Managing Risk and Organisational Resilience in Times of Crisis | Webinar Q&A
On April 22nd, Solvay Executive Education (SEE) hosted a webinar on managing risk and organisational resilience in times of crisis. The event was part of our Leading in Times of Uncertainty free webinar series, a regular feature every Wednesday at 5 pm. This webinar series reunites topics whose relevance we believe is tied not only to the COVID-19 pandemic and its impacts but more importantly continues beyond the immediate time horizon of the crisis.
Risk management and organisational resilience are bound to always be hot topics, and now more than ever. We were thrilled with the high engagement of the audience and the huge number of questions coming in, many of whom we didn’t have the time to address live. That’s why after the webinar we sat down with Michael Malone, guest speaker and adjunct faculty in some of our enterprise risk management to discuss some of your most pressing questions.
How can organisations ensure that the board of directors is both aware of the risks that matter and able to make the necessary decisions in terms of risks management and resilience?
This question goes to the core of what proper risk management is all about: bringing transparency to an organisation’s risk profile and doing so in a way that facilitates risk-informed decision making at all pertinent levels.
It’s not enough for the board of directors to just understand the risk profile. They also need to focus their attention on the top risks (those that matter most), making sure there are appropriate treatment strategies in place. It is also imperative that they ask the ‘what if’ questions related to the occurrence of events (i.e., risks coming to fruition) and understand how resilient the organisation is (i.e., how well it will be able to withstand these events).
All of the above comes down to having a well-designed risk management programme embedded in the business. We looked at this in depth during the webinar, but to refresh your memory, the risk management programme should focus on:
- Identifying risks
- Assessing (identify, analyse and evaluate) risks
- Managing risks
- Monitoring & Reporting risks
These four steps are entirely focused on facilitating “risk informed decision making” at the pertinent level (generally the executive level) of the organisation. Failure to have such a well-structured and embedded programme will result in the organisation “flying blind” not being ready to absorb impacts whenever an event occurs.
When it comes to resilience, the focus should be on bringing transparency to the organisation’s resiliency (with a focus on operational, supply chain and information resilience). One should also make sure there is an effective and tested Business Continuity Plan (BCP) in place and ready to deal with events as they occur.
All organisations face challenging events over their life cycles, so it’s always best to prepare in advance. During the webinar we spent considerable time discussing how to structure organisational resilience. We also walked through the 5C’s that I developed to simplify the end-to-end structure of a resilience programme. As a reminder, the 5C’s are as follows:
- Context: develop a deep understanding of the internal and external context that is relevant to your organisation’s ability to meet its objectives and long-term strategic goals.
- (un)Certainty: gain a deep understanding of what risks matter most to the organisation.
- Culture: without an appropriate risk culture in place (including trust and transparency), it will be impossible to gain a complete understanding of the risks that matter.
- Continuity: design and test a Business Continuity Plan. This should be based on risk assessment, a Business Impact Analysis (BIA) and a clear understanding of what your business continuity objectives are. Ask yourself questions like How quickly do we need to be back to normal (Business as Usual, BAU)? Which products/services are most valuable to us? Which customers are most important to us?
- Continuous improvement: as is the case for many process-driven initiatives, it is critically important to continuously improve as you learn more. Specifically, in the case of Business Continuity Plans, it is imperative to frequently test/drill and gather data. What you learn from these tests will feed into the continuous improvement of the plan.
The above is meant to provide a helicopter view of the structure and processes that will support effective risks management and organisational resilience. Risk management and resilience are a continuum, both supporting risk informed decision making and reducing the magnitude and frequency of surprises.
How can organisations use risk culture as a way to build trust and bring more transparency to the risks that matter?
Organisational culture is critically important to all aspects of managing a business. In the context of risk management and organisational resilience, it’s even more so.
Understanding the organisation’s prevailing culture is the key to managing risks, reacting to crises and implementing an appropriate BCP. The tone taken at the top of an organisation is critical as it enables the (core) values that the organisations strives to live by. It also helps develop trust between leadership and employees. Without this trust, an organisation cannot achieve full transparency on the risks that matter.
All too frequently, lip service is paid to the domain of risk management, leaving organisations exposed when events occur. Organisational culture and risk culture are very much interlinked, and many would argue that they are in fact the same thing. When we consider culture in its entirety, we need to understand both top-down and bottom-up components.
Whilst culture is clearly a broad and complex domain one can simplify it by asking and answering such questions such as:
From a top-down perspective
- Is there a truly board level engagement?
- Does the C-suite support matters of risk, resilience and business continuity?
- What are the core values of the organisation and are they known and lived by everyone?
From a bottom-up perspective
- Are people willing and allowed to ‘speak up’ and bring transparency to the risks that matter?
- Are the right resources in place?
- Is there the right level of education and awareness?
- Do employees trust the leadership?
To ensure that the right risk culture is in place, one needs to consider all of these components: diagnose where your organisation is (current state), define where you need to go, and enact a change management programme that will get you there. Doing so will bring full transparency to the risks (opportunities and threats) that matter most.
In the absence of an appropriate risk culture, organisations will struggle to identify and manage risks, effectively react to crises and ensure business continuity. This will ultimately result in a negative impact on their value and reputation in the eyes of customers. In other words, organisations will lack agility at a time when it matters most.
What are the overarching political risks associated with COVID-19?
As always, we see risks as being both a threat and an opportunity. From a political perspective, there is an opportunity for governments to work across borders to coordinated a global effort to mitigate the pandemic’s health and economic impact. This global coordination would support finding a potential treatment in the short- to mid-term and, ultimately, a vaccine in the mid- to long-term. Economically, it could facilitate a global effort to rapidly stimulate economic recovery and effectively aid the developing world as the virus gains a foothold there.
There is, however, the threat that countries – particularly the most powerful – will retreat to nationalism. Despite the fact this is a global virus that respects no borders, leaders will play to the masses and favour protecting their borders and placing their needs above those of others. In other words, countries would be taking a short-term view despite the obvious long-term challenges of doing so. Over time, this will lead to a localisation or regionalisation of supply chains, with all the associated disruptions. Not only will this create the illusion of being more in control, it could also lead to the development of an ‘us versus them’ mindset.
Unfortunately, the early signs sway more toward the threat side, as the most powerful countries are acting unilaterally and pointing blame at others. This is a space that we need to watch closely.
Interested in risk management? Solvay Executive Education also organises an Executive Programme in Enterprise Risk Management, in collaboration with the Institute of Risk Management in London.