By Rod Cartwright, Founder and Principal, Rod Cartwright Consulting
At the recent International Risk & Resilience Conference at London's Olympia, I had the distinct honour of interviewing Dr. Jamie Shea – former NATO Deputy Assistant Secretary General for Emerging Security Challenges – on: "A new world order: are businesses shying away from globalisation?".
We explored the nature and extent of de-globalisation and its root causes (across economics, politics, civic society and business itself) – in the context of the emerging, interconnected risk landscape. And we were treated to Jamie’s wisdom and advice on how to build business resilience in a less global world.
However, beyond enjoying Jamie’s incisive, practical counsel, I also took the opportunity to listen to a raft of other fascinating panel discussions across the conference’s two days. These ranged from ESG ‘R’ as a new strategic priority, managing complex risks in an uncertain world and the human aspects of emergency response to the march towards organisational resilience, getting ready for the next big shock and delivering a whole-of-society approach to national resilience.
So, what personal lessons did I draw from my fascinating conversation with Jamie and from a brain-stretching, thought-provoking couple of days?
- Always-on crisis preparedness: We live in a world of fast-evolving and interconnected risks – something I explored in a report earlier this year called ‘Trust, Risk and Resilience: Where Are We Now and Where Next?, which summarised and analysed the five key pre-Davos reports on trust and risk. It is therefore critical for organisations to be in crisis management mode full-time, including conducting regular preparedness reviews and stress testing existing approaches, to ensure that you are truly match fit.
- Know your risks: Regular strategic horizon scanning is indispensable in understanding your risk landscape – both externally and internally (an often overlooked source of risk). At the same time, it’s vital to consider cultural and human behavioural risks, not just operational ones. And of course, knowing the difference between a risk, a threat, an asset and an event is vital.
- … and the barriers to managing them: The siloed nature of many organisations and the tendency to view risk management as a functional, tick-box exercise are just two examples of the very real barriers that stand in the way of enhancing organisation-wide resilience. Identifying and understanding those barriers can be just as important as pinning down and prioritising the risks themselves.
- “Security is like a pair swimming trunks!”: One of Jamie Shea’s most noteworthy gems was to avoid trying to play God by seeking to second guess the next big shock. Like a pair of swimming trunks, security can only ever cover so much at any given time, so no matter how good your horizon scanning capabilities may, they can never guarantee an entirely accurate view round the next corner. This makes it crucial to have in place interchangeable “common response elements” for diverse, overlapping risks and threats.
- From risk management to resilience-building and the rise of the ‘Chief Resilience Officer’: Speaker after speaker returned to a common theme – the evolution from risk management to resilience building and the parallel rise of the Chief Resilience officer. This is a phenomenon that organisations including Deloitte and Marsh McLennan have been championing for a while now and is an evolution set to become ever more widespread. The requirement for a ‘Resilience Statement’ – as part of the proposed changes to the UK Corporate Governance Code – can only accelerate that process, in a UK context at least.
- An opportunity in every risk and a risk in every opportunity: As I say consistently to clients, the true definition and origins of the word ‘crisis’ is that crises are only ever a turning point, as potentially rich in opportunity as in risk. Organisations often ignore the positive face of resilience-building and crisis preparedness (“purposeful optimism” as one speaker put it) and underestimate its potential to unlock positive change – not just “stop bad stuff happening”, to quote another panellist.
- Prepare for the genuine worst case and don’t discount human behaviour: A consistent conference theme was the importance of ensuring that simulations/’war games’ cover the full range of potential worst cases, no matter how uncomfortable they may feel. This means that stress testing should be a creative and intentionally disruptive process, which doesn’t shy away from scenarios based around culture and human behaviour – regardless of how ‘unimaginable’ they seem.
- Resilience is a cultural outcome, not an operational process or a job title: If there was one leitmotif that stood out for me above all others, this was it. As one panellist put it “resilience should be a societal service”. As a result, it is crucial to start with understanding what it is you actually want to protect and make more resilient. At the same time, resilience is fundamentally about your business model and your strategy – and only then about risk management. Consequently, the focus should be on fostering a resilient culture, not just running a resilience process.
- Executive buy-in is critical: For resilience to become an embedded organisational feature that goes beyond risk management, executive buy-in from the top is essential. Securing that support can be a long and winding road, but has to start with what matters to the executive team on their terms – starting with P&L impact (both the downside risk and the upside opportunity of true resilience), but also not forgetting talent recruitment and retention.
- Never forget the human imperative: The Emergency Planning Society shared their work on the ‘Ten Key Human Aspects Principles’ of crisis response – a model backed by detailed guidance on each facet, that I will certainly be studying in far more detail. Understanding people’s values and beliefs in a crisis – not just their functional needs and wants – is a mantra I chant often and has been handily crystallised in that important guidance.
These ten points were my purely personal takeaways from a fascinating two days. But they will hopefully provide food for thought for anyone interested in the evolution from downside risk management to positive resilience-building.