In an era marked by unprecedented challenges, a significant number of organisations have come to the realization that their preparedness for crises is insufficient. These crises and emerging risks could potentially destabilize them and, in extreme cases, force them out of business. This article delves into the crucial role of the board in ensuring readiness for such existential risks and provides a roadmap for effective risk management.
Understanding the Current State of Risk Management
Recent surveys of corporate directors and board members worldwide have painted a somewhat concerning picture of the current state of risk management. A significant number of respondents expressed dissatisfaction with their performance in this area. A mere fraction of those surveyed believe that their boards have been most effective at risk management. Furthermore, less than half of the respondents expressed confidence in their organisations’ preparedness for the next large crisis and continually emerging international risks.
This data underscores the urgent need for boards to reevaluate their approach to risk management. It’s clear that the traditional methods are falling short in the face of modern challenges. Boards must now ask themselves what they should be doing to prepare for future crises and emerging international risks and how they can revamp their approach to crisis and risk management.
Identifying and Prioritizing Risks
When it comes to risk management, not all risks are equal. High-consequence, low-likelihood events, although rare, can cause long-term economic impact, significant reputational damage, and leadership changes within companies. These are the types of risks that boards should focus their energy and time on, without forgetting the “predictable surprises” (high-likelihood, low-impact events that companies should be managing as part of business continuity activities). The board’s focus on effective risk management, and on the right types of risk, is crucial.
However, identifying these risks is only half the battle. The next step is prioritizing them. This can be a complex process, as it involves weighing the potential impact of each risk against its likelihood. Boards must strike a balance between addressing immediate, high-likelihood risks and preparing for less likely but potentially devastating events.
Assessing the Impact of Risks
While it may be tempting to assess risks on an individual basis, there are significant benefits to considering scenarios where multiple risks could occur simultaneously. This approach allows for a more comprehensive understanding of the potential impact of each risk and how they could interact with each other. For instance, businesses that take on significant financial risk should also consider the operational risk. If a company with high leverage suddenly faces operational disruptions, it could face bankruptcy due to a combination of risks rather than individual risks.
Furthermore, it’s important to consider the potential cascading effects of these risks. A single event can trigger a chain reaction of crises, each with its own set of challenges. By considering these potential scenarios, boards can better prepare their organisations for a wide range of eventualities.
Once the major risks have been identified, it’s crucial for boards to pressure-test these against the organisation’s operating model and core values. This is often a great opportunity to bring in trusted external advisors who can help explore how each identified risk might impact the organisation and consider the first, second, and third order consequences of the risks. One effective approach to this is a premortem, where you imagine a worst-case scenario and work backwards to identify potential weaknesses and areas for improvement.
Pressure-testing is not a one-time event but should be an ongoing process that must be systematically included in the yearly planning cycle. As the business environment evolves, new risks may emerge while others become less relevant. Regularly revisiting and updating the pressure-testing process can help ensure that the organisation remains prepared for a wide range of potential risks.
Investing in Resilience
Once the major risks have been identified, it’s crucial to ensure that the company is investing in resilience. This involves two key considerations: do the measures in place help protect the organisation during an incident, and do they preserve its ability to invest and grow when coming out of the crisis?
Investing in resilience is not just about having a contingency plan in place. It’s about building a robust organisation that can withstand shocks and recover quickly when they occur. This requires a proactive approach to risk management, including regular risk assessments, ongoing monitoring of the risk environment, and timely updates to risk management strategies and plans.
Companies that are more resilient are usually more flexible, agile, and able to pursue opportunities faster than their peers.
Risk mitigation involves a combination of strategies, including insurance, operational changes, and process improvements. While insurance can provide financial protection in the event of a crisis and realised risk, operational changes and process improvements can help prevent crises from occurring in the first place. For instance, in the face of earthquake risk, changes can be made to buildings and operations in order to withstand a certain level of earthquake and the second and third order impacts.
It is important to remember that risk mitigation is not a one-size-fits-all solution. The best approach will depend on the specific risks faced by the organisation, its risk tolerance, and its strategic objectives. Therefore, it’s crucial for boards to work closely with management to develop a tailored risk mitigation strategy that aligns with the organisation’s overall business strategy and risk appetite.
Monitoring Risk Indicators
One cost-effective strategy for protecting against risks is to track relevant risk indicators. These risk indicators are early warning signs that a trend is not favourable to your operating model or strategic plan. By monitoring these indicators, business leaders can act proactively when the trend reaches a certain point, rather than reacting after a crisis has already occurred.
In addition to tracking relevant risk indicators, boards should also consider implementing trigger-based actions. These are predefined actions that the organisation will take when certain conditions are met. For example, in the event of a ransomware attack, the organisation might have a decision tree of factors that would lead it to pay the ransom versus not. Having these plans in place can enable the organisation to respond quickly and effectively during a crisis.
Risk Mitigating Biases
All individuals, including board members, are subject to cognitive biases that can cloud their judgment and decision-making. These biases can be particularly problematic in the context of risk management, as they can lead to an underestimation of risks or an overreliance on past experiences. Scenario planning—considering multiple eventualities—can help mitigate these natural biases within a board and facilitate the consideration of risks and their impact that might not otherwise come out during planning activities.
In addition to scenario planning, boards can also benefit from seeking diverse perspectives and challenging their own assumptions. This can involve bringing in outside experts, encouraging open debate and discussion, and fostering a culture of critical thinking and continuous learning.
Understanding Core Business Risks
In order to effectively manage risks, boards must first understand them. This often involves seeking input from experts who can provide an external perspective and deeper insights into the risks faced by the organisation. Most high-performing boards have expert advisors with specialist knowledge in risk management, crises, public relations, and legal matters on retainer so they are available in case of a crisis.
Understanding risks is not just about identifying potential threats. It also involves understanding the organisation’s vulnerabilities and how these could be exploited in a crisis. This requires a deep understanding of the organisation’s operations, its strategic objectives, and the broader business environment in which it operates.
Preparing for the Next Crisis and New Emerging Risk
After experiencing a crisis, it is crucial for a board to ensure that the organisation has learned from the most recent crisis, and is better prepared for the next crisis. This involves conducting a thorough and independent postmortem analysis to identify what went wrong, what went right, and what can be improved. Boards should consider the skills and training they need, ways to adopt agile decision making, and the right operating cadence.
In addition to learning from past crises, boards should also be proactive in anticipating future ones. This can involve regularly updating risk assessments, monitoring emerging trends and threats, and continuously improving the organisation’s risk management capabilities.
The role of the board in preparing for extraordinary risk is crucial. It involves understanding the current state of risk management, identifying and prioritizing risks, assessing the impact of risks, pressure-testing risks, investing in resilience, mitigating risks, tracking leading indicators, mitigating biases, understanding core business risks, and preparing for the next crisis. By taking these steps, boards can ensure that their organisations are better prepared to face and overcome future challenges, and be positioned for faster capitalisation on new and emerging opportunities.