of personal data records with over 280,000,000 records stolen in 2008 compared to 230,000,000 records stolen between 2004 and 2007. In other words, 25% more records were stolen in 2008 than the total stolen for the prior 4 years! The causes of the attacks to gain access to this data have shifted dramatically, with 90% of breaches in 2008 involving organized crime. For a chronological view of reported data breaches visit http://www.privacyrights.org/ar/ChronDataBreaches.htm.

Best Practices in Identifying and Assessing Emerging Risks

Enterprise Risk Management best practices, with regard to identifying and quantifying emerging risks, continue to evolve, and will do so for quite some time. While no clear best practice standard has been identified to recognize and mitigate emerging risks, various tools and processes provide greater insight for evaluating such risks.

• Conduct emerging risk reviews – Organizations should establish a formal, documented process for identifying, assessing and periodically reviewing emerging risks. This process should involve the members of the management team responsible for the achievement of strategic goals, and should occur with sufficient frequency to ensure that the review of the risk environment is reasonably current. In addition, the review process should incorporate features that allow for immediate communication of new information about risk as it is discovered.
• Integrate emerging risk review into the strategic planning process – Emerging risks may be more distant and more strategic in nature, and therefore aligned with the organization’s strategic planning process. Conducting risk reviews in concert with the strategic planning process will help enforce a disciplined approach regarding the relevance, importance and effect of uncertainties on organizational objectives and improve management’s decision-making process.
• Identify all assumptions and carry out disciplined assumption testing – Establishing a disciplined approach to testing assumptions and beliefs in existing business models will help organizations avoid natural tendencies to prioritize known risks (those for which there is historical precedent and information) over emerging risks which may not be perceived as serious in the short term. The disciplined approach should include establishment of early warning signals to track the development of the emerging risks over time. For example, banks may not have taken on so much risk if they had tested their assumptions about the continuous rise in housing prices, particularly when there were signs of rising unemployment and an extraordinarily high level of leverage in the financial industry.
• Challenge conventional thought processes and expectations – Testing the potential impact of an emerging risk against the organization’s business model requires an assumption as to how the risk will manifest itself in terms of visibility and impact. As emerging risks are often the result of the continual evolution of the business environment, an emerging risk may manifest itself in a manner that differs from the conventional expectation. The analysis of an emerging risk should extend beyond what seems to be the most logical development path for that exposure and also consider other development paths that are possible given the characteristics of the risk, even if they seem extremely remote.
• Apply new and developing methodologies to better understand and predict risk – One example is how the Bayesian Belief Networks are helping to drive the estimation of risk where previous tools failed to provide a defensible approach to developing realistic risk assessment values (e.g. probability and impact). The Bayesian Belief Networks can help capture and calculate the interconnectedness of different risk factors, along with the composite impact of these risk factors which may differ significantly from their individual impact. Also, use of simulations and scenario analysis to further develop emerging risk scenarios and “what if” analyses can help organizations understand the implications of potential emerging risk events.

Approaching Emerging Risks

Practitioners should balance focus on relevant macro-level trends with important micro-level organizational or industry issues that may be developing. This requires additional tools and techniques that are part of their existing risk management toolkit, though possibly in new applications where traditional approaches to risk identification and assessment may not work. Organizations are complex adaptive systems and many risks that may be measured in a traditional sense are often symptoms of more deeply rooted and less understood emerging risks.

Misplaced confidence regarding the understanding of risks through historical/statistical analysis can lead to a false understanding of the complex interplay of risk factors within the system. The key is to understand, articulate and manage risk within the risk appetite of the organization over a longer time horizon. This longer horizon not only considers known risks but the impact of emerging risks on the strategic objectives of the organization.

About the Risk and Insurance Management Society, Inc.
The Risk and Insurance Management Society, Inc. (RIMS) is a
not-for-profit organization dedicated to advancing the practice of
risk management. Founded in 1950, RIMS represents some 4,000
industrial, service, nonprofit, charitable and government entities. The
Society serves more than 10,000 risk management professionals
around the world.

About the ERM Center of Excellence


RIMS ERM Center of Excellence is the risk professional’s source for
news, tools and peer-to-peer networking on everything related to
Enterprise Risk Management. Whether you are initiating an ERM
program within your organization, in the implementation phase or
streamlining processes, in RIMS ERM Center of Excellence you will gain
access to the key information and connect with the risk practitioners
that will put you on the road to ERM success.

To find more information on RIMS programs and services, to enroll in membership or access RIMS ERM Center of Excellence, visit www.RIMS.org and www.RIMS.org/ERM.

RIMS
1065 Avenue of the Americas
13th Floor
New York, NY 10018
Tel: 212-286-9292
email: [email protected]
www.RIMS.org

The information contained in this paper is based on sources believed to be reliable, but we make no representations or warranties, expressed or implied, regarding its accuracy. This publication provides a general overview of subjects covered and is not intended to be taken as advice regarding any individual situation. Individuals should consult their advisors regarding specific risk management issues.
