Risk management evaluations are central to understanding property risks and the communication of these risks to employees plays a vital role in the overall property risk mitigation process

Appreciating the extent of an organisation’s various property risks is only half the challenge. The other half is determining how this information, and any actions and processes that must be undertaken, can be effectively communicated to employees.

Some of the best tools for communicating property risks are training, drills and exercises, according to Singaporean risk manager Gordon Song. Song says that the purposes of these are to test the robustness of response plans and to ensure that employees are continuously familiarised with business interruption threats such as fire and outages.

“Normally, companies select a scenario, or perhaps a few scenarios throughout the year, and simulate a threat event that blocks access to a facility,” says Song. “Examples [can include:] a facility semidestroyed by an explosion and fire; operations having to run below 100% capacity [following] an event such as a pandemic outbreak where some staff members may be quarantined; or if an alternate site needs to be activated – and such sites are usually not exact replications of the size of the original facility.”

Song says the first step is often the ‘activation’ of the crisis, resulting in what is known as a ‘call cascade’ or ‘call-tree activation’. this is where people contact each other in a cascading fashion via phone or SMS. “The response plan is then activated and some companies do simulate this with the full extent of role-play, set up of the crisis centre and the like,” he explains. “Preassigned observers take notes of what they observe throughout the drill. a debrief is conducted after the exercise has been called to a stop. Following this, normally within a week or two, a formal report will be tabled outlining the good, bad and ugly [elements] of the exercise, with recommendations for improvement. This then normally results in the response plan being revised where necessary.”

Song says this process is known as a ‘full-crisis simulation exercise’, and it can be performed for any kind of risk, such as a pandemic outbreak, fire, it system downtime and flood. “The nature of the test determines what is involved,” he says. “For example, in some countries where power outage is a major risk, the test would include whether the UpS [uninterruptible power supply] kicks in, and how long the backup genset [generator set] can last with the diesel supply. One company ran this test and found out during the drill that the backup genset, which needed to be manually turned on, was locked behind a steel shutter that was opened electronically, which obviously could not be opened since the power supply had been cut.”

Song says exercises can also be run on ‘table top’, a process known as a ‘desktop simulation’. “in such an exercise, there would be an overall ‘exercise in-charge’, this is sometimes outsourced to a consultant or expert,” he explains.

“The simulation is called to a start and involves the senior management team being called to a crisis room. The in-charge then bombards the senior management team with ‘injects’, which adds dimensions to the crisis. For example, if the crisis being simulated was a fire in a warehouse, one of the injects could be that the incident was now going viral on social media, with wild speculations of the company concealing unsecured hazmat [hazardous materials] on its premises. This  would test the senior management’s response to the development of a PR crisis, in addition to the operational crisis. the benefit of a table top exercise is that such side-scenarios can be added to spice up the exercise and test more dimensions of the response plan.”

Culture and communication

To perform effective risk communication, a company must assess its culture through qualitative and quantitative research methods. These can include personal interviews, focus groups, surveys and observations to understand employees’ attitudes, beliefs and values. It is also important to understand the influences on culture, such as people, leadership, policies, procedures and processes.

However, what constitutes company culture? A white paper produced by risk consultancy Protiviti defines it as a “set of shared values, attitudes, goals and practices that characterise any group”. Titled Mitigating Risk Through Targeted Communications Requires Understanding Organisational Culture, the white paper emphasises the importance of comprehending a company culture when communicating risk to employees.

It lists steps that can help to achieve a successful cultural assessment, such as: understanding the problems and issues; understanding what employees believe their role is with regard to these issues; determining what employees would do differently compared to current methods; determining the best methods for educating employees about the desired behaviour(s); and developing the most effective method for associates to receive and be receptive to the information.

The idea is that, once a company culture is better understood, risk managers are more able to provide targeted risk communications that will grab the attention of employees. When communicating property risk, employees  will progress in their understanding of these risks only if they have paid attention to the communications on these matters.

Chief risk officer at Scentre group Eamonn Cunningham says the best approach to communicating property risks to employees is with brevity of messaging. “Messaging to staff [should be] short and straight to the point, described in the manner that people  truly understand,” he says. “Using the examples that are relevant to the audience assists in getting the message home as [does reminding] employees on a regular basis. Short, punchy emails can be very effective.”

Cunningham explains that one of the better ways of being confident that the message is understood is to have employees actively engaged in developing control measures. “These may be new measures or the  enhancement of existing ones,” he says. ”[Employees] own the risk and therefore have to play their part in doing whatever is possible to reduce the likelihood of occurrence or the consequence should it arise.” 

Cunningham adds that self assessment questionnaires remind employees of their responsibilities, but also encourage the adoption of previously agreed protocol. “Certain key employees in our business are obliged to complete self-assessment questionnaires on a regular basis,” he says. “This can then be backed up by compliance checks undertaken by the internal audit department. Self assessments form a part of a workflow system whereby a supervisor or manager will review what [employees] say [they] have done or not done. in addition, audit monitors any lack of adherence to agreed procedures.”

Assessing relevance
According to corporate performance think-tank OCEG, many executives want to know how risk training and communication can be made more effective and efficient. to answer this, risk managers must first ask an equally important question, namely as to how relevant their education and communications efforts are. OCEG  finds that, unfortunately, the answer is often that these are not sufficiently relevant.

An OCEG illustration titled How Should We Educate And Communicate About Compliance Risksstates that: “The problem is that too many compliance and risk education and communications programmes operate according to a one-size-fits-all approach. When all employees, regardless of the degree to which they  encounter potential compliance risks on a daily basis, are dipped into the same vat of education, many employees will find the content to be irrelevant. Those employees not only retain much less of the education content, but they can also become less receptive to future training and communications that are highly relevant to their job roles.”

Not only do too few companies tailor their compliance messages and training, many organisations overload their workforces with less-than-relevant risk content. So how can property risk communications be made more relevant? The OCEG suggests that this process should start with a risk analysis of jobs, as not all job roles – even those that are located in the same function or department – have the same level of exposure to a given risk.

As the Oceg puts it: “Once the risk relevance levels of different jobs have been identified, governance risk management and compliance managers should determine what knowledge each role requires given its risk relevance. In other words: what is the desired level of risk awareness and skill for someone in this job? At that point, the content and delivery method of compliance  training and communications can be tailored to eliminate gaps between actual and desired levels of risk awareness.”

The OCEG also advises that greater attention to delivery methods can help to improve the overall effectiveness  and efficiency of compliance training and communications. “Employees in high-relevance jobs might receive in-depth classroom- based training instruction on a specific risk (or set of risks) while employees in low-relevance jobs might receive computer-based training or, simply, sign off that they have read the appropriate policy and procedure related to the risk,” it states.

“Similarly, employees in highrelevance jobs would receive more frequent communications about the risks – such as e-mail newsletters, blog posts, e-mail reminders and/ or refresher courses. the higher the risk relevance of a job, the deeper the initial compliance training for that job – and the more frequent ongoing compliance communications and support – should be.”