Risk resilience: How your business risks can create strategic success
Risk management is more than just a legal exercise: it can bring competitive advantage, says John Hurrell
Law firms, like all organisations, are devoting increasing time and resources to risk management. This is an inevitable response to the growing complexity of global risks, combined with more onerous compliance demands and the absolute imperative to protect their reputation.
But is risk management really making your firm a more successful business, one that is truly resilient? If your risk management processes are designed principally to address compliance needs or to focus only on core operational risks, then your business may be missing a trick and leaving itself exposed.
Most law firms have sound procedures in place to deal with the risks associated with the profession (most notably malpractice) and, as a matter of course, will purchase professional liability insurance. The remaining risk management effort may be addressed through buying other lines of insurance, such as property and casualty or general liability.
However, for risk management to be truly effective - to protect a firm and its reputation from unforeseen as well as foreseen risks - it needs to take on a wider meaning and be embedded in the firm's culture from the very top to the bottom. Businesses that do this successfully - and it is by no means easy - achieve resilience.
Being resilient is about much more than the ability to avoid disaster. It is about linking sound risk management to achieving strategic success in all areas of the business. Resilient businesses are more likely to prosper and increase profitability. Firms that are confident in their risk management are able to be more enterprising and entrepreneurial - to seize opportunities.
Figure 1 illustrates different approaches to risk management. Your firm is very unlikely to be in the bottom-left box. But many firms unknowingly sit in the 'risk responsive' or 'risk compliant' boxes. This is the 'ok' approach to risk management. However, to be truly robust and commercially successful, firms need to challenge themselves and ask what they need to do to move into the top-right box, the road to resilience.
Figure 1: Risk resilience matrix
Roads to ruin
Every so often, the corporate world is rocked by a high-profile crisis or failure. Whether it is the collapse of Northern Rock, Independent Insurance and Enron, or BP's Texas City explosion, the reasons may at first seem diverse and unique to the individual circumstances of the company.
Our research has identified that there are some common underlying causes [1]. All too often, for example, the problems emanate from an inadequate grasp of risk at the very top of the organisation. Indeed, in all of the above-mentioned crises, there was a failure by boards to engage with important risks to the same degree that they engaged with reward and opportunity.
We found that the weaknesses which led to corporate crises or even failure stemmed from seven key risk areas, as follows. Strikingly, these risks are beyond the scope of insurance and traditional risk management techniques.
- Board skill and NED control. This refers to risks arising from the limitations of board competence or relevant experience. For example, the non-executive directors (NEDs) at AIG prior to its near-collapse in 2008 were selected for their connections and prominence, rather than for their ability to understand and challenge the workings of a complex financial institution driven for many years by a dominant CEO.
- Board risk blindness. This refers to board failure to properly recognise and engage with risks inherent in the business, including risks to the business model, the organisation's reputation and its 'licence to operate'.
- Failure of board leadership and implementation of ethos and culture. After the explosion and fire at BP's Texas City refinery in 2005, it was found that the company had failed to respond to repeated warnings about safety failures and a series of near misses.
- Defective internal communication. Another risk is the defective flow of important information within the organisation, including up to board level. In the case of the serious delay to the production of the EADS Airbus A380 starting in 2004, it turned out that middle managers kept the problem of non-matching aircraft sections from senior managers for six months.
- Risks from organisational complexity and change. In the case of the near-collapse of Northern Rock, the board appeared not to have even considered the complexity of the financial markets on which its business model depended or how this might affect the bank's access to liquidity.
- Risks from incentives. This refers to the effects of both explicit and implicit incentives on behaviours. For example, senior Shell executives had a personal incentive programme linked to the company's oil reserves prior to the embarrassing series of overstatements of oil reserves between 2001 and 2004.
- Risk 'glass ceiling'. The inability of risk management and internal audit teams to report risks to and discuss them with their C-suite and NEDs has resulted in risks emanating from high levels of organisations. French bank Société Générale provides a good example. In 2008, it discovered a rogue trader had lost an amount now determined at €5bn. It turned out that over 70 oddities with his trading had been reported internally, but the compliance officer had been unable to challenge the trader or to get the attention of his seniors.
Roads to resilience
If these risks cannot be addressed through standard risk management techniques, how should firms tackle them? How can you ensure your future success against the growing array of risks?
Our research into successful firms has found there are several common features that underpin resilience and that organisations can turn themselves around through excellent risk management, as AIG has demonstrated [2]. But the overarching lesson is that the key to achieving resilience is to focus on behaviour and culture. In all of the successful organisations we identified, resilience was at the heart of strategy.
The following five traits were identified at all levels of successful organisations:
- an exceptional 'risk radar';
- effective internal and external networks;
- willingness to review and adapt based on excellent communication;
- the ability to respond rapidly and flexibly; and
- diversified resources.
It also became clear that the most successful organisations build resilience from the client outwards. Most risk events can be handled effectively and without lasting damage, provided the company's reputation is intact (or at least well protected). This will always involve putting the client first.
The case studies provided (see case study boxes) highlight just that. TTP fully understood that technical expertise alone would not bring it success: this needs to be matched with excellent client relationships. By comparison, Maclaren failed to understand its customers when faced with a product recall and, although it acted according to the letter of the law, its reputation was significantly damaged.
Case study 1: The Technology Partnership – The client is king
The technology development projects that The Technology Partnership (TTP) conducts for its clients are extremely complex, involving significant uncertainty. Managing client relationships is therefore crucial. In each project, risks are managed by peer reviews and by establishing a fast response if problems occur, rather than trying to predict every potential problem.
The project leader and key members of the project team will be well known to the client, who they will meet regularly. Key decisions will be discussed with the key client contact, so there are no surprises.
Culture is also very important. The ability to explore, improvise, work autonomously and in a team are key attributes for every employee. And, in the words of its chair: “Culture is very important and the definition I like is that culture decides what people do when you’re not around”.
Case study 2: Maclaren – Upheld the law but still suffered reputational damage
Pushchair manufacturer Maclaren issued a major product recall in the USA after reports of child injuries. Although the range of pushchairs in the UK and Europe was comparable, it did not conduct a similar recall exercise.
This provoked a strong reaction from the UK media and customers. The company quickly admitted its mistake and made repair kits available outside the US, but reputational damage had already occurred.
Maclaren had taken advice from appropriate safety agencies and followed generally-accepted procedures on both sides of the Atlantic, but failed to put its clients at the heart of its response.
According to its CEO: “Our mistake was that we did not apply our own knowledge of our customer base and our common sense to be physically present. In my view, we were also too shy about commutation.”
It is presumed that Maclaren had product liability and possibly product recall insurance. However, this would not have compensated for reputational risk and damage to brand.
Changing attitudes
While it is possible to find glowing examples of truly resilient businesses, many organisations continue to approach risk with a compliance mentality, or the risk management function operates within a silo. This is changing, though, and guidance published by the Financial Reporting Council (FRC) in September 2014 will only serve to raise the profile of risk management and encourage an enterprise-wide approach to risk.
According to the FRC guidance, "ultimate responsibility" for risk management should lie with the board of directors. This very much resonates with our own research. According to the FRC, not only will boards need to lead by example and set the risk culture throughout the business, but they will also have to demonstrate that the business model and strategy are linked to key risks.
In other words, risk must be at the heart of all business decisions. The FRC guidance is specifically aimed at listed companies, but it is a good guide to best practice in risk management for all organisations.
Culture of resilience
Traditional insurance techniques, while essential, will not in themselves create a culture of resilience. So what can your firm do to ensure it is sitting in the top right hand box of the risk matrix?
The box 'Five steps to improve your firm's risk resilience' draws together the key lessons learned from the dozens of case studies, both good and bad. They are grouped around the five traits of a resilient organisation highlighted above and, while not exhaustive, represent the basis of a strong risk management framework and a successful organisation.
Before any of this can be achieved, it must be understood that effective risk management is not just about compliance: it is much more positive than that. Risk should be at the heart of strategy and effective risk management should be an enabler and a potential differentiator. Most important of all, when done successfully, it will protect your firm's most important asset - its reputation.
John Hurrell is CEO of Airmic (www.airmic.com)
Five steps to improve your firm’s risk resilience
1. Ensure you have an effective risk radar that not only mitigates known risks but, crucially, provides an early warning system for emerging risks.
- Lead by example. Senior management are responsible for setting – and demonstrating – values, culture and risk appetite across the business.
- Ensure all employees are aware of their responsibilities to raise a risk, report an incident or near miss, or signal early warning signs of an event.
- Constantly update your risk register to reflect the current situation and any changes outside the business.
- Establish cross-functional reviews: managing risks within silos can mean that risk is not appropriately understood.
2. Prioritise resources and assets to protect business priorities in the face of unexpected risks.
- Run stress tests and scenarios: identify critical individuals, tasks or processes that are vital to operations. Eliminate single points of failure and external dependencies (such as customers or suppliers) wherever possible.
- Ensure resources are flexible so that they can adapt to changes to the business strategy or to the external environment.
3. Build relationships that have a common purpose and allow for rapid and open conversation if an issue arises.
- Engender trust between departments, levels of management and between internal and external stakeholders. Open and honest conversations allow for rapid responses when necessary.
- Ensure knowledge is shared and all employees feel able to raise questions and openly discuss risks. Consider whether your firm’s structure supports the communication of risk.
- Create a no-blame culture to ensure bad news is not withheld.
4. Ensure you can respond rapidly and appropriately to any situation.
- Look for early warning signals and have plans in place to respond.
- Create plans for dealing with all risks on the risk radar: these should be tested and roles and responsibilities in a crisis should be clear. The initial response to a crisis is key for reputational protection, so consider how best to communicate with stakeholders.
- Plan for business as usual: a cross-functional emergency response team may be required to react to the crisis, leaving management free to continue with business as usual. The team should be multidisciplinary, self-organising and autonomous.
5. Review and adapt.
- Continually enhance risk management processes to reflect internal and external changes. Risk management should be independently reviewed regularly.
- Make changes post-event. Following an event or a near-miss, senior management must have the ability and willingness to make changes to improve risk management, even when these are significant. The risk manager must be sufficiently empowered to ensure these changes take place.
References
[1] See Roads to Ruin - A study of major risk events: their origins, impact and implications, Cass Business School on behalf of Airmic, 2011
[2] See Roads to Resilience - Building dynamic approaches to risk to achieve future success, Cranfield School of Management on behalf of Airmic, 2014