By Steve Culp
In the world of risk management, the continuing increase in volatility, uncertainty, complexity and ambiguity has given rise to a new acronym—VUCA—and the increased recognition that new and previously unconsidered risks are emerging all the time.
Cyber-crime is a prime example: Essentially unheard of 20 years ago, it now presents threats to large corporations and governments, as well as individual citizens. Similarly, the shift to contract manufacturing can create new exposures to reputational and operational risks as companies extend their supply chains and become more dependent on external parties for processes that used to happen inside the company.
Over time, even the most risk-aware organizations can experience low-probability but high-impact events that can fundamentally change businesses and even entire industries. Companies typically have, under the banner of “resilience,” put measures in place to respond to such events. These include business continuity and crisis management, disaster recovery and emergency response.
We are finding, however, that traditional resilience management is often inadequate for dealing with extreme events. Efforts tend to be tactical and not integrated with other core risk management activities, meaning they often are not scalable and can be slower than required to effectively respond. Even fewer organizations seem to actively prepare themselves to benefit from the upside of extreme events.
In our most recent “Global Risk Management Study,” which included interviews with risk executives at 446 organizations around the world, we found that leading companies, dubbed “risk masters,” are more focused on strategic and emerging risk than their peers are. These firms are more likely to integrate resilience programs into core risk management activities and to position themselves to take advantage of rare but significant events.
We believe that, when a business integrates the management of acute events and disruptions into a comprehensive view of risk categories and exposures, it will be better positioned to protect its ability to grow and achieve its objectives. The risk masters we have studied are seeking ways—not just to respond to and recover from such events—but to gain some competitive advantage from them. They are seeking to go beyond resilience.
Several characteristics distinguish organizations that are exploring new ways to deliver value to their company through risk management:
· They have playbooks for unthinkable events that map out ways to take advantage of major opportunities. These might include a major acquisition, a strategic divestment or a rapid entry into a new market.
· They have a business model designed to minimize the downside of rare events and to move quickly to maximize the upside.
· They challenge their supply chains to account for, and respond to, rare events.
· They have comprehensive, advanced resilience plans in place that encompass all their business-level resilience plans and incorporate resilience into financial planning and performance. What’s more, they test these plans on a regular, real-time basis.
Not all types of risk can be forecast, so a risk management function should account for uncertainty. Advanced practitioners of risk management closely integrate risk management and business continuity planning into enterprise risk management (ERM) programs.
The reverse is true, as well, ERM criteria and risk profiles can help support crisis management and business continuity plans. This may take the form of characterizing crisis management objectives that are defined by target risk-migration levels coming from the company’s ERM framework.
Advanced resilience programs tend to be closely aligned with overall company strategy and financial performance. For example, they provide a clear understanding of what assets are to be protected in the event of a crisis event or acute disruption. This strategy directs resilience planning, and the potential impact on cash flow and other financial metrics also plays a major part in the plan’s development.
Some critical aspects of the business are quantified using financial metrics such as cash flow, earnings and gross margin at risk. Advanced performers also aggregate business unit plans up to the enterprise level, just as they would do with other core risk-management processes.
In practical terms, this means that, while the risk function may facilitate the development of crisis management and business continuity plans, these plans are developed by and for the business units. The business units “own” the risks that concern them, and they lead the planning and testing of the resilience measures.
Advanced companies also may innovate when it comes to the execution of these plans. They use technology to monitor events and identify issues, and they engage in scenario-neutral planning to simulate various events and outcomes. They use real-time stress tests to help identify discrepancies between plan assumptions and how things could play out in case of an actual disruptive event.
VUCA is here to stay, and organizations should approach it directly. In addition to planning to protect themselves, organizations that decide to move beyond resilience can explore how to seize the opportunities presented by the unexpected. If your organization does this, be prepared for success because of, not just in spite of, whatever the future may hold.
Steve Culp is the senior managing director of Accenture Finance & Risk Services. He is based in London and has more than 20 years of global experience helping organizations define strategy and execute change programs in many risk management and finance disciplines.