Risk management is not often a topic that finds itself in headlines, but the last 18 months in Australia and beyond have been like no other.
We’ve all witnessed or experienced continued pandemic-related disruptions, increases in unpredictable natural disasters, and a rise in corporate controversies, all of which have forced a redefinition of operational best practices and business continuity planning.
Organisations have understandably acted in a reactive manner to these disruptions, but this can no longer be the case moving forward. The pandemic was a warning shot to businesses that risk management needs to be a priority in order to survive.
Historically, the practice of risk management was often undertaken as a series of ‘box-ticking’ protocols, rather than an evolving, prioritised framework deserving of space on boardroom agendas. However, despite the newfound focus on the practice, it’s still not entirely clear whether businesses are now better prepared to assess, mitigate, and address risks, or whether they’re simply following their pre-COVID-19 playbook.
How the perception of risk management evolved
Broadly speaking, the management of emerging risks and crises was often siloed (e.g., a physical security risk addressed by an on-the-ground employee may not be communicated to the communications team) and underinvested in as a function. Recent events—such as 2020’s wildfires and this year’s massive flooding in the east—have induced a paradigm shift, not only in how risk management is viewed within the Australian enterprise landscape, but how it’s managed. Critical decision-makers were forced to evaluate whether they had the right tools and processes to anticipate and respond to the next crisis.
While some may agree that the worst of the COVID-related downturn is over, it’s crucial that businesses don’t dismiss this pandemic as a once-in-a-generation disruption. Widely impactful disruptions can happen anywhere, at any time. And they’re growing, both in scale and type, due to increased economic interdependence and technological advances.
For example, the Suez Canal disaster was not predictable, yet its impact can be felt across Australian industries dependent on trade. You can also look at this year’s risk management failures to see that deficient risk management processes can have a catastrophic effect on both a company’s bottom line and reputation.
It’s evident that the sophistication and variety of risks that businesses now face have never been greater, but what are decision makers doing about it?
Proactive shared responsibilities
A recent study commissioned by Dataminr and conducted by Forrester Consulting asked 410 risk and compliance decision makers at companies with more than $500 million in annual revenue to reflect on their risk management priorities and practices. The study revealed that 42 per cent of businesses are still improvising when it comes to risk management — confirming the notion that more can be done proactively.
Something that we have certainly seen and advised against within organisations is a siloed approach to holistic risk management. But in order to proactively manage and mitigate emerging risks and crises, enterprises must adopt a flexible and coordinated approach. This means that ownership of risk would be shared across the enterprise.
To start, individual departments should have clearly defined and mapped spheres of responsibility, so that when a risk occurs, the response across the enterprise is orderly and efficient. Then, function leaders should create flexible plans that anticipate probable risks that their organisation will likely encounter in the future, and regularly simulate these risks with stakeholders.
The connective tissue that supports this kind of overarching, agile crisis response framework is advanced technology, such as real-time information platforms.
Evaluate your critical information system
For an enterprise, nothing is more critical in crisis response than real-time access to relevant information that alerts you and other frontline leaders to potential risks and helps protect against those risks.
A critical first step is to survey the team to determine how it’s detecting and communicating emerging threats. Do they have the tools needed to effectively do so? What are the gaps and which technologies can fill those gaps and/or better support response efforts?
For example, global security operation centers (GSOCs) need relevant, up-to-date information to effectively mitigate risks. For these security teams, getting an accurate picture of the scope and potential impact of a crisis is critical to making better-informed business decisions, quickly and efficiently. Within an agile crisis response framework, a SOC would receive critical, real-time information at the same time as other key stakeholders and then coordinate an integrated response.
The number of Australian businesses that will face a company crisis at some point has been heavily inflated in the last 18 months. This is because recent crises have thrust risk management into the spotlight and shown how poor planning for such disruptions can damage an organisation’s reputation, operations and profitability. Clearly, there is now no excuse to not have a proactive strategy in place. Organisations must be prepared to act in an accurate, timely and confident manner. The time to implement protocol has firmly arrived.