Horizon scanning is an essential capability in any progressive resilience programme.  It helps to answer the question whether the resources employed in support of the resilience programme have been allocated in a way proportionate to the current and potential threats that the company is and will be facing.   By the time questions regarding specific threats are raised in the board room, it is important that resilience programme leaders can demonstrate a level of preparedness.  This was evident at the time of the H1N1 epidemic, where many resilience programmes were indeed “mostly there” by the time a specific threat reached the agenda of the senior management team, thereby underscoring the value of the resilience approach to risk management. Of course, horizon scanning has a broader business intelligence application that can cover industry, market, competitor and customer development in its support of corporate strategy development but this post will focus on its application to resiliency.

Most resilience practitioners agree that the outputs of horizon scanning are helpful to inform a resilience programme.  According to the Business Continuity Institute’s (BCI) Horizon Scan 2013[1], 77% of organisations in which BCI members are employed, perform longer term trend analysis whether centralised within a function such as strategy and risk or decentralised according to departmental needs.  29% are actively involved in the analysis while some 48% use the inputs for their analysis.  However, 21% of Business Continuity (BC) professionals do not have access to this information even though they know it exists.  The most common application of the information is its use in informing exercise scenarios and future capability development.

However, there is a bigger win on offer here with horizon scanning in that it provides resilience programme with the opportunity to help protect the long term strategy and provide assurance that plans and capabilities are in place to effectively respond to a diverse and changing threat environment.  If you want to present resilience capability strategically then understand future trends and how the business might look in 5 to 10 years’ time and use scenarios to help executives think through issues.  With companies embracing the opportunities of globally extended supply chains, for example, the opportunity arises to present resilience as a key business capability.

One of the often cited challenges is to move from an ad hoc approach to a systematic methodology where resilience capability is developed; likewise there is a need to settle on some key concepts and methods that are effective.  This post, expanded upon in much greater detail in an article written by the author in Operational Resilience in Financial Institutions, sets out a definition of horizon scanning, asks which horizon and whose horizon is to be considered, and offers a taxonomy for the analytical model along with advice on sources of information and practical considerations in developing a horizon scanning capability.

The value of horizon scanning

In a hyper-connected world, the real challenge for risk management is ‘time’.  Risks propagate quickly and unexpectedly, so the need for an early warning system to gain time is acute; horizon scanning can support the development of this anticipatory capability.

We can already see that horizon scanning is going to be of value to any organisation that has any of the following characteristics:

• Operating from international locations and conducting business around the world
• Leveraging globally extended supply chains including in emerging markets
• Operating in a highly regulated sector
• Operating in an environment which demands high ethical standards
• Reliant on the Internet and advancing technologies
• Facing the need to meet highly demanding and constantly changing customer needs
• Operating in an industry which is changing dramatically and likely to look very different from what it is today in 10 or 15 years’ time
• Making investments now that will last for 10, 15, 20 or more years

Taking a quick step back, it’s worth reminding ourselves that horizon scanning is a methodology that more broadly supports the business intelligence function and is applied to understand industry, market and the competitive environment.  It is defined as “the systematic examination of potential threats, opportunities and likely future developments, including but not restricted to those at the margins of current thinking and planning.  Horizon Scanning may explore novel and unexpected issues as well as persistent problems and threats.”[2]

As the definition suggests horizon scanning is not just about finding new trends.  Known issues require the application of horizon scanning techniques, specifically around signals that may lead to an impending event or a changing environment – for example, the annual reports of listed companies will list a number of known risk factors, here are three taken form one report[3], by way of example:

• Our international presence exposes us to risks associated with varied and changing political, cultural, legal and economic conditions worldwide
• Our international operations expose us to risks associated with fluctuations in foreign exchange rates that could adversely affect our business
• Political and economic conditions in the Middle East and other countries may adversely affect our business.

Horizon scanning is particularly important for organisations with extended global supply chains, as the firm may not be fully familiar with the exposures that their direct and indirect suppliers face nor the underlying dependencies of the supply chain both in terms of infrastructure, resources, economic and commercial relationships, and the regulatory environment.

The benefits of a systematic approach to horizon scanning become evident when sudden events happen.   The reason why some analysts can quickly provide a well-informed perspective on the origins and likely consequences of an unexpected event is that they are analysing the developments in countries or industries all of the time; it is just that not many other people are interested until it becomes a newsworthy or a board agenda item.  For example, it will always be difficult to predict when a dictator may be removed in a coup or popular uprising, but horizon scanning can help you to understand the consequences of a change in power, whether by natural causes or otherwise, and this work can be carried out well in advance of any social unrest or conflict occurring.   It therefore provides the ability to think through issues in a structured way and prepare for events.  The alternative to a systematic approach to horizon scanning is to chase headlines and make the link to your organisation’s interests on the fly.

Horizon scanning therefore helps to reveal exposures and prompts a discussion on consequences and preparedness in the context of an identified and evolving threat horizon.  As importantly, analysis can be used to provide talking points to engage the organisation and demonstrate the relevance and application of resiliency skills.  Some organisations may well use the input from horizon scanning to develop a vulnerability rating which evaluates and reflects both exposure and level of preparedness to meet the identified risks.  BC specifically provides the “mostly there” capability across a broad range of threats, and provides the foundation for the organisation to refine its final preparations as definition around the threat becomes clearer.

Which horizon and whose horizon?

One of the challenges with horizon scanning is choosing the timeline under analysis and relating available information to the desired timeline.  This can often give rise to a hierarchy of horizons with epistemic fractures between them because linkages across horizons are poorly understood.  The goal of horizon scanning is to provide both the broad picture and the long picture, so the timeline chosen and analytical approach needs to support this.

The timeline under consideration with horizon scanning will likely vary by the questions being asked and the nature of the decisions that need to be made.  There is likely to be a correlation between these criteria and industry sector.  While financial institutions may feel that a structure which rolls out from a 12 month view to a 3-5 year view and ultimately a 10 year one is sufficient, organisations in sectors such as energy and transport need to make much longer term investment decisions and will often look at 20 and 30 year horizons[4].

Working across the time horizons will require comfort in dealing with varying levels of uncertainty.  In the very long term, analysis may consider fundamentals and structures[5] such as demographic change, resource availability and quality of infrastructure, while in the medium term it will be easier to discern and document trends and patterns in demand and supply and changing industry structures, while the near term may require the inductive reasoning skills to relate events such as flooding and cyber-attacks and issues such as corporate responsibility to underlying trends.

It is also worth considering how external stakeholders view your and their own horizon, especially where they may be seeking to influence the environment in which your organisation operates. This may be particularly relevant to the treatment of ‘externalities’ regarding social and sustainability issues.

While the discussion on horizon scanning is rightly focused on the external environment, it is worth touching on whether the principles can be extended to analysing the internal environment:  Changes to the internal and external supply chain which are a result of management decisions can create vulnerabilities that once exposed to the macro environment cause problems that did not previously exist.   Given that larger organisations tend to look at opportunities to re-engineer the organisation on a regular basis then it is necessary to ensure that resiliency policy reflects these changes and the risk assessment is updated.  Managers need to be made aware of the short and longer term implications of decisions which affect business resilience.  For example, vulnerabilities could be introduced through new service delivery models offered by outsourcers or changes brought about by divesting unwanted assets.

What do we mean by scanning?

If we revisit the definition of horizon scanning, we can clearly see the output of the process: “…potential threats, opportunities and likely future developments, including but not restricted to those at the margins of current thinking and planning…”[6] but it is the scanning process which is fundamental to achieving these insights.

Scanning needs to be a systematic process to identify relevant sources of information to support analysis and evaluation of the threat landscape.   The process needs to be systematic in two respects – firstly, it needs to be an ongoing process because of the rapidly evolving threat landscape; an annual activity may well be insufficient – and secondly, a systematic approach introduces objectivity, as it will be possible to get beyond the most publicly talked-about threats or those recently experienced, to ensure that potentially lower profile but highly impactful events are identified and treated.

Another fundamental aspect of scanning is the ability to detect ‘signals’[7]. Depending on the time horizon under consideration, and as explained in the previous section, information is sought on changing structures, known issues or emerging trends.  These sources of information can be seen as signals once they have been transformed to insight and contextualised.   Signals can provide directional insight on an emerging trend or issue.  Horizon scanning therefore allows you to spot weak signals before highly impactful events occur.    Using a simple matrix allows you to gain an actionable overview of known-knowns, known-unknowns, and unknown-knowns[8] to quote the risk taxonomy popularised by Donald Rumsfeld, based on the strength of the signal and its business impact.

If you want to build an anticipatory capability then the skills at identifying signals and making sense of them is clearly a valuable one. Resiliency professionals will need to be proficient at gathering information and detecting relevant signals from what may be a mass of unstructured data.  Once information has been sourced analysis is required to get to an understanding of the potential development of an issue or trend.  This will require creative thinking about how a trend could evolve.

 A taxonomy for horizon scanning

The next step in developing a horizon scanning capability is to agree on the principle risk factors that you wish to include in the scanning process along with a taxonomy that works across the organisation.

In the financial services sector, institutions have a wide range of risks to consider from business and strategy risks to liquidity, capital and market, as well as operational.  BCM programmes may well start from operational risks but the skills involved in contingency planning and crisis response can be extended into other risk domains as part of the development of the programme.

A number of taxonomies are available to frame the analytical model.  One of the considerations in choosing the taxonomy is that it should help to explore the linkages between risk factors and potential cascade effects.  Another consideration is that as we are about communicating internally, it is advisable to use a popular taxonomy rather than create a new one. This also helps others to contribute to your own work.

Here is a brief description of the commonly used terms under the STEEP taxonomy with some examples of application in financial services:

Sociological (S):  Changes in social attitudes, consumer expectations and broader demographic development is an essential component of horizon scanning.   Corporate Responsibility (CR) is a good example of a risk factor that has become more important over time; evolving out of changing social attitudes.

Technological (T):  This risk factor does not require much introduction for financial services professionals, given that risks around technology are the traditional point of departure for many BCM programmes.  While technical outages do not bring big banks down, they do lead to regulatory fines, customer dissatisfaction and re-enforce any extant negative perceptions.

Economic (E):  Economic risk factors cover economic growth and decline, interest rates, exchange rates and inflation rates, wage rates, minimum wage, working hours, unemployment, credit availability and cost of living.  Clearly a critical area for financial institutions but not a familiar area for many BCM programmes.

Environmental (E):  Environmental risk factors are core territory for BCM programmes covering the consequences of adverse weather events, influenza pandemics, earthquakes and volcanic eruptions.  Horizon scanning in this context will look at changing patterns in any of these factors – both in terms of location, source, frequency and impact.

Political (P):  In a heavily regulated sector such as financial services, political and regulatory factors are going to weigh heavily. Political factors, usually influenced by social and economic imperatives, are the precursor to the legislative agenda and changes in the regulatory environment are often quoted[9] as one of the most significant risks that institutions face. 

It is worth reminding ourselves that the widespread adoption of BC in the financial services sector was triggered by a regulatory imperative, and BC’s continued adoption and growth will be dependent on its ability to respond to changing regulatory priorities.

At this point it is worth considering three points of caution before offering a model to apply the STEEP taxonomy:

• It is important to emphasise that the impact of these STEEP factors can be highly contextual – an institution which has already suffered reputational damage is less likely to be able to withstand further incidents without creating a sense of crisis and challenge to the management team.
• The fact that action or inactions, which now attract significant media and stakeholder attention did not do so in the past is testament to the need to monitor the changing environment and context.

• One of the challenges of any simplified taxonomy such as STEEP is that it is difficult to represent systemic risks and cascading risks – in today’s highly efficient supply chains, risk propagation is much faster than in the past, taking advantage of the efficient systems that have been created, and the time to respond is the one resource that is getting ever scarcer in this environment[10].

Trends, issues and events can be considered across three time horizons – long, medium and near term – and categorised according to the nature of the risk – sociological, technological, economic, environmental or political.   Each segment can be taken in turn and signal strength assessed around identified emerging trends, issues or events.  It is important that the analysis considers the full value chain in this macro environmental context.

Sources of information for horizon scanning

So with a taxonomy in place that works for your organisation and relevant planning horizons, where should you look for information?

The good news is that there are a lot of freely available sources of information to provide insight into these environmental risk factors, albeit you might have to pull reports together and glean insights from reading specialist magazines, newspapers and websites.  The challenge is that many of these sources do not present the information through a commercial lens and often it requires a lot of time to read through the reports to find the relevant information – some of these reports can be very long term and beyond the time planning horizons of most commercial organisations, and they are often academic in presentation.  Climate change is often cited as one of those environmental risks, where it is difficult to action a response unless its consequences can be broken down across time horizons.

There are also paid-for services and the advantage here is that the publishing organisation is standing behind the analysis.  Increasingly new services are available that present horizon scanning information in an intuitive and visual manner through online software tools to support planning and bring together diverse sources of information and deliver insight in form that allows a simple calibration of risk appetite and filtering to the information of most relevance.

Regular use of the indicators will help professionals communicate and justify risk-informed decisions and support effective value chain management.

As an example, in one update[11] D&B downgraded Bangladesh by one quartile to DB5d, “due to the deteriorating security situation in the country and increasing frequency of highly disruptive strikes. Minimum-wage negotiations have been one of the triggers of the strikes and riots, but Bangladesh is also holding general elections in January 2014, and we have seen an outbreak of violent protests and demonstrations in the run-up to the polls”.

Are there limits to horizon scanning?

Pressures may force time and resources on to the current state of affairs, especially if a resiliency programme is driven by compliance requirements in isolation from the needs of the business, while some issues may not be seen as resilience matters.   Initially, it may only be feasible to focus on specific threats given limited resources and commitment but it is important to have a roadmap so you can build out from the initial quick wins.  It is also important to consider the opportunities that may be revealed through horizon scanning in a resilience context, for example, the increasing use of social media should be seen as providing new communication channels and a source of information during incidents, while cloud services can provide greater system resilience.

Conclusion

In conclusion, horizon scanning is an essential component of a resiliency programme.   The need for a systematic approach to horizon scanning has become more evident in recent years as supply chains become globalised and organisations are exposed to not only unfamiliar risks, but risks which propagate much faster and in unexpected combinations through highly optimised systems thereby reducing the time available to develop an effective response.  I would strongly recommended that horizon scanning be active and on-going in order to get behind the headline risks, while recognising that pragmatism may dictate the need to start with a limited area of analysis such as operational risks and build out from that point to a broader range of risks and thereby contribute not only to improved resilience, but also increased business performance.

Useful sources of horizon scanning information

• World Economic Forum: Global Risks http://www.weforum.org/
• National Intelligence Council Global Trends 2030:  http://www.dni.gov/index.php/about/organization/national-intelligence-council-global-trends
• The Business Continuity Institute publishes a range of member survey reports which cover top threats, underlying trends and leading causes of disruption www.thebci.org
• Dun & Bradstreet publish in-depth quarterly reports on 132 countries aimed at corporate audiences  http://www.dnbcountryrisk.com/

[1] BCI Horizon Scan Survey 2013, Lee Glendon, The Business Continuity Institute http://www.thebci.org/index.php/download-the-2013-horizon-scan-report (registration required)

[2] Consultative Committee of Sector Councils for Research and cited by DEFRA and by British Chief Scientific Adviser’s Committee.

[3] Amdocs Ltd, Form 20-F (2011 Annual Report, Risk Factors)

[4] Stefan Gustafsson, BCM Executive Forum Report 2011, The Business Continuity Institute

[5] Early Warning: using competitive intelligence to anticipate market shifts, control risk and create powerful strategies.  Dr Ben Gilad, 2004, Published by Amacom (Shell case study)

[6] Refer to footnote #4

[7] Reference to signals in the context of EWS http://en.wikipedia.org/wiki/Strategic_early_warning_system

[8] Donald Rumsfeld, http://en.wikipedia.org/wiki/There_are_known_knowns

[9] Ernst & Young survey http://www.ey.com/UK/en/Industries/Financial-Services/Banking—Capital-Markets/Structural-change-in-European-banking-survey-2013—Key-findings

[10] Dr Helen Peck, Cranfield University, BCM Executive Forum Report 2011

[11] International Risk & Payment Review (IRPR) 2013, Dun & Bradstreet http://www.dnbcountryrisk.com/

[12] BCM Executive Forum Report 2013, Lee Glendon, The Business Continuity Institute

A fuller article on the subject of horizon scanning and how it informs Business Continuity Policy can be found in Operational Resilience in Financial Institutions, A Practitioners’ Guide to Business Continuity, published by Risk Books 2014.