The kinds of business risks that provoke the worst insomnia — pandemics, cyber ransoms, a CEO who discovers Twitter — seem to explode into reality without warning.
But the truth is, hidden risks are rarely hidden. They are plainly visible when sought. You might just have a hard time seeing them because of certain business conditions and your own human nature.
How do hidden risks – that is, unexpected volatility in a place where it causes more harm than good – creep into an organization? Where do they hide out? What makes them so difficult to see? Are they more dangerous or damaging than risks you can see more easily?
Over the past two years, Riskonnect’s Risk@Work educational webinar series has been diving into the nature, impact, and mitigation of hidden risks with some of the industry’s most respected thought leaders. We’ve distilled their far-reaching conversations, excellent advice, and all-around wisdom into the following nine tips to help you find your hidden risks – and keep them from coming back.
Seek the outliers.
Tail risks – those in the edges of a bell curve distribution – are infrequent, but they have the power to wreak immense damage. When a system is close to absorbing all the stress it possibly can, each incremental increase in stressor size leads to accelerating marginal harm. In other words, an easily dismissed outlying risk can be the straw that breaks the camel’s back.
Know where you are fragile.
Fragility exponentially increases risk impact. The most devastating risks to a company can hide especially well in fragile areas. Not only is it hard to see the triggering event coming, but it’s difficult to anticipate the degree of outsized impact and/or the potential chain reaction of correlated impacts.
Understand how your risks interrelate.
One risk can cause ripple effects that trigger more impacts that trigger still more impacts – a kind of recursive loop that multiplies the effective size of the original stressor. Risks don’t just hide because the triggering event was impossible to predict; they hide because the ripple effects weren’t anticipated.
Strengthen your risk culture.
Devoting time and resources to cultivating a healthy risk culture is worth the effort because it gives you more risk-aware eyes and ears on the lookout for change. And that’s important because the earlier you know about something, the more time you have to put a plan into action. And remember that risk culture starts at the top. If leadership takes greater risks or skirts rules, others will see that as a sign to do the same.
Manage risk by impact, not event.
Individual risk events are difficult to predict under the best of conditions. That’s why the most successful companies focus on managing common impacts from a variety of events, not on figuring out the event itself. In the end, the impact – and how you manage it – is all that really matters.
Make it easy to collect and share risk intelligence.
Siloed risk functions create problems. It’s an enormous headache to aggregate data and create reports. Documentation and analytical work are unnecessarily duplicated. Information on policies, procedures, and controls lives within multiple databases. Employees can’t find necessary information. Functional risk silos not only keep risks hidden, they hide the true impacts and root cause of those events – and the best avenues for response.
Make internal audit your friend.
Your internal audit function is a critical feedback mechanism for risk and compliance. It double-checks that your company is in fact doing what it claims to be doing – accountability that’s important even for small or not highly regulated organizations. Just make sure the metrics you’re monitoring measure what they are intended to measure.
Pull together all of the pieces into a cohesive, meaningful story.
Spreadsheets, outdated data, and the inevitable keystroke snafus can cause lots of expensive trouble – especially when those mistakes spider out to other areas. If all risk-related data is in one system, however, it’s easy to see the connections between risk events. Staying in front of your risks is also much easier because data from one risk silo can serve as an indicator for another.
Never rest on your laurels.
To make your organization stronger — and therefore more resilient — you must constantly reassess and actively capture learnings so that the least successful controls, policies, and procedures can be discarded, and the best ones can be replicated. This is an active and ongoing exercise. What processes are no longer serving your company? What things should be expanded? What can you learn from experience?
It may take time and practice to learn to look beyond your comfort zone and seek out those threats, situations, and circumstances that seem too improbable – even ridiculous – to mention. But these are the risks that are silently biding their time, lulling you into a state of complacency before they burst forth and take you down.
Find those risks. Hunt them down and expose them for what they are – something to anticipate, monitor, and plan for. Do that and hidden risks will no longer have the power of surprise on their side. If and when they come, you’ll be ready.