Risk management is now firmly on the C-suite agenda and is increasingly recognised as central to a successful business. And yet despite this, time and time again, businesses are finding themselves exposed by a crisis, often resulting in significant financial and reputational damage.
Very often, it is not the event itself that causes the most harm, but the response of the organisation. Crises unfold and enter the public domain with terrifying speed. This is one of the defining changes in risk management in recent years, but most executive teams are still failing to react quickly or decisively enough when a threat or incident emerges.
What is going wrong? Most traditional risk governance and identification processes presuppose that the operating environment is relatively stable, predictable and slow moving. The typical focus for risk mapping and planning is therefore on compliance and rigour. Boards might visit their risk register on a quarterly basis or review their risk management procedures once a year, for example. The result, however, is that board-level engagement with risk management is based only on a series of snapshots.
This unfortunately does not reflect real life. Worse still, it can result in a false sense of security as organisations feel they have risk management covered. Compliance and structured risk mapping are important, but will not equip boards to deliver an effective real-time response when a crisis unfolds.
Take, for example, the incident in April when a passenger was filmed being dragged off an overbooked flight. Within hours, the video was shared globally via Twitter to widespread criticism and even calls to boycott the airline. The chief executive’s initial decision to defend the actions followed by a belated apology only fanned the flames, and made the leadership look indecisive and insincere. Within hours, the organisation was facing a legal battle, a tarnished reputation and a drop in share price.
Ten years ago, this event would probably not have even surfaced, but today social media lays bare corporate shortcomings in an instant. Board leaders will be asked for instant responses and will need to appear prepared, transparent and in touch with both their business and the expectations of their stakeholders, including the public.
Most boardrooms today are not empowered with the right risk knowledge to respond effectively in this pressure-cooker environment – what is missing for so many is agility. Instead of receiving static risk information at predetermined intervals, boardrooms need to view risk as a series of continually evolving threats, any of which could erupt at any moment. It is therefore essential that senior management have the information and rehearsed crisis plans to respond quickly.
Moreover they must have the authority and understanding to adapt those plans as needed. According to one of Britain’s most experienced generals, Sir Richard Shirreff, some boardrooms are now looking at how the military handle fast-moving crises and how they rapidly switch gears when the situation dictates. According to Sir Richard, on the front line, as in business, you can never predict the future or control chaos, you can only adjust strategy to take into account unforeseeable events.
None of this is easy, but boards will have a significant head start if they continually have a finger on the risk pulse of their organisation and operating environment, even when it feels benign. Boards therefore should explore ways to bring risk evaluation into all aspects of the business and build agility into the management culture of the organisation.
This requires a different way of thinking because it is about culture as much as processes. But the rewards are clear. Research by Airmic has shown that an ability to adapt and respond quickly to a changing environment is a key pillar of a resilient business. Too many company directors think it will not happen to them, but it could happen today and in a matter of hours.