Risk management has evolved over time. As a field that was first developed by the insurance industry, it has gone through various transformations, and today most companies speak of risk management in the same breath as Governance and Compliance, since ‘GRC’ is what good corporate citizens do best – have oversight of governance, comply with regulations, and manage their risks. But risk management doesn’t really belong under this banner – it needs to move away from a compliance function as it is really more a strategic enabler than anything else.
During the pandemic, the focus shifted to the risk management profession, with some risk managers proving to be the heroes businesses need. We have seen the trend of more organisations having executives dedicated to risk management. But how effective are these risk management activities? This is a difficult question for me to ask, as I have dedicated my entire career to risk management and I am very passionate about it.
But my passion is really how to get people to think differently about the way they do business. Should we aim to use risk management to just protect what we have, making ‘survival’ our primary objective? Or should we focus on building value for the communities and customers we serve? If the latter, why do we not encourage risk taking? We should focus on building sustainable businesses that not only survive but thrive, even in uncertain times.
In order to move from risk management to building more resilient organisations, we need to think differently about risk and view it as an opportunity. There is a perception that risk management or business continuity management already make a business resilient – but they are just a small part of what is required. A more holistic view is important, as viewing these issues within silos removes them from the strategic focus of the organisation. Above all, we need to move away from the perception that they are merely compliance requirements.
Creating a resilient organisation
Of course, resilience doesn’t just happen – it requires intention, action, decisiveness. This doesn’t happen by just updating risk registers on a quarterly basis or exercising a Business Continuity plan every year. We need to enable businesses to take the right risks, focusing more on what they can do than on what they cannot do.
To respond to this fast-changing, uncertain world, organisations should adopt an integrated strategic resilience framework. Resilience in this context refers to the ability of an organisation to adapt, change and grow in response to uncertainty and change, and consists of the following key components, among others:
We need to build resilient strategies, driven by leaders that can direct organisations and have them pivot if necessary, in response to the fast-changing environment in which they operate.
We need to stress-test our strategies by using scenario planning exercises and prepare for ‘different futures’, as well as integrate risk management into our decision-making processes. For example, we should understand the risks involved in appointing third parties who will render their services to the business. We need to understand the opportunities while carefully evaluating viability, impact and risk.
Risk should be viewed as a strategic enabler. Understand your operating environment by monitoring mega-trends from a global, local, industry and interdependent point of view. Track these trends, along with your organisation’s response to them, and think ahead – being able to anticipate what may happen tomorrow is a vital part of effective risk management.
As Peter Drucker has pointed out, “Culture eats strategy for breakfast.” We need to build a culture of ownership, accountability and transparency in our organisations. If our leaders inspire fear in our staff, rather than simply inspiring them, there will be no trust, innovation, or collaboration. The bedrock of any resilient organisation is its ability to create an environment that is highly conducive to learning. It is a truism that the leaders of such organisations foster on-the-job learning and have a ‘fail hard and fail fast’ mindset, encouraging experimentation and fearless risk-taking. Such companies tend to attract and retain talent, put people’s wellbeing first, and create a work environment in which leaders have secured employees’ buy-in. A sense of shared purpose and vision prevails. In fact, the best companies to work for routinely put people first and help them to find and pursue their passions.
We can’t be resilient without building and cultivating strong support networks. These are the people, groups, communities and connections that you can lean on, and which can lean on you. To be most effective, networks should be diverse – more points of view provide different approaches and unique strategies. The more variety there is in the workplace, the more colourful, compassionate, self-reliant, flexible and innovative its employees.
An ecosystemic approach:
Understanding the value chain, the interdependencies and symbiosis is key to building resilience. We need to break down silos and encourage collaboration.
The future of the risk management team
Risk management is not the responsibility of the risk management team – it is that of any person making a decision or engaging in a process. There is far too much reliance on having risk teams define what the business risks are.
I believe that risk teams should be spending 90% of their time supporting and empowering the business to create a more resilient culture and only 10% on admin and reporting. At the moment, the reverse is true in most risk management teams, who are buried in meetings, reporting (mostly updating Excel spreadsheets), and taking care of admin. Risk management teams are not asking the right questions or spending their time understanding and supporting the business. If this continues, I don’t think there will be much of a future for risk management teams.
I always use the analogy of F1 when explaining the role of risk management. At the start of a race, the driver will face various uncertainties as he sets about trying to win, but he will also have many opportunities. His pit crew will update him with valuable information on track and tyre conditions, changes in the weather, competitors’ behaviour, and more. This is useful as he makes quick decisions on the track. This is the role of the risk management team in business – to provide value-adding information to support business decisions and build resilience within organisations. A resilient company is not built through the risk management function alone, or even integrated activities, but through a culture that knows which risks to take and how to create opportunities.
It is one thing to manage risk to survive – but to create resilient organisations that can thrive in uncertainty, risk management must become part of the organisational culture. Ownership needs to shift from the risk management team to the core business team which drives strategy. The role of the risk management team is to facilitate (the word ‘facilitate’ comes from the Latin ‘facilis’, which means ‘easy’). If we think about risk in this way, we will foster a culture that enables organisational resilience.