‘The biggest risk is not taking any risk. In a world that’s changing really quickly, the only strategy that is guaranteed to fail is not taking risks.’ When the co-founder of Facebook, Mark Zuckerberg, provided us with this memorable quote, he left one crucial question open: How do you steer your business past overwhelming, often unpredictable risks without crashing?
‘If you don’t take risks, you won’t reap rewards. Risk management is not a matter of avoiding risk altogether, but of identifying it and deciding how much risk you are willing to take,’ says Edward Okaro, advisory services director at EY (previously known as Ernst & Young) in Joburg.
‘The advent of the fourth industrial revolution, unpredictable geopolitics and climate change, among other factors, have tremendously increased the visibility, volatility and velocity of risks across different organisations.’
He adds that in the past it could take days, even weeks until certain problems were noticed and communicated. Now with automation and social media it only takes a single click of a button to share information worldwide within a matter of seconds.
On top of managing your organisation’s specific risk appetite and internal risks, there’s also a multitude of external risks that need to be navigated, but are beyond your control. Think increased corruption, water crises, unemployment, droughts, leadership problems and credit-rating downgrades – these are currently the top South African country-level risks as listed (in this order) in the 2017 Institute of Risk Management of South Africa (IRMSA) risk report.
Strategic, external and preventable risks
‘Risk management is very, very important for any business, no matter how big or small,’ says Okaro. ‘Without it, your business is unlikely to reach its true potential, and in the worst case, could even be destroyed.’
Companies that manage their risks effectively often outperform their competitors, become more resilient in the long term and produce more sustainable returns.
‘Historically, risk management has been a reactive or “check-the-box” exercise,’ says Sam Balaji, global risk advisory business leader at Deloitte. ‘Companies are beginning to elevate and closely link the risk conversations to business strategy and drive superior performance. Senior executives are now becoming more proactive and deliberate in assessing risks and utilising them to differentiate and create value in addition to protecting value.’
To manage risk, one should first look at the bigger picture. Okaro explains that business risks can be divided into three broad categories: strategic, external and preventable risks.
‘Strategic risks are those resulting from the decisions your organisation makes. For instance, whether to invest in South Africa, whether to grow organically or through mergers and acquisitions, and so on. It’s a balancing act that means evaluating the trade-offs between risk and reward,’ he says.
‘External risks are those that emanate from the environment, whether political, environmental, regulatory, technological or social. The impact of these risks may be minimised, but not eliminated.
‘Preventable risks are those that result from your own acts of omission or commission – for instance, if your employees don’t lock the warehouse doors and someone walks off with all your inventory. It’s entirely avoidable.’
All your potential risks (strategic, external and preventable ones) need to be identified and assessed in a risk register. Here each risk is graded according to its likelihood and its impact (low, medium, high, critical) on various aspects of the business, such as operational performance, health and safety, financial results or reputation.
‘Water crises’ and ‘drought’ are useful examples here, as they feature prominently on the IRMSA list of country-level risks (ranked second and fourth, respectively).
‘Everyone uses water; therefore, businesses should understand their own usage patterns and their business-interruption risk, so they know what to do if water isn’t available,’ says Vanessa Otto-Mentz, who heads up the group strategy unit at insurance firm Santam. ‘For us, this meant creating water risk scenarios for the business, and engaging with the City of Cape Town early on to establish what the water challenge meant for the residents and our business. We asked important questions about the availability of firefighting capabilities in conditions of drought or water scarcity and started preparing for “Day Zero” (the day the municipal taps run dry) and doing our bit to save water.’
Santam’s case demonstrates the value of creating risk scenarios. ‘We can’t predict the outcome, but we have to envisage a future with each outcome,’ says futurist and scenario strategist Chantell Ilbury. She explains that using scenarios in strategy goes hand in hand with risk management: ‘They demand we consider a possible event, evaluate the outcomes, weigh up the costs, and estimate the likelihood and probability.’
Locking the front door
‘Risks cannot be viewed in isolation; therefore, our report is indicative of how risk professionals should not work in silos, but be allowed to influence and assist in all areas of the business,’ says Gillian le Cordeur, CEO of IRMSA.
‘Each person in an organisation should be a part of the full risk-management process and really understand the interconnectedness of risks and how each individual plays a role.’
This involvement of employees becomes clear in the management of cyber risk, which, according to the Allianz Risk Barometer 2018, has been an increasingly pressing concern for South African businesses for the past five years.
Creating staff awareness – or what business consultant Roy Langley calls ‘locking the front door’ – serves as the most basic safeguard against cyber-crime. He explains that anyone using the company computer system, from the intern to the CEO, needs to be educated about phishing, how to spot corrupt emails, and other schemes that could allow hackers in.
One of his clients, a cosmetics firm, found its computer servers hijacked by cybercriminals who demanded a Bitcoin ransom. ‘How wrong and naive we were in those first few days after discovering the hacking,’ says Langley. It soon became clear that the back-up servers had also been compromised, making it impossible to recover the data.
‘We kept the hackers on hold while we located file copies made by third-party service providers. Through much hard work and luck, we were able to piece together the database,’ he says. The damage to the business was substantial: ‘Besides the cost for extra staff and third-party IT service providers, it delayed our business development plans by at least six months. One year on, we are still feeling the effects of missing historical data.’
While the cosmetics firm never identified how the cyber syndicate hacked the servers, it has since strengthened its IT security, improved the back-up processes and regularly updates all employees on the latest phishing schemes.
A well-designed risk-response strategy will help companies when handling a disruptive incident, such as cybercrime, water-related issues, reputational damage or anything else that may cause a business interruption. It’s important to have the right structures in place and adapt them as needed, to be able to bounce back after a setback.
Creating a resilient business starts with the tone and risk culture set by the leadership, and requires a careful risk-assessment and risk-management plan to cover all levels of defence. Successful risk management needs to be embedded in the business strategy, something that – in the words of Ilbury – should be ‘fluid and adaptive’ as opposed to ‘cast as a cemented path’.
The idea is to be ready for any risk, from wherever it may appear, and not ignore it or be crushed by it, but tackle it and then move on.