Emerging Risk: Hic Sunt Dracones

Thomas Frénéhard

Part 13 in the “Controls and Risk Management” series

Hic sunt dracones – here be dragons – is inscribed on some historical maps for uncharted territories.

Even if today it doesn’t appear that this term was as widespread as once believed, it still resonates in people’s imagination about unexplored areas that could hide terrifying threats. As a result, I think it’s a good image to start this post on emerging risks: the ones that pose a vital threat to your organization, should they occur, as they could radically change the context in which you operate. And, in extreme cases, wipe out a complete industry.

Not that I think an exhaustive list is possible, but let me remind you of a few examples:

  • Competitors with different business models: This is what regular taxi companies and hotels are experiencing with the rise of Uber and Airbnb, for instance. These two companies didn’t exist a few years ago, and in less than a decade, both have radically changed the competitive landscape to become more than serious stakeholders; they now lead these trends.
  • Disruptive technologies: I still remember putting film in my camera and forgetting to change it after the end of the roll. But how many of us still do this? The emergence of digital cameras has completely changed the photography industry, and previous market leaders are now struggling to find their place.
  • Alternative financing options: What entrepreneur would have thought some time ago to go to a website to ask for funding to launch a new product? With crowdfunding, financial institutions are now competing against you and me to fund the products of the future.

OK, enough about scary images. The good news is that emerging risks do not have to be fatal for a company. Yes, they do exist, but they do not need to be dragons.

Indeed, no risk happens without prior warning. A change in technology takes years to become mainstream, and the same is true for a change in consumer behavior, the emergence of a competitor, and so on. You have a chance to record these threats on your map and to decide on an appropriate response strategy.

Where to start?

In the different interactions I’ve had with customers who have experienced these serious threats – whether they recovered from them or not – all acknowledged that these risks were known to at least one department within the company, but often not reported to the appropriate stakeholder.

The major issue is that it is difficult for an individual to categorize a risk as a vital threat, and no one really wants to take responsibility for these risks. But there’s a way around this, which is to record them as warnings when they start to manifest.

To do this, ask all employees to record them to your database for incidents and near-losses, because that’s exactly what they are. Focus especially on R&D and sales colleagues, as they are the ones who will know when a new technology is discussed at a conference or that customers are changing their purchasing habits.

I advocate that you should even create a new category in this database called “warning.” These are not really incidents – they have not yet caused any harm – but neither are they near-losses. This may also help colleagues feel more at ease reporting them.

Finally, make sure that your risk management department regularly reviews these warnings with relevant business owners to identify the ones that pose a potential threat to your company. Then enter them in the risk register to be completely documented, assessed, mitigated, and of course, monitored with the C-suite if necessary.

The intent here is not to stop the course of time, but at least to be prepared for when it comes.

What about you? Are you already ready to slay these dragons? I look forward to reading your thoughts and comments on Twitter @TFrenehard.

If you are interested in hearing more about this topic and discussing it, then have a look at the SAP Conference on Application and Information Security – Building Digital Trust, taking place October 20 and 21, 2020, in Dublin, Ireland.

Learn more about SAP software for enterprise risk management. 

This article originally appeared on SAP Community and is republished by permission.


Thomas Frénéhard

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.