Enterprise Risk Management Amidst Global Disruptions
Kaveen Bachoo, Lecturer, Australian Institute of Business
“Greatness is not a function of circumstance. Greatness, it turns out, is largely a matter of conscious choice and discipline.” (Jim Collins)
What Are We Learning From The So-Called ‘Black Swan’?
The impact of COVID-19 is still very fresh on everyone’s mind, particularly for the business community. Whilst no doubt globalisation has improved our lives, it is obvious that in a connected world, the impact global disruption can have on businesses and livelihoods is enormous. Who would have thought the world would be brought to a standstill for nearly two years after the COVID-19 pandemic first came to light?
Before COVID-19, a McKinsey study showed that non-economic shocks are increasing both in frequency and in impact. The world has not forgotten BP’s Deepwater Horizon Oil Rig’s explosion in the Gulf of Mexico, Samarco’s dam failure in Brazil, Nokia’s spectacular loss of market share or the damages to Boeing following the. These disruptions have cost billions of dollars to shareholders, reputational damage to the companies, and unquantified damages to broader stakeholder groups. When these types of events are increasing both in frequency and impact, it almost throws the concept of a ‘Black Swan’ away.
A ‘Black Swan’ relates to events that would generally be classed as outliers – mostly unforeseen or rare. Were some of these events really a ‘Black Swan’? And if they were, could a more effective Enterprise Risk Management process, aided by a transforming technological landscape, add to the ability to forecast these events more accurately or even minimise their impact?
Moving Away From “The Tick Box Exercise”?
In this Harvard Business Review article, it is noted that despite all the rhetoric and money invested in risk management, it is often treated as a compliance issue that can be solved by drawing up lots of rules. If the Enterprise Risk Management processes were being done in a truly meaningful manner, rather than ‘ticking the boxes’, it can be argued that risks could be better managed.
This does not mean these global disruptions or the so-called ‘Black Swan’ events would not have occurred, but there is every chance companies would be better prepared in assessing the impact and likelihood of the risks. For example, could a more effective risk management process have identified that, at an operational level, the safety culture amidst deep water drilling required an improvement for BP, or perhaps could technology with remote shutoff capability have been better used to have avoided BP’s Deepwater Horizon crisis or drastically reduced the impact which unfolded?
Back To Basics
Going back to the basics of what Enterprise Risk Management was set to achieve, Douglas Hubbard, in his book “The Failure of Risk Management: Why is it broken and How to Fix it” defines risk management as “the identification, assessment, and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor and control the probability of unfortunate events”. Notwithstanding the agency relationship between the Board of Directors and Management, and where the accountability of Enterprise Risk Management sits, some of the fundamental steps as identified in Tricker’s Corporate Governance: Principles, Policies and Practices are as follows:
- the corporate risk profile is recognised
- policies are established throughout the organisation that reflect this profile
- significant risks facing a company are recognised
- risk assessment systems exist and are effective throughout the organisation
- risk evaluation procedures are developed and operational
- risk monitoring systems are robust, efficient and effective
- business continuity strategies and risk management policies exist, are regularly updated and are applied in practice.
If these back-to-basics approaches are adopted, then there is no doubt that Enterprise Risk Management could be used more effectively to minimise the likelihood and / or impact to businesses. Even better, these risks can be turned into opportunities for many businesses. Consider decarbonisation as a key risk for many businesses. The same decarbonisation, if understood properly and managed carefully, can create a new horizon of opportunities for renewables.
Already, some of the moves by Andrew Forrest to invest in ‘green hydrogen’ show that if the risks are understood well, they can be turned into opportunities. Examples of where Enterprise Risk Management is done really well are not often in the limelight compared to when things go wrong. This does not mean that no one manages risk well. Particularly in energy companies, commodity risk management is prevalent and done relatively well – you have dedicated trading groups or risk managers doing sophisticated analysis to understand the risks, put strategies like hedging in place to minimise price exposure and monitor this very closely.
My observations, in several organisations that I have either worked for or known quite closely, indicate Enterprise Risk Management discussions are becoming more and more common – but, is it enough? Is Enterprise Risk Management well embedded in the business planning cycles? Are the risks really thought through or merely a copy and paste of the risk register from previous cycles? Are the Boards and Risk Committees reviewing the Risk Register when a major risk has manifested or are reviews being done proactively for various time horizons i.e., looking not only at the immediate risks facing the organisation but what may lie ahead in 5, 10, 20 years from now? Who are the champions of risk and how are risks effectively identified, assessed, managed, monitored and communicated?
Enterprise Risk Management: The Journey Ahead
It is often levelled that hindsight is a wonderful thing, but this article seeks to highlight how businesses can aspire to, and look for, greatness in establishing embedded Enterprise Risk Management practices. Risks abound today – the COVID-19 pandemic, ESG (Environmental, Social and Governance), supply chain disruptions, geopolitical tensions, digitalisation – including cyber security, demographic changes and many others have the potential to disrupt businesses.
As Togok et al. (2014) put it, a lack of an appropriate tool to measure the effectiveness of Enterprise Risk Management is not an excuse. It calls for industry and academia to work hand in hand to help shift Enterprise Risk Management from a ‘Tick the Box Exercise’ to operationalising it in the board room and across the workforce. This investment will enable risk management to go from good (or not quite good as we have seen from the increasing number of what once were ‘Black Swan’ events) to great in the long run.