Today’s environment is one not only of heightened risk, but of prolonged uncertainty. Blurring the lines between business-as-usual risk management, crisis management, and resilience can enable agility in the face of an uncertain future.
BLANKET statements about the impact of the coronavirus pandemic and its economic fallout may be viewed skeptically. But this much we can say: Risk management failures abounded. Indeed, regardless of how your organisation has been affected, there is much to be learnt about risk management from this still-unfolding crisis.
Even after the past 20 years of continual disruption, risk management is too often either misunderstood or mistakenly thought of as a compliance function. But while compliance regimes may work well for known risks with clear implications and proven mitigations in a fairly static environment, COVID-19 has demonstrated that the environment is anything but static. Risk is not a well-behaved house guest, and the impact of COVID-19 was impossible to predict. And every senior executive, board member, or risk leader whose organisation has prospered in spite of, or even because of, the COVID-19 crisis should clearly understand: Next time will be different. The volatile, uncertain, complex, and ambiguous (VUCA)1 environment virtually guarantees that the next crisis will not be any more predictable than any others have been during the past 20 years.
The chance to upgrade and reposition risk management—to perform a risk reboot—is one of the true opportunities this crisis presents to risk leaders, executive teams, and organisations. Not a reboot in the reset-your-device or restart-the-system sense from the tech world, but in the reboot-the-franchise sense from the moviemaking world. We mean reimagining, refreshing, and re-energising risk management and all of its elements to help address a highly uncertain future. The concrete outcome of this reboot is a risk leader’s agenda and mandate—and a risk management function—geared to the critical risks the organisation faces as it pursues its purpose, mission, strategy, and goals.
The following three guiding principles can help ignite a risk reboot and guide it in productive directions.
Cultivating stakeholders’ trust requires risk leaders to think more broadly and deeply about the organisation’s ecosystem of stakeholders. Relevant risk programmes are designed around the needs and expectations of all stakeholders—customers, employees, the board, vendors, partners, investors, the media, the community, and society at large.
When an organisation and its stakeholders truly trust one another, they become partners in risk management, alerting one another to emerging risks, collaborating on mitigation, and creating greater value for each party. This has been demonstrated through mechanisms such as customer councils and preferred supplier programmes, and among extended enterprise partners, in which key stakeholders are “brought into the organisation” to enhance relationships and build trust.
Viewing stakeholders more broadly and deeply, and cultivating trust with the stakeholder ecosystem, positions a risk leader to:
A reboot elevates the role of risk by identifying new opportunities to deliver value as well as by addressing actual and potential threats. This increases C-suite confidence in the risk function by delivering more relevant information, including predictive information, and solving the compliance conundrum created by the need to continually create controls, processes, and reports in response to new mandates.
A successful reboot also calls for risk leaders who understand not only risk but also business strategies and how they are implemented. These leaders, equipped with eclectic backgrounds and broad business experience, can translate the often abstract concept of risk into concrete impacts on strategies, initiatives, and decisions. They can assist the executive team and the business in risk identification, monitoring, mitigation, management, and response.
Here are some actions that can help elevate risk management’s role:
When a crisis strikes and amid ongoing uncertainty, management needs a clear picture of current and potential developments. Yet the risk leader and the risk function often lack the access to data, the analytical firepower, and the ability to communicate with management and the organisation in real time or near-real time. A successful risk reboot empowers the risk leader with ready access to risk and performance data, analytical tools, and reporting mechanisms such as data visualisation. Equally important, the risk leader and his or her team should be prepared to provide early warnings of emerging risks to further support decision-making—perhaps with an assist from risk-sensing technologies, predictive analytics, and scenario planning—along with actionable insights and recommendations.
Scenario planning in particular can enable risk leaders to clearly portray the impact of potential risk events on specific stakeholders. It enables management to more clearly understand the full range of available options as well as the if-then ramifications of each decision. Scenario planning also enables leaders to define potential signals that, if they were to emerge, might indicate the nature and impact of potential risks as well as the direction of future events.
Some useful questions to ask in the effort to deliver risk intelligence include:
The COVID-19 pandemic has shown organisations that they can make decisions rapidly under conditions of extreme uncertainty. The challenge is to make even better decisions under the conditions that lie ahead. This calls for combating the inertia that may cause the organisation to lose that ability and return to business as usual, and drive risk management to return to former modes of operating. Risk functions have a rare but real opportunity at present. Rather than slowing down decisions, raising only objections, or entering the process too late, risk must be an enabler, not a barrier. That means supporting fast decisions, presenting solutions, and being engaged at the outset.
Read the full report here Rebooting risk management: Making risk relevant in a world remade by COVID-19.
We don’t believe that risk is simply managed—it is confronted. In Advisory, we do not take a defensive crouch. We move forward, defining the unknowns and framing the issues before you encounter them. Whether your challenge is cyber, transactional, regulatory, or internal controls, we can help prepare you to preempt the threat, define what’s vital, and aggressively secure it. So that you can keep pace, get back to the business at hand—and move on what matters.