When the UK’s Association for Insurance and Risk Managers (Airmic) commissioned Cranfield School of Management to research corporate resilience, it was primarily an investigation into good risk management. As the resulting report entitled ‘Roads to Resilience’ took shape, however, it became clear that the implications were much more far-reaching. The qualities that make companies resilient also make them superior in other respects. Among many other things, they have better reputations, loyal staff and suppliers and strong relations with their customers.
We concluded that resilience should be at the heart of corporate strategy. It is vital, though, to understand that this is not the same as risk management. Risk controls are essential, but resilience is a much wider concept. For risk and financial professionals, one of the key messages is to see the bigger picture and engage actively with colleagues right across the organisation.
Firstly, a little background detail. In 2011 Airmic, in partnership with Cass Business School, published ‘Roads to Ruin’. This earlier report looked at 18 individual case studies of catastrophic failures of risk management involving 23 companies. It identified several common failings that can cause crisis, regardless of sector.
‘Roads to Resilience’ represents the other side of the coin; its main purpose was to investigate successful, resilient organisations and whether they also have features in common. The short answer is that they do, and the attitude of the board is invariably pivotal.
To find out what makes a company resilient, Cranfield’s researchers interviewed senior staff with risk management responsibilities, including chief executives (CEOs), at the following organisations: AIG; Drax Group; InterContinental Hotels Group; Jaguar Land Rover; Olympic Delivery Authority; The Technology Partnership; Virgin Atlantic and Zurich Insurance.
It soon became clear that resilient companies do not just happen. They have cultural and behavioural traits that encourage all employees to be flexible, customer-focused and alert to danger. Just as certain factors crop up repeatedly in failing companies, the resilient organisations studied for the report adhered to all of five common principles (see below) even though they operate in very different environments.
The Five Principles of Resilience
- Risk radar or the ability to anticipate problems before they develop, partly by seeing things in a different way.
- Resources and assets that are well diversified, providing the flexibility to respond to opportunities as well as adverse or changing circumstances.
- Relationships and networks that enable risk information to flow freely throughout the organisation up to directors to prevent the ‘risk blindness’ that afflicts many boards.
- Rapid response to ensure that an incident does not escalate into a crisis or disaster and that people and processes are in place to restore things to normal as quickly as possible.
- Review and adapt, or the ability to learn from experience and make the necessary changes so that every adverse event or circumstance is analysed and evaluated, and improvements are made to strategy, tactics, processes and capabilities.
Top management at these organisations take resilience extremely seriously. They appreciate that nurturing the right culture and behaviour is absolutely essential. This requires leadership from the board and a relationship based on trust with staff, suppliers and other key stakeholders.
At Virgin Atlantic, for example, senior executives work in one corner of an open plan office on the second floor. Colleagues can come to them with their thoughts, and there is a ‘no-blame’ culture.
To quote the head of internal audit, on secondment from a Big Four professional services firm: “There is an executive team who do not really have egos. They are happy for you to go and have an honest conversation with them.”
As a result, vital risk information travels around the company, and board members make well-informed decisions. This contrasts with the ‘risk blindness’ evident in virtually every corporate failure identified in our first report, ‘Roads to Ruin’.
Virgin Atlantic helps to illustrate another of the report’s themes. Although the five principles of resilience are essential, they do not exist in a vacuum. They reflect four aspects of any company, which we have called ‘business enablers’: leadership and governance; people and culture; structure; and strategy, tactics and operations.
[Figure: The Five Principles of Resilience and their Business Enablers]
These ‘business enablers’ are central to creating a dynamic and holistic approach to risk management, but they are much more than that. Enterprises become more resilient by being more responsive to their customers and the markets they serve; their staff and suppliers are motivated and loyal; they gain trust by being more dependable; and their reputations benefit. When they do have serious mishaps they are ready, and their stakeholders are willing to give them the benefit of the doubt. Quite simply, they are better companies.
At all our organisations a tremendous amount of hard work had gone on behind the scenes to make them resilient. Invariably, top management provides the drive and focus, while the company’s risk professionals give essential technical input and provide education and advice. It is more important than ever that the company’s financial professionals and risk managers, however defined, talk and listen to colleagues across the organisation.
Case Study: InterContinental Hotels Group (IHG)
At InterContinental Hotels Group (IHG) much time and effort goes into creating the right resilience culture. To quote the head of global risk management: “You’ve got to have the right culture; otherwise you’re never going to embed anything. Nobody’s going to do the training, nobody’s going to put it on their personal agenda and talk about it.”
IHG has defined a structure that ensures risk management is embedded throughout the organisation. To quote the group’s 2012 annual report: “IHG recognises the importance of having in place an effective system of internal controls and risk management to achieve our vision of becoming one of the great companies in the world.”
IHG aims to raise risk awareness at board level and executive committee level, throughout the leadership teams in the regions and functions, in every hotel and with all employees. The various processes for dealing with risk are applied across three levels: strategic; tactical; and operational.
The understanding of risk is intricately linked to reputation. To quote the annual report again: “The purpose of risk management is to champion and protect the trusted reputation of IHG and its brands.” The ambition is to foster a culture where risk management becomes instinctive.
Risk governance is established through a cross-function working party that meets four times a year. Risk information is constantly collected, communicated and assessed; the output is used to drive discussions at the executive committee, audit committee and board.
Through having risks identified and plans to deal with adverse circumstances already in place, IHG has developed an ability to deal with unexpected situations. Training and informal discussion groups are used and crisis management scenario planning sharpens the culture. IHG has developed risk awareness, a structure and a culture that allows information to flow freely.