BackgroundRisk management is one of the most important responsibilities that individual Board members have in all companies, irrespective of their size, ownership, or sector. This responsibility must be fulfilled and be visible to all their stakeholders.

This is important on many levels to protect their license to operate, provide comfort to investors, and to ultimately satisfy their customers that they are a long-term partner.

Road to Resilience: Risk Management as a Key Board Leadership ResponsibilityA Lockton Sponsored Report

The traditional risk management approach of relying on a process around the three lines of defence, namely risk and control in operations, centralised oversight functions, and independent verification was found in the previous report “Roads to Ruin” to be flawed when examining a number of the corporate failures that took place over the last ten years.

Of equal concern was that, in a number of organisations, there was a very apparent risk “glass ceiling” between employees, senior management, and boards, where risk management concerns were not communicated to and therefore not understood by those running the business.

The challenge of identifying how to overcome these potential shortfalls in corporate risk management robustness is being addressed by industry and regulators alike. For example, the U.K’s Financial Reporting Council (FRC) has issued a consultation paper on changes to the U.K. governance code to address this very same challenge.

However, the truth is that although a number of companies did fail, or at least suffered significant setbacks through their risk management failures, many companies survived and thrived through the corporate challenges of the economic downturn.

This raises the questions:

• What did those companies do, and what did they know that ensured resilience and created opportunity?

• Are those characteristics of knowledge and action common across the companies, irrelevant of sector or ownership?

March 2014

L O C K T O N G L O B A L SM , L L P

SM

Ian CanhamPartner

+44 (0)20 7933 2122ian.canham@uk.lockton.com

March 2014 Lockton Global LLP

“Roads to Resilience” the reportLockton, along with PWC and Crawford, sponsored a report which was commissioned by Airmic and undertaken by Cranfield School of Management to answer these questions.

Cranfield undertook a detailed review of the process, cultures and behaviours of eight U.K. corporates to gain an understanding of what creates resilience in their organisations. This was achieved not by relying on publically available data, but through in-depth interviews throughout the organisation, not just senior management and risk professionals. This ensured what they were told was not aspirational, but how these companies ran their business on a day-to-day basis.

The findings1. The report found firstly that whilst the companies (due to

the product offering) had a lot of differences, what they all have in common are five clear principles of resilience. These allowed them to become and remain a resilient organisation. The report identified that it was not sufficient to have one or two of these principles; all five must be present to achieve true resilience

2. Secondly companies cannot just adopt these principles and become resilient overnight. The culture and behaviours of the organisation are absolutely key in ensuring success. These principals have been labelled as business enablers in the report and again were all present in each of the companies studied.

The model

The five principles of risk resilienceResilient organisations have exceptional risk radar. Risk radar helps an organisation identify issues before they have developed into major incidents. It acts as an early warning, helps risks to be considered in aggregate, and allows different types of risk information to be collated. This is achieved by ensuring that everyone in the organisation is aware of the importance of risk and the need for vigilance in relation to strategy, tactics, and operations. No one individual and no single function (such as the risk management department) can be as effective at detecting risks as an organisation with high involvement.

Resilient organisations have resources and assets that are flexible and diversified. They establish clear operational risk appetite positions and then identify potential weaknesses through scenario analyses and stress-testing of strategy, tactics, and operations. They use the diversity of resources to reduce risk and develop the necessary skills for risk management throughout the organisation and beyond. This could include avoiding single points of failure or reducing dependence on single critical resources, including suppliers, markets, brands, products, investors, knowledge, and customers. Resilient organisations are aware of intangible assets, such as reputation, and develop proactive strategies to manage these assets.

Resilient organisations value and build strong relationships and networks. Resilient organisations do not just manage risk within their own organisational boundaries. They proactively manage risk throughout their networks of customers, suppliers, contractors, and business partners. A customer-centric approach is crucial, as it shapes the way all types of relationships are formed. Openness with all stakeholders engenders trust and loyalty, as well as a desire to collaborate and share information. This means that when adversity hits an organisation, all stakeholders communicate with each other.

Resilient organisations have the capability to ensure decisive and rapid response. A key characteristic of rapid response is that an organisation not only has defined processes for dealing with predictable risks, but (perhaps more importantly), also the ability to respond to and cope with the unexpected. To achieve this, employees must have the skills, structures, motivation and empowerment to respond appropriately. They are able to respond swiftly to an incident to ensure that it does not escalate into crisis or disaster and to restore the organisation to a perhaps new normal as quickly as possible.

Resilient organisations review and adapt to changes and adverse events. Risk management procedures and staff training are always being tested, refined, and enhanced. This results in employees being self-critical and willing to openly admit mistakes and report near-miss incidents in the knowledge that this openness will strengthen the resilience of the organisation. Every potential adverse event or circumstance is identified, analysed, and evaluated, so that lessons are learned and improvements

SM

March 2014 Lockton Global LLP

Lockton Global LLPAuthorised and regulated by the Financial Conduct Authority. A Lloyd’s brokerRegistered in England & Wales at The St Botolph Building, 138 Houndsditch, London, EC3A 7AG, Company No. OC353198LLP 1498 - Mar 14www.lockton.com

made to strategy, tactics, processes, and capabilities.Business Enablers

The business enablers identified across all organisations are:

• People and culture• Business structure• Strategy, tactics and operations• Leadership and governance.

The manner in which the business enablers lead to increased resilience are context-specific, as they depend on the size, nature, and complexity of the organisation, as well as its business environment and wider capabilities.

All organisations have these enablers in place, but their differing nature indicates why there are different roads to resilience. Each business enabler can be enhanced to change the way an organisation views risk management and the achievement of increased resilience.

Through utilising these enablers, risk management becomes part of the culture of the organisation and reflects in the behaviours of all employees and others in their day-to-day actions.

Where are companies on the road to resilience? Through analysing the eight companies studied and cross referencing to the earlier “Roads to Ruin” report, it was possible to identify four distinct points on the “Roads to Resilience” journey.

These were as follows:

Roads to Ruin: Poorly prepared for foreseeable and adverse events and unable to cope with a crisis.

Risk Compliant: Prepared only for those adverse circumstances identified and evaluated in the risk register.

Risk Responsive: Ready to successfully respond to a crisis, but protection of resources and assets is inadequate.

Roads to Resilience: Robust precautions to protect resources and assets and rehearsed plans to use in a crisis.

The above points are not sequential as a Risk Resilient company will utilise both the risk-responsive and risk-compliant characteristics in a given circumstance where such an approach is required.

Do resilient companies gain from better insurance terms and conditions and pricing?As stated at the start of this paper, through creating a more resilient organisation companies attract investment and customer loyalty and demonstrate the sustainability of their offering. However, do insurers recognise and value the broader risk management efforts?

This research is the first of its kind to so clearly identify the principles and enablers that create a resilient company. The idea of understanding those risk factors that may determine a company’s financial success have long been understood and monitored by the investment community.

The level of clarity that “Roads to Resilience“ provides, creates the same opportunity for insurers to differentiate those companies outside of market cycles that will consistently provide a risk that is better than their peers, therefore, allowing insurers to invest in their partnership with these well-managed companies.

Increasing standard of control to prevent,

protect and prepare for expected risks

Figure E.2 The resilience matrix

      

Increasing ability to respond, recover

and review successfully

following a crisis       

‘Risk Responsive’ Ready to successfully respond to a crisis, but protection of resources and assets inadequate

‘Roads to Resilience’ Robust precautions to protect resources and

assets and rehearsed plans to respond to a crisis

       

‘Roads to Ruin’ Poorly prepared for foreseeable adverse events and unable to

cope with a crisis

‘Risk Compliant’ Prepared only for those adverse circumstances identified and evaluated

in the risk register