With complexity changing the nature of risk, simply looking at severity and likelihood is not enough. Factoring in interconnectedness and velocity is one way to see a clearer picture.
Risk is everywhere in the modern business environment, and as organisations steer into an increasingly connected, disruptive and digital future, the likelihood of coming up against unprecedented risks, or clusters of linked risks, is magnified.
Chris Hall, Partner, Audit and Assurance, KPMG, says the world “is a more connected place than we have allowed ourselves to appreciate and manage in”.
“As a consequence, volatility has been something that catches us out. Being able to preempt volatility and dampen down the noise, even just a little bit, brings a competitive advantage.”
Advancing technology is one of the key triggers of risk, with issues arising from the way people manage mobile devices, implement systems and address cyber security. It can lead to competitors disrupting entire industries without warning. It also increases the interconnectedness of risk, and the chances that one issue will have far reaching effects.
"For example, there could be a clustering of risks around innovation and agility," he says.
Hall says in this multilayered environment, reviewing risk from new and unique perspectives is essential to stay a step ahead. He says the Dynamic Risk Assessment's (DRA) methodology is one approach that can help.
"Engineers understand network theory, and doctors understand networks, for example when you look at pandemics. However, it is rarer to apply network theory to organisational risk management," he says.
Hall says the interconnected risks that spiraled into the global financial crisis were the "genesis of our thinking around DRA". DRA is designed to help organisations identify potential risks – not just in the obvious places – but risks that result from connected systems, or social, economic or environmental forces, for example.
"This approach combines data with insights from management to help us see where risks could develop into dynamic risk clusters, or to spread into other risks," he says.
To achieve this, the key is to move beyond the habit of reviewing risk from a two-dimensional standpoint.
"Many organisations look for single points of severity and likelihood. People talk about managing their 'top right' or their 'top left' risks. It is the things that are most likely to happen that will have the biggest impact," he says.
DRA ventures into a third and fourth dimension – interconnectedness and velocity.
"We conduct tailored surveys to ask people who know their subject matter what they think about risk. We ask people to tell us about their risk profile and we measure it through those four dimensions – severity, likelihood, interconnectedness and velocity," he says.
DRA engages sophisticated algorithms, mathematics and advanced data and analytics, to bring the risk hotspots to life in visualised maps.
"The reality is that X never occurs in isolation. Understanding how X relates to Y, A and D, will help throw up how risks are managed, how they manifest themselves, and how they spread within the organisation," he says.
Once risks are identified, Hall says they often fall into one of "two camps".
"Using DRA we can tell you which risks most influence others, as well as which risks are most affected by other risks," he says.
Hall says it is likely a combination of very specific risks to a business's circumstances will be found.
"Depending on the nature of your risk, you have things like climate change, pandemics, or sovereign risks, all playing a part in how a particular risk is managed."
Knowledge leads to preparedness, and can help organisations have strategies in place for overcoming or minimising damage.
"You can come up with how you will respond to, or control, a particular situation," he says.
As DRA is used to help address risk, the ability for organisations to better understand the complexity of their risk profile will grow. Meanwhile Hall says developments are underway to ensure DRA maximises the abilities of data and analytics, and other risk diagnostic tools, to achieve maximum insight.
"We're building databases that enable us to benchmark things like the structure of networks, how organisations perceive themselves, and how they respond to risks. We're also looking to further understand the quantification of individual risks. That is a bold area. We're keen to quantify and analyse individual risks to a greater degree of granularity."
KPMG Dynamic Audit is powered by people and technology to meet today’s and tomorrow’s demands. For more information about Dynamic Risk Assessment and KPMG Dynamic Audit, contact your KPMG professional.