Even if you have been running a successful and secure business for years, problems might still arise unexpectedly that put the operation in jeopardy. Companies are at risk of all types of potential threats, from force majeure to cybercrime to whistleblowing on an internal problem. Knowing about your company’s exposure to problems is vital, therefore risk analysis should be an integral part of your corporate governance.
Attention to detail
Risk analysis can be a complex task as it requires information on a variety of topics right across the business. Project plans, security protocols, financial data and marketing forecasts can all be used to build a picture of the challenges a business faces. The first step is to identify threats through a detailed analysis of the risks faced by the business. This work will highlight potential threats and their implications, and enable the board to identify and rectify any weaknesses and, at the same time, develop crisis contingency plans to manage any emerging crisis if a risk becomes a reality.
A threat might be a human one – for example, illness, injury or the loss of a key employee might cause significant damage to a business. ‘Key man insurance’ is an example of one strategy to address the financial implications of this particular risk.
Other threats can be classified as operational, reputational, procedural, political and structural. These example categories help you to define where the major risks to your business are and why your business is vulnerable.
It is also important to think about potential external shocks that could cause disruption to the business. Although an extreme case, you may recall that in 2013, a helicopter collided with a crane on a construction site in London – it left two dead, twelve people injured, caused damage to nearby local businesses, stopped London traffic and led to round-the-clock media coverage. External incidents can harm infrastructure, data and bring day-to-day business to a halt. As part of the risk analysis process, it is important to consider external factors that could disrupt the business and how it would continue to operate in such an eventuality. Companies need plans to protect transactions and their reputation from unforeseen crises.
Prepare to communicate in a crisis
It is imperative that there is consensus on crisis contingency plans. All managers should be fully apprised of the plans and know their roles and responsibilities in advance. Also, a communications plan needs to dovetail with the crisis and business continuity plans – If an incident occurs, staff, clients and the wider public will need to be informed, reassured and kept updated.
With this in mind, it is advisable to set up and test in advance, an information gathering system so that nominated staff can easily gather and collate data and share it with the relevant people. Finally, the likelihood is that some staff will need training on the response plans and their individual roles. It is up to senior management to identify those who can carry out tasks and provide the necessary training. The faster, more coordinated and effective the response (both to the incident and communications), the less damaging the impact will be on day-to-day business and the long-term reputation of the business.
Sometimes a problem will not be a visible one. If there is a persistent issue that management has failed to act upon and is of relevance to the general public, employees may resort to whistleblowing. The government protects corporate whistleblowers, and any gag order or non-disclosure agreement will not apply if the case is deemed to be of interest to the public at large. A whistleblower is completely protected when reporting on health and safety dangers, damage to the environment, and miscarriage of justice – when a company is breaking the law or if someone has attempted to cover up wrongdoing.
A problem that the board fails to uncover in its governance, or the risk analysis process, that is later revealed to the public by a whistleblower can be hugely damaging to the business. In terms of reputational damage, it may be a very expensive mistake to repair, if indeed it can be repaired. If the whistleblower reveals criminal activity, it might also lead to an investigation.
However, whistleblowing should not be feared as destructive in of itself. Companies that have the right system in place to deal with concerns and complaints should actually benefit from them, as it gives management the opportunity to put things right.
Employees should be made aware of a company’s whistleblowing policy and what they can expect in terms of actions and results when a complaint is made. Once the system is in place, however, it must be allowed to run without the interference of management. A recent case of an attempt to identify a whistleblower has shown that companies require a culture that encourages employees to speak their minds when they have a concern and that attempts to remove anonymity can badly taint that culture of openness. Employees who know their welfare matters will be more willing to come forward. The ideal scenario is for employees to feel assured enough in their standing that they can submit complaints without anonymity and without fear of censure.
Risk analysis is an essential part of strategic business management and should be a top priority for the board. If the issue is constantly moving down the agenda in your company, RiskNet’s article on the Top 10 operational risks for 2017 might galvanise you into action!