Roads to Resilience

Enabling ‘Risk Radar’ Effective risk radar is achieved by ensuring a high involvement of stakeholders, constant vigilance and avoidance of complacency, as well as creating an environment where everything is challenged and questioned. It is also about ensuring open and effective communication throughout the organisation and its networks to avoid the board risk information ‘glass ceiling’ and the ‘glass walls’ between functional areas that results in board risk blindness. Managers need to consider how each of the enablers of resilience, people and culture; business structure; strategy, tactics and operations; and leadership and governance can be utilised in creating and/or enhancing risk radar . involvement and commitment of all employees. Across all the case study organisations, it is clear that risk professionals work with their board members and senior management teams to create an appropriate resilience culture. Some key examples are provided below, but with the caveat that these approaches should not be viewed as a recipe; some ideas will be relevant and applicable to other organisations, whereas some will not. Generating high involvement in risk management is common to all of the case study organisations. At AIG, risk management is the obligation of every employee and is not allocated only to the risk management function: “ … it is everybody throughout the organisation who is involved ” (Chief Risk Officer, AIG). AIG employees are also encouraged to ask challenging questions of their managers and to raise concerns about possible problems. There is an acceptance at the senior levels that posing difficult questions benefits the organisation and avoids the board risk information ‘glass ceiling’ described in the ‘ Roads to Ruin ’ report that results in board risk blindness. At Zurich Insurance, the organisational culture is based on ‘Zurich Basics’; these encourage openness to the extent that “ good news travels fast but bad news travels faster, but whereas some organisations have a culture of punishing bad news – we almost encourage it ” (CEO Global Life, Zurich Insurance). “You’ve got to have the right combination of control frameworks in place coupled with the right people capabilities and a culture that’s prepared to be open and transparent. The mantra I use is when you identify an issue, flag it up the line first and handle it second … (CEO UK General Insurance, Zurich). People and culture Organisational culture is key to generating the

Communication is considered to be such an important issue that AIG has set up a governance forum “ … to ensure that our communication is effective, our communication is well understood, our communication fits what our staff at different levels expect and our communication is diverse, because there is no one communication [method] which is going to be effective [on its own]” (Managing Director, AIG UK). At Drax, the chronic unease that the organisation maintains makes people more vigilant and one manager explained this as: “ Every day you come to work, you come to work believing that this could be the day you get injured and it is your job to work with the teams, with your supervisor to identify what could injure you and prevent it ” (Engineering and Safety Manager, Drax). With a large number of contractors on site, Drax has also realised that its own risk management culture must be shared effectively with these other organisations. This shows that achieving effective risk radar sometimes requires organisations to look beyond their boundaries and this demonstrates the connection between risk radar and another principle of resilience: relationships and networks . Creating a culture of risk management that enhances resilience is an area that IHG has concentrated on for a number of years and “ from our perspective, the success of a business is based around its culture. I know … it can be a bit clichéd ” (General Counsel and Company Secretary, IHG). IHG has been careful to go beyond the cliché and employee workshops are used to define appropriate behaviours that are summarised in the organisation’s ‘Winning Ways’ 1 . Some of the behaviours that particularly support risk radar are: “ We always look for ways to improve ”; “ we take responsibility and take decisions even when they’re difficult ”; and “ we challenge ourselves and encourage those around us ” (SVP Head of Global Risk Management, IHG). Openness and candour are encouraged and in senior management meetings, the CEO expects everyone to share their viewpoint, even if it is critical. Front-line employees at IHG know that fast communication is critical and this is also the case at Virgin Atlantic. For example: “ When the Mumbai bombings happened, our airport manager in India picked up the phone and told us that these bombs had started going off. Literally within five minutes of that happening, we phoned the information through to a number of UK government departments who at that time were not aware that the event was occurring. Commercial entities have a key role to play in the prompt reporting of global incidents ” (Head of Corporate Security and Resilience, Virgin Atlantic).

1 The complete ‘ Winning Ways ’ document is reproduced in the IHG case study in Appendix A.

28

Section 2: Resilience Principle No 1: ‘Risk Radar’