High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: A set of decisions made at a given point in time, based on business intelligence, that when successfully executed, support the purpose, growth & survival of the organization.

She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said to find out what mission-critical means to the organization, what is the company’s appetite and tolerance for mission-critical, and the impacts of mission-critical exposures on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”

A New Approach to Managing a ‘Classic’ Reputation

coca cola sweetener challenge

A new Coca-Cola-sponsored contest seems to publicly acknowledge its reputational risk, but at a minimal cost that could manage or even reduce it.

In early August, the beverage giant announced its Sweetener Challenge, seeking non-employees (preferably scientists or agriculture or nutrition professionals) who can bring the company a “natural, safe, reduced, low- or no-calorie compound that generates the taste sensation of sugar when used in beverages and foods.” The winner will be announced in Fall 2018 and will receive $1 million.

Taxes on soda, the decline of its consumption, and mounting data that sours on sugar has unquestionably affected the bottom line for the company and put pressure on the broader beverage industry. By initiating the contest, Coke seems willing to try a fresh approach to manage or favorably alter its reputation as a brand founded on sugary cola, while simultaneously attracting and retaining consumers and generating sales. That seems far less risky than not trying new techniques.

“[Reputation risk] is created when expectations are poorly managed and exceed capabilities, or when a company simply fails to execute,” wrote Nir Kossovsky in the 2014 Risk Management article “How To Manage Reputation Risk.” “Managing expectations is all about governance, operations and risk management—the blocking and tackling of running a business. Clearly, there can be perverse brilliance in a business strategy of setting expectations very low.”

Last year, Coca Cola suffered a net revenue decline from $11.5 to $9.7 billion, making the $1 million prize a cost-efficient gamble that, as Kossovsky suggested, can “conceptualize an ideal state and implement a roadmap to reduce reputation risk.”

Other companies have turned to their audiences for new ideas to increase awareness and improve their reputations. Folgers was jonesing for a new jingle this year and paid a songwriting duo $25,000 for a flavorful new take on “the best part of waking up.”

Even the commercial aviation industry sought out-of-this-world innovations from average stargazers. When the X Prize Foundation wanted to inspire the private sector to pursue commercial space flight, it did so with a $10 million prize. The pursuit of the Ansari X Prize generated $100 million in new technologies and was ultimately won by the Tier One project’s ShapeShipOne, which was financed by Microsoft co-founder Paul Allen.

According to Kossovsky, “reputational events are tried in the court of public opinion,” and Coke’s will both there and in stores. The company’s new sugar substitute will be announced in October 2018 and will eventually make its way into supermarkets. With just a few sips, consumers can ultimately decide if the company’s investment and reputation risk management technique was a sweet move.

Increasing Risk Complexity Outpaces ERM Oversight

More organizations are recognizing the value of a structured focus on emerging risks. The number of organizations with a complete enterprise risk management (ERM) program in place has steadily risen from 9% in 2009 to 28% in 2016, according to the N.C. State Poole College of Management’s survey “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.”

Yet this progress may lag behind the increasingly complicated risks that need addressing. Of respondents, 20% noted an “extensive” increase in the volume and complexity of risks the past five years, with an additional 38% saying the volume and complexity of risks have increased “mostly.” This is similar to participant responses in the most recent prior years. In fact, only 2% said the volume and complexity of risks have not changed at all.

Even with improvements in the number of programs implemented, the study—which is based on responses of 432 executives from a variety of industries—found there is room for improvement. Overall, 26% of respondents have no formal enterprise-wide approach to risk oversight and currently have no plans to consider this form of risk oversight.

Organizations that do have programs continue to struggle to integrate their risk oversight efforts with strategic planning processes. “Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks facing the entity especially as it relates to coordinating these efforts with strategic planning activities,” the researchers found.

According to the study:

Many argue that the volume and complexity of risks faced by organizations today continue to evolve at a rapid pace, creating huge challenges for management and boards in their oversight of the most important risks. Recent events such as Brexit, the U.S. presidential election, immigration challenges, the constant threat of terrorism, and cyber threats, among numerous other issues, represent examples of challenges management and boards face in navigating an organization’s risk landscape.

Key findings include:

Creating a Strong Defense and Offense in Your Risk Management Program

Stakeholders demand that companies grow, but at the same time, they expect growth to be managed to make sure the brand is not tarnished. That means enabling value as well as protecting value, which comes down to striking the appropriate balance between risk agility and risk resiliency.

For many years, risk management has focused on protecting the brand and keeping the company out of trouble. But if it’s done right, risk management is about playing not only defense but offense as well—it’s about value protection and value enablement.

Defensive Risk Management

Defensive risk management is mostly about risk resiliency, enabling a company to either prevent bad things from happening or recover more efficiently from disruption. Defensive tactics include setting up a risk appetite statement and framework that are approved by the board on down. Next, the risks should be aggregated across the enterprise and mapped against that appetite along with related risk tolerances and limits. Defensive risk management is also about developing a set of very specific key risk indicators (KRIs) to look for. This includes having a solid business continuity management strategy that will quickly get things back on track after a risk event. These activities keep the company out of harm’s way, and may be the easier part of risk management.

Offensive Risk Management

The more difficult part is thinking about risk management offensively—leveraging it for strategic advantage and growth. The first offensive tactic is to align your risk management process with strategic planning so you can drive those priorities forward in light of all the risks you are facing. That’s not an easy thing to do because even though companies may think they’re aligned, many of them actually run two very distinct and separate processes. Another offensive tactic involves giving some of the risk management activities back to the business units—so they can run faster and drive risk-adjusted decisions and revenue plans.

Risk agility lets a company flex and grow by making the risk management process adaptable to changes in the business model or to external changes affecting the company. It is also something that has to be thought about more formally so that it does not become counterintuitive to the growth agenda, but actually supports it and even helps drive it.

If a company is being held accountable by its stakeholders to grow—and they all are—that growth has to be pursued in a controlled manner so the brand doesn’t become tarnished. That is about striking the appropriate balance between risk agility and risk resiliency—playing offense and defense.

The simple fact is that companies that use their risk management activities to play both sides are more likely to see sustainable growth and better performance patterns because they are balanced between moving the business forward and keeping the business in check.

PwC’s study 2016 Risk in review: Going the distance highlights how companies can achieve this important balance. For example, companies that structure their risk management programs to play both offense and defense are more likely to see sustainable growth and better performance patterns. In addition, these companies are nearly as likely to report that they expect significant revenue and profit margin growth (greater than 5%) as companies that are focused only on growth—and they are better positioned for sustainable success. Such companies are balanced between having the agility to move their business forward and the resilience to prevent bad things from happening and/or recover more efficiently from disruption.

High-risk growth

Some companies with aggressive top-line growth targets decide not to invest at the appropriate levels in their risk management programs, which can allow their growth to outpace their infrastructure. Following this course can bring more risks—vulnerability peaks and risk events become more crippling to the brand. In the end, more capital is spent on investments to take risk management activities to the next level after something bad happens to the business.

The mindset across industries is that immediate growth is great, but longer term, sustainable growth is better. Companies are building up stronger and more relevant second-line (risk and compliance) functions, and holding the first line more accountable on risk because they see that will help them achieve sustainable growth.

Adapt or get left behind

As the business landscape continues to evolve, companies need to adapt or find themselves in deep distress. The key to creating an effective risk management program is to find the right balance that allows for growth at a comfortable pace relative to the risk appetite and risk tolerance levels set by management, and accepted by the board. When that is done, your risk management program truly becomes a strategic asset, supporting both offense and defense.