Economic slowdown and uncertainty caused by Brexit are the biggest risks facing UK organisations in the next three years, according to business leaders polled by Management Today on behalf of DuPont. These risks have already cost half of the organisations surveyed between £10k and £500k, yet only one in five has a structured enterprise-wide risk identification process and more than 45% of British businesses admit they could be better at managing emerging operational risks.
Organisations face a host of daunting challenges driven by both external and internal factors in today’s globally interdependent environment. While new risks such as cybersecurity and Brexit uncertainty have emerged, established risks such as business interruption, damage to reputation and operational risks to internal procedures, people and systems are taking on new dimensions and complexities.
These constantly evolving and interconnected challenges have made risk management across the enterprise a necessity for survival and a key driver for success. To help gain a better picture of how UK organisations are identifying and managing the challenges and opportunities facing them, Management Today and DuPont surveyed more than 350 business leaders across a range of industries, from manufacturing and technology to construction and professional services.
Clear and present dangers
When asked to rank the three main risks facing their organisation at present, respondents identified uncertainty in the market (cited by 57%), increasing competition and failure to innovate or meet customer needs as their key concerns.
However, 65% conceded that they have lost income in the past 12 months as a result of uncertainty in the market. More than half (52.5%) say they have lost between £10k and £500k in the last 12 months – one in five say they have lost more than £500k.
The shock waves of the Brexit vote in 2016 will likely be felt for some time, with informed guesses aided by analysts and commentators the best organisations can hope for in terms of gauging what impacts the departure from the EU may have on their business.
When asked to name the risks they consider will be the most relevant to their organisation in three years’ time, the business leaders surveyed declared their biggest preoccupation to be economic slowdown/slow recovery, followed by (and perhaps linked to) uncertainty over Brexit and increasing competition.
Advice: An effective risk management programme is able to quantify and prioritise the identified risks, enabling mitigation efforts to be targeted in the most effective way. Managing an optimised risk management programme requires that risks are quantified in terms of probability and severity, as well as the calculation of costs and benefits of mitigating a risk versus allowing the risk to remain as is. It is this multi-faceted calculation, which helps determine the mitigation action (if any) that needs to be taken.
When asked for which risks their organisation is most prepared, respondents said they were most comfortable facing increased competition, challenges to innovate and meet customer needs and maintaining their reputation and brand.
If 2016 taught us anything, it was the importance of planning for the unexpected. Yet, despite continued uncertainty, this new research suggests the risk management function in UK organisations continues to suffer from lack of investment and attention.
‘Experience has shown that risk management needs to be integrated into strategic business processes if it is to be successful,’ says Mieke Jacobs, global practice leader risk management, DuPont Sustainable Solutions. ‘In our risk-consulting work with companies around the world, we have repeatedly seen that approaching risk in a silo brings with it the danger of sidelining risk management and therefore means it is less likely to be effective.’
However, less than 20% seek external support to help them to manage and mitigate risks, even though only 54% rate their organisation as good or very good at managing emerging operational risks.
Advice: Without buy-in at the corporate level, firms are unlikely to be effective in rolling out an enterprise wide risk management programme. At the same time, this senior level support is only one ingredient for success. Employees across every level of the organisation need to be trained to incorporate risk-based thinking into their day-to-day jobs. They need to be accountable for the risks within their immediate area of control.
Only 53% of respondents said their organisations redefine their risk profiles on an annual basis – 20% don’t have a policy at all on redefining their risk profile. Following a year in which the global news agenda was dominated by shock referendum and election results, it may be a good time to recall the advice of Benjamin Franklin, one of the founding fathers of the United States, who warned that ‘by failing to prepare, you are preparing to fail’.
Advice: Ensuring risk assessments are completed on a timely basis is a key component in any risk management strategy. These risk assessments help to ensure firms stay on top of new compliance requirements and prevent risk management from slipping off the agenda. The required frequency of the audits should be determined by the precise characteristics of each firm and its footprint.
More than half of the organisations surveyed rely on senior management judgment and experience to identify and assess major risks. Only one in five has a structured enterprise-wide risk identification process. More than 30% admit that they do not measure the effectiveness of their risk management at all.
Advice: Establishing the correct risk monitoring metrics and KPIs is one of the most important steps in the risk management programme. By establishing metrics, firms can ensure that the appropriate effort and resources are expended based on the risk profile of the business.
And while 40% of respondents said risk awareness is linked closely with the business decisions that are taken, 22% admit that risk has only slight or no bearing at all on business decisions.
Advice: Linking the impact of risk management to broader programmes, such as operational excellence, will boost engagement by making the benefits of risk management more tangible.
The responsibility for risk management is very fragmented – in 36% of organisations it rests with the chief executive or president, in 16% with the chief financial officer and in another 16% of organisations with the chief operations officer. Only 5.7% have a dedicated chief risk officer and just 9% say they are considering the creation of such a role.
Advice: A risk management programme will only be effective if championed at the very top of the organisation. Senior leaders in the corporate function need to be accountable for risk management and drive this approach down across the organisation.
Some 22% have a risk management department, but only 12% of organisations say they plan to create one. In terms of operational risks, organisations say their top priority is employee safety, followed by security and regulatory – and they expect to have the same priorities in another three years’ time.
‘Operational risk management has a wider role to play than mere damage limitation or improving workplace safety,’ Jacobs points out. ‘If used correctly, operational risk management can significantly help in establishing a cohesive company culture that has a positive ripple effect on productivity and quality as well.’
Misunderstanding of risk management by senior executives, lack of recognition of risk management as a discrete discipline, and competition with other initiatives all create investment challenges for risk managers.
However, it is vital for organisations of all sizes across all sectors to continually monitor the potential risks to their business and ensure a strategic plan is in place for the years ahead.
To develop and implement a successful risk management strategy, organisations must secure approval, consensus and leadership at board level, before introducing risk accountability across the enterprise. They must undertake timely risks assessments, quantify and prioritise risks, and at the same time establish appropriate metrics and KPIs to monitor and assess performance. Finally, organisations must implement consistent, well-documented and cost-effective controls, reinforcing the importance of risk management through regular communications with employees.