Political risk, cyber security, bribery and oil price and financial market fluctuations are among the chief concerns for businesses being voiced by some of the UK’s leading risk experts as they look ahead to 2017.
Nicola Crawford CFIRM, chair of the Institute of Risk Management (IRM), commented: “2017 is undoubtedly the year where political risk on the global scale will be one to watch. The effect on markets is unknown, with the City of London and the wider stage braced for a hard Brexit. There’s also the fall-out of changes to American and European political leadership to be considered.”
According to Crawford, Enterprise Risk Management has arguably never been higher on the agenda. Organisations need to ensure that risk in the Boardroom is taken seriously to ensure organisational success and longevity.
“Factors in both the micro and macro environment should be constantly scanned against a company’s risk register, business continuity plans tested and stress tests conducted,” stated Crawford. “Reputational risk is also a major factor. Examples of how not to manage this have been widely reported in the media.”
Disruptive business models, the Internet of Things and the impact of a more connected world will all be factors changing the way in which we work. Although these are exciting times, the role of the risk manager has never been more important, with many opportunities and challenges ahead for businesses.
Crawford continued: “As an Institute, we’re well placed to provide the latest in thought leadership, training and qualifications to develop organisations in any sector on the global stage such that they’re absolutely ‘risk ready’.”
Oil prices and Brexit
The global economy continues to pose a risk for a number of reasons including oil prices, Brexit, possible Grexit and a slowdown of the BRICS (Brazil, Russia, India and China) economies.
Alexander Larsen FIRM, president of Baldwin Global Risk Services, explained: “While oil companies have restructured their businesses in line with sub-$50 oil prices, many countries that are reliant on oil as a major part of their GDP could face substantial economic crisis and social unrest. The economic as well as political impact could spill over into neighbouring countries. Potentially, this might have a detrimental effect on the global economy.”
It’s not all doom and gloom, though. “Oil prices seem to have stabilised around the $45-$50 mark for the last six months,” asserted Larsen, “and with oil companies having adapted to this new reality, any increase in the price will see major profits and investment in new projects. Even without an increase in price there’s opportunity to be found, with oil companies already investing in renewable energy. Indeed, they may invest even more heavily into it.”
Brexit is a major uncertainty that could potentially contribute to the damaging of an already struggling EU economy and a British economy that was one of the best performing in the EU. The pound has already been weakened against the dollar, with some currency experts predicting it could even reach parity at some point.
“Both a devalued pound as well as potential EU barriers to trade could have a serious impact on manufacturers importing parts from abroad,” observed Larsen. “It’s not just British companies who may be at risk, however, as any foreign companies selling goods in the UK may find the weak pound hitting their sales as well. This could lead to an increase in prices, in turn having a negative effect on consumers in the UK, or it could even lead to companies pulling out of the UK and relocating to other parts of the EU.”
While there are many risks involved with Brexit, there will inevitably also be many opportunities. A weakened pound would increase exports and encourage British companies with foreign suppliers to innovate or otherwise seek local suppliers in order to reduce costs.
Charting the cyber risk
Cyber risk has been a growing threat in the last few years, and it doesn’t look like 2017 will be any different. A recent report claimed that the risk in 2016 was four times higher than in 2015. Indeed, with technological advances allowing us to take further steps towards a cashless society, companies moving towards a paper-free business model and goods such as vehicles, fridges and televisions – not to mention the home itself – moving towards complete automation or ‘control by phone’, there’s more for hackers to target than ever before.
Last October, Twitter, PayPal, Netflix and Spotify were all downed by a major cyber attack, while an attack on Yahoo that witnessed the theft of 500 million users’ credentials occurred in 2014, but was only recently reported. These attacks cause downtime and share price drops, and reputational damage ensues (worse still if user credit card details are stolen and used). This increase in risk has prompted the UK Government to launch a £1.9 billion National Cyber Security Strategy.
Additionally, the FBI has started issuing warnings to organisations of the increase in cyber criminality, at the same time outlining concerns around the outcome of the recent US Presidential Election.
Some organisations are already spending up to $500 million on cyber security, while those such as the Bank of America have stated their budget is unlimited when it comes to fighting cyber crime. Attacks will keep coming and, now more than ever, organisations need a strong business continuity plan in place that includes media management.
Risk of flooding
Paul May FIRM, chairman of the Concordia Consultancy Ltd, outlined: “The increasing trend of damage and interruption by flood waters is a dead certainty rather than a possibility for the UK and, indeed, many locations in countries around the world. In the UK alone, four out of five of the wettest years on record have occurred since the year 2000. Insured losses in the UK have been somewhere in the region of £5 billion, and there will have been significant uninsured losses. There seems little likelihood that the cost of floods will reduce.”
Also likely is that many organisations, both big and small in stature, will fail to fully prepare for flood damage whether to their own premises or those of their suppliers and/or customers.
Such preparations could include pre-nominated restoration contractors, amended purchase and sales contracts, life-saving equipment at premises, alternate premises and logistics plans pre-agreed and even water craft such as inflatable dinghies on hand at the premises with suitably trained staff.
Many organisations have effective fire drills on site, often supported by internal fire marshals and firefighters. Extending those procedures and teams to be dedicated ‘flood responders’ may now receive a little more consideration within the risk community.
“The assessment of exposure and flood damages by drone and satellite observation will increase,” predicted May. “Most organisations with factories will actively consider having their own drone for ease of inspection. The use of such technology to record the condition of properties before a flood incident can greatly increase the speed of claim settlement. Organisations will probably not invest as much as they should do in flood alterations such as threshold protections, pre-installed pumps and hoses, sandbags or staff.”
“My prediction for risk management in 2017 as it applies to engineering, and in particular to those projects based on engineering such as infrastructure and product development, is that distinct qualitative and quantitative risk management practices will emerge and then begin to diverge,” commented Derek Salkeld FIRM, senior analyst with DS+A Ltd.
“Like the way innovations sometimes become commodified, the qualitative side of risk management will become a general technique project managers and engineers will carry out themselves, and no longer something they will hire a specialist to do. If the data sets become large and the databases complex then they may hire clerical support, but qualitative risk management will become and remain a skill of the project manager and the engineer.”
Salkeld continued: “I think it will be different on the quantitative side. Risk managers with quants skills will be hired by project funders and developers, perhaps before the project manager and engineer have even been appointed. They will be hired to describe and enumerate the exposure of a proposed development to risk, and to put forward how it should be managed in a way that informs the investment decision. This will remain a job for a risk management specialist. A consequence of this will be that the practice of quantified risk management will be started earlier in the development cycle, whereupon it will become an important component of a business case.”
Charities and the third sector
Alyson Pepperill CFIRM ACII, client projects director for Arthur J Gallagher and chair of the IRM Charities Special Interest Group, has focused on risk and how she thinks it will affect the third sector in 2017.
“Fundraising will remain as a major concern and risk area. Charities are working through their responses following revised regulation and a new regulator that the sector now has to pay for. The impact of the changes will be felt throughout 2017, but many are predicting falling income from fundraising and the need to raise funds differently. This will result in new and different risks being identified, evaluated, assessed and managed.”
Part of the new regulatory regime for fundraising, but a risk that goes far beyond just this one aspect, is information governance and cyber security. With the General Data Protection Regulation coming in 2018 and the Information Commissioner’s Office devoting time to provide guidance specific to charities, Pepperill feels this must be a key risk theme for 2017.
“Some suppliers have pointed out that the required information governance is impossible for many charities to comply with in view of the various and non-connecting CRM databases in general use,” added Pepperill, “so this area may require capital expenditure that will detract from delivering the charity’s mission.”
Regulation in general and compliance will be a larger theme for 2017 that will go beyond both of the first two areas and include Duty of Care, Health and Safety and safeguarding (among others). “Trustees will need to be playing a more active role in challenging organisations and how they comply with legislation and regulation,” said Pepperill.
Supply chain risk evaluated
According to the Risk Index produced by the Chartered Institute of Purchasing and Supply together with Dun & Bradstreet, the level of risk faced by global supply chains is moving rapidly upwards as we enter 2017. Firms have long been conscious of the need to manage their supply chains in order to ensure continuity and efficiency, but recent years have seen two significant shifts.
First, the trends towards globalisation, outsourcing, offshoring and specialisation have introduced an additional degree of complexity and uncertainty to supply networks. Second, the widespread adoption of social media and rapid means of communication means that reputation is constantly exposed.
Carolyn Williams, director of corporate relations at the IRM, said: “One recent tweet by Donald Trump, questioning the cost of the US F-35 fighter jet project, knocked more than £4 billion off the value of the three defence companies concerned in one day, among them BAe Systems. Organisations are increasingly called to public account for their decision-making, which includes the behaviour of those with whom they choose to do business, either directly or indirectly. All organisations need to be alert to issues of supplier viability, robust contracts, disruption from natural catastrophes, fraud, bribery and corruption, slavery and working conditions.”
The recent disintegration of the political consensus in respect of globalisation and trade introduces even more instability. “In Western Europe,” opined Williams, “we will probably wait for some time for clarity on post-Brexit trade arrangements. There’s clear potential for further destabilisation of the EU customs union. Companies with significant international business will need to keep a close watch on trading arrangements and exchange rates, regularly constructing and analysing a range of possible scenarios which must also include opportunities.”
As far as Williams is concerned, the first step towards managing these risks is understanding them. “We would expect to see a rising interest in mapping, quantifying and modelling risk exposures beyond simple supply chains to the complex extended enterprises that deliver goods and services across the world today.”
Psychology and human risk
Geoff Trickey, affiliate member of the IRM, is managing director of the Psychological Consultancy Ltd and a Chartered Psychologist. He has spoken about the impact of psychology and human risk.
“In this world nothing can be said to be certain, except death and taxes,” said Trickey (a widely cited sentiment originally accredited to Daniel Defoe). “If further confirmation on this point is needed, ask Michael Fish, Sir Mark Walport or the Government’s Chief Scientific Advisor or otherwise scan The Financial Times’ article informing us that: ‘The record of failure to predict recessions is virtually unblemished.’”
Estimating the probability of a risk is one thing, but predicting exactly when that risky event will happen is a very different matter. “The best we can do is to reduce those probabilities and be well prepared. In 2017, when the political and economic landscapes are as uncertain as ever, the need to prepare is critical.”
Perhaps surprisingly, one of the most predictable factors in the risk equation is the risk dispositions of the people involved. “These dispositions tend to be stable over time and have a pervasive influence on behaviour. Whether contributing to risk identification or risk prevention, or dealing with the aftermath of a disaster, the personalities of those in a position to impact events will be crucial.”
Risk disposition isn’t something that can be measured on a simplistic linear scale from extremes of risk aversion and risk taking. “More than 20 facets of personality make their contribution to the complex mosaic that defines your position on a spectrum of risk types that reflects both emotional and cognitive factors. By assessing individuals’ risk dispositions, organisations can ensure they put the right people in the right place to prepare for and respond to the unavoidable and unpredictable.”
In summation, Ian Livsey (CEO of the IRM) asserted: “2017 brings its own particular risks with Brexit, political change, cyber crime, security and financial risk. Risk is embedded in all facets of our lives and organisational risk is no different. The nature of risk is changing, as is evident by today’s macro and micro environments. Risk is inherent in everyday lives, and it’s fascinating to see just how far this reaches across industries around the world.”