Date post: 04-Mar-2018
2014 RESPONDING TO GLOBAL RISKS A practical guide for business leaders

Institute of Directors

116 Pall Mall, London SW1Y 5ED
www.iod.com


Responding to global risks

The World Economic Forum’s recent report, Global Risks 2014, analysed dozens of global risks, based on a survey of over 700 experts from industry, government and academia. This publication builds on the WEF report’s findings by describing practical measures that businesses can take to manage and mitigate these risks.

Written by leading experts in the field of business risk management, this guide is particularly aimed at board-level directors, from all industry sectors, including public sector organisations. It offers global perspectives for multinational companies, as well as local implications for smaller firms. It is also relevant to risk professionals and others who wish to understand global risks and the distinctive role of the board in responding to them.

Group Editor, Director Publications Ltd: Lysanne Currie
Consultant Editor: Tom Nash
Creative Director: Chris Rowe
Production Manager: Lisa Robertson
Head of Commercial Relations: Nicola Morris

Director General: Simon Walker

Published for the Institute of Directors, Airmic, Marsh, PwC and Zurich by Director Publications Ltd, 116 Pall Mall, London SW1Y 5ED

020 7766 8910
www.iod.com

© Copyright Director Publications Ltd, June 2014
A CIP record for this book is available from the British Library

ISBN 978-1904520-86-3
Printed and bound in Great Britain

The Institute of Directors, Airmic, Marsh, PwC, Zurich and Director Publications Ltd accept no responsibility for the views expressed by contributors to this publication. Readers should consult their advisers before acting on any issue raised.


Airmic

Airmic represents corporate risk managers and insurance buyers. Its membership includes two-thirds of the FTSE 100, as well as many smaller companies. The association organises training for its members, seminars, breakfast meetings and social occasions. It regularly commissions research and its annual conference is the leading risk management event in the UK. In 2014 it published the risk management report Roads to Resilience.

Marsh

Marsh is a global leader in insurance broking and risk management, with approximately 27,000 colleagues working together to serve clients in more than 100 countries. Marsh helps businesses around the world to succeed by defining, designing, and delivering innovative industry-specific solutions that enable them to manage risk effectively. Marsh is a wholly-owned subsidiary of Marsh & McLennan Companies.

PwC

As the UK's leading provider of integrated governance, risk and regulatory compliance services, PwC specialises in helping businesses and their boards create value in a turbulent world. Drawing from a global network of specialists in risk, regulation, people, operations and technology, PwC helps its clients to capitalise on opportunities, navigate risks and deliver lasting change through the creation of a risk-resilient business culture.

Zurich

Zurich Insurance Group is a leading multi-line insurer serving customers in global and local markets. With more than 55,000 employees, it provides a wide range of general insurance and life insurance products and services. Zurich’s customers include individuals and businesses of all sizes, including multinationals, in more than 170 countries. The Group is headquartered in Zurich, Switzerland, where it was founded in 1872.

Institute of Directors

The IoD is the leading organisation supporting and representing business leaders in the UK and internationally. One of its key objectives is to raise the professional standards of directors and boards, helping them attain high levels of expertise and effectiveness by improving their knowledge and skills. It is the publisher of Business Risk: a practical guide for board members, also produced in collaboration with Airmic and PwC.


Foreword

The catalyst for this guide has been the latest annual report on global risks from the World Economic Forum (WEF). We make no apology for referencing this excellent study because it provides vital insights into how industry leaders and experts perceive evolving, interconnected risks that cut across national boundaries, the economy, technology, society, and the environment.

The WEF’s Global Risks 2014 report analyses 31 global risks over the coming decade. The risks are grouped under five classifications – economic, environmental, geopolitical, societal and technological – and measured in terms of their likelihood and potential impact.

The 10 risks of highest concern to respondents are:
1. Fiscal crises in key economies
2. Structurally high unemployment/underemployment
3. Water crises
4. Severe income disparity
5. Failure of climate change mitigation and adaptation
6. Greater incidence of extreme weather events
7. Global governance failure
8. Food crises
9. Failure of a major financial mechanism/institution
10. Profound political and social instability.

Of these threats, income disparity, extreme weather events and unemployment/underemployment are the three most likely to cause major cross-border damage in the next 10 years. Fresh fiscal crises, climate change and water shortages, although seen as less likely, are the three that would have the largest global impact. Further, the study describes the coalescence of various global risks into three unwelcome scenarios: a ‘generation lost’ because of social and economic strains on young people; ‘digital disintegration’ due to the world's increasing reliance on the internet despite its vulnerabilities; and ‘instability in an increasingly multipolar world’ from rising geopolitical tensions.

WEF’s study highlights how global risks are not only interconnected, but also have systemic impacts. It concludes that greater effort is needed to manage them effectively.

And that is where this guide comes in. It is one thing to analyse global risks but, in the absence of a global authority to control them, it falls to organisations, boards and individual leaders to understand their impacts and build resilience to them at both a strategic and operational level.

This is by no means negative thinking. Improved resilience breeds increased confidence, greater enterprise and other benefits. Equally positive is the reality that a threat to one organisation can be an opportunity for another. A constant theme of this guide is that businesses can achieve competitive advantage through an effective response to global risks.

Written by leading experts, the following chapters will help IoD members and other leaders, in both large and small organisations, understand how interdependencies between risks evolve, offering them fresh thinking and practical advice to supplement traditional risk management tools.

Simon Walker
Director General, Institute of Directors

Contents

Part 1: Introduction

Chapter 1: Managing global risks
The onus is on boards to recognise global risks and take steps to mitigate them
Dr Roger Barker, Director of Corporate Governance and Professional Standards, IoD

Chapter 2: Risks carry consequences
Dealing effectively with global risks is a daunting task, but not an impossible one
John Scott, Chief Risk Officer, Zurich Global Corporate at Zurich Insurance Group

Part 2: Addressing critical impacts

Chapter 3: Financial fractures
Businesses inhabit a harsh post-crisis world when accessing finance
James Sproule, Chief Economist and Director of Policy, IoD

Chapter 4: Logistical nightmares
Infrastructure and supply chains are vulnerable in today’s globalised economy
Caroline Woolley, EMEA Property Practice Leader and Global Business Interruption Centre of Excellence Leader, Marsh

Chapter 5: Social strains
The consequences of global risks on workers, customers and other stakeholders
John Scott, Zurich

Chapter 6: Tech traumas
Advances in technology and the internet bring major threats – and opportunities
Charles Beresford-Davies, Managing Director and UK Risk Management Practice Leader, Marsh

Chapter 7: Reputational ruin
Global risks pose an intangible threat: rapid damage to a brand’s reputation
Faye Whitmarsh, Senior Manager, Culture and Behaviours, and Richard Sykes, Partner and Head of Governance, Risk & Compliance, PricewaterhouseCoopers

Part 3: Board responses

Chapter 8: Creating resilience
Creating a framework for long-term enterprise resilience
James Crask, Senior Manager, Business Resilience, and Richard Sykes, PwC

Chapter 9: It could be you...
Some final thoughts and key tasks for the board
John Hurrell, Chief Executive, Airmic

Part 1: Introduction

Chapter 1: Managing global risks

To achieve a company’s strategic objectives, the board must decide what risks it is willing to take. This task is particularly challenging when it comes to assessing global risks.

Dr Roger Barker
Director of Corporate Governance and Professional Standards, Institute of Directors

Although risk management may sometimes appear to be the province of specialist risk managers, it is increasingly recognised that the board of directors must play a central role in managing risks. For example, the UK Corporate Governance Code states: “The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems”. But boards typically find that global risks – which are the focus of this publication – are tricky both to conceptualise and manage. One of the lessons of the recent financial crisis was that companies often focus too much on their own company-specific risks and not enough on overarching systemic risks.

Such risks tend to originate beyond the normal activities of the company, and the board may feel that it lacks sufficient in-house know-how to fully understand their causes and business implications. And yet such risks have the potential to exert a huge impact on the company's success or failure, both at an operational level and, often more importantly, in terms of its overall business strategy. Equally, they can give rise to a range of business opportunities that, if successfully exploited, can translate into a major source of competitive advantage. One company’s nemesis may be another’s reason to exist.

Since 2006, the World Economic Forum (WEF) has published its annual Global Risks report. This widely-referenced study provides a unique insight into the significant and emerging risks that are seen as most likely to bring calamity or opportunity to a wide range of organisations. It provides the starting point for the rest of this publication, which seeks to offer practical guidance to businesses on how they might respond to the impact of these global risks.

According to the WEF report, a global risk is defined as an occurrence that causes significant negative impact across many countries, industries and organisations over a sustained period of time (up to 10 years). Such risks may be economic, environmental, geopolitical, societal or technological in origin. Their common characteristic, however, is their potentially systemic impact – they not only affect individual organisations but may also give rise to a contagion effect that can generate disruptive shockwaves across entire economic, societal, environmental, technological and other systems.

Although such global risks may seem to be less immediate than more organisationally-specific risks, their commercial impact is potentially just as real. Unlike other risks to the business, their effects are likely to be difficult to avoid due to their wide-ranging systemic nature. Consequently, boards must develop a framework of decision-making, oversight and embedded values that enables this kind of risk to be managed.

Most governance frameworks break down the board’s risk oversight responsibilities into distinct components, each of which is relevant to the management of global risks:

• Determining the organisation’s desired trade-off between risk and reward. This typically involves defining the risk tolerance (or appetite) of the enterprise, which in turn guides the development of the business strategy. In other words, what sort of activities does the organisation wish to undertake and which will it avoid?

• Identifying and reviewing the portfolio of risks to which the organisation is exposed, and determining whether to accept, avoid, manage or outsource them. Risk is a fact of life, but the board has a choice about how to deal with it.

• Monitoring management’s efforts to maintain effective risk management and control systems, and ensuring that relevant risk policies and values are fully applied.

• Communicating to shareholders and other stakeholders the critical risks faced by the organisation, and providing assurance that they are being well managed. Boards not only have to ensure that risks are managed effectively; they must be seen to be managed in an appropriate way.

Snapshot

• It is a key task for the board to perform ongoing risk oversight. It can’t be delegated to risk management specialists.

• Boards typically find that global risks, though potentially catastrophic, are difficult to conceptualise and manage.

• Boards play a pivotal role in defining the company’s risk appetite and in identifying major global risks.

• There is a need to create a culture of risk awareness and build resilience into the business.

In large organisations, many aspects of the board’s role will involve risk oversight rather than risk management (which will be undertaken by the CEO and executive team), whereas in smaller companies the board may play a more ‘hands on’ management role, both in the identification of critical global risks and the direct operation of risk management systems.

But even in the largest corporations, which may employ significant numbers of risk management specialists, the board will typically be well placed to play a key role in the assessment and oversight of global risks and their impacts. The strategic importance of global risks means that they are an essential aspect of board-level discussions of the corporate vision and business model. And the board is a better vantage point than elsewhere to take a broad view of the organisation and its business environment, bringing to bear the wide-ranging experience of both executive and non-executive board members. For this reason, oversight of global risks is not something that can be mainly delegated to specialist risk managers or in-house internal control functions. It demands a board-level perspective. In some cases, it merits the board-level role of chief risk officer (CRO) – with the key task of identifying links between global risks and organisational impacts, ensuring resilience.

A commonly-utilised tool in the board’s risk oversight process is the risk register, which classifies individual risks in terms of their likelihood and impact and identifies measures for mitigating them. The risk register may also specify a manager or board member who is personally accountable for the management or oversight of the particular risk. In addition to regular board meetings, boards may also use strategic ‘away days’ to brainstorm such risks in more detail, incorporating the input of both management and external experts.

Some global risks may be ‘slow-burn’, but a lesson of recent corporate crises is that many are sudden and difficult to identify in advance. Furthermore, interrelationships between different types of risk mean that analysing them individually may lead to seriously misleading conclusions.

It is also important that the board builds sufficient resilience into its business model and operational processes, in order to support the organisation in coping with the impact of a variety of global risk outcomes, including the so-called ‘black swan’ events that are not widely anticipated. Appropriate precautions, many of which are discussed in this Guide, include business continuity arrangements, securing emergency access to human, financial and physical resources, and ensuring adequate margins of error in the design of technical and operational systems.

Tooling up

In a ground-breaking article, Managing Risks: A New Framework (Harvard Business Review, June 2012), Harvard professors Robert Kaplan and Annette Mikes highlight the importance of using appropriate tools for different types of risk management.

Kaplan and Mikes argue, “Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.”

They present a new categorisation of risk that allows businesses to tell which risks can be managed through a rules-based model and which require alternative approaches. Their category of ‘external risks’ includes global risks such as natural and political disasters and major macroeconomic shifts. “Because organisations cannot prevent such events from occurring, they must focus on identification and mitigation of their impact,” they say.

To link global risks to business impact, boards need to use tools such as scenario planning. In this way risk management at board level becomes closely aligned with the strategy process. This is a very different risk tool suite to the preventative risk models that might be employed to quantify ‘hygiene factor’ operational risks such as health and safety risks, or ‘value at risk’ (VaR) for financial product mark-to-market risk evaluation.

In larger organisations, the board may delegate certain aspects of its risk oversight responsibilities to board committees. Traditionally, the audit committee has been a forum for this kind of additional scrutiny, but an increasing trend – particularly in financial institutions – is for a designated risk committee, and the associated executive and board-level role of CRO, to be created. This may permit more attention to be paid to emerging risks, beyond the more backward-oriented issues of financial reporting, audit and control that can absorb the audit committee.

Although an effective board will seek to play a crucial role in the governance of risk, directors should be conscious of the need for a strong risk-aware culture throughout the organisation. The board faces a particular challenge in large and complex organisations, where it must find ways to encourage employees at all levels either to address potential risks themselves or flag them up to leaders without delay or fear of the consequences.

But for this to happen, the board must nurture a ‘no blame’ culture, particularly in terms of its own relationship with the CEO (which, if it breaks down, poses a critical but often unacknowledged risk for the organisation), but also through the establishment of reliable lines of communication between the board and other employees involved in risk management activities, including whistleblowers. The board needs to engender a healthy level of trust between itself, management and employees to avoid the creation of a ‘risk management glass ceiling’ between the board and the rest of the organisation.

Effective boards will also wish to increase their ability to manage global risks by encouraging diverse and challenging perspectives within the boardroom itself. This will include: considering how diversity can be achieved on the board; recognising the limits of their own direct oversight capacities; and searching for ways to embed and incentivise appropriate ethical behaviours throughout the organisation. And they might consider how the redesign of organisational structure could simplify the board’s oversight of the business and facilitate easy communication between all levels of staff.

Ultimately, it is the board that is responsible for the governance of risk. But given the uncertainty and potential impact of the global risks highlighted by the WEF report, it is the people and culture of the entire corporate entity that will determine if these risks can be successfully navigated.

Checklist for the board

• Do we have a framework of decision-making and risk oversight that fully incorporates evaluation and management of global risks?

• Does the board devote sufficient time and resources to the evaluation of global risks?

• Should we appoint a chief risk officer or form a dedicated risk committee?

• Have we evaluated the potential impact of today’s global risks and drawn up a risk register?

• What can we do to instil a culture of risk awareness and build resilience into our business model and operational processes?

the consequences of global risks for any business and to takesteps to mitigate them. Indeed, many very different risks canhave similar consequences.

It is the interconnected and systemic nature of global risksthat creates surprises when their impacts are felt locally.Human beings are generally poor at putting risks into context,especially the probability component. People often don’t takeinto account extremes in probability distributions. Somehow itseems safe to get into your car and drive home, even thoughstatistically you are far more likely to die in your car thananywhere else. Similarly many people buy lottery tickets in thehope and expectation that ‘it could be me’ even though youare about as likely to be hit by lightning as win the big one.

So against this complex background of interconnected andsystemic global risks, it is important for businesses tounderstand the triggers, trends and scenarios to look out forand to prepare for the consequences they may have to face.

There are a handful of generic consequences of global risksthat are common to most organisations. ‘Fiscal crises’ is ratedas the highest-impact global risk in 2014. We are still livingwith the consequences of the 2008 fiscal crisis and there arestrong interdependencies with other global risks includingfailure of a financial mechanism or institution, liquidity crises,unemployment and underemployment, political and socialinstability and income disparity. The impact on individualbusinesses of economic downturns has implications forcompanies’ corporate and competitive strategies.

Snapshot• Over 30 global risks are

described in the WEF’sGlobal Risks 2014report, many of whichare systemic andinterconnected.

• It is important forbusinesses tounderstand the triggers,trends and scenarios tolook out for, and toprepare for the possibleconsequences of risks.

• There are a handful ofgeneric consequencesof global risks that arecommon to mostorganisations.

• Global risk managementis part of goodcorporate governanceand, as such, shouldembrace sustainabilityprinciples.

09

Source: Global Risks 2014, World Economic Forum, Switzerland.

Global Risks 2014 Interconnections Map

008-011_WFC Chapter_TWO v4_038_BigPic_Summer2013 06/05/2014 10:25 Page 9

ver 30 global risks are described in the WEF’s GlobalRisks 2014 report. They cover significant issuesranging from environmental risks such as climate

change and severe weather to societal changes such aslongevity and social disparity. Macroeconomic risks such asfiscal crises, with their consequences including fiscal austerity,currency wars and asset bubbles, are particularly important interms of their interconnectedness and impact on other risks.

It is easy for individuals and organisations to feeloverwhelmed by the enormity of this global risk landscape.The implications of global risks on an individual or businessscale can appear difficult to discern and often remote fromday-to-day challenges. But nothing could be further from thetruth. In our globally connected world, even the most localbusinesses are dependent on global events in ways they couldnever have dreamed of just a few years ago. While it is noteasy for an individual to change the likelihood or impact ofany one global risk, it is perfectly possible to think through

O

Risks carry consequencesBusinesses face a plethora of global risks, placingthe onus on boards to recognise them and takesteps to mitigate them. It is a daunting task, butnot an impossible one.

Chapter 208

John ScottChief Risk Officer, ZurichGlobal Corporate at ZurichInsurance Group

Part 1 Introduction

008-011_WFC Chapter_TWO v4_038_BigPic_Summer2013 06/05/2014 10:24 Page 8

Cyber risks have been a focus of successive Global Risksreports by the WEF. These range from failure of criticalinformation infrastructure, to the risks of digital wildfires,spreading misinformation through social media. In 2014 thefocus shifted to the threats of digital disintegration, a loss oftrust in an internet that is subject to constant attacks fromcriminals and ‘hacktivists’ and increasingly used for espionageand warfare by state actors. This has significant impact onindividual firms in their management of data privacy andsecurity. No longer the responsibility of the IT manager, or ITsecurity specialist, this is now a topic for the boardroom, as newbusiness models are being challenged and customers oremployees expect their personal data to be kept secure. Thisrequires not only a good understanding of digital strategies, butalso of physical security – from ‘clean desk’ policies in the workplace to employee vetting procedures for staff handlingcritical or sensitive information in whatever format.Governments are now beginning to wake up to the importance ofworking with the private sector to raise awareness and shareinformation about the source of cyber attacks. It is everybusiness’s responsibility, whether large or small to understandthe impact on its particular business model and know how torespond, even with the simplest of physical security responses.

In all the consequences of these global risks lies one risk forcompanies that results from their inability to discern the localimpact – and that is reputation risk. Increasingly, resilience tothe consequences of global risks is no longer seen as somethingto be left to chance. Indeed in regulated industries, regulators arebeginning to demand that firms show evidence of a riskmanagement culture and that they not only follow the rules, butalso do the right thing. The implications for corporategovernance and the ethical dilemmas many employees face goesto the heart of a firm’s ‘moral purpose’, ie. what an organisationexists to do. No longer is it acceptable for a bank to be seen toexist to pay high remuneration to its staff rather than to providecapital to invest in a growing economy. The management of theconsequences of global risks is just one aspect of thisfundamental aspect of board leadership and good governance.

Checklist for the board• Have we accepted our business’s vulnerability to global risks and our obligation to manage them?

• Have we reviewed the critical global risks identified in the WEF’s Global Risks 2014 report andrecognised their systemic and interconnected nature?

• Have we considered the potential impact of these risks on our business, including the risk to ourreputation?

• What steps have we taken to create a risk management culture? (See chapter 1).

• Do we acknowledge that this culture should have an ethical dimension, embracing our organisation’smoral purpose, as well as its need to survive and prosper?

Increasingly,resilience to theconsequencesof global risks isno longer seenas something to be left tochance”

11

008-011_WFC Chapter_TWO v4_038_BigPic_Summer2013 08/05/2014 10:27 Page 11

Difficulty to access trade credit, or other forms of longer-termfinancing can have immediate impact on credit ratings and theability to survive let alone thrive in such a tough economicenvironment. Firms may have to implement immediate cost-reduction exercises, look to new sources of funding and explorenew markets, but planning for such eventualities can mitigatethis. Maintaining healthy cash balances and not losing focus on alean cost structure, not to mention some strategic planning, canhelp in such circumstances. It is noticeable that economicdownturns are also opportunities when the strongest and mostprepared survive at the expense of their weaker competitors.

Extreme weather events are rated as the second most likelyglobal risk in 2014, behind income disparity. Otherenvironmental risks also rate highly, from water crises, failure ofclimate change mitigation and adaptation to the consequences ofnatural catastrophes (earthquakes, tsunamis, volcanic eruptionsand geomagnetic storms). These events typically have significanteffects on supply chain interruption. No matter the size, scope orscale of a company, the chances are that in our globalised worldthere are components or supplies which are sourced from remotelocations, often many thousands of miles away in low-costmanufacturing economies. Some of these interruptions can be onthe level of a nuisance, but some can effectively bankrupt anindividual organisation. This is especially so when lower workingcapital targets and just-in-time manufacturing philosophies havelimited supply chain flexibility and reduced supply chainresilience. Looking to simple strategies to localise supplies,develop multiple suppliers and design-in product and serviceflexibility can help mitigate these impacts

Driven in part by the global fiscal crisis, the global risk ofunemployment and underemployment links strongly with otherrisks including political and social instability income disparity.Youth unemployment rates have soared since the financial crisis.The situation is especially dire in the Middle East and advancedeconomies, notably some European countries such as Spain andGreece. About 300 million young people – over 25% of theworld’s youth population – have no productive work, accordingto World Bank estimates. Prospects for the young generation arebrighter in high-growth markets, particularly in Asia, where themiddle-classes are rising. The developing economies of China,Latin America and Africa face additional pressures of populationgrowth as rural-urban migration creates megacities with complexrisks and vulnerabilities. Companies operating in eitherdeveloped or developing economies need to develop humanresource strategies to deal with the situation. Apprenticeshipschemes in areas of low youth employment can build a skilledand committed workforce. In the emerging markets, jobs aboundwhile the broad-based skill sets required for a well-diversifiedworkforce have yet to catch up. Companies must engage youngpeople now, often in partnership with Government, to discusspractical solutions on their terms, with the power to create fit-for-purpose educational systems, functional job markets,efficient skills exchanges and the sustainable future on which weall depend.


As the floodwaters of the financial crisis recede, the fault lines in global governance appear to have widened.

Debt-laden advanced economies are reluctant to cohere on costly foreign policy initiatives and are prioritising those offering short-term national advantage. Large emerging markets want to flex their muscles on the international stage, but face increasing pressure from citizens at home for far-reaching economic, social and political reform. Not only is this triggering and exacerbating geopolitical friction, it is also inhibiting the development of solutions to long-term global challenges. The diversity of viewpoints has made it increasingly hard for multilateral institutions to achieve authoritative consensus between stakeholders.

Recent unrest in Turkey, Brazil and South Africa is a sharp reminder of the challenges to achieving stable economic growth, and the importance of effective governance. The unresolved crisis in Syria threatens progress in the Middle East. Relations between some of the leading Asian economies have deteriorated. The situation in Ukraine risks a fresh rupture between East and West.

These corrections to the course of globalisation and global development create a highly uncertain environment for critical sectors (such as energy) and businesses in general. Companies should anticipate shocks, setbacks and policy reversals in markets undergoing significant change. They may want to enhance their strategic agility and hedge their exposure to at-risk economies. Geopolitical volatility is likely to be a key driver of uncertainty over the next few years.

Geopolitical friction


must ensure that remote possibilities and risk interdependencies are also taken into account. Time and again, financial instruments that promised to be ‘insurance’ against one or another danger came apart under pressure. Counterparties who had been thought to be completely trustworthy, and financial instruments that had always previously been highly liquid, proved to be the opposite. Many assumptions were tested to destruction, and an important concept in financial risk management was affirmed: no matter how sophisticated the process of slicing and dicing risk, it does not go away. Ultimately someone still holds the risk.

What has become clear is that global financial risk is going through a period of dynamic change. This leaves what was always an amorphous concept even more difficult to define and equally challenging to price.

For banks, there has been a reassessment of the nature of global financial risk, with regulators leading the way in demanding greater capitalisation, and banks themselves responding by consolidating balance sheets and generally raising the cost of finance for businesses. This was a long overdue and predictable first stage of reassessing risk. Yet as banks have reduced their risk, investors have regained confidence and they are once again searching for yield, and naturally as a part of that, accepting risk. A shadow bank or fund structure (call it what you will), where frequent reassessments of risk and resulting valuations simply alter the value of a fund, as opposed to such revaluations triggering a requirement for fresh capital, may well be more appropriate for the business world we are moving towards.

Looking beyond the effect of changing risk assessments for banks, four factors in particular have left businesses more vulnerable to global financial risk:

• As global markets have expanded, so too have the myriad interconnections between economies and businesses, leading to a host of unforeseen circumstances. Who would have anticipated that the failure of instruments ‘as safe as houses’ would be the harbinger of a global crisis? Or that banks on the other side of the world would be so exposed to instruments they did not actually understand? Or that sovereign bonds, or ‘risk-free assets’ as they were often termed, would prove to be quite so vulnerable and volatile? In truth, the history of sovereign bond defaults is littered with examples of investors losing their money, so the idea of ‘risk-free’ returns from this asset class has never been sound, except for the central bank gilts of the most stable economies. The lesson of the most recent financial crisis is that even the most stable economies are subject to volatility. Despite the hubris of some pre-crisis politicians, who were quick to claim “no more boom and bust” during the period of credit growth in the early 2000s, businesses should always remain aware of the underlying risks in a global ‘macroeconomy’ and adjust their business models to take


Snapshot

• In the wake of the global financial crisis, businesses remain vulnerable to financial risks.

• Boards should appreciate the potential volatility of markets and fluctuating valuations, and should ensure that financial risks are continually monitored.

• But businesses should not be obsessed with downside risks and should remain open to potential opportunities.


Risk and reward – or fear and greed if you prefer – are opposite sides of the same coin, and always will be. That said, perceptions of risk generally, and even more obviously global financial risk, have changed beyond all recognition in recent years.

In particular, greater amounts of data and increased computing capacity have allowed many measures of risk to move from the theoretical to the practical, making risk easier to measure than has ever been the case before.

Furthermore, the scope of risk has expanded. Along with credit and market risk, businesses must now also consider liquidity, counterparty and systemic risk.

The credit crisis meant that many a company and even banks, whose understanding of financial risk had hitherto been considered well developed, found that models have their limits. The arsenal of quantitative risk management tools is no substitute for informed qualitative judgements and experience. Understanding individual risks is not enough; we

Financial fractures

Part 2 Addressing critical impacts

Businesses inhabit a harsh post-crisis world when it comes to accessing finance and managing the associated risks. But opportunity may be the reward for vigilance.

Chapter 3

James Sproule, Chief Economist and Director of Policy at the Institute of Directors


That there is a risk involved in any long-term financial arrangement is obvious, and there are few arrangements as long-term as pensions. Famously, a poll once asked American teenagers if they believed in alien life on another planet, and also if they thought they were likely to receive a retirement income from the US social security system. The answers were ‘yes’ to the first and ‘no’ to the second, showing that American youth has a good grasp of the realities of long-term risk.

Estimates vary, but total unfunded pensions liabilities could easily double the UK’s debt-to-GDP to more than 200%. At this level, the risk is not merely that pensions liabilities could cause trouble for companies, as they have already for firms such as British Airways, but that the risk transmutes from ‘corporate’ to ‘individual’. Government promises will be rewritten and laws enacted to allow companies to reschedule. The risk is not that companies or governments will be brought down by pensions liabilities, but that promises will simply not be honoured.

Checklist for the board

• The best form of ‘insurance’ is agility. How much extra would avoiding being tied into long-term contracts really cost? Is that a cost it would be sensible to accept?

• Robust scenario planning should include driver analysis that takes into account ‘large impact but small likelihood’ events. But remember to review scenarios for the opportunities, as well as the downside risks, each may bring.

• Avoid financial instruments you do not fully understand. If they cannot be quickly and comprehensively explained to you, including all of the potential risks, it would be wise not to invest.

• Shop around. Banks are open for business again, but they have very different business models and methods of assessing risk. Find the bank that appreciates and suits your business.


Pensions timebomb

The process of financial fracture we have been through has highlighted the importance to business of continual monitoring of global financial risks. Whilst not obsessing over this task, boards should appreciate that all valuations are dynamic.

But the post-crisis world also offers opportunities. Many of the worst excesses of the credit boom have now been addressed and banks are in far better shape than they were in 2007 (would that the same could be said about government finances). Banks’ capital reserves have largely been rebuilt and they are now beginning to expand their lending, as opposed to their recent practice of closing credit lines to even the most solvent and longstanding of clients.

What is not going to happen is a return to ‘covenant light’ lending, essentially lending with few risk controls. Banks will vary in how they approach lending, decentralise decision-making and assess risk and the companies they lend to. The implication for businesses is that it will pay to shop around to find the banks that want you as much as you want them. After all, it is not as if there is any difference in the final ‘product’ they are lending you!


these into account. As all business people know, there is no reward without risk, but it is the prudent business that understands the risks and takes advantage of volatility. Ultimately, individual businesses may fail and there is a strong argument that no business should be too big to fail.

• More and more parts of the economy have been ‘monetised’. In the past, a company might well have owned many of its premises and, while the value of those premises may have fluctuated, the effects of this were minimal as all the balance sheet showed was a constant, conservative book value. Today, businesses’ premises are invariably leased, with the lease itself being traded and potentially used as collateral in a variety of financial transactions. In these circumstances, any fluctuation in the perceived value of the premises and the lease has a ripple effect across the economy that did not exist even 20 years ago.

• In general, businesses, banks, governments and households became too dependent upon under-priced capital. High degrees of leverage mean that even modest declines in growth expectations rapidly demand drastic action. The ultra-easy credit conditions, which ran for a decade prior to the 2007 crunch, lulled many into the naïve assumption that the good times would continue ad infinitum.

• Finally, there has been a proliferation of financial derivatives that, in the credit crisis, did not prove as resilient as promised. In practice, the ultimate risks of many of the more bespoke instruments, and those such as credit default swaps, proved hard to discern and have become much less popular in the market as instruments to transfer financial risk. Although credit default swaps are still available, and are a good measure of an individual company's credit strength, investors are now much more keenly aware of what they do and what they represent. A hard truth has been driven home: a derivative, whilst promising enhanced returns, can concurrently expose the holder to increased risks.

From riches to rags

Following a spate of acquisitions, Premier Foods became the UK’s largest food company in 2006, employing around 20,000 staff and providing a home to some famous food brands, such as Hovis, Homepride, Oxo and Mr Kipling. But by the end of 2013, it was being described in the media as a ‘zombie’ company, with most of its cashflow absorbed by debt servicing payments and the financing of a significant pension fund deficit.

How did Premier move from riches to rags in the space of just a few short years? Although debt-fuelled acquisitions – particularly the takeover of Ranks Hovis McDougall in 2007 – placed Premier in a vulnerable position, its fortunes were sealed by two global market developments. The first was a significant increase between 2005 and 2008 in the global price of wheat, which dramatically reduced Premier’s profit margins. The second was the advent of the global economic downturn after the financial crisis of 2007/2008, which pushed down sales of its products in its major markets. In addition, a complex financial hedge, designed to protect against rising interest rates, proved costly to unwind when rates moved downwards in the wake of the financial crisis.

Since 2007, Premier has undergone four separate restructurings, shed 11,000 staff and sold many of its famous brands. In 2010, market capitalisation declined below £100m (from a high of more than £2bn) as investors priced in the possibility of insolvency. Current CEO, Gavin Darby, believes the worst is now behind the company, but it still faces major challenges if it is to rebuild its financial position and its reputation.

Eurozone stagnation

In the aftermath of the credit crisis, the Eurozone has had a series of difficulties. In particular, European banks used sovereign bonds as a part of their core capital and, as the viability of continuing deficit financing has been questioned, banks’ solvency has in turn been scrutinised.

At the same time, citizens of the southern states of the Eurozone have moved a substantial proportion of their savings to northern EU banks, leaving local lenders with diminished balance sheets. The result is that credit has all but evaporated: after expanding by an average annual rate of 7% in the decade before 2007, the increase is now less than 2% a year. And that is an average across the Eurozone. In southern Europe, where credit has been shrinking, an early economic recovery looks unlikely.


as supply chains have become longer and more complex, so the opportunity for failure at any critical point is greater than ever before. Supply chain exposures are changing as well, and today virtually all of the macro issues at the heart of the WEF report present heightened risk for businesses sourcing products and services from overseas.

To make matters worse, this is all happening in the aftermath of the global financial crisis, at a time when many companies have diminished pain thresholds and/or appetites to assume risk. As a result, unexpected events can have a far greater impact on their business today than before the global financial crisis of 2008.

To date, much of the work undertaken by companies in addressing supply chain risk has been to improve understanding of their supply and value chains. Detailed information is generally lacking in these areas, in part because traditional insurance policies often only pay out in the event of property damage suffered by first-tier suppliers, and therefore do not require risk managers to provide details of suppliers further down the chain.

Becoming conscious of the fact there are third party stakeholders and third party incidents that can impact on a firm’s ability to trade is one thing, but being able to pinpoint what those risks might be and address them, and/or plan workarounds in the event of them occurring, is considerably more difficult. This is where the role of the board member responsible for risk, the risk committee or the chief risk officer (see Chapter 1), is vital in bringing together the necessary business functions – procurement, business continuity, finance and operations – to establish a strategic plan that not only ensures business resilience in the event of an incident, but also proactively instils it throughout the organisation.

Building resilience

The benefits of demonstrable resilience are plentiful. It has the potential to make a company a far more attractive investment proposition to shareholders and investors, because of the assumption that future volatility in performance will reduce. Today, the importance of being able to demonstrate resilience is more profound than ever, so it can even become a pillar upon which a company can build its value proposition. In addition, capital invested in identifying business continuity risk allows management to make the best-advised investments in protecting their business, be it through increased physical security, better management systems and programmes, contingency plans, or risk financing/insurance.

Resilience goes further than the typical approach to business continuity planning, and requires taking a broader view where there is fluidity around key processes and assets. It involves understanding that the risk profile around the most critical production streams moves all the time, and that the response of the business has to be more than just a business recovery response. Resilience involves ensuring that some of the business’s intangible assets, like reputation, are protected,


Snapshot

• Boards must consider the potential impact of various global risks on their physical assets, supply chains, transport and logistics.

• Natural catastrophes and adverse weather remain a major contributor to supply chain interruptions.

• As supply chains have become longer and more complex, so the opportunity for failure at any critical point is greater than ever.

• Companies have a diminished appetite for risk, but tend to lack the detailed information they need to assess supply chain risks.

• By building resilience they can limit downside risks and capitalise on opportunities.

• Resilience involves both business continuity planning and physical loss prevention. Insurance cover is key, as it will fund the mitigation post-event.


The recurrent theme of the WEF’s Global Risks 2014 report is global events that impact upon businesses of all sizes. From natural catastrophes such as earthquakes and floods to man-made mayhem in financial markets or cyberspace, in a hyperconnected, globalised economy, incidents often have repercussions for global supply chains that can be felt on the other side of the planet.

Complex supply chain liabilities were infamously exposed in 2011 in the aftermath of Japan’s Tōhoku earthquake and resulting tsunami, and again later that year by the Thai floods. The impact of these two incidents on automotive manufacturing and hard disk drive production respectively was dramatic, and revealed the limited information on full supply chains and aggregated supplier risk.

Since then, companies have invested large amounts of money into trying to improve their understanding of supply chain risk, as they have sought to build resilience into their business and gain competitive advantage over rivals. However,

Logistical nightmares

Part 2 Addressing critical impacts

In a connected, globalised economy, disruptive incidents can often have repercussions for infrastructure and supply chains that are felt on the other side of the world.

Chapter 4

Caroline Woolley, EMEA Property Practice Leader and Global Business Interruption Centre of Excellence Leader, Marsh


and/or transfer. The contrast provides a way to place a value on business continuity efforts. Also, as insurers place greater scrutiny on clients’ quality and level of supply chain data to safeguard against high loss ratios and aggregated risk, in-depth quantifiable data will go a long way towards securing the limits required at a reasonable price.

The limitations of traditional business interruption and contingent business interruption cover are well documented. Work is being done within the insurance market to develop existing, and promote new, business interruption products to provide cover for disruption to suppliers and service providers resulting from incidents that are unrelated to property damage, such as a pandemic or strike. However, many insured businesses often lack the data on contingent risks and information on second and third-tier suppliers, making the decision of whether such insurance is value for money or not a difficult one.

Beyond insurance

Cover or no cover, building resilience is key in today’s just-in-time global supply chain. The businesses that are best able to do this will be those capable of generating the greatest quality of risk management information to help understand where critical points of failure sit, allowing informed decisions on the risks they are prepared to take, as well as those they know they must face.

Checklist for the board

• Identify: Bring together the various business functions – procurement, business continuity, finance and operations – to identify exposures and map the full value chain from remote suppliers through to the final customers.

• Improve: Seek to mitigate existing exposures by improving business continuity plans, and those of suppliers. Find alternative suppliers that can be used in the event of an incident, and establish an iterative strategic plan to proactively instil resilience throughout the organisation.

• Measure: Quantify supply chain exposures in terms of the financial impact arising from defined risks. Calculate maximum and normal loss estimates, and evaluate any non-financial impacts.

• Treat: Use in-depth quantifiable data to secure investment from the board to mitigate supply chain risk, and/or secure appropriate levels of insurance at a reasonable price. How would you know if this is value for money if you have not quantified your exposures?


Japan’s 2011 Tōhoku earthquake and resulting tsunami caused major disruption to many global manufacturers’ supply chains


and is as much about understanding the risk profile as the key business processes. It should focus on the immediate response and behaviour of senior management, just as much as sourcing suppliers and production facilities. Being nimble, with the ability to react quickly to any interruption, can be more useful than a business continuity plan. But flexibility comes from in-depth knowledge of the organisation's operations and the interaction with others. It is about knowing your risks and your options.

All this requires developing an iterative process that recognises that as any one component of the supply chain changes, or if the risk profiles of some critical suppliers change, so the threat potentially changes too. Once it has been established which threats exist, and where the critical points of failure might sit, the difficulty then involves keeping an up-to-date view on suppliers as business continues. Preparation is key and, as natural catastrophe remains one of the biggest risks faced, firms should consider natural hazard zones when deciding on locations and suppliers, and identify the accumulations of risk. Some organisations have significantly improved their understanding by building risk weighting or risk evaluation into their core sourcing and supply chain management protocols, the data for which is generated from a series of self-assessment audit forms to suppliers, and checks on the quality of their controls.

Quantifying exposure

Once identified, supply chain exposures need to be quantified in terms of the financial impact arising from defined risks. This relies on having an informed, detailed understanding of how the business generates revenue and how much of that is exposed, and the key suppliers, processes, people and physical assets that underpin this. Detailed maximum and normal (mitigated) loss estimates can then be calculated, and these are essential to help convince the board that the level of risk requires investment, either by building in redundancy, improving risk management,

Contingent business interruption

There is often an assumption that traditional property damage/business interruption policies will cover a company’s supply chain risk. In fact, this is not always the case.

Contingent business interruption (CBI), the interruption to business caused by an incident at an external site (supplier or customer) is covered under the supplier’s/customer’s extension clause. But beware, this is often direct (first-tier) suppliers only, has a lower limit, and is limited to damage-related events.

A supply chain market has been established to cover an organisation’s full supply chain for both damage and non-damage events.

Volcanic ash from Iceland’s Eyjafjallajökull disrupted air travel in Europe for several weeks

J. HELGASON / SHUTTERSTOCK.COM


Youth unemployment

The indebted nations of Western Europe and, in particular, the peripheral countries of the Eurozone, face an enormous challenge in youth unemployment. This presents practical problems for companies in attracting, training and retaining high-quality staff. Those that cease to employ new staff in order to control costs in difficult economic times often find themselves at a competitive disadvantage when the economy recovers. A recruitment gap can mean a lack of succession and a lack of crucial frontline supervisors, who are often key to success in delivering in the marketplace, constraining the ability of businesses to build the capacity necessary to grow.

Young people, even if university-educated, often don’t have the specific professional and technical skills required to be successful in the jobs market. Couple this with statistics that say people without full-time employment for more than 10 years are unlikely ever to have a full-time job and the scale of the problem for governments and businesses becomes clear.

Individual companies can go a long way to addressing these problems by putting more emphasis on professional and vocational education and training. Apprenticeships can be invaluable in introducing young people to the workforce and equipping them with the skills to be successful. It seems clear that governments and businesses need to work together to create the optimal mix of professional and vocational training opportunities to drive economic recovery and employment. The private sector can influence education curriculums, guiding them in terms of businesses’ requirements and linking them to skills needs. In addition, businesses can work with the education sector to improve apprenticeship opportunities.

As governments respond to fiscal crises with ‘austerity budgets’ and reduced welfare spending, the onus for providing employee benefits also shifts from the public to the private sector. Innovative approaches to income protection, rehabilitation back into the workplace, employee benefit schemes and employee wellbeing are all being explored as ways to provide support for employees.

Political and civil unrest

The challenges for business of high youth unemployment are even more stark in areas such as the Maghreb region of North Africa, the Levantine and Middle East. A large, well-educated, but underemployed youth population, constrained in entrepreneurial activities by the vested interests of an established elite, can be a powder keg of social and political unrest. This can move rapidly from low-level protest, to outright civil war and regime change, as we have witnessed in several states in the region over the last few years.

Such outcomes are not confined to the Middle East. Even the ‘stable’ Western democracies of Europe have experienced severe civil unrest and political turmoil related to austerity budgets and high levels of youth unemployment. In these environments, businesses need to develop crisis management to deal with strikes, riots and disruption. All of these can also


Snapshot

• The WEF’s Global Risks 2014 report cites several serious social risks to businesses, many of which are interconnected.

• Challenges range from youth unemployment in Western Europe to civil wars in the Middle East and skills gaps in some emerging economies.

• It is important for businesses to understand the issues and take a multi-faceted approach to employment and human resource practices.

• Tackled imaginatively, social risks can throw up opportunities for principled, informed and agile companies.


Social risks rank highly among the global risks that can impact businesses today. WEF’s Global Risks 2014 report cites risks such as unemployment and underemployment, social and political instability, and income disparity, which all have strong interdependencies as well as links with some underlying global macroeconomic risks.

As Chapter 3 highlights, the global fiscal crisis, triggered by the banking failures of 2008, has had a major knock-on impact on governments’ indebtedness, as financial risk has been transferred from private to public balance sheets. The response of governments, especially in indebted, developed economies has driven either austerity budgets and/or ultra-loose monetary policies. These in turn have not only had macroeconomic impacts, such as altered patterns of foreign direct investment affecting emerging economies, but also societal impacts for many countries. All this has taken place against a backdrop of shifting demographic patterns that bring varying challenges to employers around the world.

Social strains

Part 2 Addressing critical impacts

People-related risks, such as unemployment, social unrest, political instability and income disparity, rank highly among the global risks that threaten businesses today.

Chapter 5

John Scott, Chief Risk Officer, Zurich Global Corporate at Zurich Insurance Group


better alternative, devising and implementing education and training schemes for young people, providing them with life skills and preparing them for work when they are older.

Opportunity knocks?

The ‘Generation Lost?’ risk in focus section of the WEF’s Global Risks 2014 report should not be viewed by business as entirely negative. Admittedly, societal risks and trends create tremendous challenges for both governments and businesses to solve. But tackled imaginatively, these risks can also be opportunities for businesses to create a workforce for the future that is both resilient and resourceful – as well as a critical source of competitive advantage.

Checklist for the board

• Have we identified how various global social and political challenges could impact upon our business?

• How is our strategy informed by the risks and opportunities these issues present?

• Do we have principles and standards in place, for example on ethical trading, to guide our strategy and operations, and protect our reputation?

• Do we have sufficiently versatile HR policies to manage and mitigate human resource-related risks – and capitalise on opportunities to create competitive advantage?


United Nations Global Compact Principles

Human rights
Principle 1: Businesses should support and respect the protection of internationally proclaimed human rights.
Principle 2: Businesses should ensure they are not complicit in human rights abuses.

Labour
Principle 3: Businesses should uphold the freedom of association and the effective recognition of the right to collective bargaining.
Principle 4: Businesses should uphold the elimination of all forms of forced and compulsory labour.
Principle 5: Businesses should uphold the effective abolition of child labour.
Principle 6: Businesses should uphold the elimination of discrimination in respect of employment and occupation.

Environment
Principle 7: Businesses should support a precautionary approach to environmental challenges.
Principle 8: Businesses should undertake initiatives to promote greater environmental responsibility.
Principle 9: Businesses should encourage the development and diffusion of environmentally friendly technologies.

Anti-corruption
Principle 10: Businesses should work against corruption in all its forms, including extortion and bribery.

Source: UN Global Compact


be triggers for supply chain interruptions (see Chapter 4), for which businesses also need to develop business continuity plans, including arranging substitute suppliers and reserving alternative manufacturing or retail sites.

For some businesses, social and political risks, with their potential for upheaval, can offer new business opportunities, and this shifting political and social landscape should be factored into businesses’ scenario and strategic planning activities.

Skills gaps

The picture changes again in the emerging economies, with different drivers of global societal risks. Demographic shifts in North Asia (China, South Korea and Japan) are similar to those in Western Europe and North America with an ageing population. In other Latin American, African and East Asian economies there are large young populations, but the challenge here is often about finding economic opportunities to absorb this workforce. Even though many young people in these regions are becoming better educated, the challenge is about matching the broad-based skill sets required for well-diversified and sustainable economies. In addition, urbanisation and migration trends affect businesses operating in these emerging economies. Skills match gaps are particularly difficult to resolve in Africa and the Middle East, while in India and other countries there is a brain-drain of top talent to other regions. The rapidly increasing numbers of people defined as middle-class in terms of their education and purchasing power also create opportunities for businesses, not only in new consumers, but also as employees who bring a fresh diversity of cultures, talents and interests. The new middle-class in Asia is adaptable and versatile, with access to smart technology and social media. Businesses that exploit and develop this ‘digital native’ generation will reap competitive advantage far beyond these local markets.

A principled approach

All of this requires companies to have a multi-faceted approach to employing people in the emerging economies. Human resource policies that reflect local requirements and which also support a mobile global workforce become even more important. Portability of employee benefits for globally mobile workers such as pensions and healthcare from one jurisdiction to another, often with different laws and regulations, is just one challenge. Different attitudes across emerging economies to the principles held in the United Nations Global Compact around labour standards, human rights and anti-bribery and corruption policies are also tough ‘people challenges’ (see opposite).

For a business operating in emerging economies with low-cost manufacturing, even through distant and disparate parts of its supply chain, it is important from a reputation risk perspective – as well as a moral perspective – to ensure that all forms of forced and compulsory labour and child labour are avoided. This can present tough practical challenges, as in some communities removing child workers can exacerbate poverty and result in destitution. Instead, successful companies have found a much

Doing well, doing good

The UN Global Compact focuses on some key human rights issues, in particular highlighting the problems of child labour and forced labour. These become important considerations for any company with a supply chain that extends into low-cost manufacturing economies.

Next plc is a good example of a company that addresses these concerns in its management of ethical trading. The clothing retailer’s approach is to use its influence to promote good practice and raise awareness among both suppliers and employees, as well as others along its value chain. The ethical standards within Next’s code of practice apply to all suppliers of its products, in every country where it sources production.

Next’s code has 10 key principles, which set out the minimum standards and requirements for suppliers in relation to workers’ rights and working conditions, including working hours, minimum age of employment, health, safety, welfare and environmental impacts. The company is very committed, with a dedicated global team that audits suppliers’ factories for code compliance, monitors local working conditions and promotes improvements through partnership and support.

Next continues to be an active member of the Ethical Trading Initiative, an alliance of companies, non-governmental organisations and trade unions, striving to ensure the working conditions and rights of workers producing for the UK market meet or exceed international labour standards. The company also supports initiatives and work programmes across a range of supply chains in key sourcing countries.


estimated to cost the world economy $500bn[1] a year.

For those companies that fall victim to this new breed of cybercriminal, ‘hacktivist’, and/or cyber terrorist, the operational disruption can be huge. There is also the internal cyber threat from negligent employees and contractors, which – at a time when concerns surrounding privacy and data protection are more prominent than ever – can have disastrous reputational, and ultimately financial, consequences.

Yet where there is risk there is also opportunity. In today’s fast-paced, just-in-time business environment, trust and reliability are revered by clients and business partners alike, and just as there is huge downside risk for those companies that fail to demonstrate these characteristics, there is also vast potential for competitive advantage for those that succeed in establishing themselves as a paragon of security and dependability.

Our reliance on technology is growing and the pace of technological change is increasing. Today, for example, there are 14.4 billion devices connected to the internet, and by 2020 it is predicted this figure will surpass 50 billion.

The opportunities this growth presents for businesses are huge, but so too are the risks to their operations and security. This increase in online devices will result in much greater and much more complex interconnectedness between people and their devices – and therefore between devices in general – as well as a three-fold increase in the number of potential entry points for those bent on disruption.

At a time when so many components of a business’s day-to-day operations are technologically-dependent, companies cannot afford to treat IT security as a peripheral risk that can be outsourced to third-party security providers, or even left to the responsibility of the chief information security officer (CISO).

“In today’s just-in-time environment, trust and reliability are revered by clients and business partners alike”

Snapshot

• The internet is a powerful engine for growth, commerce and social development. It will continue to offer huge opportunities.

• But technological threats cast a shadow over all organisations, regardless of size or location.

• Incidents described in the media are just a snapshot of a disturbing volume of cyber crime and electronic attacks on industry.

• Basic information risk management can stop the majority of cyber attacks seen today, but experience suggests that few organisations get it right.

• Information security and cyber security are issues that all boards need to own directly.


THREAT ENVIRONMENT

Criminal
• Personal information
• Credit/debit card information
• Held funds
• Intellectual property

Terrorist or State
• Disruption to critical infrastructure
• Economic impact
• Loss of life
• Damage to property

Malice
• Disgruntled employee/customer
• Proof of ability
• Untargeted malicious code
• Random selection

‘Hacktivist’
• Public support for a cause
• Direct impact of core activity
• Corporate or industry-wide scandal
• Top corporate brand target
• Disgruntled employee/customer
• Proof of ability
• Untargeted malicious code
• Random selection

Internal
• Loss of hardware
• Data mismanagement
• Negligence


It is little surprise that cyber risk featured prominently yet again in WEF’s Global Risks 2014 report, as senior management continues to gain greater understanding of the extent of the cyber threat in today’s rapidly changing technological environment. As technology becomes ever more pervasive both at home and in the workplace, many companies have moved swiftly to take advantage of the opportunities that advances have brought. But far fewer have kept up with the risks to their business that such advances have introduced and the financial impact should a vulnerability be exploited.

Cyber attacks regularly make their way into the news, but the incidents described in the media are just a snapshot of what is going on. For example, the UK government has revealed that, on average, 33,000 malicious emails a month are blocked at the gateway to its secure intranet. The volume of e-crime and attacks on industry is equally disturbing. Attempts are made to steal British intellectual property in a wide range of industries, not just in defence and security. Globally, cybercrime is

Tech traumas

Part 2 Addressing critical impacts

As information technology becomes ever more pervasive, so the opportunities and threats it brings also increase. Boards must respond to these twin challenges.

Chapter 6

Charles Beresford-Davies, Managing Director and UK Risk Management Practice Leader, Marsh


senior management can guarantee that standards are being adhered to, not least to avert the potential reputational and regulatory consequences of mismanagement.

Insurance can also play an important part in a business’s cyber mitigation strategy. While the development of cyber cover is still in its early years, products are evolving rapidly as insurers learn more about what their clients need, and the risks that they themselves are willing and able to accept. Present policies are predominantly focused on protection against privacy breaches and data theft. Typically, this has been a response to legislation, in the US in particular. In Europe and elsewhere businesses are increasingly seeking broader protection for a wider range of impacts, most notably business interruption arising from critical systems failure. The insurance industry is listening to business concerns, and we can expect developments to be made in new technological risk areas in future.

With or without insurance, cyber risk can never be truly eliminated. Those companies that adapt best to their technological surroundings – exploiting the opportunities as well as managing the risks – will be those best placed to survive and thrive. Ultimately, however, cyber risk is a global issue, and a much greater degree of information sharing between governments and businesses worldwide should be encouraged to improve awareness of existing and emerging threats. Recent high-profile revelations about the activities of national security organisations may have set back progress on this front, but it is difficult to envisage how the balance of advantage can be tipped from attackers in favour of defenders without concerted, cross-border business and governmental collaboration.

Checklist for the board

• Implement a board-led, holistic approach to cyber risk and opportunity, and ensure there are board members in place with the technical expertise to help drive this.

• Maintain a dynamic and nimble stance on cyber issues, which can continuously be adapted to the rapidly changing risks.

• Develop a cyber risk appetite based on the trade-offs between security and system usability.

• Map all areas of technological infrastructure, data-related tools, systems and processes. Link physical data and security policies with your new cyber-risk approach.

• Quantify the risk in terms of its potential financial impact, and develop an incident response plan in case an incident should ever occur.

• Improve the understanding of technological systems and how they are integrated, and implement a means to guarantee that best practice information and physical security standards are adhered to.

“While the development of cyber cover is still in its early years, products are evolving rapidly as insurers learn what their clients need”


[1] The Economic Impact of Cybercrime and Cyber Espionage, McAfee and the Center for Strategic and International Studies.

[2] Taming Information Technology Risk: A New Framework for Boards of Directors, Oliver Wyman and the National Association of Corporate Directors.


Instead, it requires a holistic board-led strategy that nurtures awareness and expertise with regard to technological dependencies and liabilities throughout the organisation.

The starting point for this is the board itself. At a time when business performance is so closely aligned with companies’ ability to use technology effectively, only 16% of board members have previous experience working as a CISO or senior IT executive[2]. Boards across the world have traditionally been filled with people with expertise in a variety of disciplines, and it is now more important than ever that they bring in more members with the technological nous to guide their companies around cyber issues.

The nature of a business’s approach to cyber risk is essential too. Technological innovation is now moving at such a pace that an IT security policy comprising antivirus software and a few firewalls is simply insufficient. Instead, companies must maintain a dynamic and nimble position from which they can rise and adapt to the cyber challenge, as opposed to taking up a defensive stance in the hope of repelling the incoming threat. Defence alone is not nearly enough. Instead, an approach is required that detects opportunities resulting from technological innovation, while identifying and mitigating accompanying cyber exposures, as well as those of legacy systems. In this respect, responsibility for cyber security needs to sit above the role of CISO. It must sit with the board, because it is the board that, while not managing day-to-day cyber risk responses, needs to be satisfied that they are robust.

Top-down work must then be carried out to map all areas of a company’s technological infrastructure, data-related tools, and systems and processes. This will make it much easier to establish those points of weakness that are traditionally found at connection points between programmes and systems. With these areas identified, businesses can begin to quantify the risk in terms of its potential financial impact, and develop an incident response plan in case an incident should ever occur. This should involve undertaking a programme to improve the general understanding of the company’s technological structures, and how they are integrated, throughout the entire organisation.

Implementing strict standards and policies to ensure every employee knows how to work with the company’s technological infrastructure is essential, both to ward off the external cyber threat and to limit the potential for internal negligence to result in the loss of data and/or network control. It is important to accompany such a cyber policy with a means of control whereby

Boards own cyber risk

A key role for the board is to consider the organisation’s cyber risk appetite, not least in terms of trade-offs between the security of information systems and their usability.

It is important for the board to understand what levels of risk can be accepted in any business model that relies on information systems and the internet for delivery.

Considerations that go far beyond the technical issues should be included in this decision. For example, what efforts have been put in place to vet the security of employees in critical data-sensitive roles – also bearing in mind that these roles are often outsourced? Bribery and blackmail are as effective as sophisticated phishing attacks or malware at getting employees to reveal sensitive passwords.

Physical security and information security become intertwined topics that any cyber security policy needs to take into account. The board should not allow this issue to become solely the domain of technical experts. It is as much about employee vetting and clean desk policies as it is about patch management and malware detection.

[Figure: Number of Connected Objects Expected to Reach 50bn by 2020. Left axis: Connected Objects, World (bn); right axis: Connected Objects Penetration (RHS); horizontal axis: 2012 to 2020. Penetration of connected objects in total ‘things’ expected to reach 2.7% in 2020 from 0.6% in 2012. Source: CCS, 2013]


regulators and the media. Ultimately, an organisation is the sum of its people – and their actions.

Your people may be your most important asset, but they can also represent a hidden business risk. And not just through isolated fraud, data security or privacy breaches. People do not tend to act on the spur of the moment or in isolation. Their behaviour is likely to have been influenced by the culture of the organisation over time. It is paramount, therefore, to consider behaviours and the culture of the company as a fundamental component of building a resilient organisation and managing emerging business risks. It is a lot more than just managing systems, processes and procedures.

In order to best demonstrate its ability to deliver on the promises it makes, aligning an organisation’s purpose, vision and values to the actual behaviours demonstrated by its leaders and employees is critical.

If there is a mismatch between what you say and what you do, you risk losing trust. This can be damaging to motivation, performance and reputation.

Aligning purpose, vision and values

To ensure that an organisation is engendering a strong culture that is aligned to its values and business objectives, it is important to examine why it exists. What are the purpose, vision and values of your organisation? What behaviours do you need in place to deliver them? Do your policies, processes and procedures drive the required behaviours?

Aligning your intended, espoused and actual behaviours is the key to demonstrating your ability to deliver on your purpose, vision and values and delivering on your promises.

Your purpose, vision and values need to be protected, embedded, monitored and discussed on an ongoing basis at all levels of the organisation. These ultimately drive the right decisions for your reputation, ensuring your actions reflect what you stand for as an organisation.

“Your purpose, vision and values need to be protected, embedded, monitored and discussed at all levels”

Snapshot

• Boards should consider the potential effect of the impact of global risks on their company’s reputation.

• Managing and mitigating these impacts begins by building trust.

• Organisations must strive to align their purpose, vision and values to the actual behaviours demonstrated by leaders and employees.

• Opportunities, as well as resilience, will emerge from building the right corporate culture.


Firms profiting from sweatshop labour risk public shame


While the risks contained in the WEF’s Global Risks 2014 report can be managed individually, boards should consider their wider potential effect on a firm’s reputation. The reputational aspects of managing risk can be the defining factor in determining business winners and losers. They rightly receive prominence in both the latest WEF report and Airmic’s 2014 study Roads to Resilience (see page 34).

Damage to an organisation’s reputation can result in significant revenue loss and the destruction of stakeholder trust. Today, with social media adding a new dimension, it can happen in an instant. Depending on how it is managed, social media can add a further substantial threat to an organisation’s reputation, or it can present new opportunities.

Reputational risk links to trust

The foundation of an organisation’s reputation is the trust of its stakeholders. This is built on the organisation’s ability to deliver on its promises to customers, employees, investors,

Reputational ruin

Part 2 Addressing critical impacts

Global risks can cause damage to a company’s reputation, with significant revenue loss and the destruction of stakeholder trust. But boards can manage the risk and create opportunities

Chapter 7

Faye Whitmarsh, Senior Manager, Culture and Behaviours, PricewaterhouseCoopers

Richard Sykes, Partner and Head of Governance, Risk & Compliance, PwC


‘yesterday, today and tomorrow’ lens to your decision-making can ensure that you stay aligned to your, and society’s, values. It will help the board to deliver against the objective of driving decision-making that is ethical and aligned to social values.

When reflecting on decisions your organisation has made in the past, hold these up to today’s values – this is where any ‘skeletons’ may emerge from the past that need to be dealt with. When making decisions for today, make sure they are aligned to today’s purpose, vision and values and uphold what you stand for as an organisation. Considering likely future decisions can often be the most challenging. While we do not know what society will value in the future, there are significant clues in the WEF’s Global Risks 2014 report as to what developments may occur. In particular, WEF highlights the societal trends of longevity, income disparity, unemployment and underemployment. In the meantime, you can feel secure in decisions and actions that support current societal values. Should those need to shift in the future, you can take steps to modify your actions over time.

Opportunities, as well as resilience, emerge from building the right corporate culture. For example, you are more likely to attract and retain talented people and, by enabling a more collaborative culture, you may encourage greater innovation. Advocating a culture of ‘speak up and challenge’ will also enable problems to be highlighted, escalated where necessary, and resolved efficiently.

Checklist for the board

• Have we recognised the potential for global risks to impact upon our reputation?

• Are our purpose, vision and values aligned to our actual behaviours?

• Is this alignment regarded as a strategic issue for the board?

• What practical steps can we take to create the right organisational culture?

“Applying a ‘yesterday, today and tomorrow’ lens to decision-making can ensure that you stay aligned to your, and society’s, values”

A question of ethics

The Institute of Business Ethics (IBE) recently published its triennial survey of the mechanisms used by large companies to embed ethical values within business practice and provide guidance to staff. One of the most notable findings of the study is the evidence of increased investment into ethics programmes, with 70% of UK and European businesses polled saying they have increased such investment over the last three years, compared with 50% saying this in 2010. Furthermore, 87% of UK respondents state that a board member takes ultimate responsibility for the ethics programme, suggesting that the embedding of ethical values is being given a high priority at board level.

However, ethics is only a regular board agenda item for 65% of UK and 70% of other European companies. “When you consider the cost of ethical failures to a company’s reputation, it is a cause for concern that more boards are not regularly assessing their company’s ethical performance,” says the IBE.


Principles, not rules

Promoting empowerment can help build an organisational culture that enables your business to be more agile. This allows for faster decision making. Getting employees to think within an ethical framework, rather than blindly following rules, engenders trust and allows for faster, better decisions that align to your purpose, vision and values. This is particularly helpful when you consider that most business decisions require a trade-off: for example, what takes priority – customer or profit? Making the right decision at key moments is critical to delivering on your promises and remaining aligned to your values.

Tension can exist between the control that organisations seek and allowing people freedom to make decisions and be responsible for them. Finding the right balance can be a challenge. It will not be achieved by acting like ‘Big Brother’, but by discovering how your organisation can enable and encourage the desired behaviours whilst disabling and discouraging the undesirable.

Practical steps

Within the most successful organisations, culture and behaviours are seen as a board-level issue of strategic importance. Behavioural expectations need to be clear. People at all levels are personally accountable and know what is expected of them. The tone from the middle and tail are taken into account alongside the tone from the top. Successful organisations recognise that leadership can operate at all levels. Alignment is essential, so critical behaviours are clearly defined and aligned to purpose, vision and values and, crucially, measured. If behaviours are strong and aligned this can help enable the achievement of business objectives, which can be the best control for your business.

An organisation’s purpose, vision and values reflect the society within which it operates. Our social values change over time: some things that were acceptable 50 years ago are not today, for example, wasteful packaging or smoking in the office. Applying a

Culture change

We are starting to see organisations in the banking sector develop comprehensive cultural assessment and measurement approaches to enable them to effectively monitor their behaviours.

One of these organisations had recently conducted a major behavioural change programme as the result of an unauthorised trading incident. By undertaking a detailed review of the design and operational effectiveness of this programme it was able to provide comfort to management and the industry regulator that the required change in behaviours was occurring. This included testing key controls to ensure that the right people were being recruited, promoted and trained, and that consistent values and underpinning behaviours were embedded across the business.

Increasingly, organisations are measuring their culture and behaviours to discover where to focus interventions and to ensure they are achieving the desired cultural state.

Word spreads: Northern Rock’s customers rapidly withdraw their savings on news of the bank’s crisis


2. Companies still fail, or suffer major disruptions, despite heavy investment in a range of risk management activities, suggesting there are other factors required to support resilience.

3. The relentless pressure on businesses to cut costs while enhancing their long-term prospects of survival means that agility can sometimes be at odds with the requirement for robust protection mechanisms. For many, this can result in poorly considered investments in resilience. The ‘buffers’ that contribute to resilience are increasingly seen as an unnecessary expense and are removed to reduce costs.

There is a requirement to think more broadly about how to enhance the long-term sustainability of an organisation against a backdrop of constant change. Existing risk management activities need to be supplemented with a broader focus on a series of interrelated factors that contribute towards resilience. There will always be uncertainty, but a uniform and integrated model against which to measure an organisation’s resilience can provide an invaluable source of intelligence to support decision making.

Crucially, resilience is a quality rather than an absolute. No organisation can say it is completely resilient, making it hard for it to visualise what delivering enhanced resilience might look like. For many, their response to this issue has been to ‘de-scope’ their approach, focusing on the more tangible and readily understood aspects of risk management at the expense of the broader factors that drive enhanced resilience.

Businesses will always need the ability to identify and manage risk, and to deal with sudden shocks, disruptions and crises. As most leaders are aware, however, this is not enough to create true enterprise resilience, which is a state that is enhanced or diminished by an organisation’s ability to anticipate and react to change in order not only to survive, but to evolve. This is reinforced by a recent report by Airmic and Cranfield School of Management, Roads to Resilience, which found that resilience is created or reduced by much more than an organisation’s ability to manage risk (see page 34).

Leveraged in the right way, an enterprise resilience framework will help organisations actively manage both the downside and also the upside from risk, as well as changing, and freeing-up precious resource from, the near constant focus on individual risks.

The model for enterprise resilience

Resilience is much more than the sum of the risk management parts that protect the organisation from harm. It can be created or depleted by everyday decisions, behaviours and activities as well as corporate strategies.

Resilience can be enhanced or eroded in four dimensions:

• The ever-changing personality of an organisation, its culture, values, purpose and mission

“An enterprise resilience framework will help to actively manage both the downside and upside from risk”

Snapshot

• Boards should consider opportunities as well as downside risks, and longer-term resilience as well as short-term business continuity.

• Businesses should take a broad approach, incorporating their sustainability principles, to maximising resilience across all areas of activity, from product or service design, to supply chain flexibility.

• True enterprise resilience requires an organisation to anticipate and adapt to change in order not only to survive, but to evolve.

• Enterprise resilience is dependent on strong leadership.


We often focus on managing the downside of risks at the expense of the opportunities presented by them. This guide has sought to address this issue by setting out how organisations can balance negative risk impacts against the opportunities arising out of expected and unexpected change. This chapter goes further. Existing organisational structures, which protect against short-term disruptions and change, need to be supplemented with a framework that will support enterprise resilience over the long term.

The need for a focus on enterprise resilience stems from three issues:

1. Traditional enterprise risk management is not enough. It has difficulty in capturing how to respond to events that are truly unique and unknown. And it is unsuited to managing the consequences of every decision taken by an organisation.

Creating resilience

Part 3 Board responses

As well as taking measures to manage and mitigate short-term disruptions, businesses should strive to create a framework that will support longer-term enterprise resilience

Chapter 8

James Crask, Senior Manager, Business Resilience, PricewaterhouseCoopers

Richard Sykes, Partner and Head of Governance, Risk & Compliance, PwC


• Genuine social capital with customers, staff, regulators and the public at large

• People who work with and for them and their behaviours

• Intelligently integrated risk management activities that cooperate to protect all key assets and aspects of the organisation

• Having the right skills, competencies and other resources in the right place at the right time.

The importance of measurement

Many of the factors that contribute to an organisation’s resilience are harder to visualise than functional or operational processes, but they are not impossible to measure or manage. By gauging the level and impact of the factors that contribute directly to an organisation’s level of resilience, leaders are able to make better-informed choices and adjust their strategies to leverage competitive advantage.

The importance of these factors will vary between each organisation depending on a range of dynamic factors, including purpose, environment, context and culture. This means that any approach to measurement must be tailored to these factors.

Survive and thrive

Enterprise resilience is not just about surviving in the present. It is about having the foresight, capability and agility to adapt and evolve; to identify and take advantage of opportunities as well as address challenges; to thrive as well as survive. Enhancing an organisation’s resilience cannot be achieved in silos. It requires coordination and action across all locations, within all functions, and at all levels of an organisation.

It remains important for an organisation to consider how it might respond to individual risks, not least those highlighted by the WEF’s Global Risks 2014 report. But investments in managing such risks can be wasted if delivered without considering the integration of the wide range of activities an organisation undertakes to protect its interests. A broad approach is required, with clear focus on the interrelationship between various factors that combine to make an enterprise more resilient.

Checklist for the board • Are we currently protecting the right parts of the business?

• What are our current levels of resilience across the organisation?

• Are functional silos collaborating and working as effectively as they should?

• Are we spending wisely with our investments in resilience?

• What aspects of resilience are most important to us?


• The degree to which an organisation’s networks, interdependencies, context, environment and likely futures are truly understood

• The activities undertaken, including those to protect the organisation from harm

• By an organisation’s rules, behaviours, norms, innovations and leadership.

The operational aspects of resilience, including risk management, business continuity, IT resilience, crisis management and information security management, to name a few, are never likely to be less important than they are today, and in fact need to exhibit a much higher degree of collaboration in delivery. Organisations that focus excessively on these areas at the expense of the wider factors that contribute towards resilience could perversely be diminishing their overall levels of resilience. A mature business will generally mix these activities, which aim to address shorter-term risks and impacts, with a consideration of a wider range of resilience factors that draws on the characteristics that define the business and can guide its decision-making. Few businesses, however, have identified these wider elements clearly and consistently in every department and at every level. To give an example, creating a code of values is useless if only half the workforce identifies with it.

Leadership for resilience

Leadership plays a crucial role in building resilience. Leaders committed to creating more resilient organisations typically demonstrate authenticity, build trust that enhances social capital, maintain an awareness of an organisation’s current and future relevance, and innovate accordingly. These leaders have in-depth understanding of their organisation and the networks and circumstances upon which they rely. Their deep understanding is embedded within both everyday and strategic decision-making. They also empower staff to take ownership of decisions, including delegating risk management tasks along with the ability to raise issues, ideas and innovations that will help the organisation to manage change positively.

When great leaders talk of making their organisations more resilient, they speak from a position of understanding their business and the context in which it operates.

Leaders focus on:

• The capability to respond when needed

• Placing sustainability at the centre of their strategy and decision-making framework

• The agility to move quickly and decisively when required.

In delivering resilience, leaders are concerned about:

• Shared values

• Disciplined innovation

Roads to Resilience

Roads to Resilience, a 2014 report published by Airmic, highlights that effective risk management goes way beyond compliance or adherence to standards. The findings have profound implications for both boards and risk professionals.

Roads to Resilience follows up on Roads to Ruin, also from Airmic, which looked at high-profile crises involving 23 companies that left their reputations in tatters. The latest report demonstrates, through a series of in-depth case studies, that successful corporate resilience is not characterised by an absence of the key points of failure outlined in Roads to Ruin. In resilient organisations, risk management was found to be integrated into strategic and operational decision-making and formed part of the very essence of the corporate identity.

Airmic and Cranfield School of Management studied leading organisations that have created a resilient culture, protecting their business and reputation. They found the incentive to become resilient goes well beyond avoiding disaster. Firms that are sure of their risk management also have more confidence to be enterprising, not only identifying risks but also seizing opportunities.

The research found that the qualities embedded in resilient organisations enable them to succeed in other respects. They are more responsive to their customers and the markets they serve, their staff and suppliers are motivated and loyal, they gain trust by being more dependable, and achieve better results for shareholders.

In short, resilience should be at the heart of strategy and part of the overall vision of every organisation.


Contributors

Dr Roger Barker is Director of Corporate Governance and Professional Standards at the IoD. He is Senior Adviser to the Board of the European Confederation of Directors’ Associations (ecoDa) and Chairman of its Education Committee. He sits on the advisory board of the Institute of Chartered Accountants in England and Wales and is a visiting lecturer at the Saïd Business School (University of Oxford), ESSEC (Paris), UCL (London) and the Ministry of Defence in the UK.

James Sproule has been Chief Economist and Director of Policy at the IoD since January 2014. Prior to joining the IoD, he led Accenture's UK Research and Global Capital Markets Research. He started his financial career as a merchant bank economist, working at Bankers Trust, Deutsche Bank and Dresdner Kleinwort, and eventually helped to found the boutique bank Augusta and Company. Before embarking on a career in economics, he was a signals officer in the Royal Navy.

Richard Sykes is a Partner and Head of Governance, Risk & Compliance at PwC, where his current focus is on driving the risk resilience agenda. He has contributed to several thought leadership publications around risk and compliance by PwC, the IoD, Tomorrow’s Company and others. He has spent the majority of his career as an audit partner on FTSE 100 clients and he is currently PwC’s global relationship partner for advertising group WPP and insurance company Old Mutual.

Charles Beresford-Davies is head of the Marsh UK & Ireland Risk Management Practice, Marsh’s major account management business. Prior to this appointment in 2012, he led the Marsh UK Financial Services Practice for seven years following his return to Marsh from Jardine Lloyd Thompson in 2005. His 24 years in the insurance business began with Lloyd’s of London, but for much of his career he has focused on insurance brokerage within the international financial services sector.

James Crask is Senior Manager in PwC’s Enterprise Resilience team, where he advises clients on how to improve their resilience. He regularly coaches and speaks on this theme and has advised the UN International Strategy for Disaster Risk Reduction, exploring the private sector’s role in managing disaster risk. He is currently helping to develop a new International Standard for Organisation Resilience. Before joining PwC, he worked for the UK Cabinet Office Civil Contingencies Secretariat.

John Hurrell has been Chief Executive of Airmic since 2008, following a career of almost 30 years in the Marsh and McLennan Group of Companies, where he was Chief Executive of Marsh’s Risk Consulting business throughout Europe and the Middle East for five years. At Airmic he has led extensive research into risk and insurance-related issues, resulting in a number of groundbreaking publications, including Roads to Ruin (2011) and Roads to Resilience (2014).

John Scott is Chief Risk Officer for Zurich Global Corporate, where he leads the implementation of the Group’s enterprise risk management strategy. A graduate of Oxford University, with a PhD in Geology, his early career was with BP in the upstream oil and gas industry. In 1995 he gained an MBA at Cranfield and joined BOC, later becoming General Manager of BOC’s Edwards business division. He currently chairs the Carbon Capture and Storage Association’s (CCSA) group on risk.

Caroline Woolley is Property Practice Leader at Marsh and responsible for the company's risk practices and its global Business Interruption Centre of Excellence. She was previously in Marsh Risk Consulting’s Forensic Accounting and Claims Services team, where she was head of the Forensic Accountants. She has written numerous articles on forensic accounting, business interruption and supply chain-related topics, and also received the Business Insurance global 'Women to Watch' award in New York in 2011.

Faye Whitmarsh leads PwC’s Risk Assurance culture and behaviours team, which specialises in assessing and measuring culture and behaviours. This includes conducting cultural assessments, designing behavioural measurement frameworks and assessing the effectiveness of behavioural change programmes. She holds an MSc in Organisational Psychology, adding a psychological lens to her skills in risk assurance and business resilience. Much of her current work is for clients in the financial services industry.


This guide has highlighted that global risks are among the most dangerous an organisation can face. These threats move fast: a pandemic could go global in weeks; the 2007 financial market crisis caused mayhem in days; and political and military events, like the recent turmoil in Ukraine, spur rapid change. Yet global risks also offer opportunities for well-prepared businesses. The very fact that such risks are systemic means they are likely to affect your competitors as well as you, and then the most resilient companies will survive at the expense of the rest.

Airmic’s Roads to Resilience research shows that one of the critical aspects of resilience is adaptability. This entails having an effective ‘risk radar’ (boards should subscribe at low-cost to up-to-date sources of intelligence on key political, economic, financial and market trends), excellent communications and empowered management. Here, SMEs hold an advantage over large corporations in their speed of response.

The impact of a global risk is likely to attract significant media attention, putting the reputation of businesses involved on the line. Those seen to be part of the solution – delivering for customers, employees and other stakeholders despite challenges – stand to reap long-term reputational benefits.

Ultimately, company boards cannot anticipate every eventuality and even the best prepared can be blindsided by ‘black swan’ events. But, as this guide has highlighted, there are many decisive steps that they can, and should, take.

It could be you...

Some final thoughts and key tasks for the board

John Hurrell, Chief Executive, Airmic

Chapter 9

Part 3 Board responses

Key tasks for the board

• Seek to understand the nature and extent of global risks, with the help of expert analyses such as WEF’s Global Risks 2014 report.

• Look at your organisation’s critical dependencies, including people, physical assets, financial support, supply chains and technology, and assess major areas of vulnerability.

• Adopt a strategic approach and appropriate operational tools to build resilience – from scenario planning and business continuity management to people policies – ensuring that robust measures are in place to manage and mitigate the impact of global risks.

• Demonstrate leadership by: clearly taking board ownership of global risk oversight; adopting a strategic mindset that is open to opportunities as well as wise to threats; observing principles of sound governance and regulatory compliance; implementing appropriate internal structures and policies; and adhering to – and communicating – an ethical and sustainable approach.
