High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: A set of decisions made at a given point in time, based on business intelligence, that when successfully executed, support the purpose, growth & survival of the organization.

She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said to find out what mission-critical means to the organization, what is the company’s appetite and tolerance for mission-critical, and the impacts of mission-critical exposures on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”

A New Approach to Managing a ‘Classic’ Reputation

coca cola sweetener challenge

A new Coca-Cola-sponsored contest seems to publicly acknowledge its reputational risk, but at a minimal cost that could manage or even reduce it.

In early August, the beverage giant announced its Sweetener Challenge, seeking non-employees (preferably scientists or agriculture or nutrition professionals) who can bring the company a “natural, safe, reduced, low- or no-calorie compound that generates the taste sensation of sugar when used in beverages and foods.” The winner will be announced in Fall 2018 and will receive $1 million.

Taxes on soda, the decline of its consumption, and mounting data that sours on sugar has unquestionably affected the bottom line for the company and put pressure on the broader beverage industry. By initiating the contest, Coke seems willing to try a fresh approach to manage or favorably alter its reputation as a brand founded on sugary cola, while simultaneously attracting and retaining consumers and generating sales. That seems far less risky than not trying new techniques.

“[Reputation risk] is created when expectations are poorly managed and exceed capabilities, or when a company simply fails to execute,” wrote Nir Kossovsky in the 2014 Risk Management article “How To Manage Reputation Risk.” “Managing expectations is all about governance, operations and risk management—the blocking and tackling of running a business. Clearly, there can be perverse brilliance in a business strategy of setting expectations very low.”

Last year, Coca Cola suffered a net revenue decline from $11.5 to $9.7 billion, making the $1 million prize a cost-efficient gamble that, as Kossovsky suggested, can “conceptualize an ideal state and implement a roadmap to reduce reputation risk.”

Other companies have turned to their audiences for new ideas to increase awareness and improve their reputations. Folgers was jonesing for a new jingle this year and paid a songwriting duo $25,000 for a flavorful new take on “the best part of waking up.”

Even the commercial aviation industry sought out-of-this-world innovations from average stargazers. When the X Prize Foundation wanted to inspire the private sector to pursue commercial space flight, it did so with a $10 million prize. The pursuit of the Ansari X Prize generated $100 million in new technologies and was ultimately won by the Tier One project’s ShapeShipOne, which was financed by Microsoft co-founder Paul Allen.

According to Kossovsky, “reputational events are tried in the court of public opinion,” and Coke’s will both there and in stores. The company’s new sugar substitute will be announced in October 2018 and will eventually make its way into supermarkets. With just a few sips, consumers can ultimately decide if the company’s investment and reputation risk management technique was a sweet move.

Can You Have Too Many Coffee Shops?

The collective mood among Starbucks (SBUX) shareholders may have been dark and intense on Wednesday, following a 1% downgrade of the coffee company’s share price by BMO Capital Markets due to “store overlap.” BMO analyst Andrew Strelzik wrote: “There are now 3.6 Starbucks locations within a one-mile radius of the typical Starbucks in the U.S. relative to 3.3 and 3.2 stores in 2014 and 2012 respectively.”

That statistic does not factor in competitors, and implies that too many franchise cafes are located too closely together and are fighting for the same $2 per tall coffee.

The warning signs of overlap were acknowledged and dismissed by Starbucks CEO Howard Schultz in 2010, when he told the Harvard Business Review: “We’re not nearly close to saturation in North America, despite what the cynics or pundits might say…”

At the time of that interview, Starbucks total store numbers neared 17,000 and by the end of 2016, there were 25,085. Was seven years close enough to the saturation point to heed the warnings? Or does the old cliché about hindsight apply?

The overlap may have led to what’s known as risk failure, which Risk Management explored in a 2016 article, “The True Character of Risk.” Article author Michael J. Mazarr would characterize Starbucks’ market oversaturation as a “gray swan”—a danger that is “known, discussed and even warned about, but then discounted.”

Mazarr noted: “When senior decision-makers become immune to outcome-oriented thinking, they will not give serious consideration to risk. They may continue to give it rhetorical emphasis, talking about what could go wrong, but the trajectory of their judgment will never substantially vary.”

McDonald’s learned this same lesson the hard way in the 1990s. Although it had 19,000 worldwide locations, upper management wanted deeper market penetration and kept expanding. Cannibalization didn’t hurt the corporation at first, but investments in new locations outpaced the profits earned from increases in total sales. That led to the fast food chain closing 100 stores and unveiling the popular, but risky, offer of 55-cent Big Macs to attract and retain customers.

Unlike in 2008, when Schultz closed 600 locations overnight because he felt they weren’t meeting the Starbucks vision, the current problem is not reportedly a result of poor management or the inability to offer upscale imbibing experiences. Starbucks has just provided customers with too many options near their homes, workplaces and hangouts to get their next sandwich or caffeine fix.

5 Strategies to Maximize Your Risk Assessments

While risk assessments enable organizations to understand their business issues and identify uncertainties, the best assessments go further. They prioritize top risks, assign risk ownership, and most critically, integrate risk management and accountability into front line business decision-making. Simply put, “checking the boxes” just isn’t enough to achieve an organization’s real objectives.

Effective risk assessments can also give organizations a true advantage. Our sixth annual Risk in Review study–comprising viewpoints from more than 1,500 corporate officers in 80 countries—finds that companies shifting risk management leadership and collaboration to the first line of defense are measurably better equipped to succeed. We call these companies “front liners.” While a majority of companies agree that front line decision-making is ideal, somewhat surprisingly, front liners represent only 13% of survey respondents.

Front liners use effective risk assessment strategies to enable revenue and profit growth, while also creating agility to bounce back from adverse events more quickly than their peers. They also outpace the pack when it comes to using risk management tools and techniques (such as a risk rating system or scenario planning).

Based on the study results, here are five strategies you can adopt to gain a front liner advantage:

  1. Put your risk assessments to use in real-time

For true impact, organizations incorporate risk assessment findings into their business decisions. Assessments should be efficient, and actions should be implemented quickly to address immediate challenges. Annual assessments are a best practice, but our study shows front liners have a robust risk culture, conducting regular assessments. Ongoing collaboration across all three lines of defense, reinforced by continuous monitoring, enables the organization to more effectively align business strategies with risk appetite.

  1. Develop actionable guidance and insights for leadership

Effective risk assessments are relevant and actionable. Be sure to interpret risk information and recommend next steps to help management incorporate the findings into their strategic decisions. Make it easy for boards and senior management to understand the key findings by providing thorough insights. Data will mean a lot more if you identify the recommendations, target outcomes and next steps. Gaining the front liner advantage is best achieved by integrating risk guidance holistically into the organization, including planning, growth strategy and investments to M&A, staffing, disaster recovery and crisis management.

  1. Speak in lay terms

Leaders outside the risk management function may perceive risk assessments as an onerous process loaded with abstract language and a heavy focus on negative outcomes. To help leaders see value in these assessments, define the risks, drivers and consequences in familiar terms using meaningful scenarios that are specific to the organization.

  1. Balance automation with the human touch

While automation enables mass data collection, organizations benefit most when risk assessment surveys are combined with facilitated discussions. Gathering important qualitative information, facilitators can bring together multiple viewpoints and encourage productive debate. Pre-reads may also be a helpful tool to level-set on the organization’s strategic objectives and overall risk landscape.

  1. Adopt a realistic view of risk management

It can sometimes be difficult for management to accept the findings of a risk assessment, especially if they believe there is a low probability such events will occur. To support strategic, risk-based decision-making, risk scenario analyses can spur productive discussions about the organization’s overall risk landscape, while dynamic, engaging tools like a risk scenario dashboard can help to draw in even the most reluctant participants.

Following these strategies can help your risk assessments to not only be relevant, but also essential to your organization’s business strategy and growth objectives.