Roads to Resilience

Strategy, tactics and operations

Leadership and governance

Whilst many organisations concentrate on putting measures in place to mitigate risks that they have already experienced, they tend to ignore those that came close to causing a problem. The case study organisations, by contrast, recognise the important learning that can come out of considering such types of events. AIG identifies, reports and reviews situations where a risk (and related loss) was narrowly averted. The near-misses are reported up to the board and are investigated to ensure that the organisation learns from these situations. Similarly, AIG aims to learn from the situation where several different small risks can accumulate into something significant. This relates to becoming aware of and responding to the ‘weak signals’ that can indicate that a significant adverse change is about to occur. At Drax, identifying potential risks and communicating them is actually incentivised: “We award vouchers for people who put in near-misses … it is about the accolade of receiving the voucher, it gets publicised with people talking about it” (Generation Manager, Drax). Safety ‘near-misses’ are photographed and the story of how they occurred is documented. The benefits of visualisation are obvious – “because people can relate to pictures” (Generation Team Section Head, Drax). The real value of near-miss reporting is that it also has a predictive angle: “We have got safety statistics and we look at near-misses, they are allocated to plant areas, we look at the safety triangle, if you’re getting lots of near-misses then it is likely that you’re going to have a hit” (Generation Manager, Drax). Over the past two decades, organisations have become more customer-centric, with greater market orientation. The case study organisations are no strangers to this change. This shift has brought with it a revised approach to risk, risk management and resilience, based on market intelligence and measurement of customer satisfaction. It also demonstrates the link between the risk radar, relationships and networks and the review and adapt principles. Zurich Insurance now gathers new types of data and consequently takes a less mechanistic and more holistic approach to understanding risk and resilience. This includes using behavioural data as a way of defining customer segments, rather than relying on ‘cruder’ risk assessment techniques such as credit scoring. This broader approach provides information that can be used to refine strategy, brand management and reputation. Information also becomes available to enable the organisation to develop more successful tactics to implement the selected strategy.

In the ‘ Roads to Ruin’ report, it was found that organisations that experienced problems had a risk information ‘glass ceiling’ hindering the flow of risk information to the board, resulting in board risk blindness. The case study organisations in the ‘ Roads to Resilience’ research appear to have learned from the deficiencies of others and dealt with this problem. At Zurich Insurance, this problem is avoided by a number of approaches. The philosophy of ‘management by walking about’, for example, is an integral part of the way resilience is built into the day-to-day behaviours across the organisation: “It’s an opportunity to connect the top to the bottom of the organisation – it’s about having a real rapport and connectivity with the people that ultimately make up the business” (CEO, UK General Insurance, Zurich Insurance). AIG’s experience from the 2008 crisis had a profound effect on the way it manages its business and particularly on the leadership needed in the management of risk. One of the lessons learned is that the board and executive teams view managing the risks to which the organisation is exposed as one of their most important tasks. The organisation’s CEO, Bob Benmosche, introduced a monthly risk committee meeting, chaired by himself, that brings together the business unit heads, the head of actuarial, head of audit and head of risk management to discuss the main risks “We lay out an agenda of all the things we think are the topical risks, the risks of the month and then we go through and say what do we need to do to deal with them” (CEO, AIG). The case study organisations have also reviewed and adapted their risk management structure to ensure that these are contemporary and up to the job. For example, AIG has reviewed the controls it has to deal with risks and ensures these are fit for purpose. “ We are trying to do this at various levels, we are constantly reviewing the controls we have at business level and provide a regular governance approach within the executive level. We are always trying to improve our control indicators to see clearly that the controls we have implemented are working and within a timescale and that allow us to make key decisions if required ” (Managing Director, AIG UK).

62

Section 6: Resilience Principle No 5: ‘Review and Adapt’