· Features

Risk management in an age of uncertainty

Risk is not an exact science, so HR needs to help create cultures where all employees embrace the unknown

A new year is a chance for a fresh start: for organisations to take stock of what they do and how they could do it better, to return to work after Christmas re-energised and optimistic about the success the next year could bring…

This might not, however, be quite the mood in many workplaces across the UK currently. The question of ‘what now?’ won’t be far from any future-gazing and media speculation around the year ahead. 2016 brought Brexit and Trump, 2017 a hung parliament no-one anticipated… not to mention numerous unexpectedly populist election results across Europe and the globe. So what might 2018 bring?

To say we live in an increasingly uncertain world has become something of a cliché – no less accurate for its repetition. What the fallout of Brexit particularly will be is still far from clear for organisations. And it’s not just the wider political climate that seems increasingly difficult to predict.

“We’re in a world of unstable business models, business models that we’ve taken for granted really, they’ve all been stood on their head within the last 10 to 20 years,” says Denis Sullivan, founder of IdeaStudio and lecturer at the Manhattanville School of Business. “The meltdown of 2008 changed the landscape. There’s an arc that started post-war, an era of prosperity and stability, and we felt that arc would extend forever. But we’re now seeing it on its downward side.”

What Brexit will have crystallised for many, however, is the need not to be so blindsided again – to make contingency plans for highly unlikely but potentially seismic events. Which is leading eyes across business and organisational communities to turn to one function in particular: the risk management department.

But what many are seeing as they look to what’s now widely known as enterprise risk management (ERM) isn’t quite what they’d hope to reassure themselves that their organisation is equipped and ready to tackle an ‘age of uncertainty.’ This could, as in potentially any business-critical area the business isn’t excelling at, be an opportunity for HR.

Room for improvement

Forgetting our age of uncertainty for a minute, risk management at many organisations generally isn’t up to scratch, say some. The overarching problem is that it’s too compliance- and process-driven, and siloed from the rest of the business. As a result the risks getting the most attention aren’t always the right ones.

“I think the problem is that in most organisations it is just a process that is followed, and too often it’s a tick-box exercise,” says Nick Holley, director of learning for the Corporate Research Forum (CRF). “All good project methodologies have a risk register and they have a set of actions. But to me that’s missing the point.”

“Risk management doesn’t always have the best reputation – it’s often known as the babysitter, the compliance manager who slaps people on the wrist,” says Spencer Knibbe, former head of risk at ICAP and at Bridgewater Associates, and now partner at MBK Search. “There’s a lot of room for improvement. Every quarter a consultancy comes out with a study: does risk management exercise power in the boardroom? But the jury’s out on that, it depends on the firm.”

“In every organisation I’ve worked in there’ll be an annual risk portfolio and it gets reported because part of managing risk is regular reporting,” says Angela O’Connor, former HRD at the National Policing Improvement Agency and the Crown Prosecution Service, and CEO and founder of the HR Lounge. “But it’s the bit where eyes glaze over, because people look at it and say ‘that has nothing to do with the real world, it doesn’t connect with me’.”

This formality and lack of credibility doesn’t bode well for an increasingly volatile world where risk must be much more reactive and open-minded about the issues that could come along, says Peter Cappelli, George W. Taylor professor of management at The Wharton School, and director of Wharton’s Center for Human Resources. “The tools for managing this have gotten better but I don’t think knowledge of them has spread that far,” he says.

“There’s been greater awareness since the financial crisis of managing exposure on the financial side but it hasn’t spread much past finance. Another problem is that we have short memories. After the SARS epidemic organisations were doing all kinds of planning for various kinds of epidemics, but they just stopped doing it. Someone decided it was too expensive and cut the budget.”

The danger is that risk management slips into a routine of logging the same, perennial risks (IT, supply chain, health and safety risks…) at every review, without thinking more broadly and laterally about external and internal events that could threaten the organisation.

This was reflected in Deloitte’s 10th Global risk management survey, released in March this year and looking specifically at the finance sector. It found that roughly 80% of respondents said their institution is extremely or very effective at managing traditional risk types, such as liquidity (84%), underwriting/reserving (83%), credit (83%), asset and liability (82%), investment (80%), and market (79%). But far fewer rated themselves well on managing newer risks. Only 32% rated themselves highly on data integrity and only 28% on geopolitical risk (a sharp drop from 47% in 2014).

For Julia Howes, principal of strategic workforce planning and analytics lead, Europe and UK at Mercer, worryingly absent from most risk registers are mega trends such as globalisation, automation, digitisation and AI.

“There’s a whole element around digital, automation, data analysis – so to what extent will we be able to adapt, which of our workers will go? What skills will we need?” she says.

“These mega trends haven’t before hit as fast and have been something businesses have been able to deal with in bite-sized pieces as part of business strategy. But more and more these disruptions are coming so fast that they’re actually also a risk if we don’t respond. In the past if we missed the boat it’s not the end of the company. Whereas now things are changing so fast that if we’re not on top of these mega trends that could have a disastrous impact.”

The main issue for risk management in a fast-moving and volatile climate is one of psychology and approach, she adds, where even the language used suggests risks can be ‘managed’ to the point of mitigation and elimination. “This is where the traditional risk management register approach gets put at a compliance level; it’s a process of trying to get rid of every risk possible,” she says. “But going forward you can’t manage away all of the risks.”

“I would question whether risk management is the language we should be using nowadays given how increasingly unstable our operating environments are,” agrees Catherine Shepherd, development consultant at Roffey Park Institute. “I think even the language suggests very much that it’s possible to know what the risks are and then you can put some good management procedures in and hey presto, all will be well.”

Agile risk management

So many feel risk management needs to progress to something much more nuanced, thoughtful and agile – where various competing probabilities and risks are continually weighed up.

“Risk is essentially always about trade-offs,” points out Rupert McNeil, chief people officer at the Civil Service. He highlights the value of rigorous debate in weighing these up: “A common way of displaying risk is through RAG: red, amber, green. A whole debate people have is ‘your idea of red might not be mine’. You might say something’s red because something external could knock it off course, but I’m saying ‘there’s nothing internally that would knock it off course; that’s why it’s not red’. So this is really about people having informed conversations about what could happen and how we prevent it.”

Cappelli agrees that the value lies in having the debate more than being so prepared for a potential risk that it ceases to be one. “You get enormous value from just getting people to think about things, and returns from additional planning start to decline pretty quickly so the fact you can’t do it perfectly shouldn’t matter,” he says.

He adds though that scenario planning informed by such debate is still useful: “I’m a big proponent of scenario planning. It’s nowhere near a perfect exercise but it’s an awareness-building exercise. What you’re doing is looking for overlapping risks.”

“I think the challenge is that if you try to develop a strategy for every single risk every time anything changes you end up with something far too complex to communicate and keep up-to-date,” agrees Steve Pierce, chief HR officer at Hitachi Europe, regarding the need to get away from risk management as a highly formalised process.

“Management wants to quantify things, and put things in nice reports and metrics, and be able to budget on that. But the reality is it’s very difficult to plan for all eventualities,” says Knibbe “That’s where risk management is more art than science.”

HR can play a crucial role in working with risk management to help transform the mentality and culture in this function, Knibbe continues: “HR can be a critical element in the management of risk and it faces the same problems of gaining trust and respect in the C-suite, not being viewed as a cost centre… When I ran risk in my past life HR was one of my biggest allies. Because we could use each other to help protect the business.”

“There is a parallel evolution between the risk and HR function; the risk function is probably following a similar experience in getting up to speed,” says Sullivan, in agreement that HR will hopefully find most risk functions receptive to being supported to achieve greater strategic clout.

Transforming the risk management function itself is by no means where HR’s role should end, however. The crucial factor that will enable risk management to become more of an agile, continuous debate rather than a definitive list or register is getting many more people involved. And this is where HR should really come into its own.

“HR is the one function that touches everybody in the organisation,” points out Cappelli. “So if you think about who is going to pull people together and has a logical way to do it, it’s HR – especially if you’re thinking about who deals with the inside of the organisation. Because lots of people compete to deal with the outside [but not the inside].”

“Risk needs to be more involved in the business in terms of understanding what the business does and getting a level of trust and respect from the business managers so they can act as a valued business advisor,” says Knibbe, regarding the holy grail of how risk and senior leaders should typically convene. “That means the head of finance, the head of technology etc. have a trusted relationship with someone in risk so that risk understands their business, and accurately conveys what could go wrong so the business manager can make a decision.”

McNeil adds that senior leaders and risk professionals should meet regularly at appointed times: “Every organisation should have a forum where they regularly, monthly, discuss organisational risk,” he says.

This will involve HR not just in its capacity to convene various groups, but on a talent and capabilities front as well, points out Knibbe. “There are different sorts of risk manager,” he says. “There’s the quantitative financial type. But I think what we’re seeing the need for more of these days is a business expert who can face off with senior executives, who can synthesise technical issues to non-technical audiences, not just give a litany of terms. That’s really what I think is lacking.”

Everyone a risk officer

HR helping to bring risk out of the risk function and off the page of the risk register should go far beyond involving more senior executives and departmental experts, however, feels Chris Roebuck, visiting professor of transformational leadership at Cass Business School. For him risk management agile enough to react to an age of uncertainty means every employee must become “their own risk officer”.

Even senior leaders and department heads won’t know as much about some elements of the day-to-day life of the organisation as those at the frontline, he explains. So empowering more junior staff to spot risks coming over the horizon can be powerful.

“The fundamental problem is that the risk function is not seeing what’s going on everywhere, particularly when operating in a multi-site, global organisation with many different departments,” explains Roebuck. “The problem is that, just as HR is left to HR professionals and finance to finance professionals, everybody thinks risk should be left to risk professionals. As a result people tend to take it out of their mind and think ‘I’m not a risk professional’.

“The average employee knows nothing about risk until someone starts talking to them about it,” he adds, regarding HR’s crucial role in rolling out risk training. “So it’s creating awareness of the types of risk that might exist. Then it’s creating awareness of how does it potentially occur, how can we mitigate it, and what do we do if we see it happening?”

HR’s role must extend far beyond training for risk management to truly become an organisation-wide activity, however, states Roebuck. “The critical question is: will they [employees] bother to do it?” he says, stressing the importance of cultures that inspire and empower all employees to take ownership. “If staff genuinely care about the organisation because their leader cares about them they’ll go the extra mile…”

“I think this is much bigger than training,” agrees the CRF’s Holley. “To me this is an organisational development intervention… Because you might train someone but the reward or performance management system might suggest totally different behaviours. Training needs to be part of a wider organisational intervention around culture.”

“There are three lines of defence in a classic risk management setup: business, compliance and internal audit, but culture is almost your first line,” agrees Tim Payne, head of people and change at KPMG UK.

Culture can play a strong role in its other, geographic, sense, Holley points out, with British culture not predisposed to voicing concerns or highlighting the negative. “In the UK particularly we are very polite; we don’t challenge each other enough because we take it as a personal affront… no-one wants to be the negative person.”

Holley points to a helpful technique used at a charity he worked with where there were six thinking hats of different colours. The person wearing the black hat was tasked with being the voice of challenge. “Everyone was saying ‘thank you’ because it was never personal,” he reports.

Much of this goes back to debates around whistleblowing, and cultures of empowering and protecting junior staff, points out McNeil. HR at its most fundamental but also most effective is after all about giving employees a voice – even where the point raised is an uncomfortable, disruptive one.

“One of the characteristics of high-reliability organisations is that when things go wrong anyone can raise their hand and say ‘we need to stop doing this now’,” says McNeil. “That’s why whistleblowing is really important. There are so many examples if people are in any doubt – the Challenger disaster for example” (when, in 1986, a NASA shuttle orbiter broke apart 73 seconds into its flight, killing all seven crew members. The subsequent investigation found NASA’s culture and decision-making processes had been key factors, with the agency violating its own safety rules).

Accentuate the positive

But as Roebuck points out, employees of all seniorities have to care enough to take this extra responsibility on. For Mercer’s Howes the key is to much more positively reframe the mindset with which risk is approached: “How do we inspire people around this topic? Can we make them see it as something that will build the business? There’s a real advantage to that positive mechanism,” she says.

This comes back, she points out, to eradicating any sense that in today’s world risk management can ever be about eliminating risks completely. The biggest risk to most organisations today, she asserts, isn’t an unexpected disaster scenario but rather failing to capitalise quickly enough on an opportunity, such as to digitise or deploy AI.

Holley agrees that reframing risk as opportunity is both much more motivating, and more meaningful, in today’s VUCA world. Cultures of risk must help employees embrace the fact that risk is now unavoidably inherent in every decision, and so must be embraced for its positive potential to be turned into gain, he says.

“I think the underlying problem is that we have a culture, not just in business but in the media, where if someone takes a risk and they’re wrong they’re punished for it,” he says. “That creates a culture where you don’t take a risk and that’s even worse, because in a world of disruption you have to take risks… So we need people not to be driven by emotions like fear; because risk management needs to be not a process you go through but a way of thinking about how you do business.”

“The biggest risk is that we don’t change fast enough, because then we as an organisation fail,” agrees Hitachi’s Pierce. “There’s certainly risk from political uncertainty but the biggest risk is that we don’t respond fast enough to opportunities. It’s being slow and conservative that’s the biggest risk.”

Dimitris Tsouroplis, group head of HR at shipping, hospitality, real estate and financial services conglomerate Libra Group, points out the power of galvanising the younger generation around horizon scanning for risks – something overlooked by most organisations.

“For Millennials and Gen Y this environment is the norm; they grew up in that environment and have had to adapt really quickly,” he says, regarding how much more comfortable younger employees can be around embracing risk. “For us it’s uncertainty, but for them it’s business as usual.”

Crisis management

So getting people at all levels of the business to continually assess the risks and opportunities of their operating climate will go a long way in ensuring the organisation navigates increasingly choppy waters. But the uncomfortable reality of unpredictable, uncertain times is that it’s likely there will be crisis situations that couldn’t have been avoided. Which brings us to risk’s even less palatable, less popular cousin: crisis management.

It’s important to help people reframe risk more positively as opportunity, reasserts Howes. But when it comes to crisis planning HR needs to help senior employees adopt quite a different psychology. Here it’s about helping people think realistically and pragmatically about the worst-case scenario and how they and the organisation will cope.

“People want to be optimistic so they set business strategy in a very optimistic way,” she says. “With Brexit, for example, people are still unwilling to plan for the worst scenario because they want certainty and to be optimistic… So there’s a cultural dimension where HR needs to stress that just because we’re working through the implications of a crisis doesn’t mean we’re defeatist and accepting things will inevitably not go to plan.”

Carrie Birmingham, former HR director at News UK and director of Carrie Birmingham Consult, agrees that if we can’t spot and negate every external risk the importance of robust crisis planning and management comes to the fore. This is not something currently done well in most organisations, she says.

Organisations are again much keener to tick off a list of specific disasters and formulate very specific logistical plans. But they should instead look to the deeper leadership and cultural implications.

“Business continuity and crisis planning typically focus on steps a to z,” she says. “So you’re preparing for a to z but that won’t happen. The plan shouldn’t be the process you go through. That type of training doesn’t have enough emphasis on leadership – the ability to be able to stand in the middle of a tsunami of stuff and cope. You need to focus on how to be, and that isn’t really what we talk about when we talk about extraordinary events.”

“This is about coaching, building confidence and working through with people to say ‘these things will happen’,” says The HR Lounge’s O’Connor. “What you have to plan for is your reaction.”

She adds the importance of senior teams discussing what their dynamic is likely to be like in a crisis in terms of how each individual will cope. “In a crisis someone will step up to leadership, while someone else will fall apart… So it’s honest conversations at the board to say ‘what do we know about each other that will tell us something about how we’ll react?’”

Preparing intelligently in this way for crisis scenarios will in turn then positively inform how leaders approach risk in unsettled times, says Shepherd. “I think the behaviours that help you respond well in a crisis are exactly the behaviours of resilience that underlie coping and thriving in general uncertainty,” she points out.

People risk

O’Connor qualifies, however, that organisations mustn’t lose sight of the fact that, amid the many unpredictable risks and events of today’s climate, some certainly can be spotted if risk management is geared up correctly. She points to last year’s Ryanair saga, in which the company announced in September that it would need to cancel up to 50 flights every day for a six-week period after it “messed up” the planning of pilot holidays.

“That’s an interesting one because you can guarantee that wasn’t on their risk register. It sounds like they just hadn’t worked out it was a possibility,” she says. “But you think ‘hang on, what are you measuring as risks then?’ Because it’s a pretty basic one that they won’t have a business if they don’t have people to fly the planes.”

This is a classic instance feels O’Connor of people risks – as explored by HR magazine back in our April 2013 cover piece – still not factoring anywhere near as highly as they should in risk conversations. The situation doesn’t seem, unfortunately, to have changed much since 2013.

“I think generally worldwide people are still far more cavalier about people risks than financial risks,” says the Civil Service’s McNeil. “For example, people would never say ‘I know better than to follow this financial approval process’, but people are willing to think they know better in the hiring process.”

And yet one of the key risks in the people space is that of “hiring someone who is an insider risk because they’re a fraudster or saboteur,” he says, adding cyber security, workforce planning, and inaccurate employee data and so pensions liabilities, to the list.

These people risks continue to constitute some of the biggest risks organisations face, says Cappelli. Which can act as a handy ‘in’ to broader conversations around improving risk management and instilling cultures of risk intelligence. “HR can convene people around workforce planning, for example, and then from there you can broaden out to other kinds of risk,” he says.

What this bridge into risk management more generally will also help prove is the ultimate unknowability of risks, with humans often the most unpredictable entity of all. “When risks go wrong a lot of the time it’s the human aspect that’s created that risk,” says John Stewart, director of HR at SSE. “I’d have a boring life if I could predict every day what people would do…”

Educating the organisation around people risks can be an excellent way of highlighting the fact that – much as compliance-orientated risk management might like to think otherwise – navigating risk has perhaps never been a definite science, even when external factors seemed more certain.

Cappelli goes further, stressing the importance of HR connecting their organisations with the fact that external risk has also never been that much more predictable – it was just easier to maintain it was. “These events remind us that we can’t actually ever predict very well,” he says in relation to Brexit, Trump et al.

Given the unavoidably unpredictable nature of human behaviour, getting everyone involved with risk management isn’t, points out KPMG’s Payne, just about ‘risk spotting’. It’s critical every single individual takes some level of responsibility for risk, he says, because it’s their actions that will often exacerbate, or ultimately even create, a threat in the first place.

He points to cyber security as a classic example of where employees present the greatest risk factor. “By far the biggest risks around cyber breaches come from internal people,” he says. “So let’s not forget about those.”

“There’s a piece around driving people’s moral compass around what’s right,” says Stewart. “Typically if you have say 10 people a couple will be predisposed to do the right thing, a couple won’t, and a couple will sit in the middle – they’ll be swayed by the mood music in the organisation, so it’s setting the right mood music.”

Ready for anything

So people risk is a crucial area organisations overlook at their peril in contemplating today’s new, non-traditional risk climate. This, as with all varieties of risk, will encompass the knowable and predictable (contracts ending, new regulation such as the National Living Wage coming into effect…), and the ultimately unpredictable dimension of human nature and behaviour.

But as with all seemingly unpredictable risks, there’s still a real opportunity to exert control – to weigh up the probabilities when it comes to employee actions and take steps to influence what these might be. Because though people might in some scenarios prove the most unpredictable variable of all, they’re also potentially an organisation’s greatest asset in intelligent, truly agile and VUCA-climate-ready risk management.

It’s undeniable that today’s world seems much more uncertain and volatile than yesterday’s – particularly when it comes to politics and disruptive trends and innovation. But HR helping to turn risk management from a traditional-risk-focused, compliance-driven activity into something much more cultural, continual and organisation-wide could go a long way. It could be vital to ensuring risks are not only mitigated but turned into positive gain; and in ensuring an organisation is truly ready for anything.