• A more agile approach to risk management is needed post-COVID.
• Annual risk assessment should make way for continual 'horizon-scanning' for possible business threats.
• This level of preparedness and planning should permeate entire company cultures.
Operating a diversified business portfolio in developing regions means facing a variety of daunting uncertainties – and that was before the current pandemic. These range from global mega-trends and macroeconomic unknowns to geopolitical shifts, regulatory changes, business-model evolution and digitalization, to name just a few.
Surrounded by this heightened uncertainty, a company’s ability to survive, and thrive, has to be built from within. These foundations cannot be created on the spot when the enemy is already at the gates, or the opportunity is so obvious that any market player could capture it. Everything starts with the financial health of the company and the baseline viability of its business model; you need to have your risk framework already working. But these are challenging times: In 2020, more than 50 billion-dollar companies filed for bankruptcy in the US alone.
It will be hard to manoeuvre if you have already stretched your payment cycles, are losing customers on a good day, or are close to hitting your loan covenants. More agile approaches to enterprise-wide risk and crisis management are urgently needed.
The response, for many companies, has traditionally been to list potential challenges in annual risk assessments. They might appear on a matrix, located somewhere on the “impact” and “likelihood” axes, as if anyone truly has a crystal ball that can pick the exact nature of events before they unfold.
This approach looks increasingly outdated. COVID-19 has cut across traditional risk categories, from supply-chain failures and digital disruption, to workforce shortages, cybersecurity and, of course, health. A global pandemic might previously have sat in the low-likelihood corner of the matrix. But given the wide-ranging implications of this kind of event, can we really put it – and other such uncertainties – into boxes one by one, in isolation, and only consider the downside, just once or even twice a year?
Is it really acceptable to do so outside the core decision-making agenda of the company, as a pure governance activity? Reform is urgently needed, and this is the moment to seize the opportunity.
1. In a world of accelerating challenges, static annual documents need to make room for continuous horizon-scanning for early indicators of change and associated timelines for action. This calls for a data-driven strategy, adjusting not only processes but culture too. As Arthur D. Little puts it, the goal is “a value-based, dynamic risk management approach”.
2. Risks and opportunities must be assessed holistically. Events rarely emerge from nowhere and disappear without making waves; they tend to have a complex web of potential causes and wide-ranging consequences. Intelligence on these should be gathered by a cross-functional team of experts, both plugged into the C-suite and interacting regularly with the front line.
3. These insights should feed directly into strategic planning, financial forecasting and investment feasibilities, as well as the way decisions on business models and capital allocation are made. This kind of decision support tends to be more effective when risks are linked to underlying assumptions and their impact ranges are captured in quantified terms.
4. While plans may need to change in turbulent times, making them is still valuable. Planning for continuity and effective crisis response brings key stakeholders together to consider alternative realities and escalation patterns. This is helped by close alignment across an organization, from shareholders, to board level, to our executive leadership, down to business planning and the capital decision framework.
5. As the saying goes, culture eats even the best of intentions for breakfast. As McKinsey observes: “Many of the costliest risk and integrity failures have cultural weaknesses at their core.” Nurturing and rewarding open, healthy debate on risks and risk-taking is critical. A strong tone at the top is the beginning, but the desired culture has to be lived through each day at all levels of management, reflected in decisions around hiring, rewards and misconduct.
At a time when many businesses are struggling, financial resilience has a crucial role to play in a company’s ability to take on more risk in pursuit of opportunities.
But financial resilience doesn’t end at the front door of your business. As KPMG observes, in an increasingly connected world, additional monitoring of the financial viability of third parties is a must, and can be enabled by leveraging co-relationships and technology to strengthen supply chains.
Indeed, the fact that technology is both a source of and mitigation for risks has been made abundantly clear by any number of COVID-19 trends. In 2020, retailers adapted as 30% more consumers globally shopped online for food and household goods. Businesses also shifted online in vast numbers, for example to videoconferencing, and at the same time faced an extraordinary rise in cyberattacks.
These are just some of the panoply of digital risks that must be addressed. As Deloitte highlights, companies need to proactively evaluate a broad range of digital risks in order to build resilience, from data protection to shifting customer behaviour and supplier disruption. This further strengthens the case for data-driven and cross-functional risk teams who can see the challenges from many angles.
COVID-19 has helped Majid Al-Futtaim become more risk-ready; we have discovered new ways to adapt. For example, at one point we reskilled 1,000 cinema colleagues in two days in response to increased demand in our online Carrefour grocery businesses. However, businesses cannot rely solely on events to drive a desired change. Getting buy-in from our teams all the way to the shop floor is essential.
To identify risks, people need to feel free to speak out, and any concerns they have must be investigated. This attitude must extend from the bottom to the top; encouraging mindful, reflective behaviour among leadership is also vital to avoid so-called optimism or confirmation biases, which leave us with a tendency to expect that the risks of the future will be similar to those of the past.
Additionally, empowerment of people and decision-making at the right level enables faster responses, which in a multi-dimensional crisis can make all the difference. As business leaders we must all drive this cultural change through the way we treat and value people. It’s not only staff who will benefit: risks will be lower and profitability higher.
COVID-19 has overturned planning assumptions and expectations for us all. But it will not be the last crisis to do so.
The type of disruption we are living through right now makes it impossible to continue on any previously planned trajectory in terms of risk protection. Everyone has been forced to reassess how to better protect themselves; 2021 is the year to put those plans into action.
Reshaping your risk management may not ensure you can predict the next big disruption. But it will leave you better prepared to deliver a more effective organizational response, whatever comes your way. Uncertainty may be a source of risk, but embracing the uncertainty with clarity and speed of action is the biggest driver of competitive advantage.
Risk is not something you do after the real business; risk management is part of a successful business model.
This article was first published on weforum.org.