Resilient organisations in uncertain times

Once you’ve gone through a period of disruption on the scale that we have in 2020 and seen how you can be more resilient, it really changes you. You see how resilience can make your business more flexible, adaptable, and forward-thinking, and you can’t go back to how it was before.

14.6.2021

 

In our article “Risk management in uncertain times” published in March 2021, we discussed that emerging risks are likely to be global, indiscriminate, and hard to contain once they have started to unravel. These characteristics make them difficult to manage or to anticipate their magnitude.

We also considered the use of scenario planning to evaluate the robustness and the limits of existing risk management approaches. Established risk management approaches could have limitations – and that’s understandable as these are mostly built in response to the risk events of the past.

While we are still in the process of responding to the immediate and future challenges presented by the pandemic, we are not alone in feeling exposed. The recent interview series Director’s Alert 2021 found that prominent board directors felt that the risk manuals they had did not work or that they had to explore fresh solutions when the pandemic began.

In this article, we take stock of the lessons learnt so far and consider how we can make use of good practices going forward.

Risk that evolves

During the pandemic, the connectivity of otherwise distinct types of risks became apparent and we were surprised by how fast the chain of events unfolded in unexpected ways. Supply chain risks became apparent in the production and distribution of vaccines against Covid-19, and the ongoing problem is still on our minds. But the supply chain disruptions caused by the pandemic also affected the core of many unsuspecting businesses.

Furthermore, the pandemic changed customers’ behaviour, which then affected revenue streams and the cost of operation. Companies are also exploring how to best accommodate new working arrangements and analysing what the future of work may look like. Reduction in our economic activities has had an effect on national economies that are facing fiscal challenges as well as the need to provide for those who are the most affected. The pandemic has also illuminated the economic disparity globally.

It has been like a stacked domino falling and having multiple consequences. Where a risk event has the tendency to evolve into multiple events, as time goes by the effectiveness of even a well-thought-out but single risk response can deteriorate. Furthermore, the characteristics of emerging risks make it difficult for us to prepare in advance for how widely the risk management system needs to engage (e.g. to prepare the human and other resources that a company needs to commit to risk defence and the extent to which they are needed).

All these seem to suggest that companies need to be able to respond to evolving risks flexibly, interrupting a previously decided course of action if necessary or making an adjustment or a new decision. While we cannot hypothesise and prepare for all possible scenarios, scenario planning has reportedly helped those who have anticipated and prepared for what organisations need to survive and thrive in the future. Being prepared for different scenarios can familiarise us with agile thinking. By regularly analysing the environment with the effective use of data – such as using key risk indicators (KRIs) – we can take early actions.

Preparing an organisation for a mutable, high-impact risk

If our capability to imagine and therefore prepare for risks is never going to be complete, we need to have a risk management system that is agile and adaptable to the situation. How can we do that?

This requires that the organisation is given permission to be flexible when it is making decisions and acting on them, while making sure to minimise frictions in doing so. In a business context, frictions mean cost: it can range from financial costs to the loss of morale, confidence and loyalty, or even the creation of distrust, which can lead to the loss of the best employees and business partners.

Enablers of such flexibility come from both internal and external sources. Let us look at them in turn.

The connected organisation

The first part of the solution is to create a robust risk management system internally. But what if a risk event starts to unravel and, in the process, starts to affect various parts of the organisation?

Effective risk management will require non-risk experts to be integrated into the process. While they are not experts, they need to know how they are a part of the risk management structure. When a situation calls for it, they need to be ready to adapt their routine business practices to the changing situation.

For example, in the aforementioned Director’s Alert, the CEO of a global premium drinks company told a story of the business turning its attention to its partners in the hospitality industry which was badly affected: the company took back stock that could not be used and put in place a recovery fund to support bars, pubs and restaurants in order to help them pay for the equipment needed for safe re-opening. People around the company were quick to note the changes in socialising patterns, and the company was able to turn its focus onto e-commerce early.

Prompt and efficient internal communication is vital. Information obtained from reliable sources and used in the key decision-making should be made available if it is reasonable to do so and should enhance the credibility of decisions. The purposes and rationale behind decisions help communicate to those affected that there is consistency between decisions and the changes introduced, even if these are not always straightforward.

It is important to ensure that communication flows both ways. Senior leadership and risk experts may receive privileged information from specialist sources, but the information that the people at the coalface receive can be equally critical. What they hear from customers, suppliers or their own networks can shine a light on an aspect that has so far escaped the risk monitoring system.

When it comes to listening to employees, it is the responsibility of leadership to be interested in the views and concerns of employees. After all, they create the value for the business. During the pandemic, people have adapted to different work arrangements and it has worked better or more effectively for some, although isolation has caused stress and teamwork had to be reinvented. For companies, this can be an opportunity to enhance both employee welfare and productivity. Businesses that have been monitoring the effect are likely to retain (with necessary adjustments) diverse working arrangements – different shifts, part time work and remote working – post pandemic.

Building trust among stakeholders

The second part of the solution is to create strong relationships with stakeholders. Stakeholders are the people who matter to us, but they are also those whose needs and interests we affect.

Determining who are the key stakeholders is an essential process. We need to prioritise those who can materially affect us and materially be affected by us. However, those who are outside the boundaries can become important in a relatively brief period. People are well-connected by using the internet and social media. Complete strangers can connect instantly and act together, which can create an unimagined momentum, as we have seen in the stock market frenzy triggered by retail investors in early 2021.

In addition to knowing who the stakeholders are, we need to understand what needs and interests they expect from us and what can prevent us from delivering them. We need to manage the risks that jeopardise our relationships with stakeholders.

Trust among stakeholders is important as it cultivates loyalty, commitment, quality and performance. In contrast, distrust increases costs, abuse and waste, and even leads to the risk of fraud. 

The uncertain world calls for something robust and stable. Successful business leaders have noted the importance of building purpose and values into the company’s strategy and increasing their visibility. It is also important to demonstrate that we live by the purpose and values. These are the heart of any company. They tell about how a company wants to be remembered in its 100th anniversary book.

If we succeed in being consistent with the purpose and values, stakeholders will also see us as such, and this gives a real meaning to our brand. Trust ultimately emerges from the sustained effort to be true to the purpose and value because it gives a sense of direction. This is even more crucial in times of crisis. Strategies and operational goals may need to be revised in the short term, but the purpose will stay the same and value should guide us in achieving this purpose.

The board’s contribution to a resilient organisation

Risk management has become a highly technical subject over the years. Established standards have also increased in volume. These are a mere reflection of the breadth and depth of the risk-related concerns which we need to cover that range from finance to cyber, and from health and safety to climate change concerns. The increase in the scope alone has made the job of risk leaders, particularly CROs and CAEs, difficult when interacting with the audit committee and the rest of the board of directors. 

Our Board Practices Report, a survey of over 100 respondents from publicly listed companies, found that only about 26% of CROs attend the board meeting and 29% attend the audit committee. This is surprising, considering that risk oversight is the board’s responsibility. Even where they attended these meetings, communicating a wide range of topics concisely is no easy task. Despite the use of matrixes, scores and other tools developed to help visualise risk approaches and performance, the feedback can be that risk leaders are still speaking the language of risk rather than that of business – they are communicating in ways that fail to illuminate actual risks.

the opportunity to translate their in-depth knowledge of risk into knowledge that supports the strategic direction and execution. Detailed risk knowledge needs to be set within the right context, aligned with the board agenda – such as the purpose, value and strategy. Quantifying the impact of a risk materialising, accompanied by the benefit and savings that can be made by acting on risks early, helps turn an abstract risk into a real risk. Finally, presenting practical steps in the short-, mid- and long-term can help garner board support for turning risk management into actions that can then be shared across the organisation. 

How can boards support the risk leaders in making risk a responsibility (to varying degrees) for everyone within the organisation?

Boards can certainly do more than they do now. The same practice survey reported that only 4% of boards thought of risk as an area of professional experience to consider when recruiting someone onto the board, while industry knowledge, digital and technology strategy and business leadership scored 41%, 34% and 32% respectively. When it comes to board education, there is a strong focus on board and governance processes and, with a notable exception of cybersecurity and cyber risk, risk in general is lower down on the list. With the experience of the pandemic, this should certainly be changing. 

A board-level risk committee is one useful mechanism by which the board can take time to meet its risk-related roles and responsibilities. This should send a powerful message to stakeholders that the company is taking risk seriously, both as a threat to be mitigated and as an opportunity to explore.

Establishing a risk committee

In the wake of the financial crisis in 2007/2008, regulators around the world introduced a range of requirements for financial services. One of them was to establish a risk committee. The purpose was to ensure that a specific board committee oversees companywide risk management as well as finance-related risks. 

Over the last decade or so, more companies have adopted the idea of having a board-level committee to oversee risks. It may be a standalone risk committee or the task can be designated to another committee, typically to the audit committee.

The risk committee primarily supports the board in overseeing risk. They should provide a regular link between the executive team, particularly the CRO, and the board of directors, enabling the operational set-up to reflect and be integrated with the company’s strategic thinking.

Conclusion

Acting in times of crisis challenges anyone in business. But resilient organisations come out from the crisis stronger than others. They do so by preparing and monitoring for early signs of threats, both communicating and listening to their people inside and outside the organisation and building trust by demonstrating how they remain consistently true to their values and purpose. The board can also support risk leaders better, which in turn helps the board grasp a risk in the context of the purpose, values and strategy of the company.

References:

Gret Tretiak’s lead words were quoted in Deloitte, Building the Resilient Organization: 2021 Deloitte Global Resilience Report, p. 3. This and Rebooting Risk Management: Making Risk Relevant in a World Remade by Covid-19 have provided many of the inspirations for this article.

This article was originally created for DIF and published on the 10th of June 2021.
