How Banks Can Confront the Unknown

Financial services firms well understand that they operate in an environment of risk and uncertainty. In recent years, however, a new breed of risk -- more ominous than what banks have historically faced -- has appeared. It can take the form of risks without historical precedent (such as the September 11, 2001, terrorist attacks) or those that exceed commonly anticipated "worst case" scenarios (such as $200-a-barrel oil).


By their nature, emerging risks are not well understood, are linked to other risks, cross multiple geographies and tend to be outside the scope of any organization. Their systemic nature and severe potential impact can, unfortunately, be devastating to financial institutions.


Accenture recommends integrating emerging risks into a firm's existing enterprise risk management framework and embedding emerging risks into an organization's business planning, execution and evaluation process.


While financial firms are usually not in a position to prevent geopolitical disturbances, global resource shortages and worldwide demographic shifts, they can -- and should -- seek to minimize the effects of such developments. Indeed, institutions that anticipate and effectively manage emerging risks may even discover business opportunities.


The potential competitive advantages are not limited to avoiding the devastating effects of the next major event. Rather, leading companies are making gains by moving quickly on opportunities presented when emerging risks have materialized.


A major North American bank, for instance, was able to make a key strategic acquisition during the turmoil following the collapse of the subprime mortgage market and the subsequent credit crisis. The bank did so at a time when other banks were folding or divesting portions of their business as a result of the liquidity freeze.


Similarly, in the early 2000s when the U.S. economy soured, an airline made significant gains in market share -- becoming the domestic market leader -- due to its low-cost business model and the success of its fuel hedging program.


The Rise of Unforeseen Events


It is surprising, if not shocking, to look back a little over 30 years and see the difference between what experts thought would happen and what actually happened -- in society, politics and economics around the world. Some problems -- such as rising oil prices -- were with us then and still remain. But there are so many that few could or would have anticipated: the fall of communism in the Soviet Union and the break-up of that country into smaller republics; the rise of the Internet, mobile telephony, social media and a host of other communications and information technologies; the bursting of the dot-com bubble; a tsunami that killed almost 640,000 people in Asia and Africa; the emergence of pandemics such as AIDS, mad cow disease and avian flu; the near-collapse of the world economy in 2008 and multiple crises for the financial services industry, automobile industry and governments; and the Japanese earthquake, tsunami and nuclear crisis of early 2011.


In almost every case, the increase in relationships and dependencies among countries amplified and extended the reach of these events and trends. Inexpensive air travel, for instance, fostered the spread of diseases. The role of the Internet and social media in encouraging and coordinating political activism is well documented. Mobile telephony has brought modern communications to countries that previously lacked land-line infrastructure.


It seems clear that emerging risks will grow in impact and frequency over the next decade because of several intersecting trends:




Climate change will continue to produce abnormal weather patterns, resulting in more natural disasters. In addition, population and economic growth creates regions that are more heavily affected by such disasters.


Dependence on technology will continue to grow as emerging markets become more mature, as mature markets are further saturated, and as more and more commercial and business activity moves online.


Economic, societal, environmental and political pressures will increase over the next 10 years as the world becomes more interconnected. The impact of friction or major disruptions will be more significant.


The global distribution network will become more complex as suppliers and manufacturers of goods become more interdependent, with greater opportunity for risks to manifest themselves.


Global population growth will place ever greater demand on natural resources.






Identifying New Risks




Traditionally, banks have tended to focus on risks that are financial in nature, more easily measured, and with historical precedents. They evaluate unemployment statistics, interest rates, asset valuation, foreign exchange rates, volatility in energy and commodity prices and other factors to develop scenarios that might unfold. The vast majority of the measured risks have occurred in the past; for others, some consensus develops around the idea that they might occur.




Banks are less proficient at measuring emerging risks and therefore must find better ways to predict their impact, particularly with respect to credit and market risk exposure.




Banks should draw upon multiple resources to identify emerging risks and develop responses. Within their organizations, banks can identify enterprise risk leaders and thought leaders, incorporate perspectives from economists and research analysts, expand the monitored and measured scenarios and factors used for sensitivity analysis and stress testing, and conduct scans of media and other indicators of potential risk. Externally, banks should partner with think tanks and consultants, attend conferences and establish networks in support of risk management efforts.




The key question regarding emerging risk is, of course, how to measure and manage events that have never occurred before. Several organizational, process and technology challenges must first be addressed. 






Organizational challenges include creating a mindset that is comfortable with measuring and monitoring the unlikely, given that most risk management efforts today focus on risks with historical precedents or with a high degree of probability. This requires identifying resources with the capabilities to watch for and flag emerging risks; determining responsibility for emerging risk; balancing resources among emerging, strategic, operational, financial and compliance risk management; and establishing incentives to support the management of risks that may not materialize for many years, if ever.




Process challenges include determining the reliability of information to predict the probability of a specific event, especially in the absence of a historical precedent; deciding when action is needed to mitigate emerging risks; communicating emerging risks through the business units; understanding the interconnectedness of risks to current portfolios, strategies and activities; and allocating capital to address the possible impact of emerging risks.




Technology challenges include maintaining the agility needed to measure a wide variety of scenarios and the flexibility to adjust scenarios that are already monitored; limiting the manual effort involved in conducting stress tests, in part to increase the ability to conduct these tests under time-sensitive conditions; and managing an expanding list of risks and setting priorities for monitoring and measuring these risks.




Managing Emerging Risks




Emerging risks should be integrated into the existing enterprise risk management framework and incorporated into the organization's business planning, execution and evaluation processes.




Getting the emerging risks right involves assessing whether existing and emerging risks are a potential barrier to growth. Key considerations include: how to incorporate emerging risks into corporate strategy; how to identify what the firm doesn't know; and how to better understand the complexity and interdependency of risks.




To incorporate emerging risks into the ERM structure, they should be considered as part of the strategic planning process, with a direct link to top-down risk appetite. To accomplish this, firms can initiate brainstorming sessions to gather input from both senior management and associates closer to day-to-day activities. Once the input is captured, it should be thoroughly scanned and analyzed for relevant risk factors.




To identify risks that do not have a historical precedent, financial organizations should consult such additional resources as academics, industry groups and economists. Once the risks have been identified and analyzed, a bank should develop a risk taxonomy, categorizing emerging risks according to a classification system. Finally, financial institutions should look outside their own industry to challenge the norm and ensure that insights from other industries are incorporated into the new model. Risk tolerances can then be set at either the key risk or at the risk category level.




Assessment Methodology




To incorporate emerging risk assessment and response into the ERM framework, decision makers have several tools at their disposal. For example, periodically conducting scenario analysis workshops will help define risks and determine their likelihood, severity and impact, especially if the workshops apply a consistent risk taxonomy. Additional analysis, and exploration of economic, social, political, and technological risks, can help assess the risks' significance, relationships with other risks and implications to the business and its stakeholders.




A decision whether to respond to the risk should be based on its expected impact and probability, in relation to the organization's risk appetite and tolerance for deviation from stated strategic goals. Since many emerging risks will be unprecedented and require a quick response, a predetermined and preapproved action plan can help to mitigate them. Being purely reactive is not sufficient. Finally, based on the identified risks and the response strategies, the firm should establish a buffer by allocating capital against key risks.




Banks must take several steps to incorporate emerging risks into their business planning, execution and evaluation processes. These can be undertaken using the existing risk management framework:




Objective setting. During quarterly strategic planning, the group responsible for risk management identifies high-level goals related to emerging risk. The group also reviews the current list of emerging risks to set or revise tolerance levels.
Event identification. Brainstorming sessions are held with senior management and with risk managers from the lines of business to review the current list of emerging risks and update as required. Risk managers also list risks identified by individuals in the lines of business and review publications and other external sources to supplement the list of identified risks.
Risk assessment. Scenario analysis workshops and event simulations are conducted with experts to discuss identified risks and assess impact and severity. Interconnections with other emerging risks, and with risks in the existing risk library, are determined.
Risk response control. Risks are assessed either at the risk or risk-category level, and appropriate responses are determined. For risks that should be avoided or controlled, a high-level response is predetermined and submitted for executive approval. Risk management by collaboration is also considered.
Information and communication. Periodic communication of the top emerging risks, monitoring strategies and planned response strategy is provided to management and lines-of-business leads to increase awareness.
Monitoring. Previous events are assessed to ensure an accurate picture of the risk landscape. Allocation of resources is reviewed to ensure that adequate resources (people and technology) are dedicated to managing these risks. Additionally, key emerging risks are quantified by connecting them to known risks or by identifying proxy metrics.


While the task of coming to grips with the full range of emerging risks may seem overwhelming, banks can improve their emerging risk management capability by initiating three, small, manageable steps:


Develop consensus that emerging risk is a critical area to understand, monitor, measure and mitigate.
Determine who is accountable for overseeing and managing emerging risk.
Assess whether current risk management practices account for emerging risk topics, and evaluate the maturity of emerging risk management within the organization.


Several initiatives may follow from these first steps, including emerging-risk gap assessment, operating model changes to enable emerging risk management, reengineering of existing ERM processes to accommodate emerging risk, and identifying metrics, management reports and dashboards to assist in future evaluation. Organizations that take action now will be better prepared for whatever risks emerge in a highly unpredictable world.


Steve Culpis global managing director of Accenture Finance and Risk Services.Chris Thompsonis Accenture's North America lead for risk management.

1. Climate change will continue to produce abnormal weather patterns, resulting in more natural disasters. In addition, population and economic growth creates regions that are more heavily affected by such disasters.


2. 
   


3. Dependence on technology will continue to grow as emerging markets become more mature, as mature markets are further saturated, and as more and more commercial and business activity moves online.


4. 
   


5. Economic, societal, environmental and political pressures will increase over the next 10 years as the world becomes more interconnected. The impact of friction or major disruptions will be more significant.


6. 
   


7. The global distribution network will become more complex as suppliers and manufacturers of goods become more interdependent, with greater opportunity for risks to manifest themselves.


8. 
   


9. Global population growth will place ever greater demand on natural resources.

Identifying New Risks


Traditionally, banks have tended to focus on risks that are financial in nature, more easily measured, and with historical precedents. They evaluate unemployment statistics, interest rates, asset valuation, foreign exchange rates, volatility in energy and commodity prices and other factors to develop scenarios that might unfold. The vast majority of the measured risks have occurred in the past; for others, some consensus develops around the idea that they might occur.


Banks are less proficient at measuring emerging risks and therefore must find better ways to predict their impact, particularly with respect to credit and market risk exposure.


Banks should draw upon multiple resources to identify emerging risks and develop responses. Within their organizations, banks can identify enterprise risk leaders and thought leaders, incorporate perspectives from economists and research analysts, expand the monitored and measured scenarios and factors used for sensitivity analysis and stress testing, and conduct scans of media and other indicators of potential risk. Externally, banks should partner with think tanks and consultants, attend conferences and establish networks in support of risk management efforts.


The key question regarding emerging risk is, of course, how to measure and manage events that have never occurred before. Several organizational, process and technology challenges must first be addressed. 



Organizational challenges include creating a mindset that is comfortable with measuring and monitoring the unlikely, given that most risk management efforts today focus on risks with historical precedents or with a high degree of probability. This requires identifying resources with the capabilities to watch for and flag emerging risks; determining responsibility for emerging risk; balancing resources among emerging, strategic, operational, financial and compliance risk management; and establishing incentives to support the management of risks that may not materialize for many years, if ever.


Process challenges include determining the reliability of information to predict the probability of a specific event, especially in the absence of a historical precedent; deciding when action is needed to mitigate emerging risks; communicating emerging risks through the business units; understanding the interconnectedness of risks to current portfolios, strategies and activities; and allocating capital to address the possible impact of emerging risks.


Technology challenges include maintaining the agility needed to measure a wide variety of scenarios and the flexibility to adjust scenarios that are already monitored; limiting the manual effort involved in conducting stress tests, in part to increase the ability to conduct these tests under time-sensitive conditions; and managing an expanding list of risks and setting priorities for monitoring and measuring these risks.


Managing Emerging Risks


Emerging risks should be integrated into the existing enterprise risk management framework and incorporated into the organization's business planning, execution and evaluation processes.


Getting the emerging risks right involves assessing whether existing and emerging risks are a potential barrier to growth. Key considerations include: how to incorporate emerging risks into corporate strategy; how to identify what the firm doesn't know; and how to better understand the complexity and interdependency of risks.


To incorporate emerging risks into the ERM structure, they should be considered as part of the strategic planning process, with a direct link to top-down risk appetite. To accomplish this, firms can initiate brainstorming sessions to gather input from both senior management and associates closer to day-to-day activities. Once the input is captured, it should be thoroughly scanned and analyzed for relevant risk factors.


To identify risks that do not have a historical precedent, financial organizations should consult such additional resources as academics, industry groups and economists. Once the risks have been identified and analyzed, a bank should develop a risk taxonomy, categorizing emerging risks according to a classification system. Finally, financial institutions should look outside their own industry to challenge the norm and ensure that insights from other industries are incorporated into the new model. Risk tolerances can then be set at either the key risk or at the risk category level.


Assessment Methodology


To incorporate emerging risk assessment and response into the ERM framework, decision makers have several tools at their disposal. For example, periodically conducting scenario analysis workshops will help define risks and determine their likelihood, severity and impact, especially if the workshops apply a consistent risk taxonomy. Additional analysis, and exploration of economic, social, political, and technological risks, can help assess the risks' significance, relationships with other risks and implications to the business and its stakeholders.


A decision whether to respond to the risk should be based on its expected impact and probability, in relation to the organization's risk appetite and tolerance for deviation from stated strategic goals. Since many emerging risks will be unprecedented and require a quick response, a predetermined and preapproved action plan can help to mitigate them. Being purely reactive is not sufficient. Finally, based on the identified risks and the response strategies, the firm should establish a buffer by allocating capital against key risks.


Banks must take several steps to incorporate emerging risks into their business planning, execution and evaluation processes. These can be undertaken using the existing risk management framework:

1. Objective setting. During quarterly strategic planning, the group responsible for risk management identifies high-level goals related to emerging risk. The group also reviews the current list of emerging risks to set or revise tolerance levels.


2. Event identification. Brainstorming sessions are held with senior management and with risk managers from the lines of business to review the current list of emerging risks and update as required. Risk managers also list risks identified by individuals in the lines of business and review publications and other external sources to supplement the list of identified risks.


3. Risk assessment. Scenario analysis workshops and event simulations are conducted with experts to discuss identified risks and assess impact and severity. Interconnections with other emerging risks, and with risks in the existing risk library, are determined.


4. Risk response control. Risks are assessed either at the risk or risk-category level, and appropriate responses are determined. For risks that should be avoided or controlled, a high-level response is predetermined and submitted for executive approval. Risk management by collaboration is also considered.


5. Information and communication. Periodic communication of the top emerging risks, monitoring strategies and planned response strategy is provided to management and lines-of-business leads to increase awareness.


6. Monitoring. Previous events are assessed to ensure an accurate picture of the risk landscape. Allocation of resources is reviewed to ensure that adequate resources (people and technology) are dedicated to managing these risks. Additionally, key emerging risks are quantified by connecting them to known risks or by identifying proxy metrics.

While the task of coming to grips with the full range of emerging risks may seem overwhelming, banks can improve their emerging risk management capability by initiating three, small, manageable steps:

• Develop consensus that emerging risk is a critical area to understand, monitor, measure and mitigate.


• Determine who is accountable for overseeing and managing emerging risk.


• Assess whether current risk management practices account for emerging risk topics, and evaluate the maturity of emerging risk management within the organization.

Several initiatives may follow from these first steps, including emerging-risk gap assessment, operating model changes to enable emerging risk management, reengineering of existing ERM processes to accommodate emerging risk, and identifying metrics, management reports and dashboards to assist in future evaluation. Organizations that take action now will be better prepared for whatever risks emerge in a highly unpredictable world.



Steve Culpis global managing director of Accenture Finance and Risk Services.Chris Thompsonis Accenture's North America lead for risk management.