Managing Emerging Risk 

How should the role of risk governance and assurance change?

Vincent Marke, Partner, Social Purpose and Non Profits
08/03/2024
Each year the Regulator of Social Housing (‘RSH’) publishes its “Sector Risk Profile”, which sets out the regulator’s view of the most significant risks to providers’ ongoing compliance with the regulatory standards. This includes existing stock, service delivery and development and finance and treasury management risks. It helpfully sets out the context of global or macro-level risks facing the sector and is a useful framework against which Registered Providers can consider their individual risk maps.

The 2023 Sector Risk Profile did reveal some areas of potential risk arising from the new Social Housing (Regulation) Act. This includes forthcoming requirements in relation to Tenant Satisfaction Measures, and risks arising from reinforced autoclaved aerated concrete. These issues were included within existing risk categories, and no “new” risk headings were identified in the publication.

Given the prolonged and continuing uncertainties, one area of focus for Board and management is identifying and having processes in place to manage “emerging risks” and “horizon scanning” to identify new risks.

There is no standard definition for what constitutes an “emerging risk”. The Charities Sector Special Interest Group defines emerging risks as “a risk that is evolving in areas and ways where the body of available knowledge is weak”. The Chief Risk Officer (CRO) Forum defines emerging risks as “risks which may develop or which already exist that are difficult to quantify and may have a high potential loss”.

Characteristics of emerging risks include:

  • large scale events
  • often arise from global trends
  • can cross geographic borders, industries and sectors
  • difficult to quantify the impact
  • hard to predict
  • high risk velocity (more on this later); and
  • traditional risk management identification and assessment processes may not work.

The Institute of Internal Auditors’ Risk in Focus global summary survey 2024 asked over 4,000 organisations to assess both their current top five risks, and the top five risks they expect to face in three years’ time. Digital disruption and climate change were identified as key risks now, as well as being rated substantially higher in the forecast rankings (figure 2). The difficulty organisations face is developing a risk management approach that can identify potential future risks that are currently not known.

As we explain in our insight 'COVID-19: what planning should charities be undertaking?', most organisations and governments are good at capturing ‘known knowns’ and ‘known/unknowns’; it is more difficult to identify ‘unknown/knowns’ and ‘unknown/unknowns’. ‘Unknown/unknowns’ are unpredictable events, where the risk is inconceivable and preparation is nearly impossible. These are known as ‘black swan’ events and include events such as September 11 2001. Some suggest the pandemic and Russia’s invasion of Ukraine are examples of ‘unknown/unknowns’, but they are actually great examples of an ‘unknown/known’. This is because we were aware of the risk, although we were not able to assess the full impact. The pandemic was identified as a risk in the UK’s national risk register as early as 2008, it was the subject of the famous TED Talk by Bill Gates in 2015, and it was cited by numerous others in their assessment of the high impact/highly likely global risks. The uncertainty was large, and the risk was underestimated as a result of fear, irrational bias or wishful thinking.

In an organisational context, an unknown/known is information that the organisation (or an individual in it) has in its possession, but whose existence or relevance has not been evaluated. From an organisational perspective, turning ‘unknown/unknowns’ into ‘known unknowns’ is difficult but probably one of the best things the board and management of any organisation can do. There are two ways this can be done, while acknowledging that it is not possible to know all the unknowns.

Critically, it is about ensuring there is better situational or organisational knowledge of the global and local contexts and of their impact on the individual organisation. Firstly, the management team must have a broad view of the economy and the organisation's operating environment, and this external knowledge and perspective must be shared within the organisation. Secondly, it is about having an organisational culture that allows the free flow of information, encouraging people in the business to share information instead of hoarding it.

So why have past events been so difficult to identify and manage? In many instances, these risks are less structured, and require a principle-based response rather than a quantitative “risk-issue-action” approach. Furthermore, managing ‘known/unknowns’ and ‘unknown/unknowns’ is harder than managing ‘known/knowns’ such as welfare reform or counterparty risks as set out in the sector risk profile.

As seen in the diagram below, anticipating and exploring uncertain futures is more difficult than where risks are more familiar.

Anticipating vs exploring uncertain futures [source Walker, W.E., Marchau, V.A.W.J & Swanson (2010)]

Management of emerging risk – a potential risk management framework

One potential framework for the management of emerging risk:

  • Design a process to understand the present and explore the future (requiring framing of risk discussion and innovation).
  • Develop or use various scenarios to explore and evaluate the emerging risk that could affect the organisation in the future.
  • Generate risk management options and formulate a strategy for implementation. This requires a focus on controllable factors that contribute to risk, developing precautionary approaches, reducing vulnerability and exposure, or modifying risk appetite in line with the risk. Implement the strategy by creating supportive conditions for the organisational, technical and cultural shifts required for the effective deployment of risk management options.
  • Review risk development and decisions (including reviewing systems by which emerging risks and opportunities unfold).

How do current internal audit programmes typically deal with emerging risk?

Each year The Chartered Institute of Internal Auditors (IIA) produces a useful analysis of the top risks to organisations, coupled with where internal auditors spend their time. This study is cross-sectoral and provides a useful barometer to sense check internal audit coverage and risk analysis.

Both of the following charts indicate a continuing focus at an organisational level and by internal auditors on cyber and data risks. However, internal auditors have indicated a lower priority on “Macroeconomic and political uncertainty” and “Human capital, diversity and talent management”, plus a higher focus on “Organisational governance and corporate reporting”. This potentially demonstrates that internal audit is in some cases focusing on “known/knowns” rather than the emerging strategic risks.

IIA Risks in Focus

Where internal auditors

In applying this to Registered Providers we should reflect on whether there is adequate consideration of the global ephemeral risks, for example “macroeconomic and geopolitical uncertainty” and “human capital, diversity and talent management”, which can be more difficult to clearly identify, manage and govern. It is also worth reflecting on whether the current internal audit programme applies the appropriate level of resource to the risk, in particular in the areas of human capital, climate change and macroeconomic and political uncertainty.

What is the role of assurance in this changing context?

The role and approach of assurance providers need to adapt to reflect the changing risk landscape, for example:

  • There is a need to elevate the role and remit of internal audit, coupled with a move away from routine compliance and assurance activities.
  • There is a need to balance the assurance role with advisory and forward-looking / proactive identification and risk assurance. The Audit Committee should also assess whether the current risk, governance and internal audit processes have been outpaced by the rate of change in the risk environment, and how this can adapt going forward.

How Crowe can help

Crowe supports organisations in developing, refreshing and embedding leading risk management practices. For more information on our services please contact Vincent Marke or your usual Crowe contact.
