“Roads to resilience” – how to avoid corporate catastrophe
Terry Irwin
Non-Executive Director & Mentor | C-Suite, Business Intelligence, Mentoring
How can businesses ensure their future success against the growing array of risks? To answer this key question, Cranfield School of Management and Airmic studied a number of leading organisations that have managed to create a resilient culture in order to protect their business, brand and reputation.
Roads to Resilience follows the highly acclaimed Roads to Ruin report, published by Airmic in 2011. This looked at high-profile crises involving 23 companies, which left their reputations in tatters. The main objective of this later report is to help companies avoid corporate catastrophe by learning from those who are leading the way in creating resilient organisations.
For boards, the incentive to become resilient goes well beyond merely avoiding disaster. Companies that are confident in their risk management can afford to be more enterprising and entrepreneurial, not only identifying risks but also seizing opportunities.
The research found that the qualities embedded in resilient organisations enable them to succeed in other respects. They are more responsive to their customers and the markets they serve, their staff and suppliers are motivated and loyal, they gain trust by being more dependable, and achieve better results for shareholders.
In short, resilience should be at the heart of strategy and part of the overall vision of every organisation. Resilience enables organisations to deal more effectively with both expected risks and unexpected ones.
Behaviour and culture are key
Cranfield researchers interviewed executives, management and staff with risk management responsibilities, including CEOs, at eight chosen organisations. They found overwhelmingly that the key to achieving resilience is to focus on behaviour and culture. This may involve fundamentally rethinking and challenging prevailing attitudes towards risk. Traditional risk management techniques, while essential, do not in themselves create a culture of resilience.
“You’ve got to have the right culture; otherwise you’re never going to embed anything. Nobody’s going to do the training, nobody’s going to put it on their personal agenda and talk about it, the networks aren’t going to happen, the network is where your culture lives” — SVP, Head of Global Risk Management, IHG
“It has got to start at the top of the organisation, with supportive language that shows we are more interested in how we learn and move forward, than holding an individual accountable” — CEO, UK General Insurance, Zurich
The five principles of resilience
Although the case study organisations are very different and have different ways of achieving resilience, the research found five capabilities or principles in common. The report refers to them as the five Rs. It is not sufficient to have just one or even most of them; an organisation must seek to have all five to achieve resilience. They are:
- Risk radar: the ability to anticipate problems and see things in a different way will help an organisation develop an early warning system and be able to seize new opportunities.
- Resources and assets: well-diversified resources and assets provide the flexibility to respond to opportunities as well as to adverse or changing circumstances.
- Relationships and networks: risk information flows freely throughout the organisation up to directors, to prevent the risk blindness that afflicts many boards.
- Rapid response: capability that prevents an incident escalating into a crisis or disaster, because people and processes are in place to quickly restore things to normal.
- Review and adapt: learn from experience, including near misses, and make the necessary changes and improvements to strategy, tactics, processes and capabilities.
The four business enablers
These resilience principles do not just happen; they reflect the fact that companies have nurtured a resilient environment through:
- people and culture
- business structure
- strategy, tactics and operations
- leadership and governance.
The report refers to these organisational qualities as “business enablers”. While all organisations have these enablers, in some organisations they are better developed than in others. As with every aspect of resilience, the board must take responsibility and provide leadership by setting the tone from the top, such that each business enabler supports the resilience agenda.
The findings of the research are captured in Figure 1 below. Achieving increased resilience delivers benefits, and these enhanced capabilities are shown as proactive “prevent, protect and prepare” and reactive “respond, recover and review” outcomes. The research found that resilient organisations are characterised by having the five resilience principles in place in a way that enhances the four business enablers.
Figure 1: Resilience outcomes, principles of resilience and the business enablers
Key actions and challenges
The report deliberately refrains from dictating how boards should respond to the challenge of strengthening the business enablers, but the research identified eight hallmarks or action points normally found in resilient organisations. While facilitating them may be the responsibility of the risk manager or risk committee, board oversight, leadership and governance are essential. In particular, the organisation must ensure that employees and other stakeholders understand what these activities mean and buy into them.
- Raise risk awareness, with relevant lead and follow indicators to identify trends, emerging risks and opportunities.
- Avoid board risk blindness, by encouraging the sharing of information and bringing uncomfortable truths to senior management, so that board decisions are well informed.
- Develop risk architecture, including involvement of representatives from the supply chain, contractors and business partners to evaluate risk exposures.
- Plan crisis management and develop crisis management teams, separate from normal management, to be activated at predetermined trigger points.
- Determine risk attitude and develop risk appetite positions for each of the main types of operational risk for the guidance of managers.
- Undertake risk assessment by developing a dynamic approach, so that the risk register becomes more than just a list of risks.
- Establish resilience agenda, including a board mandate to increase resilience and protect the reputation and brands of the organisation.
- Ensure risk governance, by establishing an appropriate version of the “three lines of defence” model to provide proactive assurance for the board.
Figure 2 summarises the findings of the research by plotting increasing standards of risk control against increasing ability to respond to a crisis. The conclusion is that a resilient organisation can both proactively plan for the expected and reactively cope with the unexpected. However, being either “risk compliant” or “risk responsive” is not sufficient to achieve resilience; an integrated approach that combines both is required.
Figure 2: The resilience matrix
Complementary roles of boards and risk managers
In organisations that achieve resilience, boards and risk professionals have complementary roles. The board provides strategic leadership, sets the tone and establishes the governance structure. The risk function works closely with operational management to create an effective framework and culture within which the organisation can achieve resilience. This will require both the technical expertise traditionally provided by risk managers and also a committed style of leadership to ensure that all levels of the organisation are fully engaged in this process.
Although technical resilience expertise will continue to be essential, it is just part of the picture; softer skills such as communication are also essential. The report concludes that risk managers have a vital role in driving resilience, implying a broader remit than has traditionally been the case. They have to decide where they aspire to be in this broadened risk scenario and identify the wider business skills required to play a leading role.
For boards, achieving resilience demands a concerted corporate effort. It should be a dynamic and never-ending process, focused on creating a genuine understanding of risk to make an organisation more enterprising and ultimately more successful. By bringing together the comprehensive insights and experiences of those who have succeeded, this report challenges businesses to measure themselves against best practice, take the necessary actions and achieve the benefits of becoming resilient.
“If you can explain why it will help that person achieve their objective, they will buy into it … some risk managers make it too academic.” — Chief Risk Officer, Olympic Delivery Authority
Summary of the main resilience benefits
- Optimal protection and utilisation of resources to take advantage of opportunities.
- Supportive relationships and networks to build successful brands and reputation.
- Knowledge of emerging risks to develop crisis plans to respond to adversity.
- Identified lessons and amended business model to gain competitive advantage.
For advice on how to create a resilient culture in your organisation, contact me by email or call me on +44 (0)20 7099 2621.
Terry Irwin is a management consultant with international experience in strategy development, business turnarounds, venture capital, M&As and project management. He is a founder director of TCii Strategic and Management Consultants and has helped a broad portfolio of international clients to achieve profitable, sustainable business growth.
The above article is from TCii's library of best business practice snapshots.