It’s time for a risk management reality check

Risk is unavoidable, and it’s everywhere. 

As individuals, we learn how to live with it, establishing boundaries that define who we are. 

In business, management has the task of inherently establishing risk tolerance and a risk management framework for an organization, identifying, categorizing, prioritizing, and putting systems and processes to mitigate risk. In turn, the Board focuses on the significant risks, providing the necessary oversight and direction that helps the leaders and employees understand how to proceed and operate with integrity, preserve the company’s reputation, and maintain all of the necessary regulatory compliance.  

But here’s the thing about the new reality of today’s risk management, you can’t treat the risks as something static and liberally apply formulaic solutions that will make them go away. You also can’t play a waiting game hoping that things will go back to the way they were before the pandemic. If that’s your game, you’re going to be left behind.

There’s been a significant categorical shift in risk focus over the past six years

What organizations need now is a Board of Directors experienced and knowledgeable about the complexity and diversity of risks that continue to emerge based on the focus of today’s reality for investors and consumers. The World Economic Forum’s Global Risks Report surveys a wide range of people to take the temperature of where people’s concerns lie. For example, the 15th Edition of The Global Risks Insight Report for 2020 assigns risks to one of five main colour-coded categories: Economic, Environmental, Geopolitical, Societal, and Technological.[1]

Between 2007 and 2014, economic risks commanded a significant amount of attention globally, and as a result, much more focus what dedicated to managing those risks.

However, it’s been environmental, geopolitical, societal and technological risks that have completely dominated the global risk landscape for the last five years. Has your organization recognized and been responsive to this shift? Do your risk management strategies that are currently in place align with this shift in focus?

And now, the reality check

In early 2008 I was engaged with an organization that created carbon calculators that we sold to early-adopting companies concerned about their environmental footprint.  From first-hand experience, the sale to corporate Canada at this time was a tough one.    

It’s now a dozen years later. Seeing the trends towards ESG, hearing about exposures and potentially devastating impacts should be a wake-up call for companies and their Boards. Companies have to consider if their Boards are equipped with the necessary expertise to cover all angles in this environment. 

With the pervasive nature of social media, Boards today are facing incidents that could happen in the blink of an eye.

Think of the number of companies in recent years who have faced extreme vulnerability and heightened anxiety because of cyber-crime breaches:  SolarWinds, Facebook, and LifeLabs, to name a few. There have also been increasing frequencies of ransomware attacks on public and private sector organizations. Alarmingly, many of these exposures are not being reported regularly during the pandemic. When they are leaked to the public, they could result in a crippling loss of consumer trust. 

We’ve also been living in an era where because of Public Health regulations, businesses deemed non-essential have been forced to introduce e-commerce platforms rapidly so they can continue to operate. But, in their quest to stay in the game and offer online shopping, take-out and curbside pickup, are they completing a full evaluation of how safe, secure, and stable their chosen software is? 

The truth is, we’re living in an age where IT security is not the only area demanding urgent attention. Supply chains, attracting and retaining top talent, and even organizational health are concurrent exposures that are all bubbling to the surface.

Lack of expertise in any and all of these areas could mean that your organization is on the precipice of crises that give PR, Legal and Compliance teams nightmares. 

Getting ready to act

Given the seriousness, urgency and growth potential of these new risks, what is an organization to do?

1. Examine your Board charters and update them. Now.

Analyze them and look for distractions and dissonance. Historically, Audit committees alone bore the burden of risk ownership. With the shift from Financial to Non-financial, a dedicated committee is warranted to supplement the oversight of the complexities of ESG risk. Board Charters delineate the ownership of appropriate oversight. The world has changed, and we need to redefine risk. Involve people with the right competencies, expertise, experience, and education who can offer the required dedication, research, inclusivity and prioritization. Sometimes, a consultant is an excellent investment to get tactical since they are bound by focus and precision. They maintain the right amount of distance to avoid becoming mired in trying to do too much. Have them do the heavy lifting to make decisions more rapidly. The most important thing is to ensure everything is viewed under the ESG lens. Your updates will allow you to spread the risk and determine the response:  avoidance, transfer, mitigation, or acceptance. 

2.  Create a comprehensive map of your organization’s risks and find the hot spots.

Responsiveness demands that management’s time is invested in creating a risk map that acknowledges the rapidly developing slate of influences and assesses both the likelihood of the risk occurring and the impact it could have. Determining the major risk factors that will carry forward into the 2020s and how these will relate to the business is paramount. There will be a natural tendency to focus on risks associated with finances, operation, strategy, compliance, reputation, third-party involvement, and corporate culture. But sustainability, environmental, social, and governance risks need to be included and prioritized. 

3. Ensure that the Board understands the key risks they need to focus on to act.

A Director needs to have insight, foresight and oversight to be effective. As we’ve seen in the World Economic Forum report excerpts, your Board Members need new a whole new set of skills and competencies to make an impact. Consider what the organization should look like over this decade. What will exemplify that insight? Bring the right people with the proper knowledge to the discussions to propel the Board with purpose.  It may mean seeking new expertise. It could also require assessing the most desirable traits that Board Members need – courage, competency, and curiosity – to effectively manage their oversight accountabilities. If your Board Members cannot act and lack the knowledge and deep understanding of the risk issues, there’s a higher probability of failure. You must get tactical to invigorate the Board and be proactive, not reactive.

4. Look at risk as part of a hierarchy and over a continuum  

Committees play a distinct role in risk management, which can bring clarity to the decision making process. 

• The Audit Committee looks to actions in the past. They pass judgement on fairness and can offer confirmation of results. 
• The Compliance Committee is grounded in the present. They focus on what is happening now and ensure adherence to policies, laws and regulations. They also must monitor compliance with your organization’s Code of Conduct, an important risk management element. 
• The very nature of risk means that it anticipates the future. Your entire Board needs to be forward-looking, anticipatory, and operate with unparalleled responsiveness to protect the organization and influence every leader and employee’s actions.

Full-circle sustainability 

The last part of this reality check recognizes how sustainability wraps around all of the work that Boards are involved with today. As the driver for all risk management activities, sustainability influences growth potential and helps an organization keep the lights on. If it’s not top of mind, then your board cannot be successful in its responsiveness, and it will lack the resiliency necessary to succeed. You can’t ignore stakeholders’ influence, nor can you avoid the global community’s evolving expectations. Isn’t it time for you to retool your board matrix to fill in the necessary competencies for the future, which is clearly now? 

[1] World Economic Forum, (15 January 2020), The Global Risks Report 2020. Figure 1:  The Evolving Risks Landscape, 2007-2020:  Top 5 Global Risks in Terms of Likelihood, Top 5 Global Risks in Terms of Impact.  Retrieved from https://www.weforum.org/reports/the-global-risks-report-2020