When my association commissioned Cranfield School of Management to research corporate resilience, it was primarily an investigation into good risk management. As our report Roads to Resilience took shape, however, it became clear that the implications were much more far reaching. The qualities that make companies resilient make them superior in other respects. Among many other things, they have better reputations, loyal staff and suppliers, and strong relations with their customers.
We concluded that resilience should be at the heart of corporate strategy. In too many organisations it is still something you do in case things go wrong or a box that the compliance people have to tick. If that is the position, you are missing a great opportunity to become more competitive.
First, some background. In 2011 we published Roads to Ruin, which looked at 18 individual case studies of catastrophic failures of risk management involving 23 companies; it identified several common failings that can cause crisis, regardless of sector. Roads to Resilience is the other side of the coin; its main purpose was to investigate successful, resilient organisations and whether they also have features in common. The short answer is that they do – and the attitude of the board is invariably pivotal.
To find out what makes a company resilient, researchers from Cranfield School of Management interviewed senior staff with risk management responsibilities, including chief executives, at AIG, Drax Group, InterContinental Hotels Group, Jaguar Land Rover, Olympic Delivery Authority, The Technology Partnership, Virgin Atlantic and Zurich Insurance.
Enterprises become more resilient by being more responsive to their customers and the markets they serve
It soon became clear that resilient companies do not just happen. They have cultural and behavioural traits that encourage all employees to be flexible, customer focused and alert to danger. Just as certain factors crop up repeatedly in failing companies, the resilient organisations we studied adhered to all of five common principles even though they operate in very different environments. The five principles of resilience are:
1. RISK RADAR – the ability to anticipate problems before they develop, partly by seeing things in a different way.
2. RESOURCES AND ASSETS – that are well diversified, providing the flexibility to respond to opportunities as well as adverse or changing circumstances.
3. RELATIONSHIPS AND NETWORKS – that enable risk information to flow freely throughout the organisation up to directors to prevent the “risk blindness” that afflicts many boards.
4. RAPID RESPONSE – to ensure that an incident does not escalate into a crisis or disaster, and that people and processes are in place to restore things to normal as quickly as possible.
5. REVIEW AND ADAPT – the ability to learn from experience, and make the necessary changes so that every adverse event or circumstance is analysed and evaluated, and improvements made to strategy, tactics, processes and capabilities.
Top management at these organisations take resilience extremely seriously. They appreciate that, although risk controls are essential, they are only part of the story. Nurturing the right culture and behaviour is the key to resilience. This requires leadership from the board and a relationship based on trust with staff, suppliers and other key stakeholders.
At Virgin Atlantic, for example, senior executives work in one corner of an open-plan office on the second floor. Colleagues can come to them with their thoughts and there is a no-blame culture.
To quote the head of internal audit, on secondment from a big-four professional services firm: “There is an executive team who do not really have egos. They are happy for you to go and have an honest conversation with them.”
As a result, vital risk information travels around the company and the board make well-informed decisions. This contrasts with the risk blindness evident in virtually every corporate failure identified in our first report Roads to Ruin.
Virgin Atlantic helps to illustrate another of our report’s themes. Although the five principles of resilience are essential, they do not exist in a vacuum. They reflect four aspects of any company, which we have called “business enablers”: leadership and governance; people and culture; structure; and strategy, tactics and operations.
Five principles of resilience and their business enablers
These enablers are central to creating a dynamic and holistic approach to risk management, but they are much more than that. Enterprises become more resilient by being more responsive to their customers and the markets they serve; their staff and suppliers are motivated and loyal; they gain trust by being more dependable; and their reputations benefit. When they do have serious mishaps, they are ready and their stakeholders are willing to give them the benefit of the doubt. Quite simply, they are better companies.
At all our organisations a tremendous amount of hard work had gone on behind the scenes to make them resilient. Invariably, top management provided the oomph, while their risk colleagues gave essential technical input.
It would be interesting to debate whether companies become resilient because they are well managed or whether it is the other way around. I am sure it is a combination of the two. Either way, “resilience” is more than just a word. It is the lifeblood of any successful organisation.
CASE STUDY
RISK LINKED TO REPUTATION AT HOTEL CHAIN
At InterContinental Hotels Group (IHG), a lot of time and effort goes into creating the right resilience culture. To quote the head of global risk management: “You’ve got to have the right culture, otherwise you’re never going to embed anything. Nobody’s going to do the training, nobody’s going to put it on their personal agenda and talk about it.”
IHG has defined a structure that ensures risk management is embedded throughout the organisation. According to their 2012 annual report: “IHG recognises the importance of having in place an effective system of internal controls and risk management to achieve our vision of becoming one of the great companies in the world.”
The hotel chain aims to raise risk awareness at the board, executive committee, throughout the leadership teams in the regions and functions, in every hotel and with all employees. The various processes for dealing with risk are applied across three levels: strategic; tactical; and operational.
The understanding of risk is intricately linked to reputation. To quote the annual report again: “The purpose of risk management is to champion and protect the trusted reputation of IHG and its brands.” The ambition is to foster a culture where risk management becomes instinctive.
Risk governance is established through a cross-function working party that meets four times a year. Risk information is constantly collected, communicated and assessed; the output is used to drive discussions at the executive committee, audit committee and board.
Through having risks identified and plans to deal with adverse circumstances already in place, IHG has developed an ability to deal with unexpected situations. Training and informal discussion groups are used and crisis management scenario planning sharpens the culture. IHG has developed risk awareness, a structure and a culture that allows information to flow freely.
John Hurrell is chief executive of the risk management association Airmic
For more information about Roads to Resilience, by Cranfield School of Management and Airmic, go to www.airmic.com