Building organisational resilience
Resilience is about more than crisis response. It means learning from past events, forecasting outcomes and anticipating opportunities.
COVID-19 prompted organisations around the world to ask: what else are we blind to? We run through our risk radar approach that will help you see what you don’t see.
“I haven’t spoken to a single person since the outbreak of COVID-19 who’s said to me ‘yes, we were prepared for this. It was a risk we anticipated’,” says consultant and former senior risk executive, Anthony Reardon.
With the immediate crisis management period now over, companies are considering their next steps. More than likely, risk managers are going to be asked:
Research suggests that we haven’t typically dedicated a lot of time to answering these questions.
For example, Harvard Business Review published some analysis in 2015 that looked at the amount of time spent managing different types of risks within organisations. It then compared this time spent to the level of exposure or ‘danger’ those risks truly represented for the business.
The research claimed that 86% of top organisations that had experienced significant market value decline had done so due to mismanaged strategic or emerging risks. Yet, only around six per cent of time was spent planning for those types of risks.
The other 94% of time was taken up in managing routine risks, like financial reporting, legal or compliance risks.
Ninety-four per cent of your time is spent on 14% of your exposure, in other words. When you look at that ratio, you can clearly see it isn’t optimal.
But how do you shift priorities? And how can you encourage your risk team and your executive to expand their horizons, while not losing focus of the risks that are important in the here and now?
In a nutshell, you need a method to organize and view your risk information so that it enables you to glean meta intelligence and insights.
Most organizations have some form of risk register, where all their risks are collected in a database (be it software or spreadsheet). Probably, this database is searchable or maybe even filterable, so you can view risks by category, likelihood or various other factors.
Long lists of risks will only generate so much insight, however. Ideally, you want to visualize your overall risk picture.
What is needed is to determine an organization’s unique set of risk categories, mapped to its value chain. These risk categories can then be represented as a 180-degree, semi-circle risk radar.
You then divide that radar into a number of wedges. These wedges represent the unique risk categories based on the value chain of your organization. You might have a health and safety category, a credit and liquidity category, a technology and innovation category, and so on.
When I’ve done this previously, I’ve found that 10 categories (give or take, depending on the size and complexity of an organization) is a good guide. You can see these in the example radar below (you can also download the slides in the PowerPoint presentation on the right of the page).
Sitting beneath each wedge, you then plot your individual risks. Depending on the size of your organization, this could be hundreds, or even thousands, of risks.
Once you have all your individual risks plotted on the risk radar, you’ll immediately be able to see areas where you have large concentrations of identified risks.
More importantly, you will be able to see areas where there are few or no identified risks. You are painting in black and white where the organization has blind spots.
In my experience, most businesses will discover they have up to 90% of their material risks sitting in one or two categories. In mining, manufacturing and construction firms, for example, the dominant category is likely to be health and safety.
Now that’s good, because health and safety is absolutely a priority for these businesses. This isn’t about ignoring the risks in those categories. Rather, it’s about using the radar as a map to show the business where it does have and doesn’t have a good understanding of its risks.
I find the predominant thinking tends to be quite internally focused. By which I mean, companies are very good at looking internally and asking, ‘what are the existing, internal risks we need to control?’. But they are less practised in considering external factors and disruptors. As risk managers, we also need to be asking ‘what do we need to see coming and be ready for?’.
This idea about ‘seeing what is coming’ ties into the second step, which involves deepening your view. You want to understand how far into the future your current risk picture extends. The radar works well for this step, too, as you can add in different time horizons, fanning out from the centre.
Showing the 180-degree radar example again below, you can see I’ve typically labelled these horizons as current, near-term, mid-term, long-term and distant. They might correspond to five-year, 10-year, 20-year and 50-year periods – or whatever timeframes seem sensible for your industry and organisation.
Again, once you plot the risks visually, it will become apparent where your concentrations lie. Continuing the theme from above, most organizations typically find 90% of their material risks are sitting in one or two categories – and those risks are sitting in the current or near-term horizon.
Using this radar view with different timeframes provides a framework to help businesses explore their longer-term view. What could be on the 10- and 20-year horizons? What kinds of changes may be coming that the business needs to prepare for?
Once you start looking at these medium- and longer-term horizons, the next step is to build out a view of your upside risks or opportunities.
You can do this by extending the radar so that it forms a complete circle or 360-degree view.
Your risk categories then have mirror images in both upside and downside risk, as you can see in the second radar image below.
As soon as you represent an organisation’s current risk register to them in this format, the situation typically becomes clear. Not only are the majority of their risks in one or two categories, and in the near-term, but they also tend to be almost exclusively on the downside.
Risk is looked at mainly from the perspective of threats, rather than opportunities. This means risk, as a discipline, is held back from realising its full strategic potential.
Consider the word ‘risk’ itself, which can in part be traced back to the root verb ‘rysigo’, which is often translated as ‘to dare’. The contemporary application of risk in a corporate context has lost sight of this element. Bringing it back into the conversation could open up a range of possibilities for organisations.
Having established these gaps, you now need to fill them – or at least, have the conversation about what could be on the horizon. Depending on the type of organization you are, and the nature of collaboration that typically takes place, you will likely do this via one of these methods:
When working with organisations to apply this framework in a workshop setting, I usually start by asking ‘what are the points of fragility in your value chain?’. Rather than trying to purely predict the future, it is helpful to understand the points of vulnerability and focus efforts on protecting these weak underbellies.
Then, based on this, you can work backward from your imagination, rather than working forward from your experience. I’ve found that these two techniques can really help people to overcome some of the natural biases of human nature.
Once you’ve used the radar to reveal your blind spots and you’ve done some work deepening and broadening the view, the third part of the process is to say: ‘okay, what do you do about it?’.
How do you analyze all these new risks and prioritize your resources so that you’re not jumping at shadows, but you are putting sufficient effort into the emerging risks that might really matter?
The typical approach to risk management is using a standard, five-by-five, likelihood by consequence table. However, the concept doesn’t necessarily translate here.
If we take an event such as a pandemic, you can see what I mean. The consequences side of the equation comes together okay. If you’d had the foresight, you could have arguably anticipated many of the consequences of COVID-19, for example.
We have previous examples of disease outbreaks such as Ebola or SARS from which to create hypotheticals. There’s historical evidence of mass shutdowns. There were influential people who were speaking about the possible effects of an uncontained virus on society. In short, you could find enough material to have a factual, informed discussion.
If you’d started asking people the likelihood of such an event occurring, however, you’d have likely got a lot of head scratching. I mean, who knows what to say?
The five-by-five matrix is not a good way to help organizations analyze and prioritize their efforts in these cases. To be clear, I believe it is still a very useful tool for many traditional risk management tasks. I’m not saying get rid of it. What I am saying is that it’s proving to be an inadequate tool for some of the risks we face. It’s too blunt to handle some of these complex, emerging possibilities.
What you can do instead is to assess each of your individual risks by looking at two key variables alongside consequence: timeframe and velocity.
You’ll recall we had those five horizons of current, near-term, mid-term, long-term and distant. And we’d correlated these to time periods that made sense for the individual business. Say: immediate, five, 10, 20 and 50 years.
You take a risk like a pandemic and you ask not ‘when will it happen?’, but ‘when could it be possible?’. And the answer is it could happen tomorrow. When you look at it through that lens, it is an indication that organisations should look deeper.
Here are a couple of other resource industry examples to illustrate what I mean. Consider a risk like market concentration. Given China has recently imposed tariffs on beef and barley, and also announced inspection procedures for coal and iron ore, if you’re a supplier of a raw commodity, and you’ve got only one country or company at the other end of your trade, that’s a significant risk.
If you were to try and work out the likelihood of that buyer suddenly flicking a switch and saying, ‘no more’, it might be hard to establish. However, if you ask yourself when could it happen, the answer is straightforward: it could happen tomorrow.
Compare this to the shift towards clean energy and renewable resources. This also presents a risk for resource businesses, but what is the timeframe? Very few economies are ready to suddenly turn off the tap on fossil fuels tomorrow. It will happen, but it’s going to take five or 10 years, or more, to get there.
It is a very real risk to the resources industry, and companies need to dedicate time to assessing it, but they don’t have to come up with a solution by the end of the month.
You then combine your timeframe data with velocity. By which I mean, for each risk, you look at ‘how fast will it happen?’. Will the consequences emerge immediately? Or will it be a slower burn?
In the market concentration example, you would say that risk has a high velocity. It could happen tomorrow and, if it did happen, the impact would be pretty much immediate. Revenue would grind to a halt without a buyer.
In the renewables example, that risk has a slower velocity. The transition from fossil fuels is going to unfold gradually and you’re going to be able to see the ramifications coming.
If you go through this process for your emerging risks, you will automatically gain clarity around your priorities:
Although it is true that the traditional risk management approach isn’t well suited to emerging risks, it doesn’t mean that the traditional approach is broken and needs to be thrown out – and it equally does not mean that these approaches need to be two separate things.
In fact, it is critically important that an ‘apple for apple’ comparison can be made between emerging risks and traditional risks. After all, they are competing for the same finite resources a company has at its disposal.
To do this, the first step is to make sure that the timeframe and velocity scales can be equated to the likelihood or probability scales being used. For example, does a ‘near term’ timeframe and ‘high’ velocity equate to ‘highly likely’?
The second key step is to ensure both the emerging risks and traditional risks are consistently mapped beneath the risk categories from your risk radar.
Once you have ‘broadened and deepened’ your risk radar, and have all your risks mapped to your organizational value chain, you can then move to true enterprise risk management.
Now, you can start to understand where many small things add up to something much greater than the sum of the parts. You can understand the aggregation and interconnectedness of your risks, and what would be likely to cause a domino effect.
Consider the very real impacts now emerging from the COVID-19 crisis. The immediate impacts to people’s health and wellbeing were clear, as are the questions around how to safely return to work. But how much have you considered the macro-system and impacts to the value chain of your business?
Entire countries are now asking themselves how vulnerable they are to overseas suppliers of technology, medicine, food, water, energy or security. Do these same issues threaten your value chain or supply chain? Or do they perhaps create golden opportunities? How does the initial health risk now link to ratings from credit agencies, which in turn link to your ability to access capital to service your debt? How is your overall liquidity risk affected?
From these analyses, you might end up with entirely new, additional risks created. Or, you might totally change your understanding of a pre-existing risk. One of those key questions we posed at the start of this article was ‘what else have we grossly underestimated?’. Once you start doing this type of planning, you can start to discover the answers.
This is also the stage, however, when it becomes difficult, yet again, to know whether you’re chasing shadows or using your resources wisely.
Which risks warrant this extra level of incredibly deep analysis? We’re all used to looking at risks in terms of materiality and most companies have some sort of guidelines in place for what constitutes a material risk – it could be a fatality, a certain trigger point of financial losses, those kinds of criteria.
For this second- and third-order impact analysis, I propose you go one level deeper in terms of determining risk significance. You need to be asking: what can actually kill a company?
What are those five or 10 or 12 risks that, if they eventuated, could really finish a company off?
Those are the ones you need to spend the extra time on, so you can ultimately comprehensively understand your top exposures.
To re-cap, you’ve now reached a position where:
The final stage – looking beyond the focus of this article – is the treatment of these risks. Here, the goal for companies needs to be to think beyond internal controls and compliance.
Again, that method works well for a lot of traditional risk management. But it isn’t that helpful for these kinds of risks. There are no internal controls that will prevent these risks from occurring.
Instead, companies need to think about resilience and preparedness. Ask yourself – did you have a plan to respond to pandemics? If you did, how good was it? If it was good, when did you last test it? Similarly, what could be next? Building off the examples given above, what if your major consumer suddenly became unreliable? Do you have a plan? How good is it? When was the last time it was tested? Organizations test fire drills regularly, but in my experience, they never drill plans for risks that could threaten their very existence.
You can’t be prepared for everything, but being prepared for nothing is not the right answer either. The approach outlined here gives you a practical way to consciously know what you should accept, and to know what you prepare for. This is resilience.
Even better is when you can extend this to consider the upside of risk. How can companies get on the front foot with some of their large strategic risks? What actions can they take to turn disruptive events into opportunities?
Because if you get risk management right, you’ll be ahead of your competitors. You’ll be ready and willing to act when the moment comes along, and you’ll see the potential before everyone else does.
This article was first published in June 2020 by Risk Leadership Network, a global membership network for risk professionals.