INTRODUCTION
Over the last two decades in particular, business continuity has become an increasingly crucial issue that is of vital importance for an organization regardless of its size and location. This is even more the case in this age in which key stakeholders have become much more empowered and have a greater voice through the rapid technological advances that have made the world appear to be a great deal smaller in many respects, for better or for worse. Transparency in word and action are watchwords. This is especially relevant in the context of business continuity and reputation risk management. If proper continuity policies and practices are not in place, any business may suffer both temporary and permanent losses.
As risk and reputation risk incidents continue to occur in this increasingly transparent age, the responsible players must see the value of integrating their more holistic non-financial risks and issues into their business risk, compliance and integrity programmes. It may even take a public controversy or scandal to arouse or alert an individual company or sector to the current reality that an integrated risk, compliance and integrity programme makes sense. Those tainted by scandal or affected by risk gone wrong are already demonstrating this. For example, Walmart, a major player in the retail sector, is developing, following the Bangladesh-based Rana Plaza disaster and the Mexico bribery allegations, what has been noted as being one of the more advanced approaches to an integrated global business risk, compliance and integrity programme.
Preliminary Risk Issues and Examples
It is clear to all business observers and advisers that there have been dramatic changes in the way that businesses have reorganised themselves as they take up new opportunities to research, produce, market and deliver. In turn, this has impacted upon their management issues such as ongoing due diligence, risk management and overall corporate governance (see further below). The four major types of risk include: strategic risks (risks that change a business strategy); operational risks (risks that affect the ability to execute the strategic plan); financial risks (risks in areas such as financial reporting, market, and credit); and compliance risks (relating to legal and regulatory matters). Moreover, there have been varying trends over the last two or three decades as regards risks and opportunities. These opportunities include new technological tools, wholesale data mining, new faster and direct-to-customer communications, increasing multi-nationalism, the sheer scale and strengths of merged companies, urgent outsourcing dependencies, value chain management, and improved communication or new relationships with the workforce.
As has been touched upon in the Author’s recent report on Reputation Risk Management (published by Wilmington 2014), many companies or businesses could be described as being made up of no more than a brand, owned or rented intellectual assets, and outsourcing contracts. These elements have often become crucial or main dependencies - single points of risk for the survival of that business. This highlights the link between business continuity and reputation risk management. In other words, a sudden closure and/or removal from their marketplace is increasingly more, not less, likely than under previous business models. Almost every day in the corporate world in most jurisdictions, there are examples or case studies demonstrating a lack of proper risk management and a responsible risk culture. There are indeed individual examples that have been so dramatic that they have brought about reaction from the sector as a whole and even caused the introduction of legal reform.
The energy sector has experienced a number of cases that have shown the long memory that the public has for reputational incidents that create distrust. For instance, the downfall of oil giant Beyond Petroleum (“BP”) was the result of a devastating event that revealed BP’s reputation to be much more positive than its underlying reality. BP molded its reputation around the idea or concept that it was a corporation that put the environment first. The major event that led to its negative reputation was the leak in a pipeline in its oil field in Alaska. Meanwhile, the coal industry has been blamed for many environmental and safety problems that have damaged the reputation of the sector. There is a role for CSR to be properly implemented to balance such concerns to an extent where appropriate and this will form part of further analysis in another article. It is submitted that the Cleaner Air Foundation project is one initiative that may be examined in this regard. Meanwhile, for further information regarding this initiative see the outline found at www.thecleanerairfoundation.org.
One major instance has been that of the meltdown in several financial and banking institutions, including failed products and corruption that has led to major upheaval in many jurisdictions over the last several years. Reputation risk management has proved to be very difficult after the widespread publicity and damage that raised awareness across the world in which the victims of the crisis were empowered to bring class actions where possible. Meanwhile, the consequences of damage by a risk incident may not be only monetary, such as in the loss of valuable assets or by destructive levels of litigation. The consequences may be that the business may lose equally valuable dependencies that are needed for its very survival as noted, depending upon the sector involved. These dependencies and responsibilities may include the following:
- intellectual assets;
- brand values;
- regulatory and licence approvals;
- legality; and
- the trust or the confidence of its various stakeholders and its ability to deliver urgent contracted products and services.
Furthermore the practical consequence may be that the organization has to step back from its marketplace or forum for a period of time, allowing competitors to fill the gap and do lasting damage to the customer, supply or distributor base. The damage of course may not be from within the organization. Another example may be the destruction of the legal or physical environment on which the organization depends. For instance, an urgently needed supplier or distributor may be the one directly affected by a disaster. However, their failure to deliver as contracted may have an equally destructive impact on the production line of the organization being discussed. Again reputation risk management is a priority.
Risk Attitude, Culture and Decision Making
For the purposes of this discussion, an important point is that different organizations - and even personalities within an organization - can take, and wish to implement, very different views on the acceptability and unacceptability of risk exposures. They will make these decisions within and based upon their different backgrounds and cultures, as well as the quite different pressures upon them. This is even more so in the rapidly expanding connected world of global business activity. By way of example, a bank, servicing credit cards and cash machines 24 hours a day, seven days a week, will take an entirely different view on acceptable gaps in service compared with an organization where customers could reasonably wait a few days for the contracted service, product or for another response. Some organizations, especially those using e-commerce distribution, may have competitors that can respond incredibly quickly to any difficulties within their own organization. It is for this reason that the business continuity issue - the amount of time lost or “time out” - is another vital consequence for the risk manager and the decision makers.
As the Author has explained in her Reputation Risk Report, available on http://www.wlrstore.com/ark/reputation-risk-management-ethics-and-values-an-international-debate.aspx, over the years there have been significant changes in:
- the way businesses deliver and market their own products;
- changes too in their relationships with their stakeholders, and
- even in the risks themselves.
The organization can be destroyed not only by new risks but even by a new level of damage caused by “old” risks. Indeed, the consequences of a damaging occurrence may be far removed from the consequences of a similar incident some years ago. This is witnessed in the area of business continuity where the demands of the modern day customer, client or consumer are more and more evident and time bound. The integrity of the brand - and reputation - can be a strong defence against additional loss. Moreover, reputation risk - which is noted to be potentially embedded in every kind of risk - is increasingly recognized by boards as a key strategic risk. The main cited reason is that reputation risk attaches itself to other kinds of risk and enhances any impact. As is always the position with aspects of management and governance, the responsibility for risk identification, understanding and management rests firmly with the board. In accordance with the generally recognized corporate governance principles, whereas the board may delegate the processes of risk understanding and risk management, it cannot delegate the responsibility. Once the risks and the potential consequences are understood, the directors must make decisions around the information obtained.
It has become more and more understood that it is important to include governance systematically in companies’ business risk, compliance and integrity programmes - through corporate governance procedures, codes of conduct and policies, especially relating to legal and regulatory matters. In the UK, company boards enjoyed long established financial risk measuring mechanisms, but developments such as the Turnbull Report, Basel II, the Combined Code and others have driven boards to consider non-financial risk in the last few decades. These risks are much more amorphous, and as such these guides and legislation have moved into areas where decision makers, quite rightly, may feel much less confident. This is very important in any debate over business interruption and reputation risk management. Indeed, experience in many jurisdictions shows that the greatest potential for destruction is in the areas of these non-financial risks. Therefore it is very important to consider the risk culture very carefully and decide as fully armed as possible, having regard to any potential individual and collective impacts, direct and indirect.
When considering the response to a potential risk and its mitigation the decision could be that the exposure is an acceptable one. Bearing in mind the above, this could be a reasonable decision where:
- the potential worst case consequences are clearly understood; and
- the board considers that they could not possibly have an unacceptable impact on their own people, their stakeholders, balance sheets, controls, legality, market presence, brand values, revenue accounts nor cash flows.
If, however, the exposure is deemed to be unacceptable then the organization still has choices to make, such as the suggestions cited below. The Board could:
- invest resources to manage the exposure or the potential consequences down to what is considered to be the acceptable level.
- prepare in advance for the consequences of a risk incident, in the knowledge that, with that preparation, the strengths of the organization can be used to manage through the consequences without unacceptable damage.
- decide to avoid the particular activity or environment altogether.
- enter a contract to transfer the risk into an insurance product or to another counterparty.
practice may well use a combination. It is submitted that the trend is in favour of responsible managers, executives and board members helping their organisations or companies to adopt a more integrated approach. It should be recalled also that individual personalities within the organisation may be very persuasive in this context, and the following should be noted given the growing pressure on transparency and attributing responsibility. The phenomenon of technology and the prevalence of media in our society have shifted the focus of stories from complex business information to the leaders of the corporation, who make far better, and more interesting, stories. These individuals personify the attributes and values of the company. As a result, institutions now need to strategize and determine a positive individual face for the company, a decision that could make or break its reputation. An Economist Intelligence survey asked companies what individual in the company had the biggest responsibility for the company’s reputational risk; 84% responded, “The CEO.”
Closing Comment
As a closing aside, there are a couple of important dangers worthy of mention at this point when considering the mitigation of risk and loss that may be discussed further in a later publication. For the purposes of this discussion, in some cases the organization’s lawyers may indeed be able to transfer the potential cost of risk by contract to suppliers, distributors or other counterparties. There is no real value, however, in a risk incident destroying a just-in-time and critical supplier or a distributor that, in turn, by its failure, damages or destroys the host organization’s ability to remain in business.
Another, more technical, danger is that the risk analysis needs to be quite clear whether the assessment is of the maximum probable loss or the maximum possible loss. These can be entirely different things. This may be of academic interest to an insurer who makes these assessments but has reinsurance protection against a significant miscalculation. The organization that retains risk just has to get it right; that is, to err on the side of caution. It is submitted that the lawyer’s view needs also to take account of and include the additional and important dimension of business continuity and reputational risk management.