Corporate crises leading to scandals have one common theme – poor risk and people management, especially at executive level.
This past year has provided excruciating examples of executive risk-taking, such as Barclay’s CEO Jes Staley attempting to identify a whistleblower, Harvey Weinstein allegedly abusing staff for years; Ryanair’s pilot roster debacle, resulting in 2000 flight cancellations; Wells Fargo’s employees creating hundreds of thousands of fake customer accounts and Uber’s CEO Travis Kalanick standing down, after allegations of sexism and trade secret lawsuits.
Organisations need to become more resilient to flourish, especially as technology advancements speed up the complexity of risks. Many boards can fool themselves into believing they have sufficient risk management policies and practices in place (eg ERM systems, and ISO 31000), but that will not safeguard them from an avalanche if skiing off piste.
Risk management processes are necessary to ensure a fine balance between a culture of safety and openness is developed and maintained. However, poor people management can occur at all levels in organisations, even those with good risk practices. People risks are wide ranging from human error (eg someone opening a virus-infected email), deliberate fraud, failure to follow procedures (eg applying the latest software patch), sabotage and failure to raise obvious red-flag issues.
Cranfield School of Management conducted research on behalf of Airmic (a UK association of corporate risk and insurance managers), into what makes an organisation resilient, and found five key success factors:
- The ability to anticipate problems
- Having adequate resources to respond to changing conditions
- A free flow of information up to board level
- The capacity to respond quickly to an incident
- A willingness to learn from the experience
Leaders need to invest time and effort into defining corporate ethics, management training, embedding policies and practices (eg The Bribery Act) and sourcing new technology to prevent cyber attack and predict patterns of risk behaviour.
Ethics policies should also cover cyber bullying, as we depend more on remote electronic communication, and the need to ensure trust among customers, suppliers and employees is maintained.
Willis Towers Watson reported organisations have rich sources of data that can be harvested to predict risks and issues, such as employee psychometric testing and employee surveys, but rarely utilise it effectively.
Hersh Shefrin, Professor of Finance at Santa Clara University, reminds us of the subjective nature of risk assessment, where leaders with overconfident, overpowering personalities can often lead to collective biases (known as “groupthink”) in the boardroom. Groupthink, if not challenged regularly, can result in fear-based cultures, where employees are encouraged to stifle views out about potential risks, and not to blow the whistle. This can only lead to trouble.
Boards should make time to learn from the reported mistakes their competitors and peers have made and, finally, as the annual tradition of the office Christmas party draws nearer, it can be used as a reminder these events are not just a great opportunity to improve employee morale, but also to reinforce corporate ethics (eg offsite conduct, behaviour and tweeting guidelines) to leaders and employees. It could prevent a corporate hangover.
One response to “Mitigating Corporate Risk – Five Key Principles For Business Resilience”
Exactly right Kath. There is far too much boardroom complacency.