What to expect from IRMSA’s 2021 Risk Report



Since 2014, the Institute of Risk Management South Africa (IRMSA) has released an annual report focusing specifically on South Africa’s risk landscape. Soon to appear in its seventh edition, this report is already widely recognised as the definitive view on South Africa’s different risks, how they impact its people and industries, and what we could prepare for.

Yet the 2021 report comes at a very crucial time, arriving amidst the confusion and challenges caused by the COVID-19 pandemic. The pandemic has boosted topics such as risk management, existential threats and resilience higher on the agenda. This will, no doubt, make for some interesting reading.

As an active participant in the risk industry, helping our customers modernise their risk management systems, thryve pays close attention to IRMSA’s risk reports. To get a better view of what to expect from the 2021 edition – due for release in late February – we chatted to Christopher Palm, Chief Risk Advisor at IRMSA and one of the report’s co-founders.

Here is an edited version of the interview. Hopefully, you find it as insightful as I did – and if you do, feel free to share the conversation and spread the news about this crucial report.


thryve: Which edition of the report will this be, and is there anything special about it?

CP: The IRMSA Risk Report 2021 will be the seventh edition, and this is going to be the most significant report that we have launched. I think it goes without saying that COVID has a lot to do with it, and I think our report will now get a lot more traction. And not just because of COVID, but because the report is also recognised internationally as a definitive examination of South African risks.


thryve: The nature of risk conversations shifted during 2020. You would like risk to be used more broadly and not just focused on negative consequences. Could you elaborate?

CP: When we use the word risk, by implication, it includes opportunity. But because the masses don’t see it as that, we talk about risk and opportunity regularly. Risk management is for everybody. It’s not just for the chosen few. So I think it’s just important to say that the report this year recognises that we can’t just do less of the bad. We must also do more of the good. That is something the 2021 edition will focus on. For example, we have a section in the report that talks about the call to action. What is this call to action? How are we going to change the path that we are on?


thryve: Risk management is still treated as a grudge purchase by many companies. Yet it can be a powerful strategic tool. Why isn’t this message growing faster across South Africa?

CP: The most important part of risk management is knowing your objectives. And then the second part is understanding your context. When I started off in risk management, it was a grudge purchase similar to your car’s short-term insurance. You don’t want to pay for it, but you need it, and therefore you do it, and you don’t smile when you buy it. Risk management is still pretty much like that for many organisations.

One of the reasons for that is because we in South Africa haven’t yet matured risk management to the extent that we can show value. We don’t show that risk management can contribute to whatever your desires are. Desires may not be a good business term, but I don’t want to just say ‘return on investment’, or your share price. It’s about what is it you can leverage that is good for you? So whether that be a positive, maybe a positive environmental label, or whether it’s good health and safety numbers – we haven’t demonstrated enough that risk management can contribute to that.


thryve: The new report pushes for this context. But in truth, the very start of the report back in 2014 had to do with giving people more relevant risk information. Could you expand on that?

CP: Several years ago, I took a World Economic Forum risk report, and I copied those very cool-looking graphs, spider diagrams, and pivot tables onto a PowerPoint presentation. Then I walked into a boardroom, and I presented this as the context for my risk report. And the board – one or two or three of the board members said, “Chris, thank you very much for marvelous plagiarism. But this doesn’t mean much for us, because the World Economic Forum writes about the world and South Africa sits here. So skip to the important part and show us the risk register.”

That’s when I realised that we would not go anywhere unless we’ve got a relevant context of our country. That was the original reason for approaching IRMSA, offering my services and saying, “Look, I’m not a researcher. But I’m prepared to do this, because I bled in a boardroom. And next year, I would like to have some better data.” Of course, without any doubt, as the [report] committee got established, and as new minds came into play, the big benefit of this is for both the public and private sector to understand what South Africa is about. What are these risks? What are these opportunities? And how can we leverage them by using this report? That’s the purpose of the report and the reason behind it.


thryve: Is that helping elevate the strategic role of risk?

CP: This is extremely powerful. The contexts that arise from such conversations give us an opportunity to strategise differently in the way that we might execute our skills. Take as an example SA’s struggles with realising mega projects. Maybe we should get into the project management space instead of project deliveries. It elevates the conversation to a more strategic level, and it allows us as chief risk officers to use information that we might not traditionally have access to.

We are comfortable talking about operational risk and business risk because we know it, that’s the business we are in. But think about COVID’s impact. For example, lots of businesses changed or expanded to do something very different. And I think that is what the South Africa research report is enabling. It enables a window into risk thinking that is now more important than ever before as we go through very uncertain times.


thryve: The COVID pandemic has had an enormous impact on risk management and attitudes towards risk management. Themes that thryve has been driving for a while, such as strategic risk and “sense and respond” risk management, are suddenly more part of business conversations. Would you agree that the pandemic has been a watershed for risk?

CP: Yes, no doubt about it. When we as chief risk officers arrived at a boardroom, and we wanted to talk about pandemics, or climate change, or solar flares, for example, we got laughed out of the boardroom. Such risks are often the white elephants in the boardroom. Everybody knows about them. Everybody knows they can have a potential catastrophic impact. But nobody thinks it will happen to us, so let’s not waste time talking about it.

But I can guarantee you – when we go into the next boardroom and we raise those topics, that’s what they would want to talk about. Because COVID showed us that the white elephant in the room is what we need to spend time thinking about – unpacking, building scenarios, building alternative response strategies. So that’s the first thing that I think COVID taught us.

The second thing COVID taught us was that we were really very lucky that this risk unfolded the way it did. Can you imagine an earthquake or a solar flare – something a lot more immediate and far less forgiving than a pandemic? How would we have dealt with that? So, it showed us our weaknesses, not just in our strategic thinking but in our ability to comprehend mega catastrophes with very low likelihoods because we don’t think it will come to us.


thryve: Is there a risk – no pun intended – that we’ll forget these lessons?

CP: My single biggest concern is that we are already, in our mind space, migrating back. We think this was a once-off, this is not going to happen again – at least to us. Hopefully, the report will help us retain some of that focus. And then, of course, there are the more practical lessons. The report will show what skills we were lacking. It also ponders where we have to think differently about risk management as a profession.

There’s also the conversation around integrating strategy with risk and resilience. We must realise that it’s not just about buying short term insurance for your car for when you’re in an accident. It’s also about thinking which roads you’re going to drive. Thinking strategically, then applying risk management. Good decisions don’t always have excellent outcomes. Sometimes bad things happen. We’ve learned that we also need to be resilient. We need to have good business continuity management, strategies, tested plans.

The report will highlight the integrated strategic risk and resilience mindset. And then, of course, the ability for risk management to get the message across in such a way that we don’t have these white elephants in the room anymore. That we package our information in such a way that is meaningful, impactful and has value.


thryve: How comprehensive is the report?

CP: We didn’t want to take a shotgun approach, so the report doesn’t drill down to specific sectors as such. The report must have focus and relevance for South Africa, without getting too bogged down in the small details.

What we do is we use the South African National Development Plan and its objectives, and we then do this risk assessment against those objectives of the country. The link back to organisations is set in the context of their being part and parcel of delivering against those objectives of our country, both in contribution but also how they are impacted. There won’t be risks specific to an industry or an organisation. But it will be useful and offer valuable information for when they start having their strategic and operational risk discussions.