Identifying Emerging Risks Can Help You Future-Proof Your Firm

09.06.23 in Cybersecurity & Enterprise Risk

Estimated Reading Time: 5 Minutes (960 words)

Pencil and blocks showing progression from orange to green, insinuating positive change

How do you manage the risks you're aware of while also identifying emerging risks and preparing for the unknown? Apply the same principles you use with your clients in financial planning: Look for new risks, both threats and opportunities; study these risks to understand their impact; and develop a plan to manage them.

What You Don't Know Can Hurt You

Imagine you're on vacation. You receive a video message from a friend in a canoe paddling down what used to be your street. They're checking to see if your home has flooded like the rest of the area.

A flooded house in an oceanside community in New England shows the strength of Hurricane Sandy, a powerful storm which crashed into the Eastern USA. The gate was barricaded with sandbags, but the force of the water was too strong.

This may sound like a scene out of a movie, but unfortunately, it was a reality for my family when torrential rain and flash flooding devastated areas of New England. Living in a mountain town, I never thought about flooding—it was something that happened to other people in other parts of the country. Boy, was I wrong.

What if a flood, hurricane, or tornado destroyed your office? How would it affect your business? How long would it take you to get back up and running? How would you service your clients during this time?

Identifying emerging risks like these should be an integral part of any business strategy and resilience planning.

What Is an Emerging Risk?

According to the International Risk Governance Council, an emerging risk is "a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)."

Emerging risks are conditions, situations, or trends that may affect an individual or a wider community. They're often complex, may evolve or change rapidly, and can be tough to identify and assess due to their high level of uncertainty.

In some cases, they remain unknown because the nature of the risk and its potential impact are also unknown. There may be inadequate information about the risk, and the organization may need more time to assess it thoroughly.

Going back to my earlier flooding example, while weather forecasts have come a long way, meteorologists still can't accurately predict the precise location or total impact of a weather event. Does that mean we should ignore severe weather alerts? Absolutely not. We can use these tools to identify the risk of extreme weather.

Techniques and Tools for Identifying Emerging Risks

One way to identify new risks is through "horizon scanning." This process involves examining external information to uncover potential opportunities and threats. You can use this information to support strategic decision-making and business preparedness.

At Commonwealth, we combine horizon scanning with the following tools to help us gather the information we need:

For a broader picture of global risks across industries, we use the World Economic Forum's annual Global Risk Report.
For a more domestic view, we use the quarterly Gartner Emerging Risk Report.
For timely insights on the markets and economy, we use The Independent Market Observer, written by our chief investment officer, Brad McMillan, and his team.

Simulation exercises are another tool Commonwealth uses to help us identify the what-if scenarios that could impact our business.

There is no one-size-fits-all approach. You can choose the best techniques for identifying and assessing emerging risks based on the size of your organization.

Emerging Risks Specific to the Financial Services Industry

We've discussed the danger of extreme weather, but advisors should also be vigilant about other risks. InsuranceNewsNet recently reported on several risks that could affect your business.

These risks include recession; technology; environmental, social, and governance (ESG) investment strategies; and regulatory compliance and fiduciary responsibility:

Managing client expectations can be challenging in the face of a recession. Some clients have high expectations for interest rates and investment returns. And this is especially true for those who rely on their investments for income. No business is completely immune to a recession, so it's crucial to remain mindful of the possibility, whether it occurs soon or in the coming years.

Developing Your Risk Response Strategy

Once you've identified the emerging risks that could affect your business, it’s time to develop a risk response strategy. Be sure to consider the risk to your business before controls are in place (inherent risk) and the risk after controls are in place (residual risk).

You should also consider the severity of the risk in terms of business context and associated business objectives as you decide which of these actions to take:

Accept it. Analyze the risk and decide there is no action needed.
Transfer it. Pass risk ownership to a third party (e.g., insurance, performance bonds, warranties, or guarantees).
Mitigate it. Apply activities (controls) that seek to reduce the impact and likelihood of a risk to an acceptable tolerance (e.g., having a conversation with your client to confirm that the request is valid).
Avoid it. Use an alternate approach that eliminates the risk driver or impact (e.g., ceasing a product line, declining to expand to a new geographical market, or selling a division).

When a risk becomes an incident. You may want to consider developing an incident response plan (IRP). This is a tool that can help you with recovery when a risk becomes an incident. While many IRP examples are specific to information security, you can use them to create a template more specific to your business. An IRP typically includes communication plans, group and individual responsibilities, reporting and documentation requirements, controls, and specific actions to help resolve or protect against the issue.

There are typically four phases to an incident response lifecycle:

An infographic that depicts the incident response lifecycle. The life cycle consists of four phases. Phase 1: Preparation, Detection, and Analysis. Phase 2: Containment. Phase 3: Eradication and Recovery. Phase 4: Post-incident Activity.

The emergence of AI technology may increase the likelihood of a cyber incident. Having an IRP will allow your business to quickly respond to and recover from an incident.

Future-Proof Your Advisory Firm

By their nature, emerging risks are varied, difficult to quantify, and often even more difficult to identify. Because of their possible detrimental impact on business operations, it's important to look past today's risks and thoroughly analyze the emerging trends of tomorrow to help your firm prepare for what the future may bring.

Download our white paper for help identifying the next steps.

FREE DOWNLOAD

7 Key Risks to Avoid in Your Financial Advisory Practice

Actionable tips to help you evaluate your firm’s potential liability.

Get Started

Editor’s Note: This post was originally published in October 2018, but we’ve updated it to bring you more relevant and timely information.

Carrie Lorenzo

Senior Enterprise Risk Analyst

Carrie is a senior enterprise risk analyst at Commonwealth. With the firm since 2021, she helps to formalize internal risk management processes, manages risk assessment cycles, assists with reporting, leads departmental meetings, helps manage the Commonwealth insurance portfolio, and works to create a risk-aware culture through in-house training. She is also responsible for expanding Commonwealth’s privacy program by creating internal and external educational resources and updating current privacy content in line with regulations.

Information about securities-registered professionals may be found at FINRA BROKERCHECK.