Trend 4: Dynamically managing risk

From risk registers to strategic risk management

04 February 2020

As global volatility rises, mining companies should no longer solely rely on their risk registers to identify critical risks. Systemic issues—such as insufficient risk sensing, a “tick the box” mentality, and complex operating models—are forcing them to predict the impact of emerging events and prioritize key risks. It’s time to embrace more strategic risk management practices.

It is at present almost an understatement to say that global volatility is on the rise. From Brexit, US/China trade discussions, and instances of rising nationalism and xenophobia to disease outbreaks, environmental disasters, and climate change, the world faces significant uncertainty. Market anxiety about the world’s economic outlook and, in particular, China’s trade situation with the US and uncertain growth trajectory seems to be weighing on trade and commodity prices. Some investors have become risk averse and are unwinding their positions in base metals, with valuations suffering as a result.

At the same time, traditional mining sector risks—in areas such as health and safety, strikes and social activism, regulatory compliance, stakeholder relations, cybersecurity, data privacy, finance, and operations—remain firmly in place.

And there is an entire new range of risks as technology sweeps ahead. Increased automation brings a host of new security risks, such as managing the rise of artificial intelligence and addressing sophisticated cybersecurity threats. At the same time as aging infrastructure is heightening safety concerns, some nontraditional competitors are changing formerly staid market dynamics, and the growing prevalence of social media means reputational damage can be inflicted in minutes.

The problem with risk registers

Mining companies have long relied on risk protocols, risk committee oversight, and detailed risk registers. Yet, confronted by the plethora of new risks, these traditional tools do not seem to be working:

  • Risks at the mine site often don’t make it to the boardroom or are buried in voluminous reports that fail to prioritize the most significant emerging risks.
  • Risk reviews are tacked on to the end of board meetings, allowing members to fulfill their fiduciary duties without providing true strategic oversight.
  • Key risks, such as those presented by cybersecurity breaches or the convergence of information technology (IT) and operational technology (OT), are being downplayed.
  • “Black swan” events—catastrophic events with a low likelihood of occurring that generally can’t be predicted in advance—are met by an ostrich-like response: If we can’t see it, we don’t have to deal with it.

Insufficient risk sensing

“It’s not that mining companies lack data about emerging risk events,” explains Patricia Muricy, Global Risk Advisory Leader, Mining & Metals, Deloitte Brazil. “It’s that the data they’re relying on is often outmoded. Typically, they’ll ask what industry insiders are saying about risk, what economists are saying about commodity prices, what the markets are saying about investment trends, what analysts are saying about geopolitical threats or labor issues or environmental risks. But they often lack the methodology to use this historical data to predict what may be coming down the road.”

So how is it that these risks keep being missed?

People have an inherent bias; they don’t like to focus on negative things being said about them. Mining companies may be ignoring engineering deficiencies, or regulatory non-compliance, or weak oversight in corrupt jurisdictions.

A “tick the box” mentality

Insufficient risk sensing isn’t the only problem. A “tick the box” mentality can be equally damaging.

In jurisdictions prone to corruption—which are often where mining companies operate—companies can place little or no reliance on the local regulatory framework to protect them. It’s up to management and the board to challenge the compliance framework appropriately and put enhanced protocols in place.

Complex operating models

There’s another reason traditional risk and assurance processes can only go so far in alerting global mining companies to hidden risks: the complexity of their operating models. Andrew Swart, Global Mining & Metals Leader, Deloitte Touche Tohmatsu Limited, explains: “For a common risk, like failure to maintain critical assets, seven or eight functions within the organization have some kind of accountability for managing that risk—engineering, maintenance, safety, assets, finance, specific commodities. All these different stakeholders are setting expectations and controls around how these activities should be done, and business units don’t have a clear sense of their roles or responsibilities.”

This dispersed functional control over risk prevents many organizations from developing a common risk language. This means that although dozens, or potentially hundreds, of risk registers are being generated across the enterprise, there’s no reliable methodology for identifying even the top ten risks that merit board attention. As a result, miners tend to apply the same standard to common risks across all their sites (e.g., how they manage tailings dams), even though some sites could require more rigorous oversight than others.

How about black swans?

All of these challenges—insufficient risk sensing, a “tick the box” mentality, and operational complexity—typically have a direct impact on how mining companies deal with risks they believe are out of their control, such as black swan events. On analysis, however, it seems that many black swan events can in fact be anticipated—if you know the red flags to watch for.

“Most black swan investigations blame poorly trained staff or equipment failure, but it’s more,” says Kevin Bin Xu, Mining & Metals Leader, Deloitte China.

When an organization enjoys a successful track record for months or even years, staff tend to become overly confident, which can result in a deterioration in risk culture.

“Black swans happen due to the incapacity of companies to foresee and prepare for downturn scenarios,” Xu continues. “Sometimes they lack the risk methodology or the methodology fails to take all scenarios into account. Lack of training, long working hours, cost cutting, tight deadlines, and equipment failures play a role, but so do governance, inappropriate performance metrics, siloed approaches, lack of independence, the wrong tone at the top and safety culture, and insufficient crisis management.”

To counter these challenges, it’s time for mining companies to consider transitioning from risk registers to more strategic risk management.

The elements of strategic risk management

  • Integrate risk, control, and assurance. While the independence of the three lines of defense (management, compliance/internal control, and internal audit) clearly needs to be preserved, it is possible to rationalize assurance activities and achieve efficiencies by bringing the planning, execution, and reporting of assurance activity under a common governance model. This means sharing risk maps and priorities across the organization; using digital technologies linked to the governance, risk, and compliance (GRC) system to monitor performance of both staff and contractors; and standardizing risk and control language across the organization so people understand the actions they should take to manage and mitigate risk events.
  • Go back to basics. Miners should take time to redefine their risk appetite, identify gaps in their risk and control framework, and ensure their risk management methodology covers strategic, operational, financial, cyber, regulatory, and environmental risks. Agile routines can help by automating control testing, monitoring and reporting, and leveraging artificial intelligence (AI) to manage the controls library. It can also help to revisit governance practices to ensure board members have a sufficient risk management background, are capable of prioritizing top risks, and can confirm that appropriate delegation and escalation protocols are in place.
  • Explore alternate futures. Although many companies use scenario planning to help guide their decision-making, they don’t consistently explore worst-case scenarios. To strengthen their response and mitigation plans, miners should be willing to monitor even unlikely trends and test improbable scenarios—from cyber breaches, terrorist attacks on their industrial controls, liability from third-party misconduct, and treasury/cash management concerns to vulnerabilities associated with extreme weather events, supply chain disruptions, geopolitical shifts, and community unrest.
  • Leverage better data. Truly robust risk-sensing solutions typically combine leading-edge technology with the insights of industry analysts to synthesize large volumes of data and deliver intelligence on the global issues most relevant to an organization. By scanning hundreds of thousands of data sources in multiple countries and languages, these solutions help companies monitor intelligence about events as they’re occurring, analyze social conversations to predict how they’ll evolve over the next 72 hours, and scan the horizon to identify risk events that may emerge over the coming year. This allows organizations to respond proactively to preempt issues and capitalize on opportunities to enhance their brand and reputation.
  • Learn from the past. To build a risk-intelligent culture, businesses should systemically learn from past failures. To operationalize this, miners should give employees confidence to speak up—empowering them to report risks before they spiral out of control.
