How to Build a Focus on Resilience into Board Risk Oversight
In the face of COVID-19, the ransomware epidemic, and climate threats, organizations have experienced increasing calls to become more resilient. But what does “being risk resilient” actually mean and what are the implications for boards in terms of risk oversight responsibilities? We drew on survey research involving risk functions at nearly 1,000 organizations and interviews with directors at leading companies across all sectors to explore the issue.
Resilience includes the ability to adapt and respond to a proximate event. But resilient cultures also move beyond business continuity planning and the capacity to absorb a negative event—they build the capacity to dynamically manage risk. In this way, organizations gain a unique strategic competitive advantage when the seas are calm and can then foresee upcoming threats and capitalize on growth opportunities during times of operational and financial stress.
Now more than ever, organizations must adopt a forward-thinking risk management approach to keep pace with an increasingly complex and hyper-connected risk landscape. Indeed, as one director stated in an interview conducted with Marsh McLennan to inform this article, “The new era of risk oversight is to think of risk in terms of risk resilience.”
Below, we outline four key levers that boards should consider when diagnosing their organizations’ risk resilience, drawn from our recent survey report on the topic.
Cross-Organization Collaboration on Major Risk Issues
2020 highlighted the need for management teams to better examine how risks interact and cascade across value chains and organizational strategy. Organizations must identify, understand, and prepare for the impacts of systemic and emerging risks across the enterprise. Collaboration across diverse business functions, including risk management functions, is key to increased transparency on potential exposures and to enabling management teams to bring a holistic, integrated view of risk and the entity into the dialogue with the board.
Most organizations are challenged by a lack of cross-functional collaboration, however. Without such collaboration, organizations will likely struggle to work across silos to anticipate risk impacts, and this will impair their ability to develop effective organization-wide response plans. As another interviewed director said, “You need people with different sets of skills to actually rethink your basic business proposition and assumptions.”
It is also vital to consider whether the senior leaders responsible for organizational strategy are fully integrated into resiliency planning. This integration helps companies better identify risks and design and execute responses. Connecting risks to long-term strategy helps organizations move forward and mitigate their financial exposure, reputational damage, business interruption, and other losses.
Testing and Building Organizational Resilience
Resilient organizations regularly assess the risk terrain and test whether they have the necessary resources to navigate it. Companies need an accurate view of organizational preparedness, as they often overestimate how quickly and effectively they will be able to respond to (and sustainably recover from) a given risk or they focus on actions around a short-term crisis.
Building risk resiliency and agility goes beyond having a crisis management plan in place. Scenario-based financial stress-testing and planning are vital to understanding potential events and to incorporating data and analytics into management thinking. Is the organization doing enough to stress-test, measure, and model the financial, operational, and other impacts of critical risks? How do these risks connect with the growth strategy?
Testing the risk terrain can also include management and board “deep dives” into a risk or event to fully assess organizational vulnerabilities across the complete value chain. The results can be used to examine the organization’s capacity to respond and its resilience to impacts as an event plays out over various time frames.
The ability to assess and forecast different shock events and to understand how a risk or an event cascades across the entity is critical, and this analysis provides meaningful, actionable insights into potential exposures. However, it is worth noting that these efforts aren’t meant to predict the future but rather to clarify uncertainties in the operating environment. This includes helping the management team and board develop a common perspective on critical response actions, which involves identifying actions the organization can adopt to build resiliency (such as reducing redundancy in supply chains) and pinpointing the depth and strength of the organization’s resiliency.
Forecasting and Anticipating Emerging Risks
Anticipating risks means expecting the unexpected—that is, looking further and deeper. Organizations must build the capacity to forecast and anticipate future impacts of various risks—including pandemics, cyberattacks, regulatory changes, geopolitical threats, and the effects of climate change—on their tangible and intangible value.
Simply put, organizations must apply tools and methodologies that enhance their ability to “see around corners.” Much as finance functions produce forecasts for quarter-close or year-end, companies should forecast risk to provide visibility into how risks might impact organizations over a multiyear period.
As the pandemic has shown, even organizations with robust business continuity plans have struggled because they failed to fully anticipate the extent of COVID-19’s impacts. In our risk resilience survey, only 25 percent of the risk function leaders responding said that they use scenario-based modeling across their enterprise or comprehensively to evaluate the potential impact of emerging risks. Only 45 percent use scenario-based modeling somewhat, on selected exposures, or in a limited way.
Boards must ensure their organizations have an energetic, exploratory approach to scenario planning. This will help stretch the organizational mind-set in developing and analyzing possible future outcomes. Characterizing the dynamics of disruptive forces and delineating touch points help determine where impacts might be felt, and well-crafted scenarios act as a tangible frame for detailed analyses and stress-testing.
Organizations must investigate evolving issues or fundamental trends that may shock or gradually undermine their growth, profitability, and business models. Doing this effectively requires an array of perspectives and asking “what-if” questions to keep the focus on possible consequences rather than likelihood.
“You need people with a breadth of experience that have been successful in looking around the corner,” a director interviewee noted. “People that have that skill set are incredibly important to a risk structure because they’re not rooted within the singular business of one company or industry.”
Risk Resilience Metrics
Our survey results indicate that consistently applying risk metrics is a stumbling block for many. Too often, known risks are tracked far more than unknown or potentially highly disruptive risks. In other instances, organizations track a huge number of metrics—simply because the data is available—that do not provide the board with a clear view of the organization or of the factors impacting its performance in the broader ecosystem.
Boards’ and management teams’ thinking on how to gain visibility and intelligence on the impacts of current and future risks is evolving. This requires moving beyond many commonly used tools. As one director observed, “I need more quantitative measures for risk oversight and not a dot on a heat map.”
Several directors said they have worked with management teams on what information to present to the board and how to present that information. The goal is to move beyond sheer siloed volumes—that is, to information that identifies risk drivers and impacts across risk categories and that uses metrics that support board-level decisions around the dynamics of systemic and emerging risks across the complete value chain.
Boards and C-suite executives should ensure their organizations are deploying an effective range of metrics to measure exposures in their journeys to resilience, understand risk implications for their businesses, and enable board and management decisions. These metrics include:
Measurements of risk aggregation and interdependencies across the value chain
Resilience metrics—those that will help determine how much stress the organization can withstand and at what points in the value chain
Early-warning crisis event metrics, which can provide guidance for navigating a crisis during its initial days
Metrics on essential supply chain partners to help evaluate counterparty risk
Developing more insightful risk metrics and information for the organization and the board will require a courageous process of trial and error.