August 17, 2018
Enterprise risk management (ERM) has been defined as “a plan-based business strategy that aims to identify, assess and prepare for any dangers, hazards and other potentials for disaster—both physical and figurative—that may interfere with an organization’s operations and objectives.” Beyond physical and financial risks it includes reputational, operational, legal, and human resources risks, as well as those associated with governance.
In a recent article citing NACD research, corporate banking and securities lawyer Benjamin Butterfield compared ERM with “traditional” risk management. He noted six primary differences, namely that ERM:
Resilience is broader than the elements enumerated here, however. As noted in part 1 of this series, resilience includes two critical components: organizational capacity and the ability to “adapt and grow from a disruptive experience.” It is more than strategies, plans, and processes, and hence is more integrative than risk management alone, and even more so than ERM.
Resilience-building approaches almost always will include ERM principles to strengthen the components that contribute to business resilience, but they also must strengthen the organization’s cultural resilience at all levels—management, the collective workforce, and individuals.
These processes need to adapt to changing risks. Richard Smith-Bingham of Marsh & McLennan noted in a recent report on risk that “Carrying out traditional risk management well is no longer enough. New risks have swung into view, senior-level demands are changing, and new capabilities are forming.” That new approach is the practical application of resilience.
Since business resilience depends on technology and systems, this capacity can be built into all the company’s components. For example:
Ultimately, diverse components will need to be integrated, which will always be harder than it seems. Cross-functional teams can be effective ways to work across isolated departments. Additional steps will be needed to prepare for adaptive approaches with entities outside the company as described in part one, especially since other communities may use different terms and processes that may not align with commercial risk management, reinsurance, and return-on-investment calculations. Nonetheless, cross-cutting collaboration is essential to anticipate the rapid, interconnected changes that result in enterprise risk.
A healthy corporate culture will promote broad, long-term resilience. The opposite may also be true. As Israel Martinez, chair and CEO of Axon Global Services, has said, “Culture can kill strategy.” If the board and senior corporate leadership are focused on containing incidents and minimizing bad press to preserve reputation and stock value, that focus may lead both to inappropriate responses in crises and to inappropriate strategies to prepare the company to bounce forward better.
Strengthening the firm beyond the leadership levels, the development of a resilient labor force, and the corporate culture are all essential facets of developing cultural resilience. Even as automation and artificial intelligence challenge job availability and workforce structure in the mid-term, companies are having a hard time today hiring skilled people even for existing jobs. Intangible assets such as corporate reputation, relationship with employees, and image as a good place to work can affect the company’s overall resilience in tight or turbulent labor markets. The workforce also needs to be trained to handle adversity.
This leads to the importance of individual resilience. During emergencies workers may have to support business continuity operations, but many crises are also likely to affect their families. What efforts are being made before a crisis to help workers ensure that their families will be prepared if they have to be absent? The effectiveness of the company’s response may depend on it.
A rich collection of research shows that every complex problem involves parts of other interlocking problems, so addressing one part will affect others. This means that the problem will change as you try to solve it and that solutions almost always will be iterative.
An essential first step is to document original assumptions about the risk at hand. These include not only tactical assumptions like “if we do X, we can expect Y result in Z timeframe,” but also strategic questions like: “Is this business model still relevant?” and “What business should we be in tomorrow?”
Once a course of action or a business plan is chosen, a review should be scheduled after a suitable interval. Diverse, unvarnished feedback is essential. If the plan is converging toward the desired outcome, continue. If not, re-examine the basic assumptions and adjust. This can be facilitated if the alternative approaches have been kept up-to-date as options.
The iterative approach poses leadership challenges both up and down the chain of command. The project advocate needs to get buy-in from leadership and the board alike that they will view adjustments as a sign of strength, not weakness. The advocate also must explain to their team that the review is built into the program and, while they expect full support in executing the chosen plan, if the assessment indicates a need for change, that again is a sign of strength, not weakness.
Challenges for the Board
The board needs to help management develop the capacity for both cultural and business resilience in complex, adaptive environments, and ensure that it is supported, incentivized, and exercised frequently. These exercises need to address interdependencies among disparate functions and infrastructures (communications, power, transportation, and others) to understand how the disruption of one affects the ability to perform the mission.