Written by: Christopher Thackray, Executive Contributor
Executive Contributors at Brainz Magazine are handpicked and invited to contribute because of their knowledge and valuable insight within their area of expertise.
We live in an era defined by going from one crisis to another with little time to recover between crises. After two challenging and uncertain years of a widely unanticipated global pandemic, companies have once again been thrust into responding to the severe and lasting impacts of the worst geopolitical crisis since the end of the Cold War era, prompting the end of a market rally that first originated in the aftermath of the 2008 Global Financial Crisis.
The rate of deterioration in global markets throughout 2022 was unexpected for many companies and central banks. The impact of the war in Ukraine, the global economic slowdown, rapid and unprecedented changes in US and European (including UK) monetary policy and accelerating wage and input cost inflation have recast the prominent role of Enterprise Risk Management for companies of all sizes, complexities, and industries. With each passing crisis, tangible objectives of Enterprise Risk Management are becoming further ingrained in corporate strategy planning and governance. Adding to the circumstances is the revolutionary influence of digitalisation and social change on the competitive forces and day-to-day functioning of well-established industries and companies, from Healthcare to Power and Financial Services.
Building forward-looking, data-rich, and integrated practices of Enterprise Risk Management into strategy planning, financial management and operational delivery is a strategic commitment for any company. It often requires a multi-year investment, an unmistakable and unquestionable ‘tone from the top’, and, quite often, changes to corporate culture. Whilst the ambition for more advanced practices of Enterprise Risk Management is desirable for most companies, such aspirations are often considered to come with a high cost and are therefore de-prioritised against the backdrop of capital and resource investments into revenue-generating initiatives.
If this sounds like your company, do not worry.
Practical lessons can be learnt from past crisis events to help all companies, regardless of size, complexity, and industry, to improve the awareness, management, monitoring and governance of enterprise risks. Taking these steps will allow management and board members to optimise the use of existing capital and resource investments to mitigate critical risks considered to present the most significant harm to the company, its investors, clients, customers, and other vital stakeholders.
Taking The First Steps Towards Enterprise Risk Management
A common objective of Enterprise Risk Management is to build, test, monitor, and govern a company’s enterprise resilience. This means a company’s preparedness and ability to detect, prevent, respond to, and recover from all forms of disruptions, whether internal or external, unforeseen or not. This requires an understanding of ‘what could go wrong’, which is a simple way of asking, what are the risks to our company?
A common challenge with many Enterprise Risk Management programmes is the creation of never-ending risk registers containing thousands of risks listing endless possibilities of what could go wrong. To avoid repeating this mistake and focus the company on preparing for the next crisis, narrow the focus to identify ‘critical’ risks, the risks that threaten the continuing viability of the company, its strategy, financial performance, or operational delivery.
Here are some suggestions for anticipating and preparing for the next crisis event.
Identify Critical Risks Of Strategic Importance
Utilise an existing senior management meeting to brainstorm and prioritise critical internal and external risks to the company. Try to avoid considering the probability of each risk at this stage. Plot each critical risk to one or more strategic objectives within the company’s business strategy and plan. Utilise a simple prioritisation method (e.g., n/3) to identify critical risks requiring more urgent management attention and appoint a management owner to each prioritised risk.
Encourage management members to engage their departmental staff before the meeting. Set a clear expectation that management fully understands the characteristics of each new and emerging critical risk. It is important to consider potential ‘black swan’ events (events that are unexpected and carry a significant level of harm), though try to encourage an initial focus on practical, high-impact, and visible risks.
Target outcome: critical risks to the company’s strategy and plan and a shortlist of critical risks for management action and ongoing corporate oversight.
Assess And Manage Critical Risks
Undertake a high-level analysis of each prioritised critical risk. Consider the various impacts the risk could have on the company, including the business strategy, business model, financial outlook, and operations. Evaluate whether the risk will likely occur in the next 12 months (or sooner), 24 months or beyond. For critical risks where it is not possible to determine the probability, such as risks that are unpredictable yet potentially detrimental (e.g., a pandemic), consider the speed at which the risk could materialise and the potential for its impacts to cause significant harm to the company and its important stakeholders.
For each critical risk, explore the following questions:
Is it in the company’s interests, or the interests of its investors, clients, customers, suppliers, or other vital stakeholders, to enhance management actions intended to improve the company’s preparedness and ability to detect and prevent the risk from materialising?
Could the materialisation of the risk and any associated impacts cause a moral or ethical dilemma for the company?
How could investors, clients, customers, and other important stakeholders respond to the materialisation of the risk or any associated impacts?
Could the materialisation of the risk cause significant or lasting reputational harm or lead to the loss of current or new business?
Are current processes and controls adequate to detect, prevent or mitigate the full extent of the risk or the most harmful impacts of the risk?
Target outcome: an assessment of the potential strategic, financial, business model and operational impacts of each critical risk, combined with a view of required business practices to mitigate the risk.
Assign Action-Oriented Risk Management Working Groups
The art of effective Enterprise Risk Management in any organisation is to embed risk management activities into day-to-day business activities. Companies seeking to achieve a more advanced stature of Enterprise Risk Management often require changes to business planning practices, business model structures, operational processes, and governance frameworks.
To minimise costs and avoid distracting staff from their day-to-day activities, consider establishing working groups for each critical risk, consisting of cross-departmental staff with the required subject and technical knowledge to direct the company’s ongoing management and monitoring of the risk. Establish clear objectives that articulate the company’s desired capability to prevent or mitigate the risk. Set tactical goals for each consecutive quarter aligned with the management’s stated objectives. And encourage each working group to meet regularly, with the frequency defined relative to the nature, complexity, probability, and potential harm caused by the risk.
Essential requirements to guide each working group include:
A short, focused charter setting out the working group’s objectives, composition, roles and responsibilities, and meeting frequency.
A simple project plan setting out the group’s activities and interdependencies. Activities might be divided between tactical activities intended to provide immediate support whilst more permanent activities are implemented.
Defined methods, data sources (internal and external) and activities to periodically re-assess and proactively monitor risk characteristics and probability changes.
Target outcome: a targeted plan of activities to manage and monitor each critical risk, supported by a cross-departmental working group bringing together the required subject expertise.
Integrate Risk Oversight Into Existing Corporate Governance Channels
Allocate thirty minutes of each board meeting, or extend each meeting by thirty minutes, to hear from appointed management members on the progress made in addressing each critical risk. Encourage management members to report on improvements made in detecting, preventing, responding to, and recovering from the extent of disruption likely to be caused by the materialisation of each risk.
Board members should remember that Enterprise Risk Management is a commitment to continuous evolution. As the understanding of risks evolves, so should the practices deployed to prevent or mitigate such risks. In this vein, the board should challenge management’s understanding of critical risks (including potential harms and impacts) and management’s decision on whether to pivot or persevere with current risk management practices and targeted improvements.
Target outcome: regular challenge of current and planned management actions intended to prepare the company’s strategic, business model, financial and operational resilience to withstand the next crisis.
Conclusion
Every company is in the business of managing risk. As companies embrace the technology revolution, adapt to changes in global markets and adjust to a new normal – defined by going from one crisis to the next – management and board members must explore ways to evolve the integration of Enterprise Risk Management and resilience practices into the functioning of the company.
For some companies, building a business model exhibiting the highest standards of enterprise resilience will require dedicated management focus and continuous capital investments in Enterprise Risk Management. For other companies, particularly those at the beginning of their Enterprise Risk Management journey, starting small and simple will provide a platform to evolve the integration of risk management in a manner that is fit for purpose and embedded into the strategy and functioning of the company. There is always opportunity in a crisis. But it takes being prepared to anticipate and realise it.
Is your company resilient enough to withstand the next crisis? In the current operating environment, defined by a new normal, it is not a question of if but when disruptions will occur due to materialised risks.
Christopher Thackray (Chris) is a risk management and resilience professional with 22 years of global industry and consulting experience. Chris is a sought-after thought leader in risk management and a trusted advisor to management and board members across industries. Chris combines his proven expertise in risk management with his strategic, forward-thinking, and analytical abilities to advise and assist business leaders with building tested, commercially competitive, resilient enterprises. Chris has worked across the Auto, Aviation, Financial Services, Oil & Gas and Power & Utility industries to help business leaders confidently anticipate, prevent, adapt, respond to, recover and learn from disruptions caused by changes in internal and external operating conditions.