Roundtable: Making risk work for you

From reputation damage to Brexit uncertainty, businesses face a host of daunting challenges. MT in association with DuPont assembled an expert panel to discuss how to drive value from such risks.

by MT Staff
Last Updated: 07 Dec 2016

In today’s globally interdependent environment, new risks such as cyber security have emerged, while established risks such as business interruption, damage to reputation and operational risks to internal systems are taking on new dimensions and complexities. MT, in partnership with DuPont, conducted research among more than 300 business leaders, and found that the risks they think will be the greatest over the next three years will be: economic downturn, Brexit uncertainty and competitive pressures.

Ian Wylie, special projects editor, Management Today: What are the key risk challenges and opportunities for your business?

Andre Katz, group director of enterprise risk management, BT: Technology is clearly a source of great opportunity to BT but it also brings some fairly seismic risks. The other element that’s very topical this year has been around political risk and uncertainty. Deeply held assumptions around our view of the world haven’t held up to be true, from Brexit to Trump. Understanding what that uncertainty means for our organisation is a challenge because it takes us into a different space to where we were before.

Charles Clayton, vice-president, internal audit, RB: We’re moving from being a household product business to being a healthcare business, with a very different set of risks. That’s a really big challenge. And we’re growing very rapidly – transitioning from being a teenager, shall we say, to a young adult. Our infrastructure needs to follow suit – from systems and processes to data. That brings a whole set of new challenges in order to build the skeletal structure sufficient to support an increasingly large business.

Pictured: Ian Wylie, special projects editor, Management Today; Andre Katz, group director of enterprise risk management, BT

Mieke Jacobs, global practice leader, DuPont Sustainable Solutions: In the past we have managed enterprise risks and operational risks separately, also for companies in different high-risk industries with whom we work. However, as operational risks have become an increasingly important part of enterprise risks, there is an opportunity to look at them in a more inclusive way that includes the operational risks and dynamic factors such as geopolitical unrest and volatility. The challenge is connecting both and there’s a real opportunity to be more inclusive and integrated.

Andy Hastilow, operations director, Stannah Stairlifts: With the advent of the internet, customers have much more choice now and the ageing population means that our marketplace is now a lot more attractive to some big players. That means that we need to change. Time to market has decreased, product life cycles have decreased, but all our systems and processes have been built up around compliance and maintaining the status quo. We have a tried and tested recipe for success, but the challenge for us is to do something new.

Wylie: How can organisations foresee and manage risks as unexpected as Brexit and Trump?

Alison Hill, head of enterprise risk, Centrica: Risks evolve, and when you capture risks at a point in time there will always be unknown unknowns. We have a group looking at Brexit and working out the implications on a business-by-business basis, because every business is different. Exchange rates, the cost of imports and how the electricity market will change are key issues for us. But at the moment we don’t know a huge amount so we’re trying to capture the implications for current risks and what our new risks might be. We just need to make sure we continue to listen to what’s going on externally, adapt and reflect that in our risks.

Katz: We have found risk management to be the perfect way for the organisation to understand the issues. For Brexit we started our planning last year, looking at all the different aspects of our organisation and how different scenarios could impact us. That helped us understand where BT should sit. We took a position with our unions and communicated it to staff. It’s helped us be on the front foot in engaging with industry groups, other organisations and government in terms of knowing what our priorities are. It’s a great opportunity for risk management to shine.

Hastilow: We don’t have a centralised risk function and the danger for medium-sized businesses like ours is paralysis. If you don’t understand the risks, you don’t make decisions. We have to work very hard to make sure that doesn’t happen.

Mohan Sodhi, professor of operations and supply chain management, Cass Business School: There’s a story about a monkey who puts his hand in a glass jar to get the peanuts, but can’t get his hand out until he lets go of the peanuts. Companies want to put their hands in narrower and narrower glass jars to look for where the value is to be added and don’t consider the fact that they will get caught because they can’t take their hand out. Organisations must improve at connecting the risk upside with the downside to help the monkey get its hand out of the jar in good time.

Pictured: Andy Hastilow, operations director, Stannah Stairlifts; Mohan Sodhi, professor of operations and supply chain management, Cass Business School 

Nicola Crawford, chair elect of the Institute of Risk Management: And we can’t assume that everyone knows about risk management. I’ve just come back from a trip to Turkey where I was talking to a business industrial group and leading a seminar on risk management. The first thing they asked me was, ‘Well, what is risk management and how do we use it?’

Wylie: Are we happy with the visibility that we have of the risks in our organisation and outside?

Hill: Businesses can become very insular, and myopic. So we find it very helpful to talk to our peers in the sector about how they’re handling their issues and risks. There is so much data available, but we also operate in a very complex world, so having a wide network is massively helpful.

Jacobs: Over the last few years we have dared to take a differentiated risk approach. Previously, we had many different businesses but homogeneous risk profiles. We simply applied the highest health and safety, compliance and legal standards to everybody – in every business process. But by taking a differentiated risk approach, we can invest more time and resources in really tackling our highest risks. That was a real mindshift for us.

Clayton: I get the most richness from talking to our board members – individually, separately outside of the board – and to non-execs who have different portfolios. That helps me get perspectives on the major risks in the organisation. Trying to join up what’s happening lower down in the organisation is not so easy. Finding the right mechanism for capturing all the routine risks and operational risks is the one I find hardest to solve.

Crawford: We mustn’t forget about small businesses. One of the biggest issues is ensuring they have the capabilities within their organisations, because they’re usually strapped for money. Compliance, health and safety and legal risk have been mentioned – these are the key risks for any small business.

Wylie: If budgets weren’t an issue, what would a proper risk function look like?

Katz: Ownership for risk management can’t sit with a small team. And if the risk function grows too large, the organisation would expect it to manage risk, not support risk management. I see risk management as both an art and a science. We need technical people who have the rigour to be able to understand a process and start to quantify risk to help the business. But we also need imagination – the business may focus on x and y, but what if z happens? We’re a small team trying to have a very large reach through coaching others in risk management. And that means working with partners in other functions, such as HR for example.

Clayton: I don’t think there is an ideal risk function. Much depends on your industry sector and the rate of change that surrounds it. It also depends on the culture of an organisation and how it best operates. We have a very risk-embracing, stretch culture at RB, driving for high targets consistently. I think the culture of RB would be undermined if we had a separate risk function.

Hastilow: At Stannah we have a modest appetite for risk, and that’s ingrained in our culture. But we want our people to be entrepreneurial and to grow the business. If you try to minimise every risk, it stifles innovation by encouraging people to make the most conservative decision they possibly can.

Sodhi: Ownership is key. If you make the decision you should be able to take the consequence. Not just the upside but also the downside. In small businesses, owners accept both the upside and downside.

Pictured: Alison Hill, head of enterprise risk, Centrica; Nicola Crawford, chair elect of the Institute of Risk Management

Katz: To return to the example of the monkey, I see the role of the risk function as helping managers understand how best to get the nuts out of the bottle. A risk function brings something in terms of a disciplined approach or a mindset that actually helps deliver.

Jacobs: For me the process comes before the organisational design. Both can work but the risk function needs to be integrated into the processes. Understanding supply chain risks is so different from understanding financial or operational risks. One risk function can probably never own all of these competencies so it needs to be embedded and included in all the processes, and then centralised or decentralised.

Hill: A risk function needs to also encourage businesses to take more risk. At Centrica we’re quite risk-averse and probably mitigate most risks too much. That’s been our culture, our DNA. As risk practitioners we need to be encouraging more risk-taking, as opposed to reining people back.

Crawford: Agile businesses are good at ensuring risk management doesn’t stifle decision-making. But I’ve seen a lot of cases where it does. ‘Oh we’ve got to update the risk register and report on it just for the sake of it.’ It’s about making staff understand how to recognise and report risks to the right person at the right time. And then understanding what gets circulated up to the audit and risk committee so the board can have a look at those risks.

Pictured: Charles Clayton, vice-president, internal audit, RB; Mieke Jacobs, global practice leader, DuPont Sustainable Solutions

Wylie: What are the challenges of finding the right risk capabilities and talent?

Hill: At Centrica, we’d like to see more people with commercial experience, who can speak the language of the businesses, understand their concerns and get to the nub of what the key risks are.

Katz: We find ourselves fishing in an extremely small pond. We only look for two things – the technical capability around risk management, and that ability to engage and explain in a commercial way. It’s so hard to bring in mid- to senior-level people who have both skills. We end up with very short short-lists. But in five years’ time, I think we’ll be having a very different conversation. More senior executives will have gone through pain and will understand the value of risk.
