At a recent conference, Explic8 Director, Ian Nicholls, delivered a keynote speech where he conducted an audience survey on knowledge of and attitudes towards risk. The findings were indicative of a wider issue – namely, that businesses still fail to address risk seriously enough.
The results indicated that organisations are simply not as well prepared as they should be for highly disruptive risk factors. So here are some areas to consider. Ask yourself if you are well prepared enough – or at all.
Do you have a ‘threat register’ for global and national risks?
This category usually involves risks that are considered ‘systemic shocks’ – those things people did not see coming. Businesses, on the whole, don’t consider these events enough or ask themselves how the big global or national news story could impact their operations.
To navigate these risks effectively, businesses need the capability to identify risk information and spot trends to prepare themselves adequately. An excellent example of when many businesses failed to prepare is the Global Financial Crisis of 2008. The signs were clearly there at least 12 months out, but panicked business reactions across the globe showed that few had been expecting it.
Equally, wars don’t just begin overnight.
Creating a ‘threat register’ will enable you to scan each aspect of a global risk and alert you to anything that will possibly affect your operations. Then, in turn, you can track the data and factor it into your risk and crisis planning.
As COVID-19 was emerging in December 2019, Ian began tracking it. By the time it was declared a crisis, he had supported three of our clients to implement crisis plans. One of them, a school, did not lose a day of teaching (or school fees) throughout lockdown as a result. Another client, a gym chain, prepared themselves for the impending impact by creating online workouts and, today, have 6x more memberships.
Are you managing cyber/data security and supply chain integrity?
An organisation’s cyber/data security and supply chain integrity are indicative of how vulnerable the organisation assumes it is and of the areas in which it thinks it may not be well defended enough. There is a misconception that these areas are complicated, and while the tool or delivery mechanism might be, the basic governing principles are not.
With growing and ever-emerging threats in this space, it’s critical to consider how you plan for these.
How are you managing your ‘employee behavioural’ risks?
Employee behavioural risks are usually heightened by a lack of systems that collect and measure employee behaviour data. While these are often considered ‘soft risks’ and not given enough weight, the reality is that people are your biggest asset, so they are one of your most significant risks.
In many organisations, systems focus on operational requirements (performance objectives), not 360-degree risk.
Take how society and businesses reacted in such fragmented ways to the Black Lives Matter and historic slavery debates and protests lately, for example. The weak reactions of some organisations laid bare considerable gaps in their understanding about how important these issues are to their employees and customers (and society as a whole).
For instance, existing and prospective customers may have felt some ill-will towards businesses or brands that they felt were not forthcoming enough about these important issues and topics of widespread public debate.
Do you take a proactive approach to compliance risk?
Compliance risk is, in short, the potential for losses and legal penalties due to failure to comply with laws or regulations.
Some examples of compliance risk include environmental risks (such as an organisation’s activities potentially damaging living organisms and habitats), workplace health & safety, and quality risk (producing a low-quality product or service that fails to meet due diligence or even breaks laws).
Too often, compliance risk assessment is reactive or occurs after the event – when it’s too late. Organisations must be far more proactive in their risk management approach to prevent problems and potential disasters.
Do you have a crisis management plan in place?
In many organisations, there is limited practical understanding or practice of emergency and crisis management plans.
Take the pharmaceutical market, for example. The counterfeit medicine market is more lucrative than the illegal narcotics business, with the World Health Organisation estimating that counterfeiting costs the global pharma industry USD 75 billion every year.
With that in mind, it’s unsurprising that most pharmaceutical companies believe that the illegal use of their brand name on these counterfeit products threatens the company’s integrity. As more pharmaceuticals are being sold via the internet, this concern is only getting worse.
According to a study conducted by Pharma IQ, only 53% of respondents in the pharmaceutical industry confirm that their organisation has a brand protection strategy in place. However, the more shocking piece of this was that 26% don’t have a brand protection strategy and/or plans to put one in place at all!
Consider what it could cost your business
Not taking risk management seriously enough will cost your business. Most risk manifests itself in unexpected areas, exactly those that are not monitored or assessed by standard risk programmes.
Boards and leadership teams are often too wrapped up in KPIs and tracking data without looking further at what the data tells them about potential risks. In other words, business leaders look at efficiency in supply chains, leakage and other factors vital to good business but, unless you are looking at and tracking data concerning emerging global and national risks, things can and will sneak up on you.
And, unless you can apply a workable Business Continuity strategy, you are going to get whacked – and you may never see it coming.
While there are many procedures you can put in place to manage and mitigate risk, truly understanding and adequately preparing for it requires considerable experience and expertise.