Over the past few weeks I have been thinking about the world as we move into 2016. Most of that thinking is not about daisies and pixie dust, but about the changes over the past few years, many of which seem to be leading either to crisis, trouble, or the slow boiling of the frogs. Personally I'm hoping for a few crises that will, although probably fairly terrible at the time, actually bring about some fundamental changes that will create real change and improvement, at least in the medium term.
What's a Risk Manager to do? Below I contrast "the Usual Suspects" that we are (or should be) watching every day as Risk Managers, and then "the Big Stuff" and implications for Risk Managers now.
We are going to see the world change through 2016 and 2017, potentially dramatically - and not necessarily positive change. That is my view. Of course, I could be very wrong, and we could see a world that "muddles along". At heart are our individual answers to the question "how do we best help our businesses manage the coming risk world?"
I am not confident, but that is my view.
So let me suggest, based on my view, the potential impacts on Risk Managers for the coming couple of years. Two years is a very short time in a world of potential regulatory change and economic cycles. Anything shorter than two years would fail to consider the potential impact of major business and economic cycles such as the current commodity depression, the US (and China) manufacturing recession, and the very serious systemic debt and migrant issues that Europe may or may not manage through the coming year.
The Usual Suspects:
Of course the world of Risk will be both immediate and longer term, local or specific as well as systemic and international. We'll start by reminding ourselves of some basic risks that have no direct link to the wider situation.
1. Cyber threats. This category of risk continues to be on the rise, and can be an existential threat to companies from a data-loss or damage perspective, while civil and regulatory sanctions continue to increase. This is a threat that has been growing, and increased access and growth in skill sets will increase the number of hackers and the breadth of tools and techniques they will use. Companies will be taken down by Cyber attacks. Companies can prepare for and attempt to limit the impact of Cyber attacks, but can do little to reduce the likelihood of such attacks (as exogenous threat likelihood is not subject to risk reduction activities on the part of the company). Reducing the impact requires planning, careful review of the potential threat (what are the data-crown jewels, and how are these protected?) and remediation where infrastructure is not adequately protected. Reputation damage limitation is an element of planned responses, and finally, consideration should be given to Cyber Insurance.
2. Fraud, Bribery and Corruption. If the economy continues to grow and unemployment continues to fall, there will be little impact on the likelihood of Fraud, internal or external, though of course these risks remain. However, if we see a degradation in economic conditions, this will probably lead to an increase in fraudulent activity, starting with external fraud and followed by an uptick in potential internal fraud. Of course, some fraud, bribery or corruption is simply due to greedy people, and has no linkage to economics. Exercise skepticism.
3. Solvency. For the insurance industry in Europe, this is the year Solvency II fully comes into effect, and insurers across the continent are getting their reporting houses in order. Yet the risk is not simply that companies may or may not be solvent, it is a question of the quality of internal processes supporting production and maintenance of the ORSA (Own Risk and Solvency Assessment). As risk managers we can learn from companies that have been through the process, such as the importance of the quality of documentation of the process, effectiveness of systems of control (nothing new there), and the ability to demonstrate how the ORSA contributes directly to business decision-making.
4. All Your Risks. Every risk on your Risk Register will remain as critical (or otherwise) through 2016 and 2017 as they are today. Some will increase in potential impact, many will eventuate in actual issues or problems. These risks will become incidents, and you will manage them through to resolution - or not. There will also be a host of issues and incidents that will result in you reviewing the Risk Register, and probably adding risks to the Register.
You can never go wrong keeping your eyes on the day-to-day risks, and ensuring that the business either has effective controls in place, or is building a control environment that can actually be monitored to indicate areas of existing or emerging risk.
Now for the Big Stuff:
A global correction may be underway, with no sign of a low for some time to come. Certainly there may be up days or weeks, but it appears that there is more likelihood of a longer down trend for the coming months. The questions now are "how far, how fast, how long, and how much stimulus"? There are no serious commentators calling for a near-term renewal of a global bull market. The IMF recently downgraded their expectations for global growth from 3.8 (July 2015 forecast) to 3.4 (January 2016) with developed economy growth downgraded from 2.4 to 2.1, the same level as 2015.
The US markets are down 15% from their highs (DJIA - 15,900 from 18,200 in 2015), and China is at 2014 levels (Shanghai is at 2750 from a high of 5100 in 2015). [as at 26 January 2016] Where will they go?
Total global debt has continued to rise all through the supposed deleveraging after the Global Financial Crisis (GFC), increasing by $(US)57 Trillion since 2007 to almost $(US)200 Trillion. The majority of this increase has been government debt, yet corporate debt (and personal debt) has also risen through that period. This also cannot continue without impact.
At the same time in developed countries we see close to stagnation in growth in real incomes. Personal income in the UK has finally (May 2015) caught up with where it was before the GFC, and the strong employment growth has been reflected in falling unemployment and increased wages. The introduction of a "living wage" will also increase personal incomes (although some worry that imposed minimum wages reduce employment growth). All good news, but will the UK continue to grow as the rest of the world slows down, if the UK votes to leave the EU, or if markets continue to fall (the FTSE is now at 5800 from just over 7000 in 2015, and continues to fall)? [as at 26 January 2016]
In the US, employment growth appears to be strong, at the same time that the labor participation rate continues to fall. The unemployment rate is around 5%, a level that is close enough to full employment that we should be seeing serious upward pressure on wages. Yet the continued fall in labor participation indicates that there remains a (growing) untapped pool of labor. The picture remains murky.
Recommendations for Risk Managers
The current economic situation is, in my view, as scary as it has been since the GFC. Fear has an impact on risk and companies' and individuals' perceptions of appropriate levels of acceptable risk. How do we translate this into meaningful decision-making by companies, and counsel from Risk Managers?
1. Risk Appetite. There should be no better time than now to review (or write) the Risk Appetite for the business. Risk Appetite will provide a construct for decision-making by management that is in line with the level of risk that is acceptable to the Board and through them the shareholders. Risk Appetite is not a single statement, but needs to be broken into key business activities or processes, and potentially high level business units / companies. When reviewing (or writing) the Risk Appetite, speak directly with the directors and in private companies, with the key shareholders.
2. Identify your Key Risk Indicators (KRIs). These are the indicators whose movement provides insight into the potential increase or decrease in the likelihood of the materialization of any particular risk. For example, this may include items such as average days receivables (expanding may indicate deteriorating customer business conditions), or less obvious indicators such as unplanned staff turnover rates (with falling unplanned turnover being a surrogate for a degrading jobs market for your employees).
3. Stress tests (EKRIs). Build the models, and then test them beyond what your CFO/Finance Director thinks is possible. Build in extremes such as cost of fuel for distribution networks, cost of capital, internal project hurdle rates. Stress until the model breaks, then look at why the model broke. That will give you a strong indication of the most important factors to be watching on a daily basis - your External Key Risk Indicators (EKRIs). I know of a very large manufacturing company that failed to hedge fuel costs, resulting in significant business costs when oil did spike. While that may not be the case today, if cheap oil turns out to be transitory, will cost-reduction based profits evaporate?
4. Outside-In. Having built or reviewed the Risk Register, the KRIs and the EKRIs, how are the risks identified reflected in the Risk Registers and risk reporting? Is the current risk environment too inward looking, focusing on the specific risks, controls, actions and people that are within the organization and therefore "observable" to management? How strong is the monitoring of external factors, and how can this be built into risk reporting?
5. Regulation Watch. Times of crisis almost always breed new regulation, or changes to existing regulation. I'm not going to opine on the benefits or otherwise of regulation, but as Risk Managers we must ensure that our organizations have fully considered the potential impact of such changes. When SOx (Sarbanes Oxley) and the section 404 requirements were passed, who predicted $170/hour for bulk standard Internal Auditors spending thousands of hours documenting mundane financial reporting processes and identifying controls - followed then by the massive increases in compliance costs to test those controls? Something like this is in our collective futures.
These are a few of the considerations for Risk Managers today. Are these different from what Risk Managers should be doing or concerned with in good times or steady global growth? No. And that is the rub, and the message; times like today provide strong reminders of what we should be doing every day. The increased fear does, however, provide us with the energy to get this done.