
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
May 3, 2002


A change of scenery

The latter part of the 20th Century and the early years of the Millennium have witnessed the convergence of international criminal and terrorist activity, so tragically highlighted in the USA on September 11. It is now clear that the events Stateside were planned, rehearsed and implemented with military precision by terrorists thoroughly trained in the use of new technology.
The ripple effect of last September’s atrocities has included a resurgence and reconsideration of risk assessment, target hardening and insurance.
While these measures are laudable in this new era of global risk, there’s a definite need for the practice of risk mitigation (including insurance) to embrace a wider range of risks – particularly in respect of the effective management of risks to reputation.
Like integrity, reputation is a word that’s widely used but seldom understood or defined. For instance, in banking parlance reputational risk is part of operational risk and includes the adverse effects of fraud and financial crime, bribery and corruption, cybercrime and money laundering. In other circles such as manufacturing, for example, it may be defined as the ability to deliver new products and innovation seamlessly.
Modern risk management must embrace ethical values, democracy and justice as well as environmental issues and, more generally, sustainable development, which – when taken together – have led to an ever-growing demand for more transparency and accountability in both Government and business.
The type of society that European citizens are calling for today involves new kinds of relationships between employers, employees, the State and the environment. It requires both public authorities and business to show a sense of social and environmental responsibility.

Corporate social responsibility
In response, companies have to rethink their roles and duties, not only in relation to their shareholders but also in respect of the needs and expectations of all their stakeholders.
Adopting measures that limit the negative impact of activities on the environment is no longer enough – the focus has broadened to include a new dimension referred to as ‘corporate social responsibility’.
‘Corporate social responsibility’ implies that a company conducts its business in a socially acceptable way, and that it is accountable for its effects on all relevant stakeholders. Thus, it raises the question of the total impact of an activity on the lives of individuals both within and without the company.
With a shrinking workforce, the challenge for enterprise today is to recruit and retain talented workers, at the same time remaining competitive. To do this, companies will have to continually seek new and better ways of motivating their workers. The way a company manages its social responsibility has emerged as one of the most important criteria on which a prospective employee bases his or her choice of career and employer.
For their part, consumers are becoming more discerning and better informed. They’re willing to change their preferences in support of what they believe to be ethical and sustainable products and services.
To maintain consumer trust, companies must be able to account for social conditions in which their products have been manufactured.
‘Corporate social responsibility’ is a powerful way of making sustainable, competitive profits and achieving lasting value for both shareholders and stakeholders. It’s a win-win opportunity for companies and their financial advisers and society at large.
There’s no doubt that companies are responding to the issues raised by ‘corporate social responsibility’ and business accountability by adopting codes of behaviour that are transparent and fair, not only to their paymasters but also to the general public – and to other protagonists directly or indirectly involved with their activities. More and more companies are now publishing information on their social performance by way of demonstrating to their stakeholders that they are indeed ethical, moral and accountable.
In short, the prevailing (emerging) issue for business and commerce – newly-appointed alongside the traditional risk factors – is that of reputation and integrity. How a business manages its image – both within and without – is becoming the single most important challenge presented by the new economy of the 21st Century.

Sustainable risk management
Conventional risk analysis has traditionally been a process of assessing generic risk based on individual subjective views. This method relies on the ability of companies to plan for most eventualities and hope for the best!

A new approach is what’s needed. One that’s able to cope with the diversity of pressures and risk factors involved.
Traditionally, risk management has been driven by insurance, and therefore the term ‘crisis management’ is irretrievably linked to a dated ‘one-size-fits-all’-style of risk policy that no longer addresses the concerns of the global marketplace. A cradle-to-grave approach to risks is one which addresses holistic risks and applies countermeasures to mitigate a crisis (which usually means a crisis of confidence affecting reputation).
A crisis can be defined as a significant business event which attracts substantial media attention and impacts on normal corporate operations – or a sudden unpredicted internal or external event requiring extensive resources and time if it’s to be solved. Crisis (or ‘pending reputational damage’) may come in many guises, including: environmental damage, the activities of consumer activists, discrimination, labour disputes, sexual harassment, white collar crime, whistle blowing, class action lawsuits and financial damages. All of these can have a catastrophic or debilitating impact on a given company’s reputation if they pass unmanaged.
The largest companies fall furthest, and big names that have hit crisis point in recent years include Coca-Cola, Ford/Firestone, Texaco, Exxon and, of late, AIB/Allfirst, Enron and Andersen Consulting. These crises have shared no other common factor aside from the adverse effect that the incidents had on each company’s reputation. Mostly, it wasn’t the financial losses that hurt each company most but the media spin, which made them out to be corporate tyrants – myopically pursuing financial gain over reasonable and fair dealing.
Calamities of this magnitude are usually accompanied by headlines such as “Glass found in child’s foot”, “Terrorist bomb destroys corporate head office: many feared dead”, “Company IT system used to access international paedophile ring”, “Major IT failure at Internet bank” and “Company accounts used to launder terrorist cash”.
Headlines like these cannot be avoided completely, but some lateral thinking and a phased approach will help to manage the diversity of reputational risk.

Phase One: The risk assessment
Working with key managers and industry specialists – and assisted by collaborative computer technology to identify actual exposure to risk – facilitates focused planning and the preparation of specific policies and controls. This phase should therefore include:

  • conducting global and regional threat assessments;
  • identifying and prioritising actual exposure to risk;
  • determining specific triggers;
  • constructing/reviewing crisis response procedures;
  • reviewing IT system security, infrastructure and integrity.

…and must be accompanied by written reports to the Board identifying levels of risk, determining insurance coverage and exposure and detailing conclusions.
A focused risk assessment benefits from brainstorming and risk mapping. These are extremely effective methods when conducted as workshops where ‘real’ risks are ranked and weighted according to their probability and impact. Typically, the key risks to emerge from these focus groups are: kidnap and ransom, generic crisis, fraud and financial crime, terrorism and workplace violence.
Again, ‘corporate social responsibility’ and the effects on reputation should not be far from the kernel of the risk portfolio being assessed.

Phase Two: Control
Having identified the actual risks facing the organisation, this phase will enable the security manager to implement policies and procedures that will reduce exposure. While this may at first appear to be a traditional response to age-old problems, the difference is that specific risk issues and exposures are being addressed here. The outcome of this phase of the approach is designed to control risks.
Exposures (identified during the risk assessment phase) are addressed. Crisis management is introduced as an integral part of overall risk management strategy. An integrated strategy of control is developed. An ownership culture is cascaded down through the organisation. Physical and procedural controls (checks and balances) are introduced. Policy is communicated. Insurance portfolios are tailored to the actual identified risk exposure. Specialist ‘best fit’ consultants are identified and retained. Head office/regional scenarios are tested. Training is reviewed, tested and updated where necessary. Crisis Management Team members are identified and responsibilities defined, and 24-hour hotlines firmly established.
Taken together, these measures enable an intimate understanding of operations, values and culture – and provide focused, intelligence-driven strategic solutions delivered by experts in the field.
Training and education are often overlooked or ignored at this stage, but they’re an essential part of the risk management process. We are now seeing the emergence of specific ‘corporate social responsibility’ and integrity training, which is a welcome development.
Risk databases are an essential part of the control phase, and allow information to be developed into intelligence of much strategic value. Databases – which assist in risk mapping and knowledge management – cover the disciplines of terrorism, kidnap and ransom, insurance norms, stakeholder/non-Government organisations (NGOs), fraud/anti-bribery and corruption and socially-responsible investment. They are available online via secure delivery systems.

Phase Three: The corporate response
There’s always a crisis around the next corner, and a corporate strategy can make all the difference between prevention and a disaster. When a crisis hits, everyone (in particular members of the media) knows your telephone numbers. Key staff are not contactable. Expectations are too high. Internal communications fail. Local reporters enjoy their 15 minutes of fame. Their national colleagues expect doors to open for them. Journalists’ resources outweigh your own. Employees talk too readily to the media.
The early stages of a crisis are often marked by corporate surprise, followed quickly by wrong conclusions being drawn from insufficient or limited initial information. Given a rapidly escalating flow of events, a siege mentality quickly develops that’s driven by a short-term focus. It’s easy to see how company share values tumble in a crisis.
Hopefully, the risk assessment and control phases will have helped you to develop a strategic response plan that can be initiated the moment a crisis hits. Immediately a crisis of confidence occurs, the Crisis Management Team deploys, Emergency Response Teams go to the scene, the crisis communications operations room activates, the crisis management plan is implemented and specialists are deployed and co-ordinated.
For their part, the Emergency Response Teams should be capable of deploying to any geographic location to relay accurate, timely information and represent the company at the scene of a major incident.
Remember that the costs of managing and responding to specific crisis situations are insurable, and can be underwritten.
Following the declaration of a crisis situation, an independent Operations Centre should then be established to conduct administrative tasks, manage stakeholder communications, deploy – and liaise with – specialists and manage the Emergency Response Team members.
In essence, the role of the latter is to:

  • establish satellite communications and relay accurate real time reports and images of events;
  • establish liaison with local authorities and NGOs, etc;
  • provide immediate assistance to the company at the scene (including repatriation assistance if necessary);
  • represent the company at the scene of the incident until the arrival of company managers, and assist as required.

In line with this, the role of the Operations Centre is to:

  • act as a call centre and help desk for the public and media – with dedicated numbers;
  • accommodate and co-ordinate specialist advisors, each with knowledge of good internal communications and ‘corporate social responsibility’ issues;
  • provide administrative support to the Crisis Management Team and Emergency Response Team;
  • liaise with third parties (including customers, shareholders and relatives, etc);
  • co-ordinate with (and report to) the Crisis Management Team;
  • inform underwriters and meet fidelity claims reporting procedures.

Your incident room should be established well away from city centres and be equipped with real time satellite navigation and imaging capabilities, as well as the capacity to offer a 24-hour response facility. The corporate response phases of crisis management should include post-crisis support whereby lessons learned are shared and dissected, and amendments made to the crisis communications plans as a result.
In summary, it has now become essential to understand ALL of the internal and external pressures placed on corporate bodies in order to accurately assess, revise and respond to the threats of global business.
Proponents of project risk profiling, risk calibration and strategic responses need to view threats in the wider context of ‘corporate social responsibility’ and integrity assurance if they are to grasp the nettle of reputational risk management – which itself is one of the principal objectives of crisis management.
Second only, in fact, to the well-being and safety of an organisation’s primary asset. In other words, its people.
