Roads to Resilience

IHG has invested a lot of time and effort to create a structure that ensures that the recognition of risks is embedded throughout the organisation. With an open system of 4,600 mainly franchised hotels, IHG aims to raise risk awareness, risk capability and culture through its leadership and training. IHG continues to invest heavily in a growing suite of management tools and learning solutions that target different roles in the organisation and address specific and general risk topics. Different corporate functions support this and they meet on a regular basis to decide how to further improve the whole risk management / resilience process. At all of the organisations studied, there is a clear structure for the management of risks. Typically, each area of a business is responsible for creating its own risk register but, in managing their registers, a cross- functional review ensures that no important aspects are overlooked. AIG’s risk registers are reviewed first by the level at which they were generated. Typically, this might be on a monthly basis with input from different functions (for example, a risk management committee and a technical risk committee at Drax). At The Technology Partnership (TTP), risk assessment is focused at the project level and projects are peer reviewed monthly to ensure that all the risks inherent in a highly uncertain R&D environment are identified. At Drax, risk registers are then collated and are overseen by the audit committee. A common feature of the case study organisations is that they do not treat the risk register as a static document, but use it to drive actions to improve resilience. At the Olympic Delivery Agency, a standard reporting format was used to increase the level of vigilance. This showed the status of each project, the current level of risk and the financial impact of those risks. ODA used a scoring mechanism that considered impact on cost, time, reputation and some secondary objectives that allowed them to prioritise their efforts. The risk management method was designed to be proactive and forward looking: “ We encouraged the project managers to keep an active log of what we called ‘Trends and Issues’, so we could see trends emerging and issues arising ” (Chief Risk Officer, ODA). IHG’s strategic risk radar includes extensive use of in- house and external specialists in consumer insights, market research and horizon scanning as shown in a recent publication on future trends in the travel sector in a publication called ‘ The New Kinship Economy’ 2 . Tactically, risk radar includes keeping a finger on the pulse Business structure

of the industry including competitor activities, industry performance metrics and analyst reports. This is combined with internal management information and performance metrics. Operational risk radar is vast and includes IHG’s social media listening and response capability, which is available for all hotels and employs a central team to monitor and respond to customer issues through various social media channels. Within the operational risk radar , IHG also leverages its network of safety and security specialists from hotels across the globe – its ‘eyes and ears’ on the ground. The company works with these risk champions to further embed the right level of risk awareness and specific capability across staff in all their hotels. These internal resources complement a vast number of intelligence sources outside of the organisation and a specialist central risk team to synthesise, assess and onward communicate the incoming risk information. The Major Risk Review is IHG’s process for identifying, managing and ongoing monitoring of the key strategic, tactical and operational risks across the business. This process leverages the extensive risk data available and enables IHG leaders to proactively manage all risks. TTP is an organisation that deals with uncertainty. R&D projects, by definition, have a high level of risk and project schedules are uncertain. To manage project schedules, TTP relies heavily on the experience of its staff. In addition, to keeping everyone vigilant, all project metrics, such as the time required for a particular task, are quoted with a tolerance, reminding those responsible for a project that timescales are estimates that need to be carefully monitored. Risk radar not only scans at the operational level but also at the project and strategic levels. It was found that the case study organisations constantly monitored risks related to their business strategies and main projects. For example, Drax analyses the upside and downside of its chosen business strategy. Similarly, IHG uses a triangular diagram to remind people to think broadly across three types of risks: strategic risks related to the Group’s brands, business model and reputation across key stakeholders; tactical risks that impact the delivery of strategy, commercial targets and plans for change; and operational risks that affect the safety and security of physical assets, people, systems and processes. To support their risk radar , the case study organisations use various processes to facilitate the identification, analysis and sharing of risk information. The tools and techniques used for risk analysis provide information for the risk registers of different areas of the business, which are then Strategy, tactics and operations

2 See http://www.hotelnewsresource.com/article69905.html

29

Roads to Resilience: Building dynamic approaches to risk to achieve future success