Dealing with New and Emerging
Risks in an Ever Changing World
Paul J. Sobel
Vice President/Chief Audit Executive –
Georgia-Pacific, LLC
Vice Chair – Professional Development for
The Institute of Internal Auditors
Presentation Outline

The Changing World

Impact of Emerging Risks

Evolving Risk Assessment Approach

Dealing with Risks in a Dynamic Business
World

Summary
The Changing World

Global and organizational change

Stressed financial structure and cash availability

Bankruptcy and restructuring

Fraud from many fronts

Legislative imperatives and pressure

Technological innovation

Competition for market share

Shareholders demanding increased accountability

Client’s changing expectations

Pressure/expectations from stakeholders and citizens

Strategic alliances

Mergers and acquisitions
Impact of Emerging Risks

New risks keep emerging

Risk interdependencies are creating almost
unimaginable risk scenarios

Speed of change has rendered static, annual risk
assessments almost meaningless

There seems to be very little tolerance for
ineffective risk management
Evolution of Risk Assessments

In the 1980’s a formal risk assessment was an
uncommon, somewhat unsophisticated practice

In the 1990’s risk assessment became a “leading practice”
◦ While it was more structured and sophisticated, it still left many
“blind spots”

In the early 2000’s, annual risk assessments were a
standard practice
◦ Some were updating risk assessments more frequently
◦ Still had “blind spot” issues

The financial crisis beginning in 2008 caused many to
question the value of risk assessments
Risk Identification Approach

Continually scan the risk environment
◦ Check available public documents
◦ Search for specialist publications
  ▪ A lot of good stuff from outside the United States
◦ Deeper knowledge sharing with competitors

Brainstorm previously unimaginable risk scenarios
◦ Disciplined structured process
  ▪ Embedded in strategic planning (60% of failures relate to strategic risks)
◦ Extensive consideration of interdependent risks
◦ May need to bring in specialists (e.g., economists, analysts, deal
makers, regulatory experts)

Consistently challenge the completeness and veracity of
all risk assumptions

Risk Assessment – The Past

Traditionally focused on Impact and Likelihood

Tends to be single point outcomes as opposed to range of outcomes

A good foundation, but is it robust enough in today’s business world?

[Figure: risk matrix with IMPACT (Low, Medium, High) on one axis and LIKELIHOOD (Remote, Possible, Probable) on the other]
Other Risk Assessment Factors
Velocity
Readiness
Capacity
Controllability
Monitorability
Interdependencies
Frequency of occurrence
Volatility
Maturity
Degree of confidence

Risk Velocity

This has become the risk assessment “criteria du jour;”
however, there are different types of velocity

Speed of onset
◦ How quickly does the risk descend upon us?
◦ Do we have much warning?

Speed of impact
◦ Do we feel the effects right away, or does the pain slowly
increase?
◦ Does it spread and impact us in other ways; e.g. reputation?

Speed of reaction
◦ Even if we see it coming, do we have the agility to timely react?
Risk Readiness

Given that risk represents uncertainty, how
ready are we to deal with a risk event?

Focus is on an organization’s ability to:
◦ Recognize the onset of the risk
◦ Respond timely and effectively

Must also consider 3rd parties’ ability to
respond timely and effectively

Risk readiness is really the response part of the
risk velocity criteria
Risk Capacity

Decisions regarding risk readiness must
consider an organization’s capacity to absorb
or take on risk

First consider organization’s appetite and
tolerance for the risk outcomes (before
sustainability is impacted)
◦ Resilience to consequences
◦ Cost/pain to manage

Also consider recovery time – i.e., how long
until the outcomes/effects are no longer felt
Other Risk Characteristics

Controllability – Do we even have the ability
to mitigate/control the risk?

Monitorability – Can we monitor:
◦ Risk signposts to anticipate risk onset?
◦ Risk impact to understand how much we’re bleeding?

Interdependencies with other risks
◦ Vulnerability to other risks being triggered
◦ Correlation with other risks (Charles Kindleberger)
Other Risk Characteristics

Frequency of Occurrence – Will a risk occurrence
likely be a single event or will it occur multiple times?

Risk Volatility – Does the risk lend itself to an
infrequent assessment (e.g., annually) or should it be
re-assessed on a regular basis?

Risk Management Maturity – Is our risk
management mature enough to trust our initial
reaction to a risk event?

Degree of Confidence – How confident are we in
our risk assessment judgments?
How Do You Make Sense of all This
Information?

Mapping Multiple Dimensions Won’t Work!
A Possible Approach?
1. Start with traditional impact/likelihood
assessment
2. Determine which Other Risk Assessment
Factors are relevant and meaningful
3. Assess whether those factors will
significantly, moderately or negligibly affect:
• How the risk is managed
• How the risk is prioritized relative to other risks
• How the risk is monitored and reported
One Example

Risk   Impact   Likelihood   Factor A   Factor B   Priority
AAA    High     High                               1
BBB    High     Medium                             2
CCC    Medium   High                               3
DDD    High     Low                                4
EEE    Medium   Medium                             5
FFF    Low      High                               6
GGG    Medium   Low                                7
HHH    Low      Medium                             8
III    Low      Low                                9
One Example

Risk   Impact   Likelihood   Factor A   Factor B   Priority
AAA    High     High                               1
BBB    High     Medium                             3
CCC    Medium   High                               5
DDD    High     Low                                2
EEE    Medium   Medium                             4
FFF    Low      High                               6
GGG    Medium   Low                                8
HHH    Low      Medium                             7
III    Low      Low                                9
A Few Cautions

Don’t make it too formulaic – it’s still primarily
about judgments!

Never lose sight of the fact that risk
assessment must tie back to strategy

Plan ahead for how you’ll respond to significant
risk events
◦ Decisive decision vs. consensus building
◦ Initial response may differ from long-term response
Dealing with Risks in a Dynamic
Business World

No one-size-fits-all or simple answers

Starts with good risk information
◦ Identify risk events early
◦ Initiate risk actions quickly
◦ Monitor effectiveness of risk actions

Must have a good escalation process
◦ Who needs what information and when?

Don’t just treat the symptoms; cure the disease

Be flexible to change; don’t become too
attached to what worked in the past
In Summary

We live in a dynamic, ever changing business world
◦ The speed of change will continue to increase
◦ The impact of mistakes will become even greater

Identifying possible emerging risk scenarios will be
critical to success
◦ In particular, scenarios among interdependent risks

Risk assessment must consider criteria beyond Impact
and Likelihood
◦ But don’t make it too complex; it’s still about judgments

Dealing with risk events requires a structured and
disciplined approach; an ad hoc, reactionary approach
won’t cut it
QUESTIONS?