person looking over a cliff edge
PHOTO: Nathan Shipps

It seems that “emerging risks” are a topic du jour. 

“Emerging risks can be new and unforeseen risks whose potential for harm or loss is not fully known,” stated Marsh & McLennan's "Ahead of the Curve: Understanding Emerging Risks" report.

“Emerging risks are those risks an organization has not yet recognized or those which are known to exist, but are not well understood. To quote Donald Rumsfeld, former US Secretary of Defense, ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.’ An ERM program that does not address the potential challenges created by the existence and development of emerging risks will not meet its goal of protecting, and generating opportunity for, the organization,” from a  RIMS report, "Emerging Risks and Enterprise Risk Management."

“Emerging risks are ‘newly developing or changing risks that are generally characterized by major uncertainty.’ This uncertainty is ‘partly derived from the lack of historical data that characterizes them, but also from scientific-technological, socio-political or regulatory changes that can create discontinuities in their evolution'" as defined in AXA's recent emerging risks survey.

I have no problem with any of these definitions. But what I do find interesting is that each of the sources say that assessing emerging risks is more difficult than previously identified risks, generally because there is less historical data.

But who should be alert and watching for emerging risks: things that might happen (a better expression than the ‘R’ word — risk — because of its negative impression) that might affect the achievement of enterprise objectives?

Related Article: Effective Risk Management Starts With Better Decision Making

Whose Responsibility Is it to Identify and Respond to Risks?

Richard Chambers, CEO and president of the IIA, recently published "Internal Audit and Emerging Risks: From Hilltops to Desktops." He draws an excellent distinction between hindsight, insight and foresight — although those of us who chose ‘insight’ as an important word to include in the IIA’s Mission for Internal Auditing and in the Core Principles for Effective Internal Auditing might assert it is forward looking.

I also like his turn of phrase (with a word or two added by me): "Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of today and tomorrow if we are to not only protect but enhance value for our organizations."

Where we disagree is in the role of internal audit in identifying or responding to emerging risks. Chambers writes: “… stakeholders are generally unimpressed with our acumen at detecting emerging risks. In a 2016 KPMG survey of chief financial officers and audit committee chairs, only 10 percent agreed that their internal audit function adequately identified and responded to emerging risks that threatened their companies.”

It is not internal audit’s responsibility to identify, assess or respond to risk.

It is a management responsibility.

As you can see, I want to shout that from the rooftops.

If I were a board member or CEO, I would be aghast if an executive told me that he or she relied on internal audit to identify, assess or respond to risks, whether existing or emerging. That’s his or her job. If they are not up to doing it, they should be fired.

Related Article: What Are the Core Competencies of an Effective Risk Officer?

What Roles Do Internal Audit and Risk Practitioners Fill?

So where does that leave internal audit? Internal audit must:

  1. Provide assurance on management’s ability to understand and address what might happen on the path to achieving the enterprise’s objectives.
  2. Provide additional advice and insight that will help stakeholders understand the current situation and take actions as appropriate.
  3. Act as evangelists across the organization for risk management (or the ability to make informed and intelligent decisions, which is a more advanced expression and a tougher challenge).
  4. Provide assurance, advice and insight on the internal controls relied upon to manage risks to enterprise objectives.
  5. Be agile in their planning and execution so they can shift their focus as ‘risks’ change.
  6. If internal audit sees a new or growing risk that appears to have been missed by management, find out why: help them improve their process, teaching them to fish for new or changing risks.

What about the risk practitioner? What is their role?

Chambers references an interview with a vice president of internal audit and risk management. Reading the transcript of the interview, the vice president appears to own the responsibility for identifying emerging risk at his organization. Again, I think is totally the wrong approach.

The risk function can help, but it is a management (and by that I mean operating) management responsibility to keep their eyes open and on the road ahead. When I was chief audit executive (CAE) at Business Objects, the board, with the concurrence of the CEO, asked me to act as chief risk officer (CRO) as well. I was willing to do so, but made sure I was only the facilitator and not the one identifying and assessing risks.

No CAE or CRO can ever know as much about the business as those running it day in and day out. (If they do, there’s a problem.)

That’s my strong opinion. What's yours?