How can resilience prepare companies for environmental and social change?

Authors: Lillian Borsa, Peter Frank and Hannah Doran

Why are many businesses struggling with how to manage social and environmental risks? Things like disruption from flooding, crucial materials to manufacturing becoming more and more expensive, struggling to find the right people to grow the business and damage to reputation. The issue is that these are a new, ever-changing breed of risks that need different handling, and risk management approaches haven’t evolved as fast as the changing risk landscape. Consequently, business has trouble identifying, monitoring and managing these new risks effectively.

Risk managers are left to deal with social and environmental risks that are less familiar to them. Even if some risks appear to be certain, the extent of the change, its impact and time horizon are all unknown. This is often not handled well by traditional approaches to risk assessment taken within many enterprise risk management (ERM) programmes. Risk executives and audit committees don’t always have adequate tools to determine the business implications of social and environmental dynamics and include as part of their mitigation strategy.

The good news is that sustainability executives, experienced in monitoring global mega-trends, do have a great deal of knowledge about environmental and social risks. However they don’t always express issues in the language of risk executives, or as risks that fit well into the ERM process. The result is a language barrier between sustainability management and risk management. It’s a barrier that prevents these valuable bases of knowledge creating synergy for their businesses — especially as, more often than not, they are disconnected processes.

Just a year after Hurricane Sandy hit the Eastern United States, Typhoon Haiyan ravaged regions of the Philippines leaving thousands dead and communities destroyed in its wake. It seems like every week, somewhere in the world there is another extreme weather event and we are reminded again that we are living in a world of heightened and changing risks. Resource scarcity, demographic shifts, technological breakthroughs, shifts in global economic power and accelerating urbanisation are all global mega-trends that are increasingly appearing on the business radar screen as sources of emerging risk.

However, there’s growing sentiment that these emerging risks can no longer be classed as “emerging.” They are today’s risks — causing costly disruptions and posing near-term commercial threats.

It was in this context that PwC recently brought together a group of senior risk and sustainability executives. In a round table forum, they discussed the issues at hand and developed ideas on how to go from reactive to proactive when addressing environmental and social risks.

This article captures the insights shared:

  1. Focusing on business resilience creates a common language and drives a more positive outcome.
  2. Understanding the nature of social and environmental risks helps in addressing them appropriately.
  3. Implementing a number of practical actions collaboratively increases business resilience to social and environmental pressures and better positions companies to capture sustainability opportunities.

Resilience: How to start speaking the same language

Resilience is the ability of an organisation to recognise, rapidly respond to and recover from changes in the environment and their resulting risks. Resilience allows businesses to seize the opportunities hidden within those risk events.

One of the participants at our round table event said, “If you ask the question about risk, you think of flow documents. If you ask the question about resilience, you start thinking about how to get it done.” As this participant suggested, enterprise risk management needs a resilience lens to accommodate social and environmental risks.

What does this mean more specifically? ERM programmes tend to try and “predict” possible outcomes through risk assessments. To do this, they use highly deterministic approaches and rely mostly on risk history to guide what is to come. Then they take steps to mitigate. Resilience is not different from ERM, but evolutionary. It tries to apply enhanced risk assessment techniques to deal with the “macro” risks, but also de-emphasises the prediction element. Resilience recognises that the bigger risk events are inherently difficult to predict and tries to prepare companies to deal with them.

Because these risks are difficult to predict, resilience can’t be achieved if risk is managed in silos. Risk, strategy, sustainability and opportunity all need to combine to “imagine the possible” and anticipate change from exogenous factors — those created by social and environmental changes, for example.

Re-orienting the conversation from “risk” to “resilience” better captures the desired outcome state — preparedness. Companies know that a storm is coming, they don’t know how big it will be or exactly where it will hit, but regardless of precise location and severity, they will be prepared and their strategies flexible.

In a previous article, we discussed how boards can judge how well their ERM programme deals with this changing environment, and to what extent they adopt a resilience approach.

A resilience discussion also embraces the possibility of attaining an upside, not simply avoiding a downside. This helps to adjust and align the mind-set of sometimes disparate functional business areas, unleashing the power of cross-functional working. Resilience is the common language that can help sustainability and risk professionals achieve their shared goals.

The different nature of social and environmental risks

The key is not to just consider what might happen to a business, but how a business adapts to a changing world.

Clearly, the nature of social and environmental risks and their undifferentiated and indirect impacts require different strategies than traditional ERM approaches usually provide. What is it specifically about these risks that challenge risk managers’ thinking? Why are they difficult to address in traditional ways?

Traditional risks

Why social and environmental risks need a new approach

Based on a short-term horizon

Manifest themselves over a longer-term and often uncertain time frame

Micro risks, related to discreet areas of the business

Macro risks, multi-faceted and interconnected, affect the business on many dimensions.

Largely within the organisation’s control

Largely outside the organisation’s control

Risk responses often in control of company

Risk responses may rely on the actions of other parties or may require coordinated actions

Largely based on historical analysis

Often difficult to find historical precedence

Impact can be discretely modelled

Impact is undifferentiated and difficult to assess on a company basis prior to the event

Likelihood can be modelled based on historical events

Likelihood difficult to assess and model

Risks are specific and known – e.g., commodity price volatility

Risks may be difficult to define clearly

Risk responses focused on reducing likelihood and impact

Risk responses focused on preparing to manage and recover after an event and trying to capitalise on resulting opportunities

Risk avoidance is often a feasible response

May be difficult to avoid risks completely

Costs to manage risks can be estimated

Managing risks requires making investment decisions today for longer-term capacity building

Responding to risks is business as usual

Mitigation is more complicated, involving buffer capacity in the short term, and building adaptive strategies and flexibility in the long term

Practical steps towards bringing social and environmental pressures into risk management

There’s no doubt that ERM still needs to capture and mitigate traditional risks facing businesses. The challenge is how it can be evolved to encompass and manage social and environmental risks with the same level of robustness. We recommend the following five key steps:

1. Adapt the process used to identify social and environmental risks
Companies need to start with expanding their view of risk and adding social and environmental risks to the risk register. Such risks are identified by monitoring mega-trends, broadening ERM to external events, learning about their indirect impacts, identifying fragility and dependencies in the organisation’s external networks such as the supply chain and extending the ERM time horizon.

It may well be that other functions, in particular in the areas of corporate development, sustainability, strategy and market development, are already monitoring mega-trends to identify opportunities for the organisation. Risk managers can start with finding and tapping into these valuable resources, which is why the evolved approach to ERM has to be a cross-business one.

Adapting the organisational risk assessment surveying process is another way to uncover pertinent social and environmental risks. In addition to sending out standard risk questionnaires for functional heads to complete, the survey can be carried out as personal interviews. Companies can further “seed” the risk identification effort by defining specific scenarios and asking the participants to assess impact “given” these scenarios.

For instance, instead of asking participants to identify potential environmental risks, they can instead be asked to answer a question like, “If global temperatures rise by x degrees and sea levels rise by y feet, how would this impact our facilities and those of our supply chain partners?” Incorporating probability into these questions can help participants really visualise potential risks: “What if this happens at the scale you’re thinking about? What if it happens at a greater magnitude? What if this happens sooner than you anticipate?”

These discussions can bring several benefits. Firstly they help unearth risks that may not have been captured on the risk register. Secondly they are good relationship-building moments between risk and other functions. Thirdly, they can be a means to enabling the culture change needed in building risk resilience.

Risk managers can use these conversations to help colleagues break away from their silo thinking, help them see beyond what is in their area of control and probability, challenge their assumptions and paint a picture of a resilient organisation to enlighten their thinking.

There may also be tools available in other areas of risk management that can be adapted and used for identifying material social and environmental risks. Financial and credit risk management use sophisticated data modelling. Crisis management often involves scenario modelling. A forward looking scenario approach also combats the limited creativity in more traditional risk surveys.

2. Ensure the governance structure supports a new approach to risk
Once risks have been identified, the business has to be able to manage and respond in a coordinated way and at the right levels. Shareholders, investors, audit committees and boards increasingly expect businesses to report on their sustainability, social and environmental programmes. In some cases having a sustainability officer and executive sustainability committees are critical factors for key investors. So who’s responsible for overseeing how the organisation responds and what does governance involve?

If the business seeks to adopt a risk resilience approach then senior management has to own the risk agenda. This allows business strategy to be defined in terms of the expectation of external mega-trends, and both the risks and opportunities they present. More specifically, traditional ERM programmes are often “owned” by Internal Audit or other corporate functions. While this may be appropriate from a process standpoint, resilience requires that companies more clearly assign accountability for risk assessment and response to the appropriate business or operational owner. For instance, while process standards and tools are developed and promulgated by a corporate risk officer, the head of supply chain should be clearly responsible for identifying, assessing and managing risks within the supply chain — including sourcing and procurement, manufacturing, facilities and distribution.

The board is responsible for challenging management’s approach to risk ownership and questioning whether they have a programme in place to identify, assess, manage and monitor risk effectively.

3. Anticipate change and collaborate on risk mitigation
In today’s global economy, seemingly remote risks or forces have become interconnected. Their interaction creates more of a tidal wave than a ripple effect of impact across the world — fast and disruptive. To create resilience to these risks, companies need to anticipate the macro-changes well ahead of time, on an on-going basis, and devise adaptive strategies and operational plans to mitigate them before they unfold.

One way they can anticipate risks from social and environmental change is through scenario planning. However, these macro-risks are complex and broad in nature, and their impacts are all-encompassing. Conceiving realistic scenarios requires a profound understanding not only of the mega-trend, its risks and the underlying processes and factors, but also of other events that may be triggered.

This is where building risk resilience through greater anticipation is a more collaborative model. It requires a broad range of subject matter experts from inside and maybe outside the organisation. Specialists from different risk categories, employees, stakeholders, industry teams and experts will have different perspectives, bring new information, challenge perceptions and assessments of risks, and help anticipate risks that may otherwise be missed.

Also, many companies have begun to rely on third parties to help to catalyse discussions about potential risk events. These may include political, financial, regulatory, economic, industry, media or environmental professionals. Other companies have even relied on “futurists” to help to spark a dialogue with internal stakeholders that incorporates an external perspective into the risk assessment process. Even if you cannot predict the precise causes of future disruption, you may be able to prepare for the consequences of that disruption.

Collaborating on risk mitigation across the organisation like this breaks down silos and creates a sense of shared responsibility and ownership for risk. A more risk-aware culture may evolve as resilience planning gets incorporated into business planning cycles. As employees become engaged, they are more likely to become more effective in risk mitigation and develop a wider view of the risks that need to be managed.

4. Seize opportunities hidden within risk events
As previously mentioned, business resilience better positions organisations to realise the upside of risk and identify opportunities from risk mitigation.

One of the ways this can happen is through the increasing use of data analytics to identify emerging trends and their related risks. Enhanced data analytic capabilities also allow for unique insights that were impractical or impossible to generate just a few years ago. Think how exploring risks posed by demographic changes can also drive the development of breakthrough products, reveal hidden markets, and spark other innovations that give companies a competitive edge.

Mitigating a risk in one area can have multiple benefits. For example, in examining how to reduce water usage in its conveyor belt cleaning processes, one global food manufacturer identified ways to make its water heating systems more efficient, reducing costs.

5. Measure the value of strengthened risk resilience
Efforts are underway to establish “resilience scorecards” that can be used to measure an organisation’s resilience. In the meantime, leaders need to find ways to measure resilience initiatives, because shareholders increasingly expect this information. Businesses need to illustrate value preserved, communicate that the company’s business model is sustainable and tell shareholders a good resilience story about their business.

Conditions are right for a more forward looking risk approach

Conditions are right for reorienting risk approaches towards more risk resilience. CEOs see the need to go beyond merely prioritising risks to the business. They want more focus on building business resilience. And that’s a green light for risk management to evolve so that it helps organisations be prepared for a new breed of risks.

It’s an opportunity for risk management and sustainability management to come to the fore in strategic discussions. These two functions are critical in guiding an organisation towards long-term risk resilience. Separately, they are more limited in the future-proofing they can offer the organisation. Together, with combined resources, knowledge and experience, they can have a far greater impact and turn resilience into opportunity.