Predicting risks without the drama

About 18 months ago I was fortunate enough to attend an excellent risk management workshop. The content was well chosen and the variety of financial services companies represented ensured that a wide range of views and perspectives were aired by the attendees.

By mid-afternoon we had worked through various quantitative and qualititative techniques for measuring and managing risk, and I'd gained a good deal of benefit from hearing others talk about how they control similar risks to the ones I encounter each day.

We had almost worked through the agenda, when I asked what I assumed was an obvious question, but one that had not come up yet. "How do you identify and track early stage risks?" After a few minutes of discussion it was clear that no one in the room did this. There was an understandably strong focus on managing current risks, but identifying emerging ones did not seem to feature in anyone's job, apart from mine.

This seemed irrational. I accept that some risks come out of the blue, with no warning or obvious history, but I suspect that most do not. Indeed, other attendees agreed that some of the key issues occupying much of their day had been around in one form or another long before the risk management functions owned them.

When I returned to the office the next day, a colleague asked me if I had got anything out of the workshop? "Yes." I replied. "I'm starting to think that companies use their risk managers as either a Nostradamus or a Drama Queen."

A Nostradamus approach means you acknowledge that you cannot prevent things happening, but try to spot and understand them early. You use the time this gives you to work with colleagues to understand the issues as they develop. If you can, you avoid the problem. If not you have the time and knowledge to help your company to reduce the negative impact on the business.

Drama Queens are not tasked with actively scouting the external environment for early stage, potential risks. Instead, they have to wait until something bad has either happened or is imminent, and then run around doing their best to understand and deal with it.

OK, all of us risk managers do the Drama Queen bit. We cannot help it, not because of an over-developed sense of the melodramatic, but because commercial life is complex and sometimes serves up the unexpected and unpalatable at short notice. It is then our job to quickly make sense of and manage these with colleagues - to find the best possible solution for our companies.

However, it is equally true that many risks do not drop through the company letterbox without warning. In our risk management team we now have four years of experience in identifying and tracking these slow burners. The benefits have been to reduce the negative impact and cost to the company of various risks, avoid some entirely and turn others to our commercial advantage.

Surely this must be complex? Not really, but it does take some effort to get off the ground and perhaps the following remarks will help those for whom scanning the external environment for risks is new.

Why scan for early stage risks?
The answer has already been touched upon and the potential benefits are obvious. More time to understand an issue means more preparation time and should give the company a better result. The alternatives, corporate ignorance and panic, don't find many advocates in the business world as factors typical of successful businesses.

What do you look for?
The easy answer is those issues most likely to affect your business. But what are they? If we assume that you manage company-wide risk, why not ask those colleagues in other functions two questions. First, what external issues have been of the most concern to their department in the past few years (experience in their previous firms may be equally enlightening) and why? Second, what external issues are they most concerned about today and why? If the answers are as you expected, you are already on the right track. If not, you've just been pointed in the right direction.

Where do you look?
Why not ask the colleagues who have just told you about their concerns? If you wanted to find information on this, where would you look? Who else within the company do you think knows about this? We probably all forget just how much knowledge sits within our own firms.

Who should look?
In many cases the risk manager will be able to do this effectively. There will also be a benefit as the company-wide perspective that he/she has will help give a wider view of the potential impact of an early stage risk. However, some issues are best tracked by those with specialist knowledge. We had an example of this a few months ago, when the government issued a consultation paper on a technical legal issue.

I read it, realised it needed the input of an expert, and so passed it to a lawyer-colleague. He assessed the risk to the company and is now tracking the consultation paper's development.

Do issues need continual tracking?
Yes, normally. Some take a long time to develop, an extreme example being the Solvency 2 Directive, which may have a host of effects on the insurance sector across Europe. We have been tracking it for over two years already and expect to continue this work at least until it is implemented, probably in 2010.

Once factors are identified and tracked, what happens?
Information is only useful if it's interpreted and used. We have developed formal and informal ways of doing this, including the establishment of a multi-disciplinary committee, tasked with understanding and communicating to colleagues on early-stage risks.

Is it worth the effort?
This depends on the company. If the belief is that no risk factors of any note develop outside of the company over time, then the 'wait until it's upon us' drama queen method of risk management speaks for itself. However, the Nostradamus method comes into its own for those risks that don't arrive fully formed, with no notice, at your company's door. IT

Keith Martin is deputy head of business risks and controls at Cardif Pinnacle