Is risk management strategically fit for purpose when it is too reactive and compliance-focused? asks Adrian Clements
As has been demonstrated so starkly through the COVID-crisis, decision making has become more difficult in a world beset by rapid change, growing uncertainty and volatility. The speed of change is inevitably faster than our understanding of the consequences, particularly when it comes to emerging risks and shocks.
Traditional and emerging risks are accelerating and being amplified in so many different directions that the risk manager, who is supposed to always keep one eye on the future, will be too busy reacting and responding.
None of this is going to get any easier, particularly given that the challenges we now face - including climate change - are so fundamental and long-term in nature.
StrategicRISK has brought together a select group of risk experts from different industry sectors to put their ideas on where the future lies into words. The aim is to encourage a constructive dialogue on what is needed to animate change, particularly at a senior level.
Building on the #ChangingRisk campaign, which launched in 2019, the new #ChangingRisk Thinktank will seek to answer the following question through a series of thought-provoking articles: What will make risk management fit for purpose now and into the future?
It is unlikely that the approach to risk management that we current have will be sufficient for the future, as it is mostly based on the past. And the future looks completely different.
As a result, it is no longer sufficient to use the past as a proxy for the future.
Where do the decision-makers turn?
As the world changes and risks become more interconnected, complicated and uncertain, decision makers are looking for a safe harbour. Places they can go to for risk insights and advice.
But are those safe harbours safe? Are they unbiased? Are we prioritising the right things or are we missing the bigger picture?
Some examples of these safe harbours were crisis management plans and business continuity strategies. They were the use of mathematical models for simulation, insurance policies for transfer and audit reports and recommendations for governance. And when we look back at 2008, 2012 and 2019 we might need to ask, “what did we miss and why?”
We are now in 2021 and looking at COP26 and the emergence of ESG. We see consulting companies adding staff with specific skill sets, we hear of companies placing experts on governance boards and we find that the financing of certain activities is becoming more challenging as funding is increasingly focused on a bigger picture goal.
Even practices such as the purchase of forests in Brazil as a carbon offset is coming under scrutiny as this now appears to be a negative investment.
So what has changed? Actually nothing. The information was there all along, but perhaps we were too focused on the trees that we missed the forest.
If the information was already there, then firstly, what might have been missing, was the speed of the change taking place, and the amplification of this risk or opportunity. By taking this acceleration of change into consideration, it might have risen up the importance scale and we could have done something sooner.
What has also been blindsiding us is a strong bias on internal processes, company results (from an inside-out perspective) and succumbing to the ongoing pressure to be compliant with common regulation and legislation, which is out-of-date at best and typically well behind what is happening in the wider world.
Decision-makers therefore need to adapt to become more opportunity-driven and focused on future needs. The good results will be a consequence of doing the right thing.
No matter who we are or what our position is in this world, we are looking to obtain insight. Help in developing and formulating a vision, establishing a strategy and implementing a system that is effective and efficient to attain personal and company goals.
But increasingly, these goals are not enough and we need to aim to satisfy the needs of a broader group of stakeholders. The current resonance from industry following COP26 is, “its not enough! Goals are set to low!”
So what is the role of risk management when we consider these macro-trends, and is it - in its present form - still fit for purpose?
Time for a broader view
When seeking to provide decision-makers with insight there is a natural need to look at how risks and opportunities directly impact your organisation, but also how these changing elements pose risks and opportunities within the wider ecosystem.
The COVID-19 pandemic and the Suez Canal blockage, for instance, demonstrated how major, systemic events have ripple effects across supply chains and impact customers, as well as entire industry sectors.
For these wider impact events ask, have you sourced in the same countries or with the same suppliers as your competitors? Are your customers all located in a geocentric area subject to one bottleneck? If yes, then are you a customer of choice or are your stock levels sufficient for longer duration events? Is it your material logistics or workforce that is exposed to these events?
Such an outside-in view, identification of sector aggregation points, logistical bottlenecks and loss of key sector functionality can make the difference between your organisation being resilient through a crisis or losing key clients or markets.
When considered through an ESG or stakeholder capitalism lens, it is clear we are being asked to consider actions and make decisions that not only improve outcomes for our own organisations, but also those which preserve the future sustainability of the planet and its ecosystems as well.
Previously the goal was to help the company achieve its own strategic goals, with these other elements being deemed of lesser significance. But this is no longer the case.
Resilience and sustainability
As we look to future opportunities, we must consider that 80% of a company’s value is now made up of intangible assets. This clearly will play a significant role in future decision-making.
How, for instance, are you measuring and monitoring the value of reputation or ESG? Far from being just a reporting exercise, these metrics are essential for benchmarking future success.
We also see that traditional ways of categorising the risk universe are no longer effective. Finance, operations, strategy and “other” are the top level categories, but they do not adequately reflect the world of today.
Human capital, business model capital and innovation capital are playing a more significant role in behaviour and growth. So do we need a new set of risk ‘buckets’?
Looking deeper, it becomes clear that behaviour and company culture play a significant role in an organisation’s success.
Does your culture go beyond public declarations of “openness, trust, honesty and integrity”, and actually seek to embody these values through consistent actions and behaviours, with the tone set from the very top?
Time to challenge
It is time to challenge the approach that has been taken for many years and has led us to the situation we are currently in. So what should the future hold?
It is time to go beyond the many guides and standards which were once used as guiding principles within risk management and think more critically. And to capture the key elements needed for the future purpose of advising and supporting decision-making, an approach which ensures all stakeholders are adequately served.
Presently, as organisations continue to navigate the current set of challenges, we see far too many sectors clinging to their comfort zones, fine tuning what already exists with the aim of not rocking the boat. But such an approach will not allow us to build resilience in the face of an uncertain and more volatile risk landscape.
In this series of articles, by-lined by a line-up of seasoned and well-respected risk professionals, we will shine a light on some areas where change is most needed in order to better prepare for a more volatile and interconnected world.
And we will consider the ways in which the role of risk management must adapt to ensure we adequately address the future needs of stakeholders.
Adrian Clements is president and CRO at AT-IPIC
Next in the series: When to think about risk.