Institute of Risk Management - expert Risk Predictions 2018 and the Risk Agenda 2025

Political risk, cybersecurity, bitcoin, BREXIT, GDPR and oil price and financial market fluctuations are among chief concerns for businesses voiced by some of the UK’s leading risk experts as they look ahead to 2018.

Banking & Finance

Nicola Crawford, CFIRM, Chair of the Institute of Risk Management says:

“2018 is undoubtedly the year where political risk on the global scale will be one to watch, the effect on markets is still unknown with the City of London and the wider stage braced for a hard Brexit along with uncertainty and political unrest globally.

Enterprise Risk Management (ERM) has never been higher on the agenda; organisations need to ensure that risk in the boardroom is taken seriously to ensure organisational success and longevity.

The banking and financial services sectors will be facing changes in not only the way that their products and services are regulated, but in the ways that these are delivered to customers and how the value of a customer over their lifetime is managed.

Artificial intelligence / virtual reality are hot topics for the sector at present and companies are investing heavily in research and software to help predict how these technological changes present both positive opportunities and risks to the business. The implementation of PSD2 lays the foundation for the advancement of open banking, the potential benefits of which include improved customer experience, new revenue streams, and a sustainable service model for underserved markets. While open banking stands to have a plethora of opportunities for end-users and service providers alike, it is also likely to introduce an entirely new financial services ecosystem, in which banks’ roles may shift significantly. It also requires a closer look at risks related to regulation and data privacy, which helps to explain why global markets have taken varying approaches to governance, which is likely to continue into 2018 and beyond.

Data breaches are also in the top five risks for the sector along with how companies will manage the incoming General Data Protection Regulation (GDPR).”

Rail & Transport

Helen Hunter-Jones, MIRM, Head of Group Risk at Network Rail, IRM Director

Key risks for Rail (and similarly for transport) will continue to be managing the disruptive impact of severe weather events. This includes not just continuity of service but also the effect on the integrity of the infrastructure. Risk mitigations such as improving flood defences and managing drainage remain priorities. Maintaining high safety standards and reducing train accident risk will continue to be high on the agenda.

Increasing passenger numbers and changing needs of passengers e.g. restricted mobility is an increasing risk. The reputational impact becomes more immediate and accentuated with social media however the digital world also offers opportunity and is a key area of investment to improve performance and provide a better passenger experience. The increasing use of data mining and improved data analytics will both be areas of increasing opportunity. As with all risks however increasing digitisation can increase vulnerability and impact from a cyber threat so cyber also remains a high risk.

With a continuing gloomy economic outlook, attracting investment will continue to be challenging. The effect of Brexit on the broader infrastructure workforce is a big risk. As many major infrastructure projects commence, the resource pool is reducing; this could delay or push up the project costs.

The interconnectivity of risks is more and more complex and therefore this in itself is a risk to businesses. We need to enhance our ability to understand the connections between risks in order to provide the right mitigations and be more resilient to business disruption. The use of data analytics can certainly help in this as can better visualisation of the risk landscape.


Oil & Gas predictions

Mark Boult, CFIRM, Director, DNV GL Ltd

Theme One: Major Accident Risks

As ever, catastrophic major accident potential and physical asset integrity will, and needs to, remain a major focus in the industry. Such events need to always be at the front of our minds given their impact on people, the environment and the business of the industry. With the lower oil price era continuing, producers have continued to look at ways of limiting their costs. While they have done this with the aim of not impacting on major accident risk, the impacts of the changed ways of working on the integrity of assets and hence on major accident events are likely to take time to materialise.

Some aspects that illustrate this are:

  • With an increased use of floating production systems, there has been a drive to accept marine standards for hydrocarbon systems with a potential de-specification in safety factors. Marine and oil and gas operations have very different risks which need to be managed using their own standards.
  • Ownership changes within mature oil & gas fields are resulting in some transferred assets:
    • Being managed by new operators/licensees who have lower engineering capacity.
    • Having lack of clarity between licensee and operator (dutyholder) over responsibility for risk management. (Company X as the licensee asks Company Y to operate the asset under the management system of Company Y)
  • Onshore assets (refineries & petrochemical) are being run harder, and for longer between shutdowns, to take advantage of cheap feedstock prices.

It is therefore important to continually manage and monitor these risks in case there is an unintended upturn.

2018 Theme Two: Rising risk of decommissioning

There has been a trend to postpone decommissioning over the last few years to avoid the costs in the immediate term; however decommissioning will be occurring more frequently in upcoming years. With decommissioning of oil and gas facilities there is the challenge of plugging and abandoning wells with the challenge of the ongoing assurance of their status in “perpetuity”. This is a possible emerging risk where there is a concern that the integrity of older wells is not achieved, with the occurrence of adverse events in the future. Postponing decommissioning has also had the impact of further extending the life of several assets that were already beyond their design life.

2018 Theme Three: Other emerging risks

Based on current forecasts, oil and gas will continue to be a key source of energy for some time to come. There is, however, a drive for increased use of low carbon energy sources. The safe operation of older assets (theme one) during the energy transition needs to be maintained and the change could take focus off older oil and gas assets. As we move to a lower carbon / new energy sources future, new risks will emerge. For example, the risks associated with:

  • Hydrogen.
  • Biogas/Syngas.
  • Biomass.
  • Batteries / transformers.

Just considering hydrogen as a potential for home heating raises issues, for example; it burns with a colourless flame, requires changes to heaters/boilers, must be able to pass through a grid developed for natural gas, etc. The generation of hydrogen needs to be cost effective and if generated from natural gas would require carbon capture and storage, a technology yet to be commercially proven on a large scale.

The transition also raises supply security / continuity risks. The change needs to bring in the new energy sources at a rate to replace the old sources and in a form that can be taken up by the end users, at an acceptable cost.

Finally, as for many sectors, the greater application of IT technology for oil and gas operations is raising the issue of cyber risk. This is a growing risk for the industry with greater use of such technology to, for example, allow remote operations and monitoring of platforms, sub-sea and remote facilities. Recent claims in related industries have also illustrated the potential magnitude of impact were a major event to hit an oil and gas organisation. This is not developed further in this discussion given its relevance to many industry sectors.


Infrastructure Risks

Darren Mullan, CFIRM, Chair of the IRM’s Infrastructure Risk Special Interest Group (SIG)

Due to relatively long gestation periods for large infrastructure projects, changes in this sector tend to be evolutionary rather than revolutionary.

The IRM Infrastructure Risk SIG proposes the following predictions for 2018:

  • Innovative approaches will be required as to how we address potential near-term shortages in both general staffing resource, as well as specific construction/engineering skills, as we approach the ‘perfect storm’ of several major infrastructure projects ramping up at the same time as residency and economic concerns caused by Brexit
  • The increasing influence of the ‘digital transformation’ on infrastructure, in terms of how our infrastructure should be designed and constructed to accommodate how we will live, work and travel in the future
  • This in turn is linked to the next prediction, in that the greater the extent to which infrastructure projects embrace digital transformation, they then become increasingly exposed to cyber events both during the construction phase and subsequent operation of the assets
  • Unfortunately the infrastructure sector is always exposed to the impact of major events (e.g. Grenfell, Fukushima and even the recent extreme weather); in particular, where these projects are already under construction and there is stakeholder pressure to review/change the design, even if the current design meets existing standards
  • Increasing global political and economic uncertainty will continue to affect both material availability and their complex supply chain networks, meaning a greater emphasis on building resilience into the supply chains for infrastructure projects, as well as hedging some of the pricing risk.

Alyson Pepperill CFIRM, Client Projects Director, UK Retail, Arthur J Gallagher, Chair IRM Charity Special Interest Group

Regulation and compliance will continue to be a key theme. There will be continued scrutiny of the sector by regulators whether that is Charity Commission, Fundraising Regulator or the Information Commissioner’s Office. Selected charities were hauled over the coals in 2017 by all three and we don’t see this changing in 2018.

The GDPR has been a key focus of many charities’ efforts to be compliant ahead of the May 2018 deadline. This focus will continue up to and beyond the deadline for most.

Linked to GDPR and in line with many for profit organisations the broader context of cyber risks and their management remain a struggle for charities. Charities are innovators and will try new ways of generating funds that can increase their exposure to cyber risks.

A more particular sector risk is the need for charities to measure through evidence based reporting what they do and how successful they are at their delivery. The expectations of how this is reported to key stakeholders has been increasing and for many charities represents a significant risk as if they fail to be accountable the funding could dry up.

And finally we still see financial sustainability as a real challenge for many charities reliant on local government and health service contracts, as well as funding from central government continuing to be cut back. Volunteering has reduced over the past year and this could put further strain on charities to balance the books – they have to care, respond to their mission and create impact, keep costs down, and comply with all manner of regulations. The request for support never goes away but charities continue to be squeezed and squeezed – this is likely to result in some charities having to close, or an increase in mergers perhaps.

Cyber risks and the real world

2018 will be the year when the world recognises that the majority of assets in the modern economy are intangible and the rapid movement to just-in-time and cloud based economies creates significant vulnerabilities. More events will revolve around impacts of cyber-attacks on the real world. It will be less about data loss or ransomware attacks, but about the ‘real economy’ as we saw in 2017 with Merck Pharmaceuticals and Reckitt production operations including the extended supply chain being impacted. In other words the cyber world and the extended supply chain will merge in terms of risk exposures and this will certainly create new challenges for risk professionals.


Bitcoin & CryptoCurrencies Bubble

Alexander Larsen, CFIRM, President Baldwin Consulting and IRM trainer

2018 will be the year that Bitcoin goes mainstream. Having had a meteoric rise in 2017 with an increase of nearly 1000% in price, Bitcoin has been receiving significant coverage (both positive and negative) in the media which has brought it to the attention of the general public. A number of factors are coming together that indicate that 2018 will be the year that big money comes rushing into the crypto currency including the intention of major funds to start investing as well as new platforms being introduced making it easier to trade for individuals.

Bitcoin is already volatile, although a less volatile investment than most cryptocurrencies which are known to swing as much as 30-40% a day and on occasions as much as 1000% in a day. This new money flooding the market will no doubt drive the price up to new heights which leads me to believe that a major crash and correction will be on the horizon for 2018. A lot of people will lose a lot of money although it remains to be seen if Bitcoin will survive or if the bubble will finally have burst.

Something that is certainly likely is major regulations being put in place to control the trading of bitcoin, cryptocurrencies and the issuance of new tokens (ICOs).

Shift to renewable energy and risk in decision making

A major shift from oil and gas to renewables is already happening on a global scale. This isn’t only happening in terms of power generation but also in terms of transportation. The EU has already targeted 2035 as being a year in which all new cars sold will be electric. Many individual countries like Scotland have announced more aggressive targets whilst many Scandinavian countries are already well on their way to becoming an electric car driving country.

This major shift puts significant pressure on oil and gas companies as well as car manufacturers to reconsider their strategy and business models. Companies in the sector will need to consider their target markets and offerings carefully whilst also thinking seriously about what they want their company to look like in 10-20 years.

Oil and gas companies will need to position themselves for developing economies whilst also making a decision on how heavily they want to get into renewable energies or if there is any appetite to get into mining materials for batteries.

For car manufacturers there will have to be a blueprint for future development work on electric cars and like the oil and gas companies they will need to decide how heavily they want to get involved. Volvo for example has announced it will only be producing electric vehicles to bring it alongside the likes of Tesla.

Decisions made in 2018 could be the difference between success and/or failure in the future.


Reputational Risk

Ray Flynn, CMIRM, Independent Risk Consultant, IRM Director

Reputations take years to build and can be destroyed in seconds, as they say. The risk of reputational damage to organisations, governments and individuals, appears to be higher than it has ever been and this trend is likely to continue.

A reputation is put at risk when some unethical or incompetent behaviour becomes public knowledge. This can be through the actions of an individual or something more systemic, at an organisational or governmental level (like widespread corruption or sexual harassment). The media has been full of recent examples, in organisations (FIFA, IAAF), governments (Brazil, Angola, and Zimbabwe), companies (VW, Rolls Royce), industries in general (Hollywood) and individuals. The damage caused can manifest itself in the shape of lost revenues, increased costs and, in the case of listed companies, reduced shareholder value. Usually heads roll too! Where a company’s reputation is its main asset, damage can result in failure, as was the case with Arthur Andersen.

So why is this trend likely to continue? Well, the heart of the problem, in each case - complacency and, in the extreme, arrogance - is unlikely to change. The mentality of ‘this will never happen to us’ and ‘we have systems in place to prevent this happening’ etc. is hard to shake off and very few have the foresight to address this particular risk until there is an ‘issue’ that forces them to act. The risk of exposure is also increasing. There is an element of iconoclasm and bloodletting involved, as the gap between the ‘haves’ and ‘have nots’ increases, which supports whistleblowing and puts pressure on regulatory bodies to act.

The frequency of prosecutions for bribery, particularly in the UK and US, but also elsewhere, and the level of fines imposed, are increasing rapidly and this trend is likely to continue. The bad news is that this comes with public battle weariness and shock fatigue and those exposed are likely to suffer less and less damage. The good news is that good risk management is the best way to protect a reputation including, as advocated in the guidance to the UK Bribery Act, having a fresh pair of eyes to carry out an independent review of systems in place!


Our international members also comment on global issues:

South Africa

Zanele Makhubo: Director Enterprise Risk Management and Business Continuity in Public Sector – South Africa IRM Regional Group Chairperson

Extreme weather phenomenon

The unpredictability of weather patterns due to climate change poses a serious risk across the globe. In recent years South Africa has been experiencing drought in the major cities (Cape Town and Durban) while Johannesburg is experiencing extreme thunder storms. There are not enough resources to mitigate such risks, coupled with lack of capacity to deal with the consequences and impact of such.

Lack of business continuity plans which includes emergency plan and disaster management plan renders these cities to be unable to cope with management and coordination of resources and stakeholders during these extreme events.

Looking a year ahead and beyond 2018, climate change will continue to bring about unpredictable weather patterns which pose a threat to human and animal lives and nature destructions. There is an urgent need for Governments and businesses to coordinate resilience strategies and efforts. Preparedness and readiness is key to ensure that mitigation measures and coping mechanisms are able to minimise the impact of such extreme weather phenomena.

Political risk

The uncertainty of political leadership has come under scrutiny in the recent past years in South Africa, where the will of the people is pitted against patrimonialism. We have seen the serious threats to the rule of law and governance structures being undermined in 2017. This was characterised by the elected making unilateral decisions outside the party structures as well as outside the country constitution. This has resulted in the economy being downgraded to junk status by the rating agencies. In recent development in the US, we have seen the recent elected president continuously making unilateral critical decisions via Twitter and outside government structures. This risk will continue leading to 2019 elections and beyond and citizens need to speak out more loudly than before to mitigate this risk.

Corporate scandals

The recent corporate scandal experienced in South Africa in 2017 ranging from noncompliance to audit standards, misrepresentation of the financial statements, alleged corruption and state capture. The point in case being KPMG SA and Steinhoff. These scandals have not only damaged some of the reputable auditing and accounting firms but also questioned the integrity of the highly respected people in the profession as well as the executives in the above mentioned organisations.

The risk management profession now needs to also take heed of such scandals, as part of the second line of defence (noting management as the first line of defence and assurance providers as third line of defence). Our conduct when we engage our clients needs to be of highest integrity and ethical behaviour.

An introspection into ethical behaviour across professions such as auditing, accounting and risk management needs to be top of the agenda in order to save our reputation.

It is important to note that more such events are predicted for 2018 – thus the question is how many corporates are still to come out of the closet in 2018 and beyond?



Sonjai Kumar, CMIRM, Vice President (Business Risk), Aviva India Life Insurance Company Limited – IRM Ambassador for India

The key areas to look for in the Indian market are the economic environment, climate change, cyberattacks and changes on the political front due to the 2019 general election and the impact of the developed market on the Indian economy.

The Indian economy is expected to witness cyclical growth recovery, with real GDP growth likely to accelerate from 6.4 % this year to 7.5 % in 2018 and further to 7.7 % in 2019. The expected increase in the GDP growth rate will not be without challenges coming from the agriculture sector, which is largely dependent on the monsoon. The Indian economy is expecting a slash in the interest rate, which was kept stagnant for the last two quarters during 2017 with fluctuating inflation. The much-awaited reduction in the interest rate by the central bank has kept the real estate sector on tenterhooks. The central bank’s fifth bi-monthly review for the current fiscal in December kept the repo rate unchanged at 6 % and reverse repo at 5.75 %. The inflation predicted by the International Monetary Fund for the year 2018 is 4.9%.

One of the key areas of concern for the Indian banks is high nonperforming assets. As it stands, stressed assets held by Indian banks amount to around $150 million.

The Financial Resolution and Deposit Insurance (FRDI) Bill is the latest attempt by the Government to address the bad loans of the banks. The bill is aimed at using the money of a bank’s depositors in the case of an eventuality where the bank would have to be liquidated. The draft bill is pending with the Standing Committee of Parliament. The impact of such bill could be far-reaching on how do people in India keep their savings.

To a certain extent, the performance of the stock market in India during 2018 may depend on the foreign inflow of money. This depends on tightening of US monetary policy that may hurt portfolio inflows into India. A recent post by International Monetary Fund on tightening of monetary policy may reduce portfolio flows to emerging markets by about $70 billion over the next two years. During 2017, India attracted $7.7 billion of global capital into its financial markets. The risk is any external unprecedented events may impact the mutual fund business and unit-linked business in the insurance sector.

Another risk that may hamper the growth in India is climate change. During the last couple of years, some parts of the country have observed excessive rain and unprecedented hot weather during summer and lesser cooler winters. Global warming may also adversely impact the Indian rivers like the Ganges which provide essential water for agriculture. This may have an adverse effect on the economy.

The Indian politico-economic position to be observed during 2018 in wake of 2019 general election, the anticipation of pro-people announcements by the Government may be first observed in next month budget session. The pro-people measures may have an impact on the growth in the short to medium term.

With the increase in digitalization and focus on the online transaction, there is an increasing risk of cyber-attack and increase in the digital fraud. In fact, the entire world is sitting on the digital explosion time bomb.


Middle East

Rahat Latif, Head of Enterprise Risk Management, Qatar Gas, IRM Director

Two key themes in the landscape of threats and opportunities in this region (Middle East) are geopolitics and the oil and gas price.


The embargo placed on it by neighboring countries took Qatar by surprise, and was a real test of business continuity for the nation. The immediate concern was to ensure continuity of supply chains and meeting commitments with customers. This led to an initial rise in costs as alternative transport routes and sources of supply were found. On the flip side this situation spurred the need for greater efficiency and self-sufficiency and the development of new relationships, new routes to market etc. Business continuity was largely maintained, but there is heightened awareness of business continuity as an important management process.

Oil and gas price

As a region that benefits from a higher price, any significant lowering has an impact here. Same arguments apply on the supply side i.e. drive for efficiencies. On the demand side this also drives the search for new customers, markets and product diversification. The significant competitive threats on the horizon are the emergence of new suppliers over the next decade.

Again there is a heightened awareness and appreciation of business continuity and risk management in general. There is often a delicate balancing act to be played for example between the efficiency gains through workforce reduction vs the retention of key competencies for long term growth. Expect to see more legislation placed on critical industries in the future, for them to have formal business continuity and ERM processes in place. This has already started.



Gareth Byatt – Principal Consultant, Risk Insight Consulting (based in Sydney, Australia)

As always, there are opportunities to be captured as well as threats to be managed.

Several experts have highlighted that key risks for Australia and Asia-Pacific in 2018 (which are equally relevant to other geographic regions) include the threat of cyber risk, economic risk, and geopolitical uncertainty and instability. Linked to geopolitical uncertainty is the possibility of change to the regulatory environments of many countries in the region. The management of financial, legal and reputational risk will be as important as ever.

As we know, risk represents upsides as well as downsides, and there are certainly upside opportunities for the Australia and Asia-Pacific region in 2018 as growth continues and various industries continue to be disrupted.

The IMF has recently forecast overall regional growth across Asia-Pacific to be in the region of 5.5% in 2018 (led by emerging markets). China is, of course, the dominant player in the region, and its policies and actions in 2018 will affect risks and conditions across the region.

To underpin regional growth, trillions of dollars are being spent across Australia and Asia-Pacific in infrastructure; managing risk on this investment will be key to achieving successful outcomes.

Whilst the threat of cyber risk to both the public and private sectors in the region is clear, an opportunity exists for risk managers to help organisations to harness the power of the 4th industrial revolution in data and AI, to anticipate possible regulatory changes that may take place, and to ensure good practices in business resilience are in place to maximise the rewards of digitisation. Business resilience is also important to mitigate other threats such as disruption to supply chains, impacts of extreme weather and public health events, and other causes.

Tying all of these points together, I think a key feature for 2018 is that we will see a continued focus on understanding and anticipating the interconnectivity of risks, both known and emerging, that may affect organisations as their environment continues to develop in new and dynamic ways. Understanding and anticipating possible threats, opportunities and disruption, and being on the front foot and capable of responding as the world changes, will be key. This may give rise to some innovative approaches to the taking and managing of risk.


Longer Term – Risk Agenda 2025

The Institute has also been involved in a major project entitled the Risk Agenda 2025 led by Clive Thompson, CFIRM, IRM Director and Leader of the Risk Agenda 2025 project and key concerns for the long term include:

Key Board concerns - reputation, risk appetite, scenario planning and emerging risks.

Risk process priorities - risk connectivity, developing benchmarks and designing integrated risk assurance models.

Concerns for risk professionals - risk ownership and accountability, risk culture, risk education and training.

View the Risk Agenda 2025 results:
