14 April 2009

Published in: Risk governance, Insurance risk

What you don’t know can hurt you

Dave Ingram and Johann Meeke of Willis Re describe the sound practices needed to make emerging risks management work as a process for preparing for "unknown unknowns."

Benjamin Franklin said, "In this world nothing is certain but death and taxes." He could have added one more thing -- "change." A changing world has new and emerging risks and as every investor knows, "the past is not necessarily a guide to the future."

Many of the most serious problems that have beset firms have not been repeats of past issues but very new situations. Emerging risks is one description that is used to refer to these "unknown unknowns." It is simply not sufficient for an ERM programme to fully master the control of potential losses from the risks that are known to exist right now. Many would consider the current financial crisis to be the result of emerging risks that were not sufficiently anticipated. Emerging risks may be unknown, but their consequences are real and insurers need to actively prepare for them.

Management should be monitoring and controlling the known risks. Emerging risks management is concerned with the impact of completely new or extremely rare adverse events. These risks cannot be managed via a control process. Monitoring systems would not show any results. But there are ways that the best-practice firms address emerging risks.

Emerging risks may appear suddenly or slowly, are difficult to identify, and often represent a new idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is not proven. An example from the past is asbestos or silicone liabilities. Other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. The recent problems experienced by banks and other financial firms resulting from mortgage losses could be classified as emerging risks.

The O-ring problem was known about before disaster hit the US space shuttle Challenger in 1986 - just not known in a way that helped

For these risks, normal risk identification and monitoring will not work because the frequency is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on businesses and therefore cannot be excluded from a solid risk management program. Specific strategies and approaches must be implemented to cope with them properly.

Emerging risks can be unknown to the corporate body or merely unknown to the main decision takers. The O-ring problem was known about before disaster hit the US space shuttle Challenger in 1986 - just not known in a way that helped. When considering emerging risks, we need to consider communication to, and within, the corporate body. A good ERM approach should be able to handle both these aspects.

Emerging risks management will include a process of early warnings that will allow company management to anticipate disasters, however short the period of notice. Such a firm will have an inclusive approach to identifying and evaluating risk. This inclusiveness will encourage employees to express concerns openly, it will lead to the ability to learn from others' experiences and it will allow a constructive approach to intelligence-gathering of both hard and soft information. A firm with good emerging risks management would expect to perform thorough post-mortem analyses of problem situations and would feed the results of that analysis back into its on-going disaster-planning process.

While the best ERM programs will often have a comprehensive emerging risks process, that process is not well served by a routine checklist. A company with excellent extreme-event management practices will instil and sustain a decidedly non-routine, imaginative flavour into its process. This process will normally include:

• Searches of publicly available information on new risks
• Multi-disciplinary meetings to share knowledge across silos
• "Free thinking" workshops to explore the extremes of current knowledge
• An emphasis on logical "what if" thinking rather than emotional "that won't affect us"
• An emphasis on severity as, by definition, most emerging risks will be perceived as low probability - until they happen.
• Internal reporting that accepts that opinions can be as useful as facts

The following are examples of sound practices to manage emerging risks.

Identifying emerging risks

For insurance companies these risks can derive from such diverse issues as nanotechnology, major changes in the availability of capital, changing regulation and much more. Therefore, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important. To minimize the uncertainty surrounding these risks, firms should consistently gather all existing relevant information to amass preliminary evidence of emerging risks. This will allow management to reduce or limit growth of exposure as evidence becomes more certain. The early warning identification will consider proper analysis of publicly available information and also some form of scenario-planning workshops that will encourage employees (and other stakeholders as appropriate) to envisage the more outlandish threats.

Assess the significance of emerging risks

Companies need to assess the potential losses from the emerging risks to their business by looking at how customers, employees and suppliers would be affected by the materialization of the risk. They need to assess the potential financial impact, taking into account potential correlation with other risks to which the firm is exposed. The degree of concentration and correlation of the risks in a firm's portfolio are two important parameters to be considered. The risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company will not be relevant.

On the other hand, unexpected risk correlations should not be underestimated. Small individual exposures can coalesce into an extreme risk if underlying risks are strongly correlated. When developing extreme scenarios, some degree of imagination to think of unthinkable dependencies could be beneficial. The insurance industry has considerable data in certain risk areas (e.g. insurable risk) but struggles in other areas (e.g. operational risk). For the latter, the industrial sector tends to be quite advanced in scenario analysis as there has not been the same degree of application of the actuarial/probabilistic techniques well known in the insurance sector. Some of these uncertainty-modelling disciplines are increasingly relevant to the insurance sector.

Define appropriate responses

Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through insurance, through the financial markets for financial risks, through hedging programs, or through generally limiting activity. When these options are not available or management decides not to use them, it must be prepared to shoulder significant losses, which can strain a company's liquidity. Planning access to liquidity is a basic part of emerging risks management.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify the impact of the situation and calmly communicate it to stakeholders. It should also have a clear plan for keeping current with obligations to avoid reputation issues.

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company should identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls.

Key lessons

Emerging risks are not necessarily totally exotic. Major changes in everyday things can be emerging risks to many firms. The classic example is the impact of the PC on pen manufacturers. Another is the on-going changes to business caused by the internet. The resulting enhanced communications have brought down many of the distance barriers and have made the location of workers much less of an issue while creating new and unforeseen risks of data security and the recording in emails of casual conversations that can very easily be taken out of context in litigation.

Emerging risks may result in total failure of the company. The current financial crisis is one example that has already caused the demise of several significant banks.

The nature of emerging risks may be the cause of some speculation, but the effect of them can sometimes be all too real.

The need for a specific, inclusive and open-minded approach to managing emerging risks is paramount.

David Ingram, CERA, FRM, PRM, is Senior Vice President of Willis Re & Johann Meeke, BSc(Hons), C.Eng, M.I.Mech.E, is Executive Director, Enterprise Risk Management, Willis Analytics.

Back to top