Adrian Leonard discusses risk and solutions with Chris Frost, partner, operational risk management solutions, PricewaterhouseCoopers

As the concept of enterprise risk management emerges, the corporate perception of risk is evolving with it. How do you view the risks businesses now face?
Chris Frost: The perception of risk is the nub of the issue. There is, for example, a clear mismatch of data collected in surveys of how top teams perceive risk. When asked about sources of corporate risk, fairly traditional areas emerge such as finance, competition, and marketing. There are no surprises here. However, when directors are asked about what they need to do in order to put things right, the order of the categories changes. For example, people-related issues are often cited as the most important category.

The overall conclusion is that, at a high level, there is little difference between the traditional view and the emerging view. However, at the lower, finely-tuned level, new things emerge. Clearly the business context is changing. The emerging risks here concern the management of information, time cycles, and the need for getting measurement right (hence the growth in scorecard approaches over the last few years). Coincidentally, risk managers have been getting better at gathering cross-functional data. With this comes an increased ability to measure risks and quantify the impact of risk management. These trends have meant that risk management and the broad categories of risk are higher up most boardrooms’ agendas than five years ago.

There is also a mismatch between traditional risk categories and emerging risks. The latter are often seen as mainly technology-related risks, though the main classes of risk outcome remain unchanged: fraud, theft, and business continuity. There has also been a focus on intellectual property and the risks related to intangible assets.

From a commercial view, and arguably from a risk manager’s perspective as well, the impact of the ‘I don’t know what it is I don’t know’ syndrome applies here. This has increased businesses’ dependence on specialist advice and expertise, thereby introducing other types of resource, skill, and dependency risks.

What are the fundamental approaches to coping with the risks arising from change?
Chris Frost: The adoption of formal approaches to change management has been a noticeable trend over the last five years. Most businesses have realised that there are important risks involved in poorly managed change. Hence change management is now a recognised discipline in its own right. Formal change programmes contain a range of recurrent themes which embrace many of the basics of management itself, such as communications, leadership, managing attitudes and developing culture.

A recurrent need is for sound measurement. Recently-developed techniques can ensure there is an effective relationship between the change programmes and the realisation of benefits. The management of change is often implemented on a programme basis. This in turn directly depends on the quality of a business’s programme and project management, senior sponsorship, and the effectiveness of a range of management disciplines. Many businesses regard the management of change as a core skill. They manage their risks by learning and by regarding change as the norm. In this respect risk management and change management are two sides of the same coin.

Basic business activities, such as new projects, M&A activity, and regional expansion, bring risk with them, but obviously they cannot be side-stepped for that reason alone. Do you have a general strategy for managing such risks?
Chris Frost: Other than a strategy focused on specific factors such as finance or operations, there is no general risk strategy that can be applied to every situation. There are, however, some general principles. From a risk management perspective there are recurrent issues such as measurement, defined business benefits, effective communications, sound programme and project management, and a defined failure containment strategy. One of the key lessons from the review on mergers, acquisitions and expansion programmes is the need to have a clear grasp of the business benefits to be realised, and a model for making the connections between them and decisions to be made throughout the project or merger.

Do external risks require a fundamentally different approach?
Chris Frost: Consumers, customers, users, employees, investors and public opinion all increasingly judge companies on the degree of their social responsibility, not only at home, but also abroad. Recent surveys among consumers around the world have shown that a majority believes that global companies should not just focus on economic goals. They should also contribute to a better society. There is a strong demand that private companies should assume a social responsibility.
Global branding may create new opportunities, but it brings more vulnerability and responsibility in its wake. Protection of the corporate image becomes even more important. The increased use of communication technology and the willingness of the media to use stories about corporate misdeeds increase public awareness.
The competitive advantage to a company which shows global responsibility is obvious. It enhances brand value. But it is also a way to manage risk by avoiding social unrest, combating pollution and creating goodwill.
The management of ethical risk is now becoming a key issue, but adding an ethical component to a risk management framework involves a balancing act. Ethics logically involve the consideration of every action, not to mention the character and intent of the actors, the consequences of their actions, and the nature of the relationships between stakeholders. No effective corporate risk management could encompass that range of factors. The key is to recognise ethical concerns while defining the practical limits of what a business can and should manage.

Much has been written about the obvious risks arising from companies’ increasing reliance on information technology. Do the solutions on offer address the situation?
Chris Frost: The increasing reliance placed on information technology by businesses has increased the impact of technological failure. The difficulties faced by businesses in building resilient information systems are always given sufficient attention. As the complexity of interconnected systems increases, so the complexity of solutions to ensure their resilience increases exponentially. Most resilient systems have built-in redundancy, able to operate if one element fails. It is this redundancy, and the effort needed to build and test resilient systems, that generates the additional cost. Businesses need to assess the impact of technological failure and ensure that they have appropriate levels of resilience.

With the constantly evolving mix of business risks, how can companies and their risk managers cope?
Chris Frost: One of the key goals of an effective risk management programme is to be able to forecast risk. This is achieved by assessing both the likelihood and the impact of risk occurrences in the context of the known business environment, both current and future. Recent events in the US have increased the likelihood of terrorist action occurring, and prudent business leaders are now taking steps to ensure that appropriate contingency arrangements are in place to protect people and property. Effective forecasting is dependent on having knowledge of patterns of past events that can be used to predict the likely future. Risk quantification is a form of forecasting, and like any forecast, can provide information about possible future events. Of course, not all risk assessments will provide the right answer.
However, as our understanding of the causes of risk increases, the level of accuracy of forecasting will improve, and the level of uncertainty will decrease. In some engineering contexts, risk forecasting is very advanced. Individual component failure rates can be calculated, allowing for timely replacement of components just before they are due to fail. This is most effectively achieved when component failure is linked to the operating environment in which the failure could occur. In a business environment, levels of operational stress can be measured and action taken before critical levels are reached. For example, increasing staff sickness rates, coupled with an increase in staff turnover rates in a call centre, could be a predictor of a pending drop in customer service levels.

Is there one step that you would want every UK business to take in terms of its risk profile?
Chris Frost: Effective risk management is achieved by developing an environment in which individuals are able to take risks. Risk taking is an essential element in successful businesses. The skill is in knowing which risks can be taken, and in having the information needed to make a decision.
--
Adrian Leonard is insurance market correspondent, StrategicRISK