With 2020 having thrown up a number of complex challenges for business due to the coronavirus pandemic, Paul Whitney, MD of Stockport accountancy firm Hallidays, discusses five steps a company can make to ensure it is resilient in the face of future challenges and risk-taking.
2020 and the start of 2021 has thrown the need for risk management into sharp relief. But the truth is, companies that embraced it effectively in previous years have undoubtedly weathered the storm better than their competitors.
A strong risk culture enables companies to navigate an unpredictable, fast-changing future – but what are the core elements of dynamic risk management?
We all need to be a bit more nuanced in our approach than simple prevention and mitigation. Risk is not a binary issue, and if we don’t quantify it, we’re merely frightened of shadows.
So it’s crucial to clarify which risks matter most and build a risk matrix scaling from low to high probability and low to high impact – identifying which risks could have the most deleterious effect and mapping out storylines of how the most likely might unfold.
A Dynamic Risk Strategy therefore gives you a precision approach – a layered and shaded risk appetite, informed with key data that tells you exactly how scared to be, why and what can be done about it.
Knowing the power of data and how to harness is one of the key cornerstones of corporate resilience in the modern world. Rich and granular data streams are available both from traditional sources, (e.g. ratings agencies), and non-traditional ones (social media etc), giving us unprecedented visibility.
One global pharmaceutical company used advanced analytics to prioritise clinical-trial sites in quality audits. They identified the highest-risk sites and modelled the most likely risks at each site. Not only has this enabled them to identify problems which would have been missed under their old manual system, but it has also freed up almost a third of its quality control resources.
In whatever field we look, data gives you the power to plan for failure before failure becomes a problem. Predictive analytics can help you foresee component failures and supply shortages, natural-language processing can help mitigate customer complaints, employee allegations, internal communications, and suspicious-activity reports – if you know what problems to expect, data can help you plan for them.
Recognising the limitations of risk analysis enables companies to avoid the pitfalls of being data-driven rather than data-informed. Allowing data to make decisions for you leads to the risk categories becoming the end rather than the means.
The possible permutations of high-consequence, low-likelihood risks is too vast for any company to build an all-encompassing risk model – and reliance on such a thing would be self-defeating, since it would lead to the complacency that all risks are planned for.
As propitious as the data revolution has been, the uncomfortable truth is that multiple risk factors are often impossible to assimilate – causes and correlations are tough to nail down, crucial data can’t always be accessed and past effectiveness is no guarantee of continued success in a kaleidoscopic world. What’s more, you’re dealing with the biggest variable of all – human beings. Leaving honest human error aside, outcomes are also affected by personal preferences, unconscious bias, positive and negative experiences and character traits of those making decisions.
These limitations should not be taken as barriers to risk planning – they’re part of the real world and the same for every company. But they should at least tint the spectacles of the astute risk manager.
Optimising your risk intelligence is one thing. But to react effectively demands agility – which means people dealing with situations on the ground need to react as you would react. So (bearing all the above in mind) you need impart that intelligence to the right people with the right skills and knowledge in real time. Information must be freely available in real time. Your risk managers must be well trained in data, analytics and the relevant technology. You need to build cross-functional teams and authorise them to make rapid whole-business decisions, innovating practices and managing risk on the hoof.
Of course, this demands bravery – but not nearly as failing to put these measures into place.
Who should be on these teams and how they work will be informed by your analysis of the nature, probability and impact of each risk. To deal with rapidly-unfolding, high-impact risks, for instance, you might need to set up fast-track decision machanisms. One way of doing this might be to create specific playbooks, assigning temporary decision-making power and accountability as appropriate.
Most crises are not freak events. Like the COVID pandemic and environmental disasters, they often change the business environment and become part of the “new normal”.
So while a great risk culture enables you to move at speed without breaking things, it must also feed back into the learning loop and changes assimilated into cultural norms. It’s crucial that adopted emergency behaviours are linked with the day-to-day activities, expectations and planned outcomes of the business.
Reporting needs to be fast and formalised. Mistakes have to be analysed. Successes must be built upon and culture and vocabulary need to be organic and fast-growing.