Author: Oluwasegun Sonola
The subject of risk management is relevant not only to corporations and businesses, but also to individuals, families, groups, states, countries and international alliances.
This article does not treat risk management as an activity undertaken solely for compliance purposes, or only in times of disruption, crisis or geopolitical tension. It captures critical matters that transcend any particular circumstance. Specifically, it positions risk management as a proactive, cultural and continuous process for the identification, assessment, mitigation and monitoring of risks, both negative and positive.
Risk culture
A positive risk culture is essential for the effective management of risks and the achievement of objectives. This encompasses leadership and governance arrangements, tone at the top, communication and accountability for risks across the organisation. An effective risk culture is further enabled in an environment where there is transparency of information, with people feeling comfortable speaking up about issues and risks, unexpected favourable outcomes, near misses and incidents.
Risk identification should not be solely top-down or bottom-up, but also horizontal and cross-functional, given the interdependencies and interconnectedness of risks. A common issue is the siloed, isolated or narrow view of risks, which misses plausible scenarios and the potential cascading or snowball effects when multiple risks crystallise simultaneously. It is therefore important that the identification and assessment of risks are not left only to specific individuals or functions, nor restricted to fixed intervals such as quarterly or annual reviews, but carried out continuously, including after relevant trigger events and changes in the risk environment.
External considerations
In practice, organisations tend to be better prepared for operational and compliance risks, including their identification and mitigation through appropriate controls or capital allocation. More challenging, however, are external risks, tail risks and black swan events (those with low probability but high impact), such as macro-economic conditions, geopolitical shifts, natural disasters and supply chain failure or disruption, where direct prevention is typically outside an organisation's control.
Nevertheless, through horizon scanning and the use of strategic frameworks such as PESTEL (Political, Economic, Social, Technological, Environmental and Legal), businesses can analyse the external macro-environmental factors and threats that affect them, enabling them to identify and anticipate risks and opportunities. This approach can further drive strategic planning, informed decision-making and resilience, rather than merely reacting to crises as they arise.
Scenario thinking, analysis and planning
According to ISO 31000:2018, risk is defined as the 'effect of uncertainty on objectives'. This means any deviation from the expected, whether positive (opportunities) or negative (threats), that impacts an organisation's strategic, operational or project goals. The level of uncertainty inherent in a dynamic world poses further challenges to the achievement of objectives and the effective management of risk.
Scenario thinking is particularly useful for identifying tail risks, assessing plausible combinations of risks and implementing appropriate mitigations or contingency plans. The need for scenario thinking and analysis is further underscored by the current level of globalisation, interdependencies and the velocity of risks, that is, 'the speed at which a risk materialises and impacts an organisation, and how quickly a threat moves from occurrence to consequences'. For instance, geopolitical tensions in one part of the world can rapidly escalate and trigger supply chain disruptions, cybersecurity attacks, third-party risks and increases in the price of energy and goods.
Awareness of such risks alone is not sufficient — appropriate mitigation remains essential. Through scenario thinking, organisations can be better prepared and develop robust crisis management arrangements, contingency and business continuity plans. These may include diversification, alternative suppliers and trade routes, and the maintenance of financial reserves. Such scenarios should be regularly simulated and supported with relevant stress testing.
Opportunities and benefits
Proactive and continuous risk management offers genuine strategic advantages. By identifying and addressing risks early, organisations can prevent or reduce potential losses and enhance their overall resilience. More importantly, they can identify opportunities that arise from uncertainty. Understanding market trends and customer behaviour, for example, can lead to innovation and competitive advantage, making risk management not merely a defensive mechanism, but a driver of growth.
Embracing emerging technologies, including artificial intelligence, presents both risks and opportunities. Whilst AI introduces security risks of its own, it also offers significant potential for detecting and responding to cybersecurity threats. More broadly, technology introduces risks such as cybersecurity vulnerabilities and data leakage, but it is equally a valuable tool for continuous and effective risk management. Large sets of internal data can support continuous monitoring, with live data providing real-time insights on risks, key risk indicators and their potential impact. This partly addresses the limitations of static risk registers, whose likelihood and impact ratings are only as current as the last review, and supports better-informed decision-making, risk mitigation and strategy.
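As an added example (not part of the article, and not BDO's own tooling), the Python script below shows the kind of re-scoring the paragraph above describes: a static register of likelihood and impact ratings is compared against a live feed of key risk indicators, risks whose indicators cross a threshold are re-scored as crystallised, declared dependencies between risks are used to flag cascades of the sort discussed under risk culture and scenario thinking, and the gap between a trigger and its consequence is measured as velocity. The risk names, indicators, thresholds, ratings and observations are all constructed for illustration.

```python
"""Re-scoring a static risk register from live key risk indicators (KRIs).

Added illustration, not from the article. Every risk, threshold, rating and
observation below is constructed; a real feed would come from procurement,
treasury and the SOC rather than a literal list.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Risk:
    name: str
    kri: str                 # indicator this risk is tracked by
    threshold: float         # value at or above which the risk is treated as crystallised
    likelihood: int          # 1-5 rating recorded in the static register
    impact: int              # 1-5 rating recorded in the static register
    depends_on: list = field(default_factory=list)  # risks whose crystallisation amplifies this one


# Constructed register entries (hypothetical risks and ratings).
REGISTER = [
    Risk("Geopolitical escalation", "shipping_route_alerts", 3, likelihood=1, impact=5),
    Risk("Energy cost", "energy_price_index", 130, likelihood=2, impact=3,
         depends_on=["Geopolitical escalation"]),
    Risk("Phishing volume", "phishing_reports_per_day", 25, likelihood=3, impact=3,
         depends_on=["Geopolitical escalation"]),
    Risk("Supplier concentration", "single_supplier_share_pct", 40, likelihood=2, impact=4),
]

# Constructed live feed: (timestamp, indicator, value).
OBSERVATIONS = [
    (datetime(2024, 3, 1), "shipping_route_alerts", 1),
    (datetime(2024, 3, 1), "energy_price_index", 110),
    (datetime(2024, 3, 1), "phishing_reports_per_day", 12),
    (datetime(2024, 3, 1), "single_supplier_share_pct", 35),
    (datetime(2024, 3, 2), "shipping_route_alerts", 4),
    (datetime(2024, 3, 2), "energy_price_index", 118),
    (datetime(2024, 3, 2), "phishing_reports_per_day", 14),
    (datetime(2024, 3, 3), "energy_price_index", 135),
    (datetime(2024, 3, 3), "phishing_reports_per_day", 27),
    (datetime(2024, 3, 4), "single_supplier_share_pct", 38),
]


def first_breaches(register, observations):
    """Earliest time each risk's indicator reached its threshold (the trigger event)."""
    breaches = {}
    for risk in register:
        times = [t for t, kri, value in observations
                 if kri == risk.kri and value >= risk.threshold]
        if times:
            breaches[risk.name] = min(times)
    return breaches


def velocity(breaches, trigger, consequence):
    """Time from the trigger risk crystallising to a dependent risk crystallising.

    Returns None when either side has not (yet) breached.
    """
    if trigger not in breaches or consequence not in breaches:
        return None
    return breaches[consequence] - breaches[trigger]


def reassess(register, observations):
    """Re-score every risk from live data instead of the static register ratings."""
    breaches = first_breaches(register, observations)
    rows = []
    for risk in register:
        likelihood, impact, status = risk.likelihood, risk.impact, "within appetite"
        if risk.name in breaches:
            # Once the indicator has breached, likelihood is no longer a question.
            likelihood, status = 5, "breached"
            # A dependency that has also crystallised compounds the impact (cascade).
            if any(dep in breaches for dep in risk.depends_on):
                impact, status = min(impact + 1, 5), "cascading"
        rows.append({
            "name": risk.name,
            "status": status,
            "register_score": risk.likelihood * risk.impact,
            "live_score": likelihood * impact,
            "first_breach": breaches.get(risk.name),
        })
    # Highest live score first, so the register is re-ordered by what is happening now.
    return sorted(rows, key=lambda r: r["live_score"], reverse=True)


if __name__ == "__main__":
    for row in reassess(REGISTER, OBSERVATIONS):
        print(f"{row['name']:<25} {row['status']:<16} "
              f"register={row['register_score']:>2} live={row['live_score']:>2}")
    b = first_breaches(REGISTER, OBSERVATIONS)
    print("velocity, geopolitics -> energy cost:", velocity(b, "Geopolitical escalation", "Energy cost"))
```

Run as-is, the constructed feed moves "Geopolitical escalation" from the bottom of the register (score 5) to the top (score 25), and one day later marks both dependent risks as cascading; "Supplier concentration" stays within appetite because its indicator never reaches the threshold. The point is the ordering change: a quarterly register would still rank phishing highest.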
Building a risk-resilient business in the UAE
Risk management should not be an activity reserved for compliance purposes or times of disruption, crisis or geopolitical tension. A proactive and continuous approach to risk management supports strategic planning, decision-making, the achievement of objectives and goals, sustainable growth, resilience, effective crisis management and a positive reputation.
Ultimately, risk management should be approached in its entirety, encompassing positive risk management by exploiting and enhancing opportunities, rather than solely avoiding or mitigating threats as in the traditional, defensive model. The Committee of Sponsoring Organisations of the Treadway Commission (COSO) expresses this well, noting that 'Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organisations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realising value.'
BDO UAE offers tailored risk and compliance advisory services in the UAE, focusing on corporate governance, regulatory compliance, internal audit, enterprise risk management, IT & audit risk advisory and financial crime prevention. With over 50 years of presence in the region, we help organisations meet UAE regulatory standards.