On April 18, prime minister Theresa May announced a snap general election. On May 11 recruitment website Hired.com published figures suggesting that the UK’s foreign technology talent pool, which draws heavily on workers from the European Union, has halved since the June referendum last year.
The following day, on May 12, a computer virus was unleashed which spread quickly across the world, crippling corporate systems and, in the UK, disrupted NHS networks.
These events and hundreds more show how, in the space of a few short weeks, the business environment can alter radically. Seismic events happen suddenly or can percolate gradually and in a connected world the impact is often widespread and profound.
Risk strategies have moved with the times. The best ones are fluid, agile and incorporate the understanding that threats appear with a regularity you can depend on. Small businesses, as well as corporates, understand this and on the whole attitudes to risk have matured.
Proactive people
A crucial part of an organisation’s defence is its workforce’s alertness; people’s ability to contain risk and move decisively should something unforeseen happen. A crystalised strategy is one thing, empowering people to act is another.
Transparency, then, is all-important. It is a buzzword thrown around by C-suite executives, but in private some underplay its significance, says Stephen James, partner at law firm Clarkslegal.
“Risk management must be more than a box-ticking exercise. Organisations at the centre of recent corporate scandals had risk structures in place, but they were not followed in practice,” he says. “There must be allocation within the organisation for primary responsibility for risk management and from this central point must flow a clear chain of responsibility, to cover risk across the entire organisation.”
Kevin Lester, managing partner at Validus Risk Management, believes the number of out-of-the-blue threats, so-called unknown unknowns, is growing in the current climate. The situation requires a highly developed strategy with multiple touchpoints across the organisation.
Creating such a strategy begins with setting out clear objectives that everyone can understand, incorporating company goals and appetite for risk. This is to be enshrined in a formal policy, but must also flow informally through the organisation’s culture.
Risk management should have a strong link to the commercial strategy with areas of responsibility given to individuals who are charged with “owning the risk”. These individuals must be equipped with the resources and power to manage change.
Risk profile
Top executives should create mechanisms for risk reporting up and down the chain of command. Risks must be reported in an intuitive way and qualified where possible, says Mr Lester. Lastly, cost-benefit must be measured and reported regularly, to gauge whether the system works and is value for money.
Val Jonas, chief executive of Risk Decisions, agrees each organisation’s risk profile should be embedded rather than offered up as a fringe exercise. In particular, she says it’s vital for individuals to be clear on how much risk the management team is willing to take.
People working on the ground are uniquely placed to comprehend and communicate the specific threats they face
“Build this into your risk management targets and establish the mitigated level you need to achieve for your risks. This includes not over-managing risk that might be beneficial. After all, companies are in business to take some risk to maximise their returns,” she says.
“In large organisations, each division, department, business unit, functional area, programme and project team will tend to have its own identity. So the challenge is to combine those identities together into a shared, holistic organisational culture.”
What transparency means in practice
In essence, transparency means imbuing an organisation to enact change. Those with well thought out risk procedures will nevertheless blunder into problem areas when a crisis looms unless people in the right areas are kept abreast of policy and feel confident acting on initiative.
Business throws up a vast tapestry of risk and managers at the very top of the chain have neither the time nor the competence to keep it all in check. People working on the ground are uniquely placed to comprehend and communicate the specific threats they face.
Each department – finance, human resources, marketing, IT – has a different profile. People in charge must recognise the fact and open channels of communication so information can flow freely, says Emma Carr at law firm Gowling WLG.
“At senior management and board level, an organisation must be clear and transparent about risk strategy and governance, provide adequate oversight and be accountable for risk management practices,” she says.
“At an operational level it is key that those risk management practices are implemented and adhered to, regularly monitored and regularly appraised with results fed back up the chain.”
This structure’s importance is summed up in the so-called Noah Rule coined by the world-renowned investor Warren Buffet. It states: “Predicting rain doesn’t count. Building arks does.” At the end of the day, execution is everything.
“A risk strategy is only as good as the organisation’s ability to act upon it,” says Campbell Macpherson, author of The Change Catalyst.
“Execution risk is arguably the greatest risk of all, because without the ability to implement, the most comprehensive risk strategy is not worth the paper it’s written on. Your ability to execute will boil down to the capability of your people and the culture of your organisation,” he says.
By empowering employees, organisations can insulate themselves from the nasty surprises that block progress. Conversely, by walling up responsibility for risk prevention, the C-suite deny themselves a robust defence against the future’s volatility.