Building organisational resilience
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.
Concluding our four-part series on key elements of enterprise risk management, ERM International founder, Anthony Reardon, applies his risk radar approach to a few sporting scenarios. Exploring hypothetical examples using some of the world’s favourite events, Anthony demonstrates how a risk radar can help all types of organisations understand their risk universe, anticipate emerging and routine risks, and prepare for when things don’t go according to plan.
Imagine you were tasked with coming up with a list of risks for your favourite football team or sporting league. How would you go about it?
As clubs and codes emerge from COVID shutdowns, they will face unprecedented challenges. Like businesses in many industries, sporting organisations were caught off guard by the pandemic. It was a risk event that very few, if any, saw coming – and certainly no-one seemed prepared for. Yet the impacts will be far reaching.
For most businesses (in most industries), this year’s experiences have highlighted a crucial question: what else might we be blind to?
Off the top of your head, how many risks can you come up with for your chosen sport? And once you have a rough list, how would you start to organise it? If you had to present it back to your team tomorrow, how would you structure the information so they could genuinely use it?
In this article, we conclude our four-part series covering some of the key elements of enterprise risk management. We demonstrate how our risk radar approach can be applied in practice – and how it can help with emerging risk planning in any industry or organisation.
Read the other three articles in this series:
To begin, let’s return to our earlier proposition. How many risks could you come up with for your chosen sport?
If we start at the individual risk level, you might fairly quickly have thought about things like player injuries; crowd safety (in a COVID context, in particular); revenue streams; or, perhaps, player behaviour and reputational issues.
So far so good, but writing these down in an ad hoc list doesn’t necessarily help you—or the subject matter experts—dive deeper.
The next step is to organise these initial thoughts into a few major categories of risk. To keep things simple, let’s pretend the below five categories cover all the types of risk a sporting code might face.
Once we have these categories, we can look at how each of our risks fit into this bigger picture. We can summarise the information via sub-categories, rather than trying to define and quantify individual risks in detail at this stage.
For example, ‘player injuries’ could roll up into a sub-category like ‘Physical health’. ‘Player behaviour’ might become part of a sub-category such as ‘Integrity and social value’.
Conversely, we could also use our structure to break down some of the larger initial risks. ‘Revenue streams’ can separate into ‘Merchandise’ and ‘Asset performance’, as a starting point.
By establishing a category for ‘Growth’, also helps to generate some ideas that could deliver upside potential. As you can see browsing the next iteration of our list below, the risks in this category include both threats and opportunities, if embraced and planned for effectively.
In less than an hour, this approach gives us a simple way to better understand the risk universe of our hypothetical sporting code. The table below shows how this can be broken down.
The structure also allows us to identify some nuances that might not have initially come to mind. By creating a category called ‘Health and wellbeing’, for example, we were prompted to think about health in a broader context than simply injuries sustained on the field. Mental health and drug and alcohol were added in.
Mapping our categories to the sporting value chain also helped us to focus on the most relevant risks. For example, the category ‘Brand and matchday quality’ is clearly specific to this industry. But it’s integral to the value the industry delivers.
Applying that lens to our categories gave us a better shot at coming up with as many risks as possible that could seriously impact the organisation’s long-term viability.
We call this initial output our organisation’s ‘risk universe’. It becomes the foundation for all your future risk work.
Could this structure have helped you to see something like COVID coming?
Could this structure help you to think about what else you may have missed?
Could you use this structure guide how you manage and take risk going forward?
Let’s look at the first question above. Could this structure have helped you to see corona virus coming? Realistically, we think the answer is probably not. It might have got you closer, depending on the insights and lateral thinking ability of your emerging risk brainstormers, but based on extensive conversations with risk managers around the world, we have to conclude that few really foresaw pandemic risk, on a global scale, for such an extended period. Having said that, if you look for these things (rather than only looking for risks inside your organisation, and only based on the near term without a view to the horizon), there was plenty of signals and people talking about pandemic risk.
Nonetheless, putting in place this structure now could help identify other gaps in your organisation’s risk universe for the future. As human beings, we have to accept that we will never be able to anticipate everything. But that doesn’t mean we should plan for nothing, either.
Continuing the exercise, therefore, let’s return to our list of categories and sub-categories with fresh eyes. Let’s road test the structure and consider where we might have gaps.
Particularly when thinking about emerging risk, it’s important to consider external forces. You’re asking, ‘what else (like COVID) could appear on the horizon that is outside your control as an organisation?’. These are risks that you wouldn’t necessarily be able to prevent with internal controls, but that you could try to foresee and prepare for.
Using the categories and sub-categories, you can approach the brainstorming process in a rigorous manner.
One gap that became apparent as we perused our first list was ‘technology’. What might this translate to in the sporting world? Ideas included the extensive use of technology for scoring calls – for example, in major tennis matches.
For governing associations and hosts of major tournaments, technology will likely increasingly impact their offering. Does this present a risk in terms of spectator expectations or coach authority? Or, are there cyber security risks that haven’t adequately been considered? What if software was hacked during a final match? Could that influence the ultimate outcome? Do organisations and players all have these risks on their radar? Perhaps not.
Another area that came to mind as we began debating ideas was media rights. What would happen to a league if the TV channel that owned their broadcasting rights suddenly folded or relinquished their interest? Would that league have back-up options? And how quickly could these be enacted?
In fact, no sooner had we hypothesised about this prospect then we came across reports of this exact scenario arising in Australia in the wake of COVID-related impacts to both cricket and AFL.
Again, this event perhaps couldn’t be prevented from happening. But, if it was on an organisation’s radar, they could establish their appetite towards the risk and develop a plan to monitor signs and be able to respond promptly. If this approach can allow a hypothetical example being done by people with no sporting code experience to anticipate it before it eventuated, imagine what would be possible if subject matter experts were involved.
Here’s where the radar shape itself starts to become useful. With a small list like we’re using in this example, it’s relatively easy to cast your eye across the columns and see which categories have several risks and which categories have only a few.
Imagine you were repeating the process with hundreds or potentially thousands of risks, however. Plotting them on a radar could be a handy way of quickly seeing the areas where you’ve got a lot of risks flagged – and presenting that information back to boards or executive leadership.
And if you end up with segments that seem quite empty, that’s a prompt to check back in too – are you missing something here?
Plotting risks is also the first step towards addressing your resource and planning prioritisation. Are you dedicating the right amount of time and effort to the right categories? In the next step, we look at how we could add in velocity and appetite to give us an even clearer picture of which risks matter most.
Here’s our initial sports radar at a glance.
As you can see from our initial radar, plotting risks in categories will help you to spot concentrations
– but it won’t necessarily help you sort out which risks you need to focus on first, or most. To achieve this, we add another layer into our radar, which is timeframes and velocity.
As Anthony speaks about in his first piece of the series, traditional five-by-five likelihood and consequence matrices aren’t always well suited to emerging risk planning. While they may help you to consider the consequences for emerging risks, likelihood is harder to foresee.
For example, if you did have pandemic risk listed on your matrix at the end of 2019, and you asked a room full of people, ‘what is the likelihood of a pandemic happening?’, you would have had a lot of head scratching. Who knows?
Velocity instead invites you to ask the question: when could this risk happen, is it possible tomorrow, or not for ten years? And then, if it happens, will it happen really fast, or will it emerge over an extended period of time? These questions prompt a much better discussion, and let you understand where you need to prioritise your preparation effort.
Consider the risk we raised earlier around broadcasting rights for our sporting code. Who’s to say when is the likelihood of a media producer reneging? But if you’re asking when could a TV station try to tear up its contract? Well, that could happen anytime without warning.
Furthermore, if it did happen tomorrow, how fast and how big would the impact be? This might depend on the exact circumstances. If the broadcaster folds, the impact would be immediate: a loss of revenue and no way to reach mass audiences, potentially with no back-up plan in place.
On the other hand, if the broadcaster announces their intention to renege on the contract, the process might play out over a few months or more. Still not a long time in terms of finding alternatives, but potentially a bit of breathing space.
By adding timeframes into your radar in this way, you can start to plot your risks more deliberately. We’ve filled in just a few examples below.
Before we look at quantifying appetite and developing meaningful metrics for each of your risks, the next step using this method is to simply establish overall appetite positions. Are you risk avoidant, risk seeking or somewhere in between?
Particularly if you are trying to elevate the conversation around ‘risk as opportunity’ with your board or executive, it can be useful to demonstrate where you believe the organisation sits for each risk sub-category.
To achieve this visually, we can again use the radar but extend it out to a 360-degree view. One half becomes your downside threats (unrewarded risks), while the other half shows your upside opportunity (rewarded risks).
Here’s how that starts to work.
As COVID has demonstrated, organisations will inevitably be forced to consider if and how, they can operate outside their appetite from time to time, and particularly during a crisis. Whether this is done implicitly or explicitly, will vary, but it will always be necessary and particularly challenging to get it right in the heat of a crisis. Organisations that have defined their appetite and prepared their responses will be in a stronger position than organisations that have to make it up as they go along.
Clear and transparent appetite statements will help remove ambiguity and guide decisions that need to be made under pressure. If everybody on your board and executive (and the rest of your organisation) is aligned in terms of the appetite position, it can make tough calls quicker and easier, and with much greater chance that everyone will be swimming in the same direction mid-crisis.
Applying this thinking to our sporting examples, we can examine decisions that were made back in March this year around whether or not to delay or shut down seasons, cancel events or relocate players.
How could this risk structure have helped to make these decisions? Well, it would help you to work through all the potential impacts, for one thing. If you’re deciding whether or not to continue a football season, for example, you’ve got to consider risks across most categories.
The physical health of players is paramount. As is the mental, particularly if your solutions start to involve relocation away from family and support networks. Crowd safety is also vital. Then you’ve got less tangible risks like ‘integrity and social value’ or ‘ethics and compliance’.
If you’re risk avoidant across all of these areas, it seems unavoidable that you eventually conclude ‘no, we can’t continue’. And that is what happened for almost every sport in the world.
Interestingly, in the few cases where sports did continue, what does that tell us about those organisations? If they had defined appetite positions, did they stick to them? Or was it that their financial position was too weak that they had no choice but to continue? If that was the case, was this a pure roll of the dice, or was it done with as much control as possible to keep performance within appetite? Or does it simply mean they have a higher appetite for integrity and social value risk?
And what about now, as we emerge from lockdowns? Grand finals are taking place around the world, with audiences and players eager to return to ‘normality’ insofar as possible. This structure can hopefully guide how organisations can take risk (and not just avoid risk). Much like when codes and clubs were deciding to shut down, as they decide to open up again, they would ideally be analysing risks across their categories and using the structure of the radar to spot any gaps they may have missed, or when certain decisions might push them outside appetite in a category they had not even thought of.
As our sporting examples have hopefully demonstrated, risk can add great strategic value to an organisation.
In a challenging year such as 2020, when everything has felt lose-lose many times over, we believe that a rigorous approach to risk management may be able to help businesses get back on their feet, find new opportunities and get ahead of the game.
This article was first published in October 2020 by Risk Leadership Network, a global membership network for risk professionals.
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.