Editor’s Note: This is the third in a series exploring the board’s role in corporate resilience.
Enterprise risk management (ERM) has been defined as “a plan-based business strategy that aims to identify, assess and prepare for any dangers, hazards and other potentials for disaster—both physical and figurative—that may interfere with an organization’s operations and objectives.” Beyond physical and financial risks, it includes reputational, operational, legal, and human resources risks, as well as those associated with governance.
In a recent article citing NACD research, corporate banking and securities lawyer Benjamin Butterfield compared ERM with “traditional” risk management. He noted six primary differences, namely that ERM:
- takes a holistic approach, versus segmented ones focused on departments;
- uses strategies that need to come from the “top,” usually from the board;
- maintains a broad perspective on organizational risks, which can’t be addressed by subordinate levels;
- focuses on lowering risk, increasing sustainability, and providing savings or value across the entire organization, versus preventing loss within tactical business units;
- assesses the entire asset portfolio, including intangibles such as customers, employees, suppliers, innovative processes, and proprietary systems, versus focusing on physical and financial assets; and
- aims to mitigate risk based on strategy-setting across the entire organization, versus silo-focused approaches.
Resilience is broader than the elements enumerated here, however. As noted in part 1 of this series, resilience includes two critical components: organizational capacity and the ability to “adapt and grow from a disruptive experience.” It is more than strategies, plans, and processes, and hence is more integrative than risk management alone, and even more so than ERM.
Resilience-building approaches almost always will include ERM principles to strengthen the components that contribute to business resilience, but they also must strengthen the organization’s cultural resilience at all levels—management, the collective workforce, and individuals.
These processes need to adapt to changing risks. Richard Smith-Bingham of Marsh & McLennan noted in a recent report on risk that “Carrying out traditional risk management well is no longer enough. New risks have swung into view, senior-level demands are changing, and new capabilities are forming.” That new approach is the practical application of resilience.
The Scope of Resilience
Since business resilience depends on technology and systems, this capacity can be built into all the company’s components. For example:
- Cybersecurity is about making digital systems and networks more resilient.
- Critical infrastructure protection increases the resilience of the organization’s physical and economic underpinnings.
- Business continuity may focus on restoring pre-crisis levels of operations after the shocks of natural and man-made disasters, but a resilient organization will seek to adapt them to performance points better suited to the post-crisis environment.
- Strengthening the company in the face of long-term stresses like the loss of jobs to automation and artificial intelligence, emergent technologies, workforce skills mismatches, and other risks is the essence of resilience.
Ultimately, diverse components will need to be integrated, which will always be harder than it seems. Cross-functional teams can be effective ways to work across isolated departments. Additional steps will be needed to prepare for adaptive approaches with entities outside the company as described in part one, especially since other communities may use different terms and processes that may not align with commercial risk management, reinsurance, and return-on-investment calculations. Nonetheless, cross-cutting collaboration is essential to anticipate the rapid, interconnected changes that result in enterprise risk.
A healthy corporate culture will promote broad, long-term resilience. The opposite may also be true. As Israel Martinez, chair and CEO of Axon Global Services, has said, “Culture can kill strategy.” If the board and senior corporate leadership are focused on containing incidents and minimizing bad press to preserve reputation and stock value, it may lead both to inappropriate responses in crises, and to inappropriate strategies to prepare the company to bounce forward better.
Strengthening the firm beyond the leadership levels, the development of a resilient labor force, and the corporate culture are all essential facets of developing cultural resilience. Even as automation and artificial intelligence challenge job availability and workforce structure in the mid-term, companies are having a hard time today hiring skilled people even for existing jobs. Intangible assets such as corporate reputation, relationship with employees, and image as a good place to work can affect the company’s overall resilience in tight or turbulent labor markets. The workforce also needs to be trained to handle adversity.
This leads to the importance of individual resilience. During emergencies, workers may have to support business continuity operations, but many crises are also likely to affect their families. What efforts are being made before a crisis to help workers ensure that their families will be prepared if they have to be absent? The effectiveness of the company’s response may depend on it.
A rich collection of research shows that every complex problem involves parts of other interlocking problems, so addressing one part will affect others. This means that the problem will change as you try to solve it and that solutions almost always will be iterative.
An essential first step is to document original assumptions about the risk at hand. These include not only tactical assumptions like “if we do X, we can expect Y result in Z timeframe,” but also strategic questions like: “Is this business model still relevant?” and “What business should we be in tomorrow?”
Once a course of action or a business plan is chosen, a review should be scheduled after a suitable interval. Diverse, unvarnished feedback is essential. If the plan is converging toward the desired outcome, continue. If not, re-examine the basic assumptions and adjust. This can be facilitated if the alternative approaches have been kept up-to-date as options.
The iterative approach poses leadership challenges both up and down the chain of command. The project advocate needs to get buy-in from leadership and the board alike that they will view adjustments as a sign of strength, not weakness. The advocate also must explain to their team that the review is built into the program and, while they expect full support in executing the chosen plan, if the assessment indicates a need for change, that again is a sign of strength, not weakness.
Challenges for the Board
The board needs to help management develop the capacity for both cultural and business resilience in complex, adaptive environments, and ensure that it is supported, incentivized, and exercised frequently. These exercises need to address interdependencies among disparate functions and infrastructures (communications, power, transportation, and others) to understand how the disruption of one affects the ability to perform the mission.