Time to take the lead on managing risk

In a fast-moving and competitive environment, businesses must be prepared to take far-reaching steps to identify and deal with risk

It is 31 years since the FTSE 100 stock market index was launched as part of the preparations in the City of London for the deregulation which became known as Big Bang. It comprised the biggest stock market companies of the day. Today only about ten of the original 100 survive.  Bankruptcy, takeovers and growing irrelevance have taken care of the others.

There is a similar pattern in the United States. According to Yale Professor Richard Foster in the 1920s, the average age of the companies in its main index, the S & P 500, was 67 years. By 2012 the average age had shrunk to just 15 years. Now it is even less.

It seems clear that public companies don’t survive and prosper like they used to. Modern business life does not allow them to.

Technology has changed how businesses compete. Even traditional firms are dependent on modern technology for design, innovation and marketing, and this makes them vulnerable to the scourge of cyber crime.

Twitter
Social media demonstrates every day how the world has moved on, but many businesses are still stuck in their silos

People risk is a similar though a less modern phenomenon. The real value of the business is often lodged in soft skills more than traditional production processes. But because these skills are knowledge based and people oriented they are much harder to patent, to keep secret or control. People move jobs and the business’s competitive edge goes with them.

Then there is the pace at which things happen and the speed with which management is expected to react. Social media demonstrates every day how the world has moved on, but many businesses are still stuck in their silos.

Risk control systems in business almost entirely follow the pattern of traditional hierarchies in their approach to potential problems and their reporting lines. For good measure they are rooted in middle management. It follows, therefore, that the changes in business structure precipitated by the arrival of social media are going to require a fundamentally different approach.

Any command-and-control hierarchy struggles to respond fast enough. This is even more the case because so many of today’s challenges are social-media driven and reputational; witness the recent problems of Thomas Cook and the Corfu holiday gas death case. Risk management is usually numbers driven, prone to box ticking, and often out of its depth when it seeks to identify and deal with softer intangible risks, supply chain weaknesses and reputation.

There is probably more money being spent on risk management than ever before, but things still keep going wrong

Business structures are also a problem. Businesses organised in silos can be poor at cross fertilisation. Threats and risks are reported upwards, but they are seldom reported across. Similarly risk control specialists are trained to look downwards and sideways, seldom to look over a wall and never to look up.

Up matters because there is a lot of people risk in the upper echelons of business. Directors under pressure may be as prone to rogue behaviour as employees further down the pecking order, but they are too far up the food chain to be tackled by those in charge of monitoring risk who suspect, often correctly, that they will simply be fired for their candour.

There is probably more money being spent on risk management than ever before, but things still keep going wrong. So you either believe that the modern organisation is so vast, fast moving, interdependent and complex no one can have any real idea what is going on in detail across the whole group – what you might call the HSBC defence. Or instead you think that a lot of money spent on risk management is wasted partly because it is not organised in the right way.

Airmic, the UK association for risk and insurance management professionals, and the think-tank Tomorrow’s Company take the latter view and recently called for firms to appoint a senior executive to take on responsibility for risk leadership. It will be his or her job, with or without a team, to go anywhere in the organisation, to assess cultures and to understand how performance is achieved. They will know no boundaries.

If the business model, the culture and the results are out of alignment, this leader should say so; their internal and external sources should alert them to problems which have not yet shown up in the numbers. They must avoid being trapped in a silo of their own and see instead how events in one silo could destabilise another. And it would be for them to report to the board if they thought the chief executive was pushing too hard and forcing people to cut too many corners.

We cannot tell at this stage how many companies will be prepared to take such far-reaching steps or how many will find an executive willing to take such a job. But companies that refuse to think along these lines are themselves taking a big risk.