GRC Tuesdays: Emerging Risks – Hic Sunt Dracones
Hic sunt dracones – or here be dragons – as inscribed on some historical maps for uncharted territories.
Even if today it’s believed that this was not a widespread term, as once believed, it still resonates in people’s imagination for unexplored areas that could hide terrifying threats.
As a result, I think it’s a good image to start this post on emerging risks: the ones that pose a vital threat to your organization should they occur as they could radically change the context in which you operate. And, in extreme cases, wipe out a complete industry.
Not that I think an exhaustive list is possible, but let me take this opportunity to remind you of a few examples:
* Competitors with different business models
This is what regular taxi companies or hotels are experiencing with the rise of Uber or Airbnb, for instance. These two companies didn’t exist a few years ago and in less than a decade both have radically changed the competitive landscape to become more than serious stakeholders, they now lead these trends.
* Disruptive technologies
I still remember putting a film in my camera and forgetting to change it after the end of the roll. But how many of us still do this? The emergence of digital cameras has completely changed the photography industry and previous market leaders are now struggling to find their place.
* Alternative financing options
What entrepreneur would have thought some time ago to go to a website to ask for funding to launch a new product? With crowdfunding, financial institutions are now competing against you and me to fund the products of the future.
OK, enough about scary images. The good news is that emerging risks do not have to be fatal for a company. Yes they do exist, but they do not need to be imaginary dragons.
Indeed, no risk occurs from one day to another without prior warning. A change in technology takes years to become mainstream and the very same is true for a change in consumer behaviour, the emergence of a competitor, and so on.
You do have a chance to record these threats on your map and to decide on an appropriate response strategy.
Where to Start?
From the different interactions I’ve had with customers who have experienced these serious threats – whether they recovered from them or not, they all acknowledged that these risks had been known to at least one department within the company but often not reported to the appropriate stakeholder.
The major issue is that it is difficult for an individual to categorize a risk as a vital threat and no-one really wants to have responsibility for these risks. But there’s a way around this, which is to record them as warnings when they start to manifest.
To do this, ask all employees to record them to your database for incidents and near-losses, because that’s exactly what they are. Focus especially on R&D and sales colleagues as they are the ones who will know when a new technology is being discussed during a conference or that customers are changing their purchasing habits.
I would advocate that you should even create a new category in this database called “warning”. These are not really incidents – they have not yet caused any harm – but neither are they near-losses. This will also most likely help colleagues feel more at ease reporting them.
Finally, make sure that your risk management department regularly reviews these warnings with relevant business owners to identify the ones that pose a potential threat to your company. Then enter them in the risk register to be completely documented, assessed, mitigated, and of course, monitored with the C-suite if necessary.
The intent here is not to stop the course of time, but at least to be prepared for when it comes.
What about you? Are you already ready to slay these dragons? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Originally published on the SAP Analytics Blog