charities-sig-an-introduction-to-emerging-risks-and-how-to-identify

Developing risk professionals

Institute of Risk Management

An introduction to

emerging risks and how

to identify them

IRM Charities Special

Interest Group Report

Contents

About the Institute of Risk Management 3

About the Charities Special Interest Group 3

About this guide 4

Foreword 5

Definitions 6

What constitutes an emerging risk? 7

Why should organisations tackle emerging risks? 9

Why do organisations avoid tackling emerging risks? 9

Who should be involved in the emerging risk management process? 10

Techniques for identifying emerging risks 11

PESTLE Analysis 11

SWOT Analysis 12

Horizon Scanning 13

Appendix One: Example of identifying emerging risks using horizon scanning 14

Appendix Two: Emerging risks identified by others 15

Further reading 18

About the Institute of Risk Management

About the Charities Special Interest Group

The Institute of Risk Management (IRM) is the leading professional body for Enterprise Risk Management

(ERM). We drive excellence in managing risk to ensure organisations are ready for the opportunities

and threats of the future. We do this by providing internationally recognised qualications and training,

publishing research and guidance, and setting professional standards.

For over 30 years our qualications have been the global choice of qualication for risk professionals and

their employers. We are a not-for-prot body, with members working in all industries, in all risk disciplines and

in all sectors around the world. In 2019, the IRM welcomed the Institute of Operational Risk (IOR) into the

IRM group

The IRM Charities Special Interest Group (SIG) was established over 15 years ago to provide practical

guidance for charities about managing risk and opportunities for sharing knowledge, tips and best practice

amongst sector professionals.

Our overall aim is to increase the sector’s knowledge of risk management best practice, explore practical

solutions for managing sector challenges, and provide a forum where risk professionals can meet (virtually or

face-to-face) to learn from one another and share up to date risk management practice.

To join the Charities SIG or for additional information, please look at our web page: www.theirm.org/charities

If you have any questions about IRM Special Interest Groups, please send an email to

[email protected]

This guide is a companion to our guide Getting Started with Risk Management, which follows ISO31000 as

the international standard for managing risk.

This publication is the rst of a series (issued separately over a period of months) exploring how to identify

and tackle emerging risks, as well as embedding the process of emerging risk management within an

organisation. As always, our emphasis is on developing practical tools and techniques to support the person

with responsibility for risk management, whether risk practitioners or individuals with risk management

responsibilities.

Our authors

The following risk practitioners have authored this publication as members of the Emerging Risk Working

Group, a part of the IRM Charities SIG.

> Ahmed Salim, Deloitte & Football Beyond Borders

> Alyson Pepperill CFIRM, Gallagher Insurance and Chair of IRM Charities SIG

> Charles Mitchell, Cancer Research UK

> Charlotte Candy CMIRM, AECOM

> Jill Long, Teenage Cancer Trust

> Marilyn Acker, Interim Finance & Audit Management

> Paula Karlsson-Brown, University of Glasgow and SIG team member

> Roberta Beaton IRMCert, NMC and SIG team member

> Sarah Nolan, Charity Risk and Assurance Professional

> Sophie Walsh, Oxfam

> Steve Brown GradIRM, Alzheimer’s Society and SIG team member

> Steve Grifths, Alzheimer’s Society and SIG team member

> Tracey Lumsden, Cancer Research UK

About this guide

Foreword

Welcome to our sixth guide designed to help charities make sense of risk management, and the rst of a

series (published over several months) on the topic of emerging risk.

People often view risk management as a complex discipline – but we beg to differ and offer practical

information to help your organisation manage risk.

Our Getting started leaet, and supplementary guidance demonstrated that risk management is something

often undertaken intuitively. With a little structure risk management can be embedded into an organisation

to help it achieve objectives, support successful strategic planning and reassure people at all levels within

and outside the organisation that uncertainty and risk are being considered and managed appropriately.

Integrating risk management into strategic planning can also result in the identication of new and different

opportunities.

In this series of guides, we tackle the management of emerging risks and how to identify, assess, manage

and embed techniques to develop an ongoing emerging risk management process.

If you are looking for further guidance about risk management, please refer to our other publications:

> Getting started: How to set up risk management framework

> Getting better: Understanding your risk maturity

> Setting your risk appetite: Understanding your appetite for risk

> Risk governance for charities: How to structure your organisation to make risk management successful

> Tools for providing assurance on regulatory compliance: Assuring your legal and regulatory compliance

regime

The world does not stand still for any organisation. Those that have processes ready to respond to change

are generally more resilient than those that do not.

The world of risk management is continuously evolving and adapting to change. Our aim with this

publication is to support the sector to survive and thrive, enabling charities to innovate and react with agility

to change rather than to stagnate and rely on the ‘same old, same old’.

Some may ask why you need to manage emerging risk differently than ‘business as usual’ risks. It is true

that the risk management process detailed in ISO31000 remains valid for the management of emerging

risks.

Nevertheless, the general atmosphere of fear and/or mystique around an emerging risk that remains just

over the horizon, makes us feel uncomfortable. There is often little or no data on which to base the risk

response. Emerging risks may appear more challenging to identify, assess and manage.

The use of different tools and techniques in addition to traditional methods, will help you work through

these difculties. It is clear that for an organisation to perform successfully and be resilient, there needs to be

an appropriate approach to managing emerging risks.

This is why we selected this topic for our 2020 and 2021 publication guides. The choice feels appropriate

given the uncertain times we are living in, and the challenges presented to many of the assumptions that

underpin traditional risk management thinking and techniques (e.g. our ability to predict risks).

Denitions

Term Denition

Emerging risk A risk that is evolving in areas and ways where the body of available knowledge is

weak.

External risk A risk outside of the organisation and outside its control.

Horizon Scanning A systematic examination of information to identify potential threats, risks,

emerging issues, and opportunities.

Internal risk A risk from within the organisation and within its control.

Magnitude The enormity of a risk in terms of its impact.

Resilience The ability of an organisation to anticipate, prepare for and respond to change to

survive and prosper.

Risk Effect of uncertainty on objectives.

Risk management Any activity undertaken to identify and then control the level of risk.

Stakeholder A person, group or organisation with an interest in the charity.

Time Horizon The period during which risks are considered. This may be 1-3 years, 3-5 years, and

longer.

Volatility A measure of the uctuation of a risk over time.

Emerging risks have characteristics that differentiate them from ‘business as usual’ risks. These

characteristics of emerging risks are reviewed using the Covid-19 pandemic as an example.

Emerging risks may arise and evolve quickly, unexpectedly, or both. The emerging risk may never happen at

all. Emerging risks may have a massive economic loss potential at a macro level for society and subsequently

may impact charities directly or indirectly.

There are generally three categories of emerging risks

1. A new risk in a known context: Risks that emerge in the external environment and impact the

organisation’s existing activities. For example, you were aware that regulations relating to your activities

will change next year.

Hopkin, P. (2018) Fundamentals of Risk Management: Understanding, evaluating and implementing effective risk management.

5th edition. IRM. Kogan Page: New York.

What constitutes an emerging risk?

Characteristic Notes and examples

Ambiguous The risk itself is difcult to dene.

Covid-19: Experts recognised that a pandemic was likely but could not describe how,

when or even if before the event occurring.

Chaotic Emerging risks are constantly changing.

Covid-19: As the risk and our understanding develops, government handling of

Covid-19 has changed around lockdowns, face coverings and social distancing,

creating a chaotic economy and social environment.

Complex Emerging risks can affect a large number of factors simultaneously.

Covid-19: The effect of the pandemic on economies may lead to recession

amplifying the impact of falling income levels and unemployment.

Time-horizon can

change

Emerging risks sometimes seem a long way off, but the time-horizon can change

very quickly.

Covid-19: A pandemic seemed a long way off to many, and then Covid-19 started

to spread from continent-to-continent over a relatively short period of a few

months.

Uncertain The lack of knowledge about what an emerging risk will become and how it will play

out makes them difcult to consider with certainty.

Covid-19: Pandemic risk is an excellent example of uncertainty leading to many

taking a few steps to consider the risk, despite experts warning for decades that the

risk existed.

Uncontrollable Emerging risks are often external to the organisation, and outside direct control, so

the need is to adapt and respond, rather than to control.

Covid-19: Organisations have had to adapt working practices and the work

environment to survive.

Volatile Signicant changes in the risk within a short period.

Using the 2020 Covid-19 pandemic as an example:: In the UK during the summer

months life was relatively ‘normal’ whereas in November we had to return to

lockdown.

Hardy, C. & Maguire, S. (2020) Organizations, risk translation, and the ecology of risks: the discursive construction of a novel risk.

Academy of Management, Vol. 63(3), 685-716.

2. A known risk in a new context: The management of a risk may need to change if you venture into a new

activity. For example, your charity already works with vulnerable adults and decides to start running a

crèche for the children of employees and volunteers by the end of their current strategy.

3. A new risk in a new context: Risks not previously considered because the risk is new to the organisation.

Emerging risks may be difcult to manage as the assignment of risk ownership can be complex and unclear.

What organisations can do is translate the vagueness of an emerging risk into an organisational risk that

they are more familiar with, e.g. regulatory, strategic and operational risks. This makes it easier to take action

to tackle the risk, as it means that responsibility for the emerging risk can be redistributed to appropriate

levels and people within an organisation.

This document explains the benets to organisations that recognise emerging risks. In short, following

through on preparing for emerging risks – not just identifying them – can make your organisation more

resilient and condent in the face of an uncertain future and can allow charities to adapt and thrive.

Whilst traditional risk management focuses on supporting an organisation to achieve its objectives and

plans, tackling emerging risks enables an organisation to build and maintain resilience to ensure that it will

survive and even thrive in uncertain times.

Resilience can enable the organisation to:

i. Anticipate possible adverse scenarios or events, prepare for them, withstand or absorb their impacts,

recover from the effects and adapt to the changing conditions;

ii. Respond and adapt to opportunities and take prompt and informed decisions with condence.

Emerging risks are risks, and the usual risk management processes remain relevant. However, it is often

impossible to quantify likelihoods and impacts with certainty for emerging risks. The ‘ambiguous’

characteristic of emerging risks and the lack of information available to understand the risk make it difcult

to take decisions on a timely basis.

Historically many charities have side-lined emerging risks into the ‘too difcult’ bucket because they tend

to sit in the ‘low likelihood / high impact’ arena and fall beyond the short-term objectives that many

organisations prioritise.

If your senior management or Board are inexperienced in strategic planning or risk discussions, this can

present an additional challenge. Added to this are the pressure on leadership time and the tendency to

discuss only current issues as there is more information available. Adaption to General Data Protection

regulations serves as a reminder as to how embedded ‘current issue only’ behaviour can be.

We examine these challenges in more detail in our separate publication ‘The Leadership Conversation’.

The challenge of focusing on ‘current issues only’

The General Data Protection Regulation came into effect in 2016; the compliance deadline

was May 2018. Yet with almost two years to prepare, and known nancial penalties, many

organisations worked to the May 2018 deadline – a just-in-time response which put the

organisation at the risk of non-compliance.

This response was attributed to several factors including a sense of being overwhelmed by the

technical requirements to enact the change – considered as ‘negative panic’; a sense of myopia

when faced with the exponential nature of data and who holds it; and possibly also the ‘herd

instinct’ where organisations looked to their peers and followed whatever they were or were not

doing.

Why should organisations tackle emerging risks?

Why do organisations avoid tackling emerging risks?

We outlined in our publication Risk Governance for Charities the types of governance structures that support

the development and embedding of risk management within different sized charities.

The Charity Commission publication CC26 states “Charity trustees should regularly review and assess the

risks faced by their charity in all areas of its work and plan for the management of those risks”. Therefore,

Trustees also need to be engaged in the process as they bring a broad outlook and experience to the table.

Bringing in external experts may also be benecial in helping the organisation to identify emerging risks.

These experts, who may provide advice on a pro bono basis can include accountants, technology experts

and representatives of umbrella bodies such as the IRM.

The conversation may not be an easy one, but it is essential to try and may work best if anchored in strategic

planning.

Who should be involved in the emerging risk management

process?

Kaplan, R. & Mikes, A. (2012) Managing Risks: A New Framework. Available at:

https://hbr.org/2012/06/managing-risks-a-new-framework

Identifying emerging risks can be difcult, but techniques exist to help, such as PESTLE, SWOT and horizon-

scanning. A charity can adopt one or more of these techniques as well as looking at external sources.

Please see the Appendix for some examples of output from authoritative bodies such as the World Economic

Forum (WEF) and the IRM. In addition, bear in mind that other organisations and umbrella bodies such as

the Institute of Chartered Accountants of England and Wales (ICAEW), Deloitte, and individual accountancy

rms may also have information available.

This section explores three popular techniques for identifying emerging risks. You may not need to use all

three. Some can be undertaken simultaneously as they are complementary, whereas others are most useful

as stand-alone exercises. We recommend you select one or more that works best within the context of your

organisation. We stress that all work best when a range of stakeholders and subject matter experts are

brought together to provide a broad range of insights and inputs.

PESTLE Analysis

What is it?

PESTLE Analysis helps you to identify external factors in the following categories:

> P - Political

> E - Economic

> S - Social

> T - Technological

> L - Legal

> E - Environmental

It can also provide a structure for horizon scanning.

Why use this technique?

The technique enables an organisation to think about potential emerging risks within categories. This often

helps people to think more broadly around specic topic areas.

How do you use this technique?

Techniques for identifying emerging risks

Step Process

Identify key

stakeholders

Gather relevant people to work together who have insights to make from a political,

economic, social, technological, legal and/or environmental perspective. See below

for more details on who should be involved.

Brief them Explain the context of the work, your strategic and project objectives so they can

prepare for the Review Meeting.

Review meeting Share, gather and review insights under each heading considering both internal and

external risks.

Meeting output Document the insights in terms of themes, issues and risks, e.g. using a table with

the PESTLE factors as headings. This is the current list of potential emerging risks to

monitor.

Reect and review After a suitable period of reection, bring the group back together to review and

conrm the emerging risks identied.

Stakeholders to involve:

A large organisation could bring together stakeholders in roles such as Government Adviser (political),

Economics Adviser (economic), Policy Adviser (social), Data Protection Ofcer (technological), lawyer (legal)

and an environmentalist (environment) to share their insights.

Smaller charities may not have the range of employee roles that would enable a broad representation. To

overcome this, they might bring together the most relevant stakeholders from their trustees, professional

advisers and pro bono resources. These contacts may well provide additional external insights not considered

by employees.

SWOT Analysis

What is it?

SWOT analysis is a technique that can help an organisation understand its strengths, weaknesses,

opportunities and threats.

Why use this technique?

SWOT analysis is a simple and recognisable approach that can be a useful framework for thinking about

the PESTLE factors. SWOT supports the identication of risks providing a broader perspective on factors that

could affect strategy or operations.

SWOT assists you in developing a good understanding of the impact and what can be done to minimise

adverse effects and maximise potential opportunities.

How do you use this technique?

Bring together relevant stakeholders and capture their insights, in a simple table. For example, if you are

focusing on the strengths, weaknesses, opportunities and threats in relation to a particular PESTLE factor,

such as Legal, you would want to involve stakeholders with legal expertise.

Example scenario: We know of an emerging risk because the government has announced a critical

regulation that applies to our charity is going to signicantly change in a year’s time. This announcement

was made following some high prole cases of non-compliance with existing regulation and harm to

beneciaries. However, we don’t know any of the detail when we undertake our PESTLE/SWOT analysis.

The SWOT summarised below identies one of our key weaknesses, i.e. we are not good at complying with

the existing regulations and don’t have systems in place to monitor our compliance.

We suggest that those stakeholders relevant to the component of PESTLE under consideration be involved in

the discussion.

Strengths Weaknesses

Trustee board has recently appointed a trustee

champion for risk and compliance issues.

Our poor record on compliance with existing

regulations and lack of governance and assurance

systems.

Opportunities Threats

Use the upcoming regulatory change to improve our

compliance with all relevant regulations by setting

up an assurance system, which could be used for all

other rules that apply to our activities.

Stricter future regulations with increased nes for

non-compliance and negative media coverage.

Horizon Scanning

What is it?

Horizon scanning is a technique used across a wide range of sectors to help identify a range of potential

issues and risks that could impact the organisation in the future as a result of the complex and connected

world in which the organisation operates.

We dene horizon scanning as a systematic examination of information to identify potential threats, risks,

emerging issues, and opportunities.

Horizon scanning can help an organisation foresee and examine risks immediately ahead of the

organisation, within timeframes, e.g. where is the emerging risk in the short, medium, and long term?

Why use this technique?

Horizon scanning can help an organisation:

> Deepen their understanding of the driving forces affecting future policy and strategy development;

> Identify gaps in understanding and risk areas for research to better understand the driving forces;

> Build consensus among a range of stakeholders about the issues and how to tackle them as well as

mobilising stakeholders to take action;

> Identify and clarify some of the difcult policy/strategy choices and trade-offs that may be needed in

the future;

> Create a new strategic approach that is resilient because it is adaptable to changing external conditions.

How do you use this technique?

The table and gure below are from the IRM Innovation SIG’s Horizon Planning publication. See their

publication for more in-depth workings.

Just like PESTLE and SWOT, horizon scanning needs to involve key stakeholders to work to an agreed timeline

in small groups or as individuals.

Concluding Note

We hope that, in the future, the charity sector will collaborate and work together to share best practice to

make emerging risk identication more manageable in terms of available resources, delivering higher levels

of analysis and insight than a single organisation can achieve on its own.

Background to the example:

We are a national UK animal charity providing rehoming services, running charity shops and offering

education and advice about animal care.

When we considered emerging risks, we quickly realised they tended to sit in two camps:

1. Those that were inevitable but far away in terms of time although of a high impact if they happened.

2. Those where the timescale was probably shorter and would have a high impact.

Identication and Assessment:

Using horizon scanning as a tool, we identied a number of emerging risks, and through scenario testing and

a quick brainstorm, we assessed that the following risks are vital for us to consider further:

Appendix One: Example of identifying emerging risks using

horizon scanning

Topic Considerations

Climate Disaster and

Climate Change

> Weather changes could impact our operations and have a direct effect on how

we care for animals

> Changes to living patterns could help protect animals including strays

> Changes in the economic environment could put people off rehoming pets, i.e.

there would be fewer afuent people available

> Changes in the economic environment could be an opportunity if people have

more time and recognise the positive mental health aspects of having a pet

Articial Intelligence > What sort of job roles might disappear if AI takes off in our sector?

> What sort of people skills will we still need?

> What about people unable or unwilling to adapt to the new situation?

Microservices > Could a disruptive new way of offering animal rehoming emerge at a micro-

business level – will this be positive or negative for us?

> What opportunities might arise if we can harness this shift to online adoption

and recruitment of adopters?

Animal Pandemic > A series of animal pandemics could put people off rehoming and leave our

resources over-stretched if people don’t want to take on sick animals or animals

that may become sick

> Animal pandemics could stir up a high level of support and donations from the

general public, and possibly even the government if the strain was aggressive

and linked to pets rather than wild animals

Retail is changing > Online sales are rising, and the High Street is dying/changing in part driven by

uneconomic rents. How quickly do we need to change our charity shop strategy?

> Do we understand why people visit our shops? Can we make a visit to our shops

more of an experience?

If you are interested in some topic areas to get the discussion started within your organisation, the table

below may help. Please see the Further Reading section for additional helpful reference sources.

Appendix Two: Emerging risks identied by others

Topic Considerations

Climate Disaster and

Climate Change

> These are sources of risk rather than a risk in themselves

> You need to think about how these affect you/matter to you

> This could be due to general security issues – could mass protests disrupt you?

Can you anticipate negative media attention because of what you do?

> What would the effect be on you?

> Weather-related damage

> Changes to living patterns (less ying, more recycling, etc.)

> Economic factors (reduced GDP, the effect on jobs, tax, etc.)

Articial Intelligence > AI will ultimately have an impact on jobs of all kinds

> AI will impact how future talent is developed

> Risks to social liberty and safety are associated with the increased use of AI

> There is potential for increased social exclusion with the increased use of AI

> AI may impact your organisation both positively and negatively

5G and Internet of

Things (IoT)

> 5G and IoT will enable machines to talk to other devices at rapid speed,

presenting opportunities for automation and increased programme capacity

> Unveried 5G concerns around radiation and possible health risks may impact

adaptation

> IoT risks around security and privacy may impact adaptation

New political

landscape e.g. Brexit

> There has been a clear shift in the political environment; nationalism is on the

rise

> Trade wars can affect countries and business within them

> Fake news inuences individual and collective decisions

> Shifting policies and strategic orientation give rise to stranded assets and staff

Microservices > Increasingly complex rms and services are emerging which operate wholly

online

> Apps to assemble new products and services are developed and launched

rapidly

Cyber Crime > Protecting data and nances is becoming an increasingly complex risk which

requires signicant expertise

> There is an increased incidence of ransomware attacks

> Criminals are developing and changing attacks; this is an emerging risk area

> Email scams are becoming more sophisticated

> The risk of cybercriminals accessing control systems, e.g. power and utilities,

ships and factories are increasing

> Criminals are currently focusing on data – as well as extortion

Retail is changing > Online sales are rising, and the High Street is dying/changing in part driven by

uneconomic rents

> Mall shopping in the US is changing to be more of an experience

> Fraud in online shopping is changing; abuse is a developing risk

> People re-using/re-wearing clothes; this is suppressing demand

Future of nance? > Microservices are beginning to have a signicant impact, e.g. online-only banks

> Financial technology developments are creating new ways for people to pay for

goods and services

> Financial developments are focussed on new, young customers and how they

want to buy or use things

> New nancial models = unknown risks

Urban migration and

city living

> Globally there has been growth in people moving to cities and leaving rural

areas

> Support for rural populations is dwindling

> The impact of Covid-19 on city centres has changed city living and may change

urban migration patterns

Quantum devices/

computers

> The development of quantum computers will transform what we can do on a

computer

> Computers will become more problem solvers than merely programmed to do

tasks

> Security and privacy risks remain

Reputational risk and

intangibles

> Many risk professionals believe reputational risk is a consequence and not a risk

in its own right; nevertheless, reputation is hard-won and easily lost

> Intangible risks include the loss of public goodwill, patents, copyright, datasets,

licenses, trademarks, brand, equity and knowhow

> Dataset leakage leads to cyber-crime

Source: Emerging Risks 2020 webinar by Dr. Keith Smith 27/03/2020

Source: IRM Innovation SIG Horizon Scanning publication

The two risk maps presented here may provide additional topic areas for consideration, as well as

demonstrating visual ways of showing where risks sit in your organisation.

Source: World Economic Forum: 2020 Global Risk Report

BSI Organisational Resilience. Available at:

https://www.bsigroup.com/en-GB/our-services/Organizational-Resilience/

IRM (2015) Risk management for charities. Getting better. Available at:

https://www.theirm.org/media/9167/irm-getting-better-yer-nal-march-2016.pdf

IRM (2015) Risk management for charities. Getting better: Risk Maturity Framework. Available at:

https://www.theirm.org/media/4512/irm-charities-sig-risk-maturity-framework-nal.pdf

IRM (2016) Risk management for charities. Setting your risk appetite: supplementary guidance. Available at:

https://theirm.org/media/4519/irm-charities-sig-setting-risk-appetite-nal-updated-051016.pdf

IRM (2018) Horizon Scanning: A Practitioner’s Guide. Available at:

https://theirm.org/media/7423/horizon-scanning_nal2-1.pdf

IRM (2018) Risk governance for charities: How to structure your organisation to make risk management

successful. Available at: https://www.theirm.org/media/7412/risk-governance-for-charities_web.pdf

IRM (2018) Risk management for charities. Getting started: supplementary guidance. Version 2.0. Available

at: https://theirm.org/media/4513/irm-getting-started-v20-guide-2018.pdf

IRM (2018) Tools for providing assurance on regulatory compliance: Assuring your legal and regulatory

compliance regime. Available at:

https://www.theirm.org/media/8657/tools-for-providing-assurance-on-regulatory-compliance.pdf

IRM (2018) Tools for stakeholder mapping. Available at:

https://www.theirm.org/media/4516/stakeholder-mapping-2018.pdf

ISO (2018) ISO 31000 Risk management. Available at:

https://www.iso.org/iso-31000-risk-management.html

ISO ISO 31050 - Guidance for managing emerging risks to enhance resilience. Available at:

https://committee.iso.org/sites/tc262/home/projects/ongoing/iso-31022-guidelines-for-impl-2.html

The Charity Commission (2010) Charities and risk management (CC26). Available at:

https://www.gov.uk/government/publications/charities-and-risk-management-cc26/charities-and-risk-

management-cc26

World Economic Forum (2020) The Global Risks Report 2020. Available at:

http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf