
Enterprise Risk Management: Planning for Black Swans

15 Nov 2017

In an increasingly volatile corporate environment, businesses need to identify the high-risk situations that have strong potential to disrupt and endanger their activities. Black Swan events, unexpected occurrences such as terrorist attacks or natural disasters, can vastly affect a firm’s performance. Enterprise Risk Management (ERM) is one way to avert a major crisis, prevent catastrophes and ensure a firm can continue to operate smoothly. As former United States Secretary of Defence, Donald Rumsfeld, once remarked, “There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know.”

Considered the ultimate weapon in crisis anticipation, an ERM framework needs to be established effectively at all levels of a firm if it is to be capable of dealing competently with a wide range of risks. Circumstances that occur in one part of the world may pose threats to businesses in another. In the case of the 2008 financial crisis, which began in the United States and spread rapidly to other Western countries, several economists, such as Ann Pettifor and Nouriel Roubini, rightly predicted that the recession following the crisis would be the worst since the Great Depression of the 1930s. The average U.S. household lost a third of its net worth during the 2008 recession. Meanwhile, the effects of the crisis continued and expanded beyond Western economies into other regions of the world. In the fourth quarter of 2008, GDP in Asia (excluding China and India) decreased by close to 15 per cent compared to the same period the year before.

In recent times, in addition to the on-going economic volatility in the U.S. and the looming financial crisis in Europe, events such as the Brexit vote in the United Kingdom in 2016 and the change in national political leadership in the U.S. in 2017 have also contributed to growing uncertainty in global markets. Furthermore, the increasing interconnectivity in those global markets may also go on to create a strong negative chain reaction and severely impact businesses.

To combat such threats effectively, businesses often implement an ERM framework. The Casualty Actuarial Society (CAS) defines ERM as: "The discipline by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation's short- and long-term value to its stakeholders." The objective of implementing ERM is thus to provide reasonable assurance that the organisation will achieve its business objectives and enhance value creation.

When building ERM frameworks, organisations need to be concerned with three types of risk events: known risks, emerging risks, and unexpected risks or Black Swan events. Known risks include operational, financial or strategic risks that firms can identify and analyse. They can then proceed to try to manage or to avoid the event as part of the company's annual risk management evaluation. Emerging risks, such as cyber-crime and climate change, are risks that firms may observe but the extent of which is not completely apparent. Black Swan events are unpredictable events that impact businesses and society at large and take place without warning, such as the 9/11 terrorist attacks in the U.S.

Unknown and unpredictable risks outside the risk management cycle are the most hazardous to organisations. Black Swans are also unknown events that act as an outlier risk, causing extreme impact outside of normal expectations. Such events can only be explained after they have occurred. Given the unforeseeable and unpredictable nature of Black Swans, they also tend to have a devastating impact on businesses facing the incident for the first time.

Examples of Black Swans can be seen throughout history, such as the emergence of World War II, the demise of the Soviet Bloc, the 9/11 terrorist attacks and the financial crisis of 2008. Businesses may elect to not try to predict Black Swan events, or even to understand the extent of the impact from the viewpoint of the management, but instead try to create robustness within the organisation to cope with such negative events and to gain positive opportunities from them. The impact of a Black Swan event depends on the nature of the organisation. What may be a Black Swan surprise for a turkey is not a Black Swan surprise for its butcher, as the saying goes. The objective should be to avoid being the turkey by identifying the areas of vulnerability in order to turn a looming Black Swan into a white swan.

To prepare for a Black Swan event, we must first understand how and why the failures have happened in the past. It is vital to have a resilience system in place, that is, a warning sign to alert the business early if there are failures that are beginning to occur. Firms may not be able to predict the impact of the whole event, but they can use trigger points or alert signs to prepare in advance and take steps to mitigate the consequences.

In 2016, Protiviti and North Carolina State University's ERM initiative explored the top risks global organisations were expected to face in 2017. The study found that the top five risks facing the directors and top management of an organisation were primarily focused on:

  1. Economic conditions in domestic and international markets, which was considered the top overall risk in 2017.
  2. Regulatory changes and heightened regulatory scrutiny. While this risk showed up continuously over the previous four years, it still remained a major source of uncertainty among the majority of organisations.
  3. Cyber threats, which relate to cyber-security risk that might disrupt core operations. This was also identified as the top operational risk.
  4. Disruptive innovation. This risk is related to an organisation's ability to remain competitive under advances in digital technologies and rapidly changing business models.
  5. Privacy and identity protection. The increasing number of hacking activities that attack sensitive personal information saw it included in the top five risks for the first time.

In 2011, Thailand faced the worst flooding crisis in more than 100 years. Lasting more than four months, the crisis impacted most provinces and presented several unexpected risks to nearly all businesses in the country. One of the success stories in how to effectively manage the risks came from the Petroleum Authority of Thailand (PTT), one of the largest state-owned oil and gas companies listed on the Stock Exchange of Thailand (SET). During the catastrophic event, using the ERM concept, PTT continuously assessed the situation, established an emergency risk management centre and focused on developing a business continuity plan. As a result of the implementation of its ERM framework, PTT’s net income increased by 25 per cent in 2011 compared to the previous year, even though the average net income increase of all other SET-listed companies was only three per cent for the same year.

PTT pursues an effective risk management policy with a high level of corporate governance administered by the Thai Institute of Directors. It uses an ERM framework based on COSO ERM and ISO 31000 standards to manage its overall risks. Its business continuity plan was developed based on the guidelines contained in UK Standard BS 25999 and ISO 22301, and considers both the strategies of effective prevention and the minimisation of losses. For further direction and an appreciation of the challenges, it also conducts brainstorming sessions led by top management. The company’s ERM strategy aims to centralise the management of risks within the organisation, ensuring that the board of directors takes responsibility for and is held accountable for managing the risks. As a result, in 2011, during the flood crisis, all strategic, external, internal, operational, compliance and reputational risks were analysed jointly at the organisation level. This approach enabled PTT to identify its risk exposure and to include the identified risks in its risk management discussions at company meetings.

Moreover, PTT monitors information from various economic forums and uses scenario analysis techniques to identify and simulate uncertain events as well as to supplement the planning process. Each department, division and business unit is required to conduct a risk assessment and to include a set of identified risks in its corporate risk profile.

Black Swans such as 9/11 and catastrophic natural disasters are now part of the modern business world. ERM can help minimise their negative consequences by continuously observing a company's exposure to risks to ensure sound risk management capabilities, enabling companies to tackle potential pitfalls and sustain their business in the long term. Being an early observer with a sharp eye for the trigger points of emerging dangers, or their inherent opportunities, leads to resilience. This effectively means that Black Swans can be managed in a more systematic and logical way.


Author Juthamon Sithipolvanichgul is Lecturer in the Department of Accounting, Thammasat Business School, Thammasat University Bangkok, Thailand.