// . //  Insights //  This Is The Best Approach To Identify Risk In Your Company

From environmental damage to infectious diseases and debt crises, the World Economic Forum’s most recent Global Risks report presents a stark picture of the most severe risks the world will face over the next decade. More than ever, businesses need to quickly identify the ones that are most dangerous and immediately get ahead of them.

Because every institution has its own very specific set of emerging risks, there’s no one-size-fits-all playbook for dealing with them. Further, current methods of risk identification can be improved, at times leaving companies struggling to derive real benefits. Most attempts take weeks or even months to execute and respond to risks only after they have materialized rather than proactively anticipating them. They also focus too much on simply ticking boxes for compliance purposes and fail to challenge established wisdom.

Until a company’s risk identification techniques produce more thoughtful takeaways and greater buy-in, its mitigation efforts will have limited success. That’s why we have developed a process that broadens the responsibility beyond the usual inner circle of risk professionals to senior executives from throughout the organization. The centerpiece is a co-creation workshop that empowers the group to find the most important new and existing risks affecting the company and prepare actionable recommendations.

Key steps in the risk identification process 

Preparation begins weeks in advance to ensure that a critical mass of senior personnel will be available. Ideally the group will comprise of about 50 executives representing all the relevant functions of the organization. The three-hour workshop starts with a brief introduction from the client’s chief risk officer (CRO), but the bulk of the time is dedicated to a robust conversation involving the entire group. It must be clear that everyone is expected to contribute and that all ideas are to be respected regardless of who submits them. The company’s usual hierarchy has no place in the conversations to come.

The discussion centers around a curated list of risk-related topics and trends that are particularly relevant for the client — changes in birthrates around the world, increasing rates of employee resignation, or fluctuations in cryptocurrency value, to name just a few examples. These are presented to the full audience, which then separates into seven- to eight-person discussion groups. Typically, one participant is chosen to facilitate the small-group conversations.

After an hour each breakout group selects a spokesperson and returns to the plenary session to present their key takeaways. One benefit of this approach is that often these takeaways are unconventional and prove surprising and challenging to the larger audience. To illustrate, in a recent engagement one breakout group sparked a healthy debate about whether the company was properly allocating environmental, social, and governance (ESG) funds, and if it should even continue making investments aimed at slowing climate change at all. In another firm’s workshop, a group questioned whether the level of investment in digital put the bank at risk of falling behind competitors.

Prioritizing your risks and charting a course of action

Following the conclusion of the workshop, our team compiles a list of the most trenchant comments and organizes them into a handful of overarching themes. We then meet with a small team of executives from the client side, including the CRO, to decide which of these to prioritize and determine next steps.

There are a few different ways the client may decide to proceed. Some choose to integrate the conclusions drawn at the workshop into their regulatory compliance efforts. Our European banking clients, for example, have used their new-found risk knowledge as part of their Internal Capital Adequacy Assessment Process. A company also may adjust its internal risk appetite framework to include some of the identified risks. Alternatively, it can set up a new risk management framework for any emerging risks that don’t already have a suitable one.

No matter what course of action they choose to pursue, businesses that go through the co-creation exercise are far better equipped to mitigate risk moving forward. For example, in one workshop prior to the COVID-19 pandemic a banking client highlighted the risk of not investing enough in digital, especially if the environment or competitive landscape changed. Afterward it began to observe exogenous changes more closely so it would be prepared to react quickly. In part, because of that effort, it was the fastest bank in its country to respond to the pandemic, getting all of its employees working remotely in a few days and building a quasi-digital credit process that was executable without anyone going to a branch.

“The workshop has become part of our standard risk identification process,” said another client’s head of enterprise risk management, whose most recent session identified five key initiatives that had material impact on the success of its risk management strategy. “Every year non-obvious ideas pop up.”