Roads to Resilience

much more difficult to manage from a risk perspective. Reputation, for example, can be arduous to build but can be rapidly and irrevocably destroyed by a broad range of events or scenarios within a business and its extended network. Organisations are recognising this and re-focusing their risk management as illustrated by the following quote from one case study: “ The purpose of risk management is to champion and protect the trusted reputation of IHG and its brands ” (SVP Head of Global Risk Management, IHG) 4 . Brand may be more important for some organisations than others. However, every organisation faces the challenge that its reputation can be seriously damaged if a crisis arises and is not dealt with quickly and appropriately. In the era of social media, news travels almost instantaneously and it cannot be contained. Too many organisations have yet to adapt their risk management approach to this new and changing environment. For risk professionals, the range of assets that need to be protected and utilised is broader than previously. A corollary of this is that risk departments cannot always predict and manage every risk. Rather, the risk function must find ways in which to support and encourage other departments to take full responsibility for managing their own risks, whether they are strategic, tactical, operational or, increasingly, reputational. This is a leadership and facilitation role, but that does not mean it is a simple one, as it depends on an organisation having a culture that embraces risk management and supports the achievement of resilience. The role of risk professionals must evolve from managing risk to helping build the capability of an organisation to become resilient. Risk professionals need to develop business skills in addition to their technical and specialist expertise. The implications for boards are different as their remit is more strategic, while still needing to ensure governance of tactical and operational issues. Boards also need to be more aware of the importance of risk culture. Risk considerations may not be explicit, but boards should ensure greater focus and more analysis of risks in setting strategy, developing tactics, monitoring operations and maintaining oversight of decision-making. Boards need to become more engaged with the resilience agenda and take proactive actions to ensure that business enablers are enhanced to include effective resilience activities. Implications for risk professionals and boards

Although each of the case study organisations operates in a different business environment and has taken a very different approach to pursuing resilience, the research identified some commonalities. For example, the capabilities of everyone within the organisation are harnessed, together with those of key stakeholders, to develop a comprehensive but adaptable approach to risk management. Similarly, each of these organisations has a culture in which everyone has increased risk awareness and fully understands the importance of risk management. Thus, these organisations can be said to be ‘bristling with risk awareness’. To achieve such a level of risk awareness, the case study organisations have taken risk management from a position where it is perceived as only the responsibility of a specialist function, to being integrated throughout every part of the organisation and beyond. Such a change requires risk professionals to take a broader role than they are traditionally used to, or tasked with. Similarly, board members need to take a different attitude to risk and risk management if they want to make their organisations more resilient – that is, more able to deal with the many issues that can negatively impact the success and reputation of an organisation. The array of challenges facing risk professionals and board-level executives is highlighted throughout this report. A major challenge facing risk professionals and boards is the growth in the scope of risk management. Previously, risk management was focused on loss prevention, protecting people and physical assets, ensuring that, for example, manufacturing operatives were safe and quality products could be delivered. Audit and compliance activities were central to this approach. However, as the remit expanded to a wider array of commercial risks, the discipline of risk management developed tools and approaches to identify and deal with key issues, such as matrices to assess the probability and impact of different types of risk and recording the results in risk registers. In resilient organisations, risk management extends beyond physical operational risks to include commercial delivery risks and longer-term risks to strategy, tactics, the business model and reputation amongst stakeholders. Existing risk management tools have been modified and extended to apply to the service industries, although aspects such as the customer experience are less tangible and harder to manage. In recent years, the customer experience, brand and reputation have emerged as key assets for organisations. These intangible assets are Broadening scope of risk management

4 Quote taken from IHG case study, see Appendix A. The other case study organisations had an equally strong focus on reputation.

17

Roads to Resilience: Building dynamic approaches to risk to achieve future success