As consumers, we all feel the effects – to varying degrees – of recessions and other forms of economic disruption. From a risk management point of view, this is economic risk for which some risk managers have direct responsibility. For the vast majority of us, it's often viewed as a personal risk issue. In reality, however, the economy and its impact on performance pose a serious issue to all, both personally and commercially. For risk managers without direct accountability for economic risk, the key question is: does the economy matter to what they do – and should they care? If the latest Business Insurance Solution Arc on the economy and emerging risks is any indicator (featuring story headlines like: "Improving economy puts pressure on supply chains" – "Recovering economy creates numerous employment-related risks" – "Strategy, data and workforce mitigate risks associated with growing a business"), then I think we’re on to something important for risk managers.
I think the answer is a strong "yes." But why should they care? Assessed as a risk to your firm and yourself, it is clear the effects of the current economy – while not always directly measurable or even immediately tangible – are potentially significant. If true, then this would drive our interest in and response to the exposure. So, in framing a fundamental assessment, what is the impact and, secondarily, the likelihood of economic risk? If we can agree impact should take precedence over likelihood, then here are the top five exposures, significantly driven or affected by economic forces, risk managers should consider:
- Inability for key suppliers to meet contractual obligations. Supply chain risk, especially the global variety, has been highlighted repeatedly in the last few years; a global economy and its increasingly complex profile of interconnected obligations have raised the stakes considerably for all. While procurement experts manage this daily, risk management needs to get more involved in the assessment and mitigation strategies to ensure alignment with overall corporate risk appetite.
- Fraud. System security vulnerabilities are exposed with ever-increasing frequency and impact – another risk as hackers and other bad actors continually and persistently innovate new ways to attack and breach corporate controls in this area. As the headlines have screamed repeatedly of late, this risk often flows through to your customers with far-reaching ramifications.
- Underinvestment in business continuity/disaster recovery planning (BCP/DRP). While many risk managers have no direct accountability for BCP or DRP, it's begging for their expertise. Helping define and consider the scenarios at the heart of this important discipline, in order to better understand likelihood and impact, naturally leads to the ultimate concern: what should we do about it, if anything? Only truly collaborative efforts between functional experts and risk experts have any hope of approaching an optimal treatment of the exposure.
- Increasing regulatory compliance failures due to workload pressures on personnel. Even if you're not in a heavily regulated environment, you can't afford to ignore this exposure as regulations rapidly increase and their enforcement and related penalties often increase at a similar pace. Again, you may see this as the domain of compliance leaders, but the risk management perspective must be considered in resource-constrained environments that impact related decisions. Are you operating in a business segment where key success metrics are increasingly unlikely to be achieved as a result of virulent regulation?
- Workforce degradation. This exposure has many drivers including key leaders looking for more secure ships; inability to hire those skill sets that closely match business needs; over-worked employees due to margin squeeze who foment morale problems, quality deficits and even workplace violence. Clearly, the people impacts of a stressed economy and its flow through to your workforce set the stage for numerous other business challenges downstream culminating in destruction of the customer experience. Could there be any bigger consequence?
This focused "top 5" list leans toward things risk managers can do something about. Most of these will affect risk managers either directly or indirectly and thus deserve some attention and consideration in your planning. Interestingly, my starting list was much longer and noted as many lost opportunity "exposures" as those with explicit downside. But I won't belabor my pet peeve that risk managers need to be as much or more involved in addressing these lost opportunity exposures as any exposure likely to produce loss. Instead, let me emphasize the other common denominator associated with all five: reputation "risk." While reputation is not so much a risk as a consequence of risk, it is a consequence that can, and often does, trump all others. Managing these risks enables the protection of reputation from particularly negative consequences.
For so many of these risks, the exposure manifests in the over-used adage that we all need to do more with less. While that implies a need to improve our productivity or suffer the consequences, it does implore us to consider how we can improve productivity by executing more efficiently and eliminating tasks that provide little or no value. Technology, of course, is a great enabler if designed and implemented well, but done otherwise can just worsen conditions. Another obvious response to these challenges is to hire only the most qualified people, not only well-matched to the roles required, but with the innovative mindset that can often design or improve processes; people who might, for example, turn jobs currently designed for two people into a single job able to accomplish all that is truly needed and valuable.
Beyond these two suggested responses, risk managers have the opportunity to engage the business on enterprise-level issues affected by economic exposures and show a new level of contribution beyond their (perhaps narrowly defined) box. In other words, why not step out and raise your hand as offering something that can have a big potential impact and to which you can tie your own personal success? Try forging alliances across functions to drive an integrated approach to managing workforce productivity; look to blend occupational and non-occupational risks into a single integrated approach – potentially executed with fewer personnel and at lower combined expense.
I call that "leveraging a risk for gain" – the true core purpose of an ERM approach to managing risk. Are you up for this type of challenge and the personal risk it engenders?
Chris Mandel, SVP, Strategic Solutions