Apr 28 2020

The need to identify, measure and mitigate business continuity risks has never been more relevant.

Strategic risks stop businesses achieving their strategic goals – they are the big risks, usually coming from outside the business, that are difficult to anticipate and mitigate for.

Key among them is the risk to business continuity: the ability of the business to continue to deliver its goods or services when the fabric of the business – its people or assets – has been affected by a major external event.

The current coronavirus pandemic is clearly one such major event which has brought into sharp focus the business continuity planning of those businesses which are able to continue to operate during the lockdown period.

Business continuity plans are commonplace in most businesses, and usually involve the technical aspects of running a business, such as making sure that the IT systems and stored data are available and accessible remotely. There are, however, some more fundamental risks to business continuity which are often overlooked until the worst happens.

The biggest risk to any business facing an external threat to its operations is financial – the business simply running out of cash while its operations are disrupted. To mitigate this risk, businesses need sufficient reserves to weather the storm.

Many businesses (and most charities) in the UK live a hand-to-mouth existence with very low levels of cash reserves – usually no more than would be needed to wind down the company, pay off debts and pay redundancy costs, and in some cases not even that.

When something like a pandemic-triggered lockdown occurs, the immediate plan is for as many employees as possible to work from home. But even large multinational companies have found that this is not as simple as it sounds, with emergency investment required in additional hardware such as laptops and increased bandwidth and server capacity.

The first mitigation for business continuity risk is to ensure that there is a “rainy day” fund in your reserves to cover the additional costs the business will face in order to stay operational.

The second mitigation factor is insurance. Make sure you know exactly what is covered, though – many businesses have discovered that they are not insured for the effects of a global pandemic. It may also take time for insurers to pay out so you will need to go back to your cash reserves or make sure you have sufficient borrowing facilities such as an overdraft in place.

Thirdly, you will need to look at your corporate governance arrangements, particularly your articles of association, to ensure that you are legally able to hold board and shareholder meetings electronically. You may need to hold more frequent, shorter virtual board meetings and they will still need to be accurately minuted to record any decisions taken during the crisis period.

The fourth aspect of managing business continuity risk is communication – make sure your staff, suppliers and most importantly your customers are aware of any new arrangements which may apply, even if it is just to tell them that you are still open for business. The ideal is that any changes which are made to the business as a result of a major external event should appear seamless to the customer or end-user. Where this is not possible, communication is vital to minimise the impact to the business.

The increasing reliance on IT systems, software and digital data has meant that most business continuity plans are the responsibility of the IT department, and will in general have little or no visibility at board level – other than to clarify if there is a business continuity plan in place, and whether it has been tested recently.

In fact, business continuity is highly significant in terms of its impact on the delivery of the business strategy and should be considered in detail by the board on a regular basis.

As will be shown by the current crisis, those businesses which have been able to carry on by finding innovative solutions to the delivery of their goods or services are much more likely to be successful post-lockdown – demonstrating the value of looking seriously at the risks facing the business and, where possible, turning them into opportunities and sources of competitive advantage.

First published in Business Reporter https://business-reporter.foleon.com/business-reporter/risk-management-insurance/the-risks-of-carrying-on-regardless/ 23 April 2020

Nov 28 2019

Neil Woodford – cautious, conservative, contrarian, high-risk?

These words could all have been used to describe Woodford’s investment strategy at various times during his slow rise and sudden downfall – and they all give an indication of the degree of risk he was taking with his clients’ money.

It is well established in the investment industry that risk and reward tend to go hand in hand: the greater the risk, the greater the potential return on the investment. That is the positive upside to risk; the downside is that the greater the risk, the more likely it is that investors may lose some or all of their investment.

Risks then are both a source of competitive advantage and a potential threat to success – they can make or break an organisation.

Did Thomas Cook stop taking risks or did they just stop managing their strategic risks?

Not only is it important to recognise that risk-taking is an essential part of building a successful business, it is also important that everyone involved in running a business understands what risks are being taken, how they can avoid the downsides and, more importantly, how they can exploit the upsides.

Successful enterprises, globally, are realising that risks are something to incorporate into their strategy, not something to avoid – they recognise the dangers of standing still and avoiding risks and they have made the cultural shift needed to change their business leaders’ approach to taking more risks and reaping the rewards from the greater opportunities available for bolder organisations.

A good place to start with identifying risks is the Business Plan or overall strategy document for the business – a well written plan should be based on an analysis of the strengths and weaknesses of the organisation and the opportunities available to it and any potential threats to its success.

Although when people think of risks they usually focus on the negative aspects – what can go wrong – it is also useful to think of the ‘positive’ risks presented by opportunities.

Once risks have been identified they can then be prioritised to enable the Board to satisfy itself that the organisation’s risks are being managed effectively with regular reviews and discussion to ensure that the most likely or highest impact risks are kept in sight – there will still be shocks and crises for the Board to contend with but an organisation that has identified and mitigated its key strategic risks will be much better prepared to face them than competitors who have not.

Recent changes in company law and Corporate Governance, in particular the UK Corporate Governance Code, have emphasised the need for companies to have better strategic risk management and leadership of change, to recalibrate their tolerance for well-managed and calculated risk-taking, to improve their capabilities in managing risk, to have better horizon scanning and the ability to address uncertainties and emerging risks, to place more emphasis on culture and behaviour and for their boards to focus on the things that matter with clear ownership/accountability for risks.

The culture and behaviour of the CEO and the Board with regards to risk is key to ensuring effective decision-making, which drives the success of the business.

There is a balance to be struck between taking measured strategic risks involving innovation and the reduction or elimination of undesired negative risks – a manufacturing plant cannot totally eliminate the production of faulty components but it can ensure that there is a relatively small number of them and they do not get as far as the final assembly line.

In addition to prioritising strategic risks then, we can introduce the concept of risk tolerance where the Board clearly defines and articulates the acceptable levels of risk that it will tolerate. This is analogous to the aphorism “not putting all your eggs into one basket” – a prudent Bank, for example, would not attempt to transfer all its customers from one software platform to another over a weekend – instead it would use pilot phases using batches of customers to ensure all wrinkles were ironed out before undertaking a mass migration of customer accounts.

Oil exploration is inherently a risky business, but it was the mismanagement of the reputation risk by CEO Tony Hayward which caused the most damage to the organisation rather than the environmental risk.

The speed with which crises go viral on social media means that it is reputation risk which is far more likely to impact on an organisation’s strategy than financial or environmental risks by themselves. The U.S. investigation commission attributed the Gulf of Mexico disaster to BP’s management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”

This evaluation of the cause of the failure could equally well be applied to the failure of many financial institutions during the 2007–2008 credit crisis or Volkswagen and the ‘Diesel Gate’ scandal or indeed any of the high-profile corporate collapses that have occurred in the last few years.

Traditional approaches to risk management use formulaic analysis tools and rules-based systems to produce a risk-register and assurance framework where the Board’s discussion focus is too often on the numbers created by the estimates of likelihood and impact rather than the nature of the risks themselves.

Operational risks, which usually arise from internal causes or known external factors, can be mitigated by using a rules-based treatment which ensures that appropriate policies, procedures and employee training are in place.

Strategic risks on the other hand are much more likely to involve unknown or unknowable factors and therefore require a different approach.

We also see this in the financial sector with regulation and compliance, which is very similar to the management of strategic risks. Going from the familiar to the unimaginable is easier than just thinking of catastrophic outcomes as abstract risks.

These new ways of categorising risk enable Boards to decide which risks can be managed through a rules-based model and which require alternative approaches.

Key to successfully managing existential strategic risks is the ability of the Board, its executives and non-executives to engage in open, constructive, discussions about managing the risks relating to strategic choices and embedding the treatment of those risks in their strategy formulation and implementation processes.

Most importantly for organisations this includes identifying and preparing for non-preventable risks that arise externally to their strategy and operations such as significant swings in global markets, trade wars and global conflicts.

Taking Donald Rumsfeld’s Known knowns, Known unknowns and Unknown unknowns, we can map those to the three main types of risks that organisations face: preventable risks, strategic risks and non-preventable risks.

Preventable risks are the internal “never events” that are controllable and should not be tolerated. A risk-based approach to running a business involves having an open management culture with clear recognition of the risks, mitigations and assurances needed to enable all employees to play their part in the company’s success.

There is also a need for Boards to learn from their mistakes – the Banks that failed in the 2007-2008 financial crisis had relegated risk management to a compliance function with their risk managers having limited access to senior management and the Board, whereas the Banks that survived such as Goldman Sachs and JPMorgan Chase had strong internal risk-management functions and leadership teams that understood and managed the companies’ multiple risk exposures.

The future of risk and risk management will be a continuation of the trend to make consideration of strategic risk a key element in the development of corporate strategy – recognising its importance as a source of competitive advantage and a means to avoid the dramatic corporate failures that seem to be occurring with increasing regularity.

First published in Business Reporter Online • November 2019


Jul 09 2019

Risk in business is inevitable – in fact it is essential. A business which does not take commercial risks will not grow, and a business which does not grow is doomed to decline.

Yet, by and large, people in business, as in life, are risk averse, seeking where possible to follow the path which provides the lowest perceived risk.

That is not to say that business leaders should behave recklessly, taking unnecessary risks with little regard to the consequences. Rather, they should take managed risks, and it is the job of the board to ensure that the risks are managed robustly and rigorously.

Businesses need to identify the risks that they face, think of ways in which they might reduce the impact of each risk on the operation of the business and prioritise their focus onto the risks with the highest likelihood of occurrence and the greatest impact to the business.

Strategic, or enterprise, risks are the overarching risks the business takes when it sets or modifies the direction of travel of the business.

With the advent of the internet, social media and digital marketing, the main risks businesses face are no longer purely financial – business failures are much more likely to occur because of reputational, environmental or security risks.

Boards need to satisfy themselves that the business’s risks are being addressed effectively and that they have the expertise available to identify, mitigate and manage risks which are far more important today than they were two decades ago.

As we have seen, businesses which have gained significant market share by delivering innovative products or services can have their share values decline dramatically through an ill-considered tweet (Elon Musk and Tesla) or misuse of customers’ data (Mark Zuckerberg and Facebook) – reputations which have taken years to make can be lost almost immediately, and many boards are ill-equipped to build the reputational resilience for their businesses to survive in the digital age.

Cyber-security is also now a very real threat to the livelihood of many businesses, and it is not just a technical issue. Boards are investing in new technologies such as blockchain and artificial intelligence to supplement their use of cyber-security consultants, penetration testing and ethical hacking to make their data systems more secure, but unless they also tackle their internal security processes there is still the possibility that a disgruntled employee or sub-contractor will leak sensitive data to competitors or publish it on the internet.

We have also seen the rise of state-sponsored cyber-threats which have further damaged the reputations of companies such as Facebook and Twitter, where fake accounts and targeted advertising have been used to influence voters in recent elections.

In addition to these reputational and security risks, boards are also having to contend with the external risks brought about by volatile financial markets. Brexit in Europe and the threat of US trade wars have led to wide fluctuations in world markets and currency exchange rates, which can have highly significant and often detrimental effects on global supply chains – and even if businesses are not directly affected the associated loss of consumer confidence can have wide-ranging consequences.

My experience, based on working with boards of businesses in many different sectors, is that board members are often unprepared or ill-equipped to deal with these strategic or enterprise risks, and chairs should question the make-up of their boards and the effectiveness of the way those boards deal with risk.

Boards often fear articulating risks in the mistaken belief that somehow this will guarantee that they will happen. The reverse is closer to the truth – failure to recognise risks means that the business is not ready to address them and has not put in place the measures, controls or mitigations to eliminate or minimise the effect of the risks.

Risks are also not always negative, and a business that is on top of its strategic risk governance can turn a risk into an opportunity at the expense of its competitors.

If businesses are to avoid the dramatic failures that we have seen with companies such as Carillion, House of Fraser, Patisserie Valerie and, most recently, Debenhams, then their boards need to invest in the expertise to enable them to identify, understand and manage the key risks that they face in the first half of the 21st century.

First published in Business Reporter Future of Risk Issue