Are you really managing risk?
It’s interesting to think about the intersection between Risk and Snow Leopards and the importance of understanding risk but being prepared for any event. I caught Alex Fullick’s Preparing for the Unexpected webcast with Tony Thornton discussing IPEC Risks & Risk Management this week. Tony Thorton defines IPEC as an influence, perpetual, external, and catastrophic risk. It was an exciting idea and reminded me of the concept of Snow Leopards, where an event may be known but not fully anticipated.
Inspired by their discussion, it got me thinking about risk. As I understand it, Thorton argues a crisis is not ever entirely predictable. However, there are ways to prepare for the unexpected. Of course, doing so is challenging, and preparing for this classification of risk is different than conducting standard risk mitigation or business continuity planning. Determining that crisis risk is not predictable is a puzzle for exposure and actuarial experts. However, since none of us can predict every crisis, we have to ask ourselves, are we managing risk?
Connecting risk to business objectives
There are many risk management definitions, but I like that IBM’s is reasonably all-encompassing. Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. So, the goal is to protect the company from damage and limit impacts on the bottom line.
Thanks to its value to business continuity (BC), the process helps us understand and connect threats to business objectives. Traditionally, BC includes a risk assessment to identify vulnerabilities. Post-BIA, that knowledge is analyzed, along with any gaps in dependencies. Combined with an understanding of the impacts, planning for recovery is done by raising risk concerns. Ultimately, the business decides its risk tolerance and puts in controls to reduce the likelihood of impacts. Examples are dedicated planning and exercising.
Sneaky snow leopards
Let’s further consider risks and snow leopards. With risk assessment as a fundamental principle to support decision-making, it makes sense to identify any threat to business goals. The Atlantic Council suggests snow leopards as sneaky, likely unanticipated disrupters. They range from genetic manipulation of mosquitos’ potential health risks to the resurgence of environmentalism. This year’s identified potential future shapers–good or bad– could have future unintended consequences.
Recently, I wrote about the Top Five Disasters that influenced resilience. One of them aligns with Peter Engelke’s 2022 snow leopards, that of the sector of hunger-driven conflict. On-going COVID impacts on our supply chain continue, and the war in Ukraine will cause food shortages. There is a potential for this confluence to become wider-ranging than anticipated. Already, we are warned of food shortages in countries like the US, far from the conflict but influenced by our global economy.
Prepare for the unexpected
Preparing for the unexpected makes sense. Resilience practitioners are shifting from reactionaries to visionaries. Business Continuity and Crisis Management (CM) react to a problem. Today’s resilience practitioners are at the forefront of championing agility and preparedness. Overall, adding considerations of unanticipated events is worthwhile.
Our risk registers can’t identify all emergency events. As Tony Thorton indicates, calibrating risk is tricker than it used to be. Or, we see more clearly that there’s benefit in keeping tabs on the worst-case scenarios or unlikely but high-impact incidents that can cause significant operational damage. We don’t get paid for each event we respond to, but how well our framework works for any crisis–even the ones we never or barely see coming.