Originally posted on Raconteur by Nick Easen.
The aftermath of a global corporate scandal is a very messy affair. Firstly, there’s the breaking news, then the media frenzy, the plummeting share price, the evaporating confidence, the damage-limitation exercises and finally the groveling executives. We live in a super-charged, hyper-connected environment, answerable to the 24-hour “churnalism” cycle and social media chatterati. Boeing, Uber, Nissan, Huawei, Airbus or Purdue Pharma, to name but a recent few, have all had to step up like Winston Churchill to their darkest hour. “Crisis management can be like dealing with an explosion,” explains Jo Willaert, president of the Federation of European Risk Management Associations.
And with any explosion, corporate or otherwise, everyone ducks away from the line of fire for fear of getting hit. Damage limitation can trump open communication. Slow and myopic group-think can stymie a crystal-clear crisis management plan because the stakes can be excruciatingly high and the fallout unthinkable. No one really wants to spark the next Lehman or Enron crisis. It would be career suicide.
Why do companies need a crisis management plan?
“Be quick, honest, open and, in such circumstances, be compassionate in communications, these are the key principles of crisis management,” says Julia Graham, deputy chief executive of Airmic, the UK’s risk management body.
Yet time and again these messages don’t seem to permeate the rarefied air of boardrooms or the upper corporate classes, and it shows. Whether it’s Boeing’s chief executive taking a week to respond to the fatal Ethiopian Airlines crash or BP’s boss Tony Hayward making a quip during the Gulf of Mexico oil spill saying he “wanted his life back”. The rapid, heartfelt response to an incident is as crucial today as it was ten years ago.
“An actual crisis is a pressure cooker and no time to start working out roles, responsibilities, and processes for your management team. Yes, Mr. Hayward apologized quickly, yet the damage was done and here we are almost a decade later still talking about it,” says Marc Cornelius, founder of 8020 Communications, a specialist public relations consultancy.
At the heart of every response is an effective crisis response plan. Businesses are most resilient when they’ve already considered what to do if the worst happens and if all executives understand the roles they need to play. A risk manager co-ordinates decision-making teams that need to be multi-disciplinary, with all business functions represented, since they see situations from diverse angles.
“For instance, a classic tension can exist between legal and marketing perspectives: saying very little might theoretically limit your potential liability, but will the consequent damage to your brand end up costing you more long term? You can bet those functional tensions would have been going on recently within Boeing,” says Mr. Cornelius.
Why strong leadership is crucial in crisis management
Time and again though companies are caught up in a crisis storm that is hard to weather. Facebook had its Cambridge Analytica moment, while Monsanto had to deal with a customer allegedly contracting cancer from its weedkiller, then there was Exxon’s reaction to the Alaskan oil spill, the list goes on. The lessons that can be learned are legion. Each event is unique and complex.
Rupert Younger, director of the Oxford University Centre for Corporate Reputation, thinks we need to go beyond our preparation manuals, rehearsals, box-ticking exercises, and well-documented crisis management plans, and instead, create more of a wider culture of being able to respond to crises.
“Smart companies should spend as much time listening as talking; empathy and humanity are crucial. Each stakeholder has to feel well informed and properly looked after at all times, and internal teams need to be organized and focused on this,” says Mr. Younger.
One thing that a lot of crisis experts agree on is the crucial role that executive leadership plays in dealing with a crisis. As with the logjam over Brexit, markets and corporations look for certainty; any perceived loss of control, lack of solutions or uncertainty can cause real harm, especially in the early stages of an incident, and a lot of direction comes from the top.
A responsive C-suite is the new imperative, especially when key executives are increasingly being held accountable if their company is not able to respond to a crisis. Look at various governments’ response to the live-streamed mosque attacks in New Zealand and their crackdown on social media companies for showing harmful content, from Australia to the European Union, including the UK.
Sound risk management leads to greater trust
When management could be personally liable for these crises and fines could reach as high as 4 per cent of global turnover, as is the case under the EU’s General Data Protection Regulation, it’s enough to make any corporate board, from Twitter to YouTube, rewrite their crisis management plans and think twice about how they respond.
“Yet events usually outpace responses and without preparations or expertise at the table, leadership can find themselves frozen as they watch things unfold. The organization needs to be clear on who takes the lead in efforts to restore the confidence of the public, clients, employees, and investors,” says Erik Petersen, head of crisis management consulting in Europe at Control Risks.
“The issue is that leaders will often be required to make decisions with insufficient information. It can take days or sometimes longer to get facts or understand the nature of the problem, while stakeholders will demand immediate answers and response.”
The fact is most of us trust corporations around the globe without knowing what kinds of systems they have in place to deal with risk, safety, and incidents that involve people’s lives, health and wealth. We eat, fly, drink, drive and consume various products from countless companies that we put our utmost faith in. The question is, can we really trust them?
“Companies that manage risk well tend not to face crises of their own making,” says Sandra Sucher, professor of management practice at Harvard Business School. “In my research, I’ve found a close association between sound risk management and being trusted. Risky actions lead to mistakes of many kinds, and we mistrust, with good reason, companies which don’t seem to appreciate the consequences of their mistakes and fail to anticipate the risks that things could go wrong.”
Why you cannot ignore crisis communication management
Another aspect that’s crucial is crisis communication and the language used. “It is arguably becoming one of the most important elements of damage limitation in an era where harm to brand and reputation is the greatest part of the impact,” says Mr. Petersen.
Increasingly, big corporations value the role of crisis communications. They also understand that it’s a specialized skill, either to be cultivated in-house or provided by an outside consultant who knows the business well and is on call. “Those organizations that don’t value communications, do so at significant risk,” says Kelli Matthews, senior instructor at the School of Journalism and Communications, University of Oregon.
Many crises that whip through the media are hardly binary affairs; they are infinitely complex. The key is to make these issues simple and communicate in plain, unambiguous language. “This can be really challenging,” says John Martin McDonald, founder of Caeli Communications. “As Mark Twain once said: ‘I didn’t have time to write you a short letter’. But you must make the effort and do it throughout the crisis.”
Reputational damage may be significant, if not permanent
All this underplays the role of the risk manager, yet they are a crucial go-to person in any crisis. They have a pivotal role to play since the impact of a crisis can touch many facets of a business from customers to shareholders, affected communities to supply chains.
“The professional risk manager serves as a coordinator across many functions that need to be involved in a situation like this, both for the manufacturer and the airlines in the case of the Boeing crisis,” says Typhaine Beaupérin, chief executive of the Federation of European Risk Management Associations. “The risk professional will also play an important role in managing the complex insurance issues that will inevitably arise as a result of a crisis.”
It’s not all doom and gloom. Many businesses can be resuscitated over time. “A company’s reputation is not earned overnight and, usually, not lost overnight,” says Marc Szepan, a lecturer at the University of Oxford Saïd Business School.
But beware, a recent study by The Economist of the eight most notable corporate crises since 2010, including those at Uber and Wells Fargo, found that the median firm was worth 30 percent less today than it would have been had the scandals not occurred. Ouch.
Originally posted on Mark On Solutions by Matt Davis.
The insurance industry uses the term “risk appetite” to describe the level of risk that an organization is willing to accept. An essential first step in managing corporate security, and resiliency, has to do with determining your firm’s risk appetite.
Risk appetite is defined as the amount of risk exposure that an organization is willing to accept as a normal course of business. Tolerance for risk exposure can vary greatly from one company to another, and among different industry segments.
As a precursor to establishing an effective risk management program, it’s essential for a firm to determine its risk appetite. This can be done using a baseline analysis that accounts for a combination of threats, vulnerabilities, consequences, and readiness.
It’s interesting to note that often a company’s appetite for risk doesn’t match its actual exposure. In other words, companies are often unaware that their risk exposure is significantly greater than their actual tolerance for that risk.
Assessments, training, and exercises are all excellent ways to expose those gaps and establish focus points for adjusting your firm’s security posture to align with its risk appetite.
Originally posted on BlueDrop by Colin McCabe.
Whilst risk management played a role in business prior to the financial crisis of 2007-2008, it didn’t have quite so much of a major importance as it does today. These days, if a company doesn’t find a way to prevent or mitigate risk then it can really struggle to get back on track. Unexpected risks can shut down a business for days and sometimes even longer; many never even re-open.
Despite the scary facts, it is thought that 75% of businesses today still don’t have a risk management plan in place. Whilst there are many forms of risk management, insurance can be one of the most important as it helps to prevent losses, and as we all know, fewer losses mean higher profits.
How we can help your Risk Management
At Bluedrop Services, risk management is taken seriously and we endeavor to meet our clients’ requirements to achieve maximum profitability with minimum risk to them. We have implemented a specialist risk management department which will strive to succeed in aiding clients in the process of risk management and how to reduce risk.
Risk management is the identification, assessment, and prioritization of risk followed by coordinated and economical application of resources to minimize, monitor, and control the probability of any unfortunate events, which can occur at any time. The objective of risk management is to assure a company/task does not deflect from achieving its goals.
Risks can come from various sources depending on your type of business. These can include: road risk, potential failure of projects, legal liabilities, financial risk, accidents, deliberate attack, incorrect or no process and procedures, and poor health & safety policies, all of which could have a serious financial impact on a business or body.
Where should you focus your Risk Management?
Emerging companies should focus in particular on employer’s liability, data privacy and cyber liability, errors and omissions liability, directors’ and officers’ liability (D&O) and, depending on the number of employees, fiduciary liability and employment practices liability policies. By identifying and assessing risk early this will reduce the chance of a potential financial impact on a business.
How to reduce your risk
Strategies to manage risk typically include avoiding the risk, reducing the negative effect or probability of the threat, transferring all or part of the risk to another party, and even retaining some or all of the potential or actual consequences of a particular risk.
Although risk management has no measurable improvement on risk, there is an increase in confidence in the decisions made by risk management strategies.
Simple risk assessments can be completed to reduce any type of risk; these should include:
1. What is the threat/risk
2. Who is exposed and why
3. Current process
4. What can be done to reduce the exposure
5. Documentation of the above
Sensible risk management is about taking practical steps to protect people from real harm and suffering, not bureaucratic back covering. Taking a sensible approach to risk management is about ensuring the safety of employees and the public, learning and understanding by all, and responsibility for risk by companies.
Falling in the middle of the risk management cycle (after developing risk appetite and tolerance and identifying, but before assessing and analyzing risks), the organization then must identify who will “own” or be responsible for a particular risk.
Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)
Assigning an owner for these risks is important for a few reasons…
One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.
Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.
The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.
It’s important to understand that ERM does not actually manage risks, which is a common misconception. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.
The only exception to this rule is if the risk function is responsible for insurance, business continuity, or a similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.
In what circumstance will the organization need to assign a risk owner?
Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottom-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.
Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.
Iconic cosmetics brand Estee Lauder, for example, has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.
In short, a risk owner needs to be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.
More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.
You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.
Risk Ownership: Key Considerations, Challenges, and Options
I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.
- Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
- Properly train on risk owner responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
- Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.
One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.
In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.
And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culture throughout the entire organization.
Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type of situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.
To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…
During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other well-known software tools organizations commonly use include Logic Manager, MetricStream, CURA, and Sword Active Risk. But there are plenty of other options out there, like Aviron Financial Solutions, Audit Comply, and Vose Software, to name a few…
When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…
Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.
Individual risk owner
If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the one person held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.
When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.
Another point to consider when determining an individual risk owner is assigning accountability by position rather than by name. (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.
One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.
For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.
However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.
These management-level risk committees can benefit the organization in many ways, including building a positive risk culture.
As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).
A Word of Caution
Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.
This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.
If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.
Source: ERM Insights
5 Cannabis Legalization Issues for Employers
Many employers are wondering what level of tolerance they should implement for cannabis use in the workplace. What do they do if an employee is impaired on the job?
It’s important to recognize that just because marijuana is legal does not mean employees can be impaired in the workplace. Just like alcohol, it is not acceptable for an employee to be under the influence on company time, and this is very clear in the new laws.
However, zero tolerance may not be the best route unless employers can absolutely prove that sobriety is a bona fide occupational requirement. Otherwise, a dismissed or disciplined employee could file a human rights or wrongful dismissal lawsuit — and they may win. Employers should check with their lawyers for a case-by-case analysis of tolerance levels.
Some lawyers have recommended a “low-tolerance” policy: addressing the concern if and when it appears and only moving forward to dismissal when there is a repeat violation. Consider this: an employee goes out for lunch one day and has a couple of drinks before returning to work. If this becomes a regular occurrence and lowers performance, it may be necessary to have a conversation and move towards termination if the situation doesn’t change. However, the employee would likely not be immediately dismissed for a one-time occurrence. The same idea may be applicable to marijuana use.
In addition, employers must consider the use of medical marijuana. Cannabis consumption with a prescription has been legal since 1999 for the treatment of various disorders and conditions. While medical marijuana in the workplace may not be new, employers must be careful not to discriminate against these users with new tolerance policies. They must accommodate medical marijuana to the point of “undue hardship”. Consider asking these employees what accommodations they need and what tasks they are able to perform, and make any necessary changes to their duties.
In particular circumstances, employers do have the right to implement a zero-tolerance policy. In “safety sensitive” positions, such as those involving driving or the operation of heavy equipment, employees must be strictly sober for the protection of themselves and others. In these situations, employers can place a ban on cannabis consumption (similar to alcohol consumption) during work hours or in a designated time period before work begins.
Once again, employers are required to accommodate medical users. For example, an employee could be transferred to a different role that is not safety sensitive.
3. Drug testing
Testing for cannabis impairment has not been fully addressed by the government prior to legalization. There are a few key issues in this area:
- THC (the component of marijuana that makes a user impaired) stays in the body much longer than other substances such as alcohol. Its presence in the body does not necessarily mean that the user is currently impaired.
- The Charter of Rights and Freedoms would likely prevent any kind of random drug testing in the workplace from being lawful. This would be seen as an invasion of employees’ privacy rights.
- Drug testing is currently only permitted in very specific employment situations, where safety is a key issue or there are reasonable grounds (for example, if there has been an incident or there is a strong reason to believe the employee is under the influence).
Until there are federal regulations in place to resolve these uncertainties, employers should be very cautious in implementing marijuana testing. In the meantime, they can use assessments of behavior and conduct in place of a hard test. If an employee is regularly underperforming and showing signs of impairment, it may be time to have a conversation. For a more in-depth discussion on drug testing in the workplace, check out this Huffington Post article.
4. Creating new policies
An employer should consider implementing new workplace policies to address the legalization of marijuana.
After carefully constructing a tolerance policy considering all of the above factors, employers must ensure it is well-known. For example, employees could receive training on the new policy and marijuana use. The policy should also be displayed and distributed to each employee, perhaps through email.
The tolerance policy must clearly define what is acceptable and what behaviors may be grounds for disciplinary action or dismissal. Doing so ensures the employer will have a strong defence if and when actions are necessary.
Cannabis consumption must also be considered in other workplace policies, such as smoking in designated areas on company property and scent-free policies.
5. Marijuana Stigma
Many members of Canadian society may stereotype marijuana users. These users are assumed to look and behave in a certain way. Now that recreational cannabis is legal, these ideas may become stronger.
As an employer, be careful not to make assumptions about employees. While some managers may not agree with marijuana usage, it is now legally permitted. This means employees cannot be judged on their personal choice as long as it doesn’t impact their ability to do their job. There won’t necessarily be any of the attendance or performance issues that employers fear. Take these situations on a case-by-case basis, similar to any other performance problem.
In certain face-to-face professional settings, employee marijuana consumption may create reputational issues. In these circumstances, employers must carefully construct tolerance policies to find the balance between employees’ choices and customer opinions.
Whenever new legislation comes in, organizations as well as the rest of society must go through an adjustment period. While adapting to marijuana legalization, employers should consult with lawyers before making policy decisions or changes.
By carefully considering new policies and employee safety, employers are prepared to face the risks of cannabis legalization. Ideally, severe issues will not arise and employers can mainly continue as normal. But as in any risk situation, it always pays to be proactive.