1. Adapt the process used to identify social and environmental risks
Companies need to start with expanding their view of risk and adding social and environmental risks to the risk register. Such risks are identified by monitoring mega-trends, broadening ERM to external events, learning about their indirect impacts, identifying fragility and dependencies in the organisation’s external networks such as the supply chain and extending the ERM time horizon.
It may well be that other functions, in particular in the areas of corporate development, sustainability, strategy and market development, are already monitoring mega-trends to identify opportunities for the organisation. Risk managers can start with finding and tapping into these valuable resources, which is why the evolved approach to ERM has to be a cross-business one.
Adapting the organisational risk assessment surveying process is another way to uncover pertinent social and environmental risks. In addition to sending out standard risk questionnaires for functional heads to complete, the survey can be carried out as personal interviews. Companies can further “seed” the risk identification effort by defining specific scenarios and asking the participants to assess impact “given” these scenarios.
For instance, instead of asking participants to identify potential environmental risks, they can instead be asked to answer a question like, “If global temperatures rise by x degrees and sea levels rise by y feet, how would this impact our facilities and those of our supply chain partners?” Incorporating probability into these questions can help participants really visualise potential risks: “What if this happens at the scale you’re thinking about? What if it happens at a greater magnitude? What if this happens sooner than you anticipate?”
These discussions can bring several benefits. Firstly they help unearth risks that may not have been captured on the risk register. Secondly they are good relationship-building moments between risk and other functions. Thirdly, they can be a means to enabling the culture change needed in building risk resilience.
Risk managers can use these conversations to help colleagues break away from their silo thinking, help them see beyond what is in their area of control and probability, challenge their assumptions and paint a picture of a resilient organisation to enlighten their thinking.
There may also be tools available in other areas of risk management that can be adapted and used for identifying material social and environmental risks. Financial and credit risk management use sophisticated data modelling. Crisis management often involves scenario modelling. A forward looking scenario approach also combats the limited creativity in more traditional risk surveys.
2. Ensure the governance structure supports a new approach to risk
Once risks have been identified, the business has to be able to manage and respond in a coordinated way and at the right levels. Shareholders, investors, audit committees and boards increasingly expect businesses to report on their sustainability, social and environmental programmes. In some cases having a sustainability officer and executive sustainability committees are critical factors for key investors. So who’s responsible for overseeing how the organisation responds and what does governance involve?
If the business seeks to adopt a risk resilience approach then senior management has to own the risk agenda. This allows business strategy to be defined in terms of the expectation of external mega-trends, and both the risks and opportunities they present. More specifically, traditional ERM programmes are often “owned” by Internal Audit or other corporate functions. While this may be appropriate from a process standpoint, resilience requires that companies more clearly assign accountability for risk assessment and response to the appropriate business or operational owner. For instance, while process standards and tools are developed and promulgated by a corporate risk officer, the head of supply chain should be clearly responsible for identifying, assessing and managing risks within the supply chain — including sourcing and procurement, manufacturing, facilities and distribution.
The board is responsible for challenging management’s approach to risk ownership and questioning whether they have a programme in place to identify, assess, manage and monitor risk effectively.
3. Anticipate change and collaborate on risk mitigation
In today’s global economy, seemingly remote risks or forces have become interconnected. Their interaction creates more of a tidal wave than a ripple effect of impact across the world — fast and disruptive. To create resilience to these risks, companies need to anticipate the macro-changes well ahead of time, on an on-going basis, and devise adaptive strategies and operational plans to mitigate them before they unfold.
One way they can anticipate risks from social and environmental change is through scenario planning. However, these macro-risks are complex and broad in nature, and their impacts are all-encompassing. Conceiving realistic scenarios requires a profound understanding not only of the mega-trend, its risks and the underlying processes and factors, but also of other events that may be triggered.
This is where building risk resilience through greater anticipation is a more collaborative model. It requires a broad range of subject matter experts from inside and maybe outside the organisation. Specialists from different risk categories, employees, stakeholders, industry teams and experts will have different perspectives, bring new information, challenge perceptions and assessments of risks, and help anticipate risks that may otherwise be missed.
Also, many companies have begun to rely on third parties to help to catalyse discussions about potential risk events. These may include political, financial, regulatory, economic, industry, media or environmental professionals. Other companies have even relied on “futurists” to help to spark a dialogue with internal stakeholders that incorporates an external perspective into the risk assessment process. Even if you cannot predict the precise causes of future disruption, you may be able to prepare for the consequences of that disruption.
Collaborating on risk mitigation across the organisation like this breaks down silos and creates a sense of shared responsibility and ownership for risk. A more risk-aware culture may evolve as resilience planning gets incorporated into business planning cycles. As employees become engaged, they are more likely to become more effective in risk mitigation and develop a wider view of the risks that need to be managed.
4. Seize opportunities hidden within risk events
As previously mentioned, business resilience better positions organisations to realise the upside of risk and identify opportunities from risk mitigation.
One of the ways this can happen is through the increasing use of data analytics to identify emerging trends and their related risks. Enhanced data analytic capabilities also allow for unique insights that were impractical or impossible to generate just a few years ago. Think how exploring risks posed by demographic changes can also drive the development of breakthrough products, reveal hidden markets, and spark other innovations that give companies a competitive edge.
Mitigating a risk in one area can have multiple benefits. For example, in examining how to reduce water usage in its conveyor belt cleaning processes, one global food manufacturer identified ways to make its water heating systems more efficient, reducing costs.
5. Measure the value of strengthened risk resilience
Efforts are underway to establish “resilience scorecards” that can be used to measure an organisation’s resilience. In the meantime, leaders need to find ways to measure resilience initiatives, because shareholders increasingly expect this information. Businesses need to illustrate value preserved, communicate that the company’s business model is sustainable and tell shareholders a good resilience story about their business.