Organisation-wide risk management in action
Jenny Roper, January 23, 2018
Risk management principles are embedded throughout the entire business at SSE
Energy supplier SSE has always had its eye firmly on regulatory and political risks – as you’d expect for a firm in a sector so highly dependent on the mood music of both. But recent political events have certainly focused minds around this, reports director of HR John Stewart.
“There’s been a reset on people’s perspective on risk and moving it away from things like disaster recovery, financial fraud, failures of systems, and far more into a wider, socioeconomic piece on the impact external events can have,” says Stewart. “Certainly in our sector we’ve seen an adjustment on people starting to look at risk and saying: what if? They might not all be risks but it’s scenarios such as: what happens if a Labour government comes in and renationalises us? The wider political picture is becoming more and more relevant.”
Risk management is very much embedded in the wider business at SSE, says Stewart, with various committees of department and functional experts regularly convening to discuss risks in their area.
“We sit and debate the direction the risk might be going in and why, then we’ll independently complete a self-assessment, then look at a scenario to ask: is that a realistic risk scenario that could happen to our organisation and is our means of dealing with it effective?” he says.
“That will create a really good debate,” he continues. “With each risk we’re accountable for we’ll be asked to give an overview of: is the risk getting better, worse or staying the same? Our risk team then synthesises that and sits down as a workshop to say: here’s a range of views, let’s talk about our controls. Then we’ll take it up to the exec committee for debate and produce a scorecard of what we think are our top 10 risks. We’ll map them out in terms of likelihood and impact. Then we’ll have the debate about whether we’ve assigned enough resources and whether we’re worried enough.”
A culture of risk right across the organisation is key, says Stewart. “We’ve done a big ethics programme over the last few years, talking about business reputation, business ethics, risk appetite and the protection of our culture.
“That goes all the way down to our legal responsibilities around the competition and bribery act and whistleblowing. We do monthly modular e-learning refresher training with our senior leadership team about things they need to be aware of.”
He adds: “Culture is about: what standards do the leaders set? Then it’s the reputational piece around driving people’s moral compass regarding what’s right.”
Stewart says engagement with risk at the very top of the organisation is also critical, and a growing area of focus at SSE: “Our board has started to get really engaged with culture and risk,” he reports.
He adds: “I think organisations have had to wake up and almost take a step back from risk being the extreme scenario planning of aircraft going into buildings, to seeing things they didn’t expect to happen that came up on them quite quickly. Brexit and Trump have stopped organisations and made them think they need to look at things they didn’t necessarily believe would happen.”