INDUSTRY VIEW

What’s the risk? An inconvenient necessity or a source of competitive advantage?

by David Doughty, Chief Executive, Excellencia Ltd

It is well established in the investment industry that risk and reward tend to go hand in hand – the greater the risk, the greater the potential return on the investment. That’s the positive side to risk – the downside is that the greater the risk, the more likelihood there is that investors may lose some or all of their investment.


Risks, then, are both a source of competitive advantage and a potential threat to success – they can make or break an organisation.


Did Thomas Cook stop taking risks or did they just stop managing their strategic risks?


It’s not just important to recognise that risk-taking is an essential part of building a successful business. It’s also crucial that everyone involved in running that business understands what risks are being taken, how they can avoid the downsides, and, more importantly, how they can exploit the upsides.


Successful enterprises worldwide are realising that risks are something to incorporate into their strategy, not avoid. They recognise the dangers of standing still and avoiding risks, and they have made the cultural shift needed to reap the potential rewards of taking more, not less, risk.


A good place to start with identifying risks is with a business’s overall strategy document or business plan – a well-written plan should be based on an analysis of the strengths and weaknesses of the organisation and the opportunities available to it and any potential threats to its success.


Although when people think of risks they usually focus on the negative aspects – what can go wrong – it is also useful to think of the positive aspects of risk, and the opportunities it can present.


Once risks have been identified they can then be prioritised to enable the board to satisfy itself that the organisation’s risks are being managed effectively, with regular reviews and discussion to ensure that the most likely or highest impact risks are kept in sight. There will still be shocks and crises for the board to contend with, but an organisation that has identified and mitigated its key strategic risks will be much better prepared to face them than competitors who have not.

Recent changes in company law and corporate governance, such as those made to the UK Corporate Governance Code, have emphasised the need for companies to have better strategic risk management and change leadership. They must recalibrate their tolerance for well-managed and calculated risk-taking, improve their capabilities in managing risk, have better horizon scanning and the ability to address uncertainties and emerging risks, place more emphasis on culture and behaviour, and their boards need to focus on the things that matter with clear ownership and accountability for risks.


The culture and behaviour of the CEO and the board with regards to risk is key to ensuring effective decision-making, which drives the success of the business.


There is a balance to be struck between taking measured strategic risks involving innovation and the reduction or elimination of undesired negative risks. A manufacturing plant cannot totally eliminate the production of faulty components, for example, but it can ensure that there is a relatively small number of them and they do not get as far as the final assembly line.


In addition to prioritising strategic risks then, we can introduce the concept of risk tolerance where the board clearly defines and articulates the acceptable levels of risk that it will tolerate.


In other words, don’t put all your eggs into one basket. A prudent bank, for example, would not attempt to transfer all its customers from one software platform to another over a weekend – instead it would run pilot phases, using batches of customers to ensure all wrinkles were ironed out before undertaking a mass migration of accounts.


Introducing new products, services or technology, or addressing new markets all require risk tolerances to be set and monitored in order that the board can be satisfied of the likely success of the strategy before an unacceptable level of expenditure has been reached or the organisation has been exposed to an unacceptable level of reputational risk.

As a general rule, the higher the level of risk, the greater the number of monitoring and decision points that are needed to allow the board to proceed with the strategy. HS2, for example, has already cost £7 billion, even though there is a high chance that it will be cancelled due to spiralling final costs – more monitoring and decision points would have limited the spend on HS2 and reduced the financial and reputational risks to the project.


Taking or managing identified risks involves costs to the organisation, so the board needs to rank risks in order to focus the organisation’s resources on managing them with the highest likelihood of occurrence and the greatest potential impact to the organisation.


There should be relatively few strategic risks for the board to focus on and it should not be too arduous a task to review the risks at each board meeting – they should be used to shape the board’s agenda as they are inherently linked to the performance of the organisation.


Operational risk management is the responsibility of the executive and the senior management team. The board needs assurance that the operational risks are being managed and that there is alignment with the strategic risks.


BP is now worth half of what it was in 2010, when the Deepwater Horizon oil rig explosion caused one of the worst man-made disasters in history. Oil exploration is inherently a risky business, but it was the mismanagement of the reputation risk by CEO Tony Hayward which caused the most damage to the organisation, rather than the environmental risk. The US investigation commission attributed the Gulf of Mexico disaster to BP’s management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”


The speed with which crises go viral on social media means that it is reputation risk which is far more likely to impact on an organisation’s strategy than financial or environmental risks by themselves.


This evaluation of the cause of the failure could equally well be applied to, for example, the failure of many financial institutions during the 2007-08 credit crisis, Volkswagen and the “Diesel Gate” scandal, or indeed any of the high-profile corporate collapses that have occurred in the last few years.


Traditional approaches to risk management use formulaic analysis tools and rules-based systems to produce a risk register and assurance framework, where the board’s discussion focus is too often on the numbers created by the estimates of likelihood and impact rather than the nature of the risks themselves.


Operational risks, which usually arise from internal causes or known external factors, can be mitigated by using a rules-based treatment which ensures that appropriate policies, procedures and employee training are in place.


Strategic risks, on the other hand, are much more likely to involve unknown or unknowable factors and therefore require a different approach.


We also see this in the financial sector with regulation and compliance, which is very similar to the management of strategic risks. Ever-increasing regulations and the excessive costs of compliance are severely impacting the ability of banks and financial institutions to address the rapidly changing needs of customers, while at the same time having very little impact in reducing fraud, financial crime or money laundering.


Rather than continuing to produce more rules and regulations, the alternative approach, as adopted in the case of GDPR and health and safety, is to have a regulation-light regime with punitive fines and even prison sentences for the worst infringements.


For strategic risks, then, the corollary to that approach is to not worry about the causes or likelihood of external, uncertain risks but to concentrate on limiting the impact of the risks themselves.


As reputational risk is potentially the most damaging category of risk, because it can destroy the value of the organisation entirely, many organisations are focusing on ensuring that their communications and crisis management strategies are in place and regularly tested via simulation.


Pre-mortems are a useful tool for boards when considering their strategic risks. The technique imagines a scenario – say, that the liquidator has just been called in – then examines how the company could arrive at that scenario from where it is now, and what could have happened to cause such a situation. Going from the familiar to the unimaginable is easier than just thinking of catastrophic outcomes as abstract risks.


These new ways of categorising risk enable boards to decide which risks can be managed through a rules-based model and which require alternative approaches.


Key to successfully managing existential strategic risks is the ability of the board, its executives and non-executives, to engage in open, constructive, discussions about managing the risks relating to strategic choices, and embedding the treatment of those risks in their strategy formulation and implementation processes.

Most importantly for organisations, this includes identifying and preparing for non-preventable risks that arise externally to their strategy and operations, such as significant swings in global markets, trade wars and global conflicts.


George W Bush’s defence secretary Donald Rumsfeld famously talked of “known knowns”, “known unknowns” and “unknown unknowns” during the weapons of mass destruction controversy that led to the Iraq war in 2003. We can map those to the three main types of risks that organisations face: preventable risks, strategic risks and non-preventable risks.


Preventable risks are the internal “never events” that are controllable and should not be tolerated. Avoidable deaths in hospitals should never happen, for example.


The usual cause of preventable errors is that procedures, policies and staff training are either not in place, are inadequate or are not being followed – in extreme cases they are the result of fraudulent, illegal or unethical actions by employees.


By definition, preventable risks should have a very low or zero tolerance as they are, at best, an unnecessary cost to the organisation and at worst a possible source of a much greater failure – particularly if reputation or brand are negatively impacted.


Strategic risks, on the other hand – the known unknowns – are an inherent part of doing business. Without them, businesses stagnate and eventually decline. Banks, for example, take strategic risks when they lend money to customers.


Strategic risks do not lend themselves to a rules-based control model. The aim is not to reduce or eliminate them, it is to manage them in order to achieve the benefits of the adopted strategy.


What is required is a full understanding of the risks that are being taken, and a coherent system to monitor those risks and ensure that they continue to be inside the acceptable risk tolerance. This means that the board has to be comfortable living with a certain degree of uncertainty, ready to take immediate and decisive action if required, to bring the strategy back on track.


Then we have earthquakes, hurricanes, extreme weather conditions, trade wars and sanctions, all examples of external risks that businesses have no control over – they are the unknown unknowns.


As they are neither preventable nor created by the company’s strategy, these risks can only be managed by identification and preparation. A business with thorough, well-tested business continuity and crisis management plans is much more resilient in the face of natural and political disasters and major macroeconomic shifts.


Despite the fact that there are tried and tested tools and techniques available for the management of these different types of risk, there are still many boards who find thinking and talking about risk uncomfortable until it is too late to do anything about it.


Close inspection of any of the recent dramatic corporate collapses, such as those of Thomas Cook, Debenhams or Carillion, will show that the warning signs were there many months before the companies’ actual demise. Going back to the financial crash of 2008 and the fall of Northern Rock, analysts had warned that the business models were unsustainable. So why did the boards of these companies seemingly just carry on regardless?


Whether it is ignorance, arrogance or just sheer incompetence, the common factor in these corporate catastrophes is a failure of the board to identify, manage and mitigate the strategic risks. Not only did they take their collective eyes off the ball, it is often unclear whether they actually knew which game they were playing in the first place.


Lack of board diversity is also a factor, with boards often guilty of groupthink, and reinforcing their commitment to a failing strategy without having the will to challenge it or change direction.


A diverse board, with members from other sectors and different backgrounds, is more likely to question actions and challenge its executives, drawing on their backgrounds, experiences and values to recognise when a change to the adopted strategy is required.


Nowhere is this lack of ability to address strategic risks more evident than in a company’s treatment of whistleblowers – something that has been reported as particularly bad in the NHS, where staff highlighting bad practices are often hounded out of their jobs and prevented from ever working in the NHS again, rather than being congratulated on bringing the issues to the attention of management to be dealt with effectively.


With the increasing emphasis on an organisation’s culture and values comes the need for business leaders to embrace risks, rather than trying to avoid them or deny their existence. A risk-based approach to running a business involves having an open management culture with clear recognition of the risks, mitigations and assurances needed to enable all employees to play their part in the company’s success.


There is also a need for boards to learn from their mistakes. The banks that failed in the 2007-08 financial crisis had relegated risk management to a compliance function, with their risk managers having limited access to senior management and the board, whereas the banks that survived – such as Goldman Sachs and JPMorgan Chase – had strong internal risk-management functions and leadership teams that understood and managed the companies’ multiple risk exposures.


The future of risk and risk management will be a continuation of the trend to make consideration of strategic risk a key element in the development of corporate strategy – recognising its importance as a source of competitive advantage and a means to avoid the dramatic corporate failures that seem to be occurring with increasing regularity.