Entities must implement arrangements for identifying, managing and escalating emerging risks.
Information Sheets
This information sheet is intended to assist Commonwealth officials at all levels to understand:
- The nature of emerging risks
- The benefits of effectively managing emerging risks
- Different approaches to identifying emerging risks
- Practical steps for managing emerging risks, and
- Practical steps for escalating and communicating emerging risks.
Emerging risks are newly developing or evolving risks on the horizon that can affect the achievement of an organisation’s strategic objectives. It may be difficult to fully articulate or assess their likelihood or consequence, given they are newly developing and may not yet have a track record to analyse. Identifying, communicating and managing emerging risks is crucial in order for an organisation to achieve its strategic objectives.
After an emerging risk has been identified, it is important that it is effectively escalated and communicated throughout the organisation. In conjunction with this escalation process, appropriate and considered mitigation activities may be planned and implemented that are commensurate with the materiality and proximity of the risk and the entity’s risk appetite and priorities.
Emerging risks can be conditions, situations or trends that may be observed in the wider community or internally. They may be complex in nature and can be rapidly changing or evolving. Due to the inherent level of uncertainty associated with emerging risks, they can be hard to anticipate and even more difficult to measure. They should be supported by indications and reasonable information that justifies the emerging risks as being material and needing further assessment.
What makes a risk an “emerging” risk can be related to a series of factors, including:
- Novelty – it is not a risk previously considered or expected
- Source – change and disruption in the external environment creates new sources of risk not previously considered
- Uncertainty – there is a greater degree of uncertainty associated with them
- Timing – the risk would materialise beyond the immediate strategic risk horizon.
As a result, emerging risks tend to:
Examples of emerging risks include the following:
- An increase in extreme weather events.
- A potential change in regulations and legislation.
- The emergence of new technologies.
It is important for an entity to pay attention to global trends and Key Risk Indicators (KRIs). This forward-thinking mindset helps prepare decision-makers for emerging risks that may threaten the achievement of strategic objectives. There are a number of mechanisms that can be used in order to identify emerging risks:
Figure 1: Mechanisms for Identifying Emerging Risks
- Horizon Scanning/Risk Sensing: This involves examining all of the information and data available to detect any early indicators of an emerging risk in your entity’s operating environment. This works towards enhancing your situational awareness and supports your understanding of your internal and external operating environments. Some of the methodologies involved in risk sensing include:
  - SWOT analysis: This is a methodical examination of Strengths, Weaknesses, Opportunities and Threats. It is a useful approach for identifying any external or internal trends and factors that give rise to risk.
  - PESTLEE analysis: This stands for Political, Economic, Social, Technological, Environmental and Ethical. This provides a useful framework to guide thinking in identifying risks that are on the horizon, by providing consistent categories to consider these risks. This analysis should enable entities to understand the events that could occur or are occurring in their external context that can make a difference to an entity’s ability to carry out functions and activities and reach strategic outcomes.
  - Risk Sensing Technology: Cognitive risk sensing helps organisations analyse large samples of available data to better anticipate emerging events and gain the intelligence to predict risks. This process allows entities to detect emerging threats and opportunities more effectively, understand the potential impact to them, enhance the quality of their insight and make better informed decisions.
- Utilising strategic documents: This involves identifying your entity’s goals and subsequently the future dependencies or uncertainties that could stand in the way of achieving these objectives. Through reviewing your entity’s corporate plan and identifying drivers of success, you may be able to identify more clearly what must go right if you are to achieve these objectives and consider any potential roadblocks and barriers that may prevent the fulfilment of these objectives.
- Traditional methods: These are more common approaches that involve consultation with both internal and external stakeholders that facilitate a discussion and awareness about any potential emerging risks. Some of these include:
  - Risk Workshops: These are an effective way to bring stakeholders together to brainstorm risks that are on the horizon and to challenge the thinking within an entity.
  - Risk bow-tie analysis: This is a process that works towards identifying where new or enhanced controls may be worthwhile when dealing with an emerging risk. It is a graphical depiction of pathways from the causes of an event or emerging risk to its consequences in a simple qualitative cause-consequence diagram. This visual approach can be undertaken through a brainstorming session with stakeholders that first of all looks to identify any new or evolving pressures. Attention is then directed towards examining and extrapolating the causes, consequences and controls.
Figure 2: Risk Bow-tie Analysis
Once an entity has identified potential emerging risks, these risks should be prioritised to create greater focus and clarity, and appropriately monitored and managed. An example of a process for managing emerging risks, including responsibilities of the business and risk function, is outlined below:
Figure 3: Process for managing emerging risks
Emerging risks need to be communicated regularly and escalated appropriately in order for them to inform decision-making. The following are a number of channels which may be useful to escalate and communicate emerging risks:
- Risk watchlists: Risk watchlists provide an opportunity to monitor and draw attention to any pertinent emerging risks on the horizon. They provide an opportunity for active assessment and communication in relation to their nature, consequence and likelihood of materialising. Through inspection of these risks and communication of these watchlists, the messaging provided to the executive can be tailored around the severity of the threat and consequence presented by any emerging risks.
- Formal quarterly risk reports: These can provide detailed information on the entity’s top emerging risks and allow for greater visibility over any new or evolving risks that have the potential to affect business operations in the future. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.
- Regular reporting to the Executive Committee: This can include informal and formal upwards communication as part of regular internal reporting. This can work towards embedding emerging risks into the risk conversation in the entity’s existing reporting channels. This can also help inform the executive about the potential challenges the entity may face in the future.
- Risk workshops: A broad, diverse and robust risk dialogue at these workshops with an emphasis on emerging risks can help to overcome blind spots, foster risk awareness and support any kind of Strategic Risk Assessment. It is necessary to broaden the dialogue in these workshops to involve different stakeholders and platforms, such as Chief Risk Officers and Chief Operating Officers.
- Risk committees: Consideration of emerging risks at these meetings helps provide a level of oversight. Focusing on emerging risks at these committees can help the entity turn their attention towards putting in place measures to combat emerging risks that threaten the achievement of business objectives in the future.
These approaches to escalating emerging risks will enable the entity to understand if the future consequence of the risk would be within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.
This information sheet is intended to assist Commonwealth officials at the Foundation, Generalist, Specialist and Executive levels to understand:
- risk reporting and its role in good management and decision-making
- formalising risk communication requirements in a risk communication plan
- practical steps for developing a risk communication plan.
A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Such a culture supports an open discussion about uncertainties and opportunities, encourages staff to express concerns and propose solutions, and maintains processes to elevate matters to appropriate levels.
Risk reporting is a key method of communicating risk across business units and between multiple layers of an entity. Risk reporting generally informs stakeholders of the following:
- Risk events which have occurred and near misses. This can include an analysis of the cause of risk events and near misses and, where appropriate, identify expected versus unexpected risk events or losses.
- The current status of the risk profile. This type of reporting is the most common and includes information about the entity’s risks and how they are being managed. It is important to consider who this information will be reported to (that is, who needs to know).
- The current risk exposure. This is a succinct analysis of how much risk you are exposed to. Reporting risk exposure generally involves Key Risk Indicators (KRIs) across all categories of risk. KRIs are a mix of qualitative and quantitative measures that provide insight into how the underlying risk profile of the entity might be changing before the risk occurs.
- Emerging and future risks. This type of reporting is forward looking and often involves scanning the external environment. Scenarios may also be used to demonstrate the potential consequence should emerging risks occur and drive discussion about the entity’s strategic options. This reporting may also include existing risks which are potentially impacted by emerging or future risks.
These approaches to communicating risk will enable the entity to understand if it is operating within its risk appetite and tolerances as well as providing a greater understanding of potential threats and opportunities.
Risk reporting will be most effective where it is embedded in management level discussions and linked to broader management reporting. However, formal risk reporting regimes are only one form of risk communication and, while they are important, they cannot be relied upon alone. It is also important to continually communicate what you’re doing in relation to risk management and why you’re doing it.
There are a number of channels to communicate risk in your entity, both formal and informal. Some common channels are outlined below.
Risk forums and committees
Risk forums provide oversight of risk through discussion of key issues by a group with appropriate representation. Whilst multiple risk committees can exist, most commonly there is a primary risk and/or audit committee which has oversight of risk, compliance and audit matters. The nature and type of forums and committees will depend on the underlying nature of an entity’s responsibilities and operations.
When considering additional risk forums, consider whether internal communication is required to more effectively manage shared risk. Additionally, where the entity is exposed to specialised risks, consider establishing a separate risk forum or committee to enable a more robust discussion on that particular area of risk. Common specialised risk forums include project and program risk; safety and environmental risk; security risk management; and technology risk.
Face-to-face meetings
Where possible, meeting with key officials is the best way to start the risk management process and to communicate key risks. Informal meetings can also give officials the opportunity to ask questions and can make them feel more involved in the risk process.
Internal reporting channels
Where sensible, consider embedding the risk conversation into your entity’s existing communication channels. This can be through newsletters, intranet pages, emails or even flyers and posters. This can help to inform officials about the risk management program as well as communicating key risks.
Risk communication and consultation plans are a way of identifying and formalising the approach the entity will take to communicate risk issues both internally and externally. The plan details the key stakeholders involved and the approach to be taken to communicate risk information, changes and concerns with each party. When developing a risk communication plan, consider the stakeholders involved, communication method, purpose, content, timing and required frequency of communication.
Step 1 - Identify and understand stakeholders
Consider the ‘RACI’ approach – Responsible, Accountable, Consulted and Informed – to identify key stakeholders and what their roles will be throughout the process. Once established, these may be incorporated into the risk management plans of the entity, division and/or specific risk owner, as appropriate. This discipline is particularly useful for shared and complex risk where stakeholders may be distributed and not immediately apparent.
The RACI concept

| | R – Responsible | A – Accountable | C – Consulted | I – Informed |
| --- | --- | --- | --- | --- |
| Who is it? | The person assigned to deliver/execute a particular activity | The ultimate decision-maker and owner of the activity and its associated outcomes | The party/parties whose expertise and/or opinions must be sought and clarified prior to undertaking the activity or making decisions | The party/parties who are required to know that the particular activity or decision has been undertaken. |
| Example | Program/policy risk management | | | |
Step 2 - Determine communication type and method
Once stakeholders have been identified, their expectations and information needs can be determined. Think about what each stakeholder needs to know in order to assist with implementing decisions, and what the best method is to communicate this with them.
The manner in which risk information is exchanged will vary depending on the role of stakeholders in managing risk.
Step 3 - Establish a common language
It is common for large entities to operate multiple risk activities or programs, each tailored for specialist types of risk within different areas of the entity. However, a single overarching risk framework provides the basis for a common risk management approach, language and terminology to encourage consistency in the understanding and communication of risk.
Step 4 - Define the specific purpose of the communication
Stakeholder consultation can be used to raise the awareness and perceptions of risk management. Engagement with stakeholders allows for a greater understanding of the diversity of stakeholder needs as well as perceived gaps in the existing communications approach. This will enable communication to be increasingly targeted and increase the value of risk discussions.
Step 5 - Determine the frequency of communication
For each stakeholder and type of communication, an appropriate frequency needs to be determined depending on the nature and impact of the content. This should take into consideration the status of the risk in the context of risk appetite, threat to objectives, the severity of risk and when the risk is expected to occur.
Consider the availability of relevant information when determining the appropriate frequency of communication. Ideally, information communicated will raise awareness and provide sufficient time to drive both proactive and corrective actions.
Step 6 - Assign responsibility for communication
For each stakeholder and communication channel, consider who the most suitable person(s) is for providing the communication in a timely manner, as per the risk communication plan.
An example of the structure of a basic communication plan:

| Stakeholder | Communication type and method | Communication purpose | Communication frequency | Preparer/owner |
| --- | --- | --- | --- | --- |
| Internal | | | | |
| External | | | | |
When developing a risk communication plan, it is important that subject matter experts are engaged. They may bring expertise in the risk being considered, the stakeholders and environment concerned, or in the discipline of risk management itself. Relevant risk management subject matter experts may include enterprise governance, risk and compliance specialists, but also experts within specialised areas of risk (for example, technology, security, privacy and safety).
Mandatory reporting as part of your entity’s governance arrangements
It is common for regular upward reporting of risk to take place as part of entity processes, including during committees or as part of regular reporting requirements. This reporting helps to ensure senior leadership has sufficient oversight over key issues.
Reporting may be part of (but not limited to):
- an Executive Committee or Sub-committee, primarily dealing with risk management
- a steering committee of a major project or program where risk management is an ongoing agenda topic
- a business case approvals process where risk is a decision input
- regular Executive meetings where key strategic risks are reviewed as part of BAU
- branch level forums on risks
- daily/weekly/fortnightly stand up meetings where updates on risks are relevant
- any other meeting where risk features as an agenda item.
Ad hoc responses to changes in the risk environment
In addition to regular reporting, changes to the risk environment should also be communicated. These events can happen at any time and it is important that officers communicate these risks in a timely manner, even if this is outside the normal reporting timeframe.
Possible events that may change the risk environment include:
- A material control failure – if a control designed to mitigate a risk breaks down, this could leave an entity exposed to uncontrolled risk. This may become evident through upward trends in incidents, key process failures or key deliverables slipping in terms of time or quality.
- A material change in your entity’s operating environment – changes in an entity’s internal or external operating environments may alter its risk profile. Senior Executives should be aware of this to assist with their decision making around managing the risk or the activity (project/program/business as usual) the risk sits within. Internal changes could include a restructure of an entity or a change in strategy. External events could include changes to how the entity is regulated or structural changes to key partner entities.
- A change in a risk’s likelihood and/or consequence rating – if there is a significant change in a risk’s likelihood and/or consequence rating it may result in a risk approaching or exceeding appetite or tolerance limits, and Senior Executives should be briefed so they can plan a potential risk response strategy. The point at which a risk is considered to be approaching or exceeding appetite or tolerance depends on your entity’s appetite or tolerance statement and will be different for each entity.
Communicate with impact
Be bold in your communication, without being afraid to deliver bad news. Risk owners and senior stakeholders need to know about changes in a risk’s profile as soon as possible to enable an effective response. Being familiar with your entity’s risk escalation points and designated lines of communication will allow you to communicate risk information in an impactful and timely manner.
Link to corporate plan
Risk information that is aligned to the achievement of objectives in your entity’s Corporate Plan will carry the most weight. When senior stakeholders recognise that a change in the risk landscape has the potential to threaten the achievement of strategy, their interest will be captured and your message noticed.
Be succinct
Risk information should be clearly articulated and presented in a simple manner. Incorporating an executive summary at the beginning of your risk documents or infographics to explain complex concepts helps to engage the audience. While detailed information is important to support your summary findings, be aware that senior stakeholders are often short of time.
Fit-for-purpose
Communication should be tailored for your audience. Before formulating your communication, consider who you are presenting a risk update to, the type of information they require and the manner in which it should be presented. For example, your manager may require more detail than a Minister who is looking for a brief snapshot.
Involve the risk owner
The risk owner should have oversight of the management of their risk. While a small change to the risk’s profile may seem insignificant on the face of it, when aggregated with similar events it may lead to a material change in how the risk needs to be managed. For the risk owner to effectively perform their role, they require regular communication of such information from all areas of the entity.
This information sheet is intended to assist Commonwealth officials at the Generalist and Specialist levels to understand how to identify key entity risks using strategic documents and risk workshops.
Risk management requires leaders to focus on risks that threaten the achievement of strategic objectives. It helps to consider things that “must go right” to achieve the objectives, and the uncertainties that exist around those things that can jeopardise achievement of the objectives. Identifying risks to strategic objectives is a valuable investment of time and effort in support of achieving entity objectives. This information sheet provides general guidance to enable entities to identify key entity risks to communicate upward to Senior Executive Staff (SES).
Possible triggers to identify risks can be broadly divided into 2 categories:
- Regular triggers including annual updates to your risk framework, the beginning of a new project or a review of your entity’s operations.
- Ad hoc triggers including the realisation of a significant risk, an increase in near miss events or a major change in your internal or external operating environment.
The annual review of objectives in your entity’s Corporate Plan is an ideal opportunity to identify and monitor uncertainties (risks) that could cause a deviation from your expected or preferred outcome. It is also an appropriate time to identify any emerging or trending risks that might require additional focus.
Key changes such as those arising from a change in risk owners, project sponsors, structure, funding or regulation can also be an opportune time to review current and newly emerging risks.
This process involves identifying your entity’s goals and subsequently the dependencies or uncertainties standing in the way of their achievement. Risks are the uncertainties associated with the achievement of objectives. The approach below describes the process of identifying the key strategic objectives and reverse-engineering them into risk statements.
Risk workshops are an effective way to bring stakeholders together to brainstorm risks and to challenge thinking. Effort should be taken to ensure risk workshops are engaging and focussed on participant involvement to ensure robust discussion on the identification of risks within the entity.
Workshops provide the opportunity to share learnings, discuss perspectives and agree on ownership of risks. To generate buy-in and accountability from key stakeholders it is important to circulate the agreed outcomes as soon as practicable.
The following steps will help you to plan and run an effective risk identification workshop.
1. Identify relevant stakeholders
The key to a successful workshop is having the right mix of stakeholders in attendance. These stakeholders could be relevant executives and key decision makers, subject matter experts, and people in operational roles likely to be involved with day-to-day management of the risks. It is important to have initial contact with identified stakeholders prior to the workshop to gain their input on any additional personnel required to attend. Below are some examples of the types of stakeholders that may be considered:
- Executive leadership group or committee
- Subject matter experts for each risk category or risk owners (for example, HR Manager for a “people” risk category or Chief Information Officer for a “technology” risk category)
- Anyone likely to be flagged as a risk or control owner or may have an informed view on potential risks and consequences
- Representatives of any operational areas that may impact or be impacted by the realisation of objectives to be considered in the workshops
2. Conduct preliminary discussions
Initial discussions with select key stakeholders should be conducted to set up an agreed process to run the workshops. These discussions should explore the interests of each stakeholder at the workshop, and ensure a variety of perspectives will be present. The discussions will also potentially provide an early understanding of the risks that will be developed in the workshop and inform any additional resources that may be distributed prior to workshops.
These preliminary discussions will:
- provide participants context before attending
- familiarise stakeholders with the risk identification process
- establish the interests of workshop attendees
- identify risk themes to be discussed at the workshop
- build relationships and rapport prior to the workshop
3. Identify and review the strategic context
Following on from the preliminary discussions, the strategic context of the workshop should be established. First, determine what the objectives are for the project or business area. This can involve a review of corporate plans or project aim statements. It is often also advisable to review the Key Performance Indicators (KPIs) as these can clarify how success is being measured.
Next it is important to review the risk framework and supporting documents that apply to these risks. These can include the entity’s risk appetite and tolerance statements, risk category definitions, and risk likelihood and consequence descriptors. This guidance must be understood prior to the workshop, so that the risks can be articulated in a way that is consistent with the framework.
The final preparation for the workshop is to collect and review any pre-existing documents that have reviewed risks relevant to the workshop objectives. Relevant documents may include risk assessments regarding shared activities from partner entities, risk registers from other areas of your entity or risk assessments from previous years. Once all documents have been collated a selection of key documents should be distributed to workshop attendees prior to the meeting to assist with their preparation.
Workshop preparation steps include:
- Identify the objectives of the project/business area/entity (context)
- Determine the measures of success (KPIs)
- Review the risk framework
- Collect and review risk artefacts that form the context, including organisational plans, risk assessments from partner entities, or risk registers from previous years
- Circulate key documents as reading prior to the workshop
4. Run the workshop
On the day of the workshop, it is ideal that the stakeholders would have read the context material and have an understanding of the objectives to be considered. It is important to note that the role of the facilitator is to guide and direct the group through the risk management process, while remaining impartial. This may include challenging ideas and drawing out risks.
The facilitator should clarify the scope of the assessment that is being undertaken. For example, a particular category of risks (that is, risks to our people) or the top 5 operational risks facing the entity. In addition, the facilitator should provide some principles on what makes a good risk statement and why it matters. A good risk statement should outline an uncertainty that could happen, what could cause it and why it would affect objectives.
5. Risk outputs
At the end of the workshop, you should have a register of identified risks and notes on the discussions. This register should include the key elements of each risk as raised in the workshop, including the risk owner, sources and consequences, rating based on likelihood of the consequence, current controls and proposed treatments. After the workshop the risk register may need to be refined to ensure that each risk is clearly articulated and all relevant elements of the risk have been explored. This step may involve some extrapolation to fill identified gaps, but any information conceived at this stage will be confirmed in the next step.
Drafts of the risk registers will need to be sent to the stakeholders for review. This is also an opportunity to include some suggestions to cover topics raised in the workshop which are outside the general scope. After the risk register is agreed, the final stage is to monitor the implementation of the risk treatments and to determine the timeframe for the next review of these risks.
Provide pre-reading
Give participants information on what to expect in the workshop, what the process will be and what to bring with them. If the participants’ risk management experience is limited, provide some pre-reading on the basic concepts that will be discussed and the entity’s risk management framework and supporting documents.
Be clear about the scope of the assessment
For instance, let the participants know what risks you are specifically assessing. Is it a particular category of risks (that is, risks to our people) or is it the top 5 operational/strategic risks? Don’t forget to assess high consequence/low likelihood risks.
Be impartial
When facilitating workshops, your role is to guide and direct the group through the risk management process while remaining impartial.
Understand the objective of the workshop
Having a clear understanding about the objective will assist in developing the most effective approach to the workshop. For example, the approach to a workshop for an entity’s key strategic risks will be different from a workshop for a new project.
Have some additional support in the workshop
Having additional support at the workshop will enable you to concentrate on running the workshop. Have someone assist with taking notes and documenting the risk information in a register.
Try not to spend too much time on any one risk
If you find that a risk requires a detailed discussion, consider discussing this separately with the person responsible to keep the momentum of the workshop moving.
Park any issues
Explain the difference between a risk (an uncertainty) and an issue (a current problem) and record any issues in a separate issues register for later discussion.
Provide guidance on defining a risk
Provide some principles on what makes a good risk statement and why it matters. A good risk statement generally outlines an uncertainty that could arise, what could cause it and why it would impact objectives.