Back to Blog

Emerging Risks: “Tell me what I don’t know”

Posted by Chris Mandel on April 19, 2016 at 10:47 AM

A CEO I once worked for used to say quite regularly, “tell me what I don’t know.” His view was he could read the Wall Street Journal or any number of other typical sources of intelligence and information about running organizations, just like me as his senior risk leader. What he was most concerned about, as are most CEOs, board members and other key risk stakeholders, were the things once described by Donald Rumsfeld in 2002 (Secretary of Defense from 2001 to 2006) right after 911. That is:

            “There are known knowns. These are things that we know that we know. There are known unknowns. That is to say, there are things we know we don’t know, but there are also unknown unknowns. These are things we don’t know we don’t know.”

For many, myself included, this was a bit of a mind-bender. Yet the essence of his ruminating is really quite simple. He’s alluding to emerging risks, those things that are by one definition, articulated as:

            “Those issues that have not manifested themselves sufficiently to be managed using the tools commonly applied to more developed exposures. They are “those risks an organization has not yet recognized or those which are known to exist, but are not well understood.”1

For leaders of all kinds, but especially for risk leaders, this area of the discipline is a black hole of possibilities, about which it is rarely immediately clear whether or not they require attention, let alone well-defined action. Some view these risks as “black swans” which by definition are things which didn’t exist, until they were discovered to exist. The unknown unknowns. But it is important not to ignore those risks we have some information and perhaps understanding about, even if they are remote or highly unlikely. This is true because they are often very destructive.

To understand these risks, let’s look at their common characteristics. First and logically, they are highly uncertain. As mentioned, their frequency is low but their impact is often very significant. They also have the potential to change quickly, even metastasize. They are risks that are difficult to drive a consensus about among subject matter experts. Because they may be completely unknown, they are typically not on anyone’s radar. Their qualitative characteristics are fuzzy at best. The ability to quantify them is usually non-existent. The relevance to the business, its strategy and objectives is also typically unclear at best. Most observers would say they are too futuristic to matter.

These risks are also hard to communicate. Because they are perceived as unlikely, possibly even irrelevant, they are viewed as deserving none of the limited time most executives have to address anything but the most pressing issues. Even so they may be embedded in existing practices and procedures, thus right in front of many, but not recognized as a serious threat to success. Finally and not surprisingly, these risks are difficult to find owners for, since accountability for addressing raises personal risks. Acting on these often complex exposures, implies redirecting time, resources and even priorities and thus can be expected to be met with substantial resistance.

In this increasingly VUCA (volatile, uncertain, complex and ambiguous) world we operate in, we are required to be better at anticipating, adapting, maneuvering, preparing for, and responding to even (and especially) these unlikely but value-destroying risks that simply should not be ignored.

So what should risk leaders do in order to get ahead of emerging risks? Well here’s a simple four step plan for moving forward.

  • Build an emerging risk strategy and process into your overall risk management strategy
  • Enhance your risk identification process to include low probability, high severity possibilities as they relate to strategic goals and objectives
  • Assess risk interconnectedness of these compared to other identified risks in order to understand how they relate to and possibly exacerbate other key risks
  • Answer the key questions for these risks regarding their: importance; relevance; likelihood; impact; immediacy; and necessary response

Enhance your risk monitoring and reporting processes to include specific key risk indicators tied directly to key performance indicators.

You may feel you don’t have the time or resources to take on these tasks, but I think we can agree that you don’t want to be left flat-footed when your CEO asks “tell me what I don’t know.”

1 Source: Risk Management Society