By Frans Cornelis, MBA83J, IDP-C
Risk management is one of the “big three” attention items for non-executive directors, along with strategy and talent. And the current COVID-19 crisis has left many scratching their heads, wondering what lessons one should draw from this highly unpleasant experience.
Previous worldwide crisis situations that virtually no-one had planned for gave rise to concepts like “The Black Swan”. So is COVID-19 a “Black Swan”? Probably not – to quote Michele Wucker, it is more like a “Grey Rhino”: a known risk, rare but by no means fully extinct, and with very destructive properties.
So what is a non-executive director to do? Classic “risk management” often has a financial and statistical focus. One can and should insist that an organization maintains sufficient reserves. Of all types. And it is obvious that the idea that if you have less than your maximum leverage you are inefficient or in some way not maximizing things for your stakeholders is probably overdue for a rethink. One organization I am involved with, and that had to close down completely for almost three months, is now very happy with the fact that they did not go anywhere near the limit, and that they are therefore surviving where others have already gone bankrupt.
Over the decades, “Risk management” has almost been developing in a specialized science. In many if not most major businesses, there are elaborate schemes to assess risk; usually on the financial side (interest rates, policy changes, but also things like fashion change etc.). Mostly drawn up by accounting people. As a non-executive director, you could be forgiven for thinking that you have done your job well when you have scrutinized, probed and discussed the typical complex and serious report on “Risk Management” that has been produced for inclusion in the annual report.
And yet…… The Covid-19 crisis should also make us think first and foremost about something the Coca Cola leadership used to say: “You can take away everything, but if you leave the brand and some of our key people, we will rebuild the business”.
And, interestingly, science backs this up. The annual AON risk management surveys have a consistent item in the #1 spot for largest risks for decades now: Reputation. Not industrial policies, fashion, monetary policy, flooding or what have you. They all figure in the lists, but Reputation comes out on top. Almost every time, usually by some margin.
Also, the Boston based Reputation Institute, in cooperation with the Rotterdam School of Management (RSM), runs serious longitudinal studies of many thousands of organizations worldwide measuring “Reputation”. They also point out that Reputation is closely linked to another concept: Identity.
And there are quite a few cases, with verified examples, where they can prove that a high reputation score allows you to recover quickly from a disaster, whereas a poor reputation score does not.
Studies by prof. Cees van Riel (RSM, now emeritus) also show that the actions in the initial phases by the company executives and spokespeople are critical for benefiting from that “Reputation cushion” or not. The wrong actions quickly destroy that reputation, sometimes forever.
Like in the well-known case of once world leading Perrier water, where a contamination was detected in their flagship product. While a recall was forced on the company in the USA, the management sought to play for time and declared, untruthfully, that this had been a one-off mistake. In reality, it soon became clear that water all over the world had this contamination, and that it would have had this for quite some time. In a post mortem, it turned out it was due to bad quality and process control at the source itself. Why did management lie, did they know they were lying? Hard to tell, but certainly the attitude was one of denial, at the expense of their customers, and subsequently, the other stakeholders. The company never got anywhere near its previous market share, valuation and standing. It was sold 18 months later – to a direct competitor.
So does this mean that non-executive directors should also insist on better PR people, or that they should have probed the quality systems at the core processes better? That cannot be the right answer, as they would end up firmly on the chairs of the management.
What it does mean is that we should all be aware that while Reputation is the key risk, it is very closely linked to the actual Corporate Identity. That Identity is defined by norms, values, ethical choices, character. Not so much the beautiful words in the corporate statements, but the real actions and the actual paradigms.
What it does mean is that we should all be aware that while Reputation is the key risk, it is very closely linked to the actual Corporate Identity.
What you do in a crisis will be seen by all stakeholders, and they will immediately notice when, faced with a tradeoff between the interests of various groups of stakeholders, the company chooses against its customers.
This “Identity” (the actual one, not just the one on paper or in advertising slogans) is something formed over many years, and ingrained in the character of the employees. It is heavily influenced by the actions and personal examples of the management. The “value statements”, “purpose statements”, “brand” or whatever they are called are certainly important, and one has to start from somewhere, but actual behavior is the deciding factor.
That Identity is, as the Germans like to say, “Chefsache”. So yes, a Risk Analysis does deserve the full attention of good non-executive directors. If the report does take Reputation into account, so much the better. But in my mind, great non-executive directors have also made sure that the core values inside the organization, what people feel they stand for, and the ways the outside world perceives the organization, have been carefully defined and strengthened.
When a highly appreciated Identity as externally perceived is aligned with the “employer brand”, the “corporate brand promises”, the investor reputation, and the actual internal and external actions, you have a fantastic foundation that will also guide and determine the right actions in a crisis, when there is no time to weigh and ponder each individual statement or action.
In the current COVID-19 crisis, there are many examples of companies that were quick, open and transparent when they could not keep their promises. I know of some organizations where clients literally sent emails saying ”Keep my money, hang in there, and we’ll see what you can do when this is over”. But there are also many companies who leapt from promise to promise, did not follow through on the promises for many months, got into overly legalistic and “small print” conversations and lost a lot of sympathy with their stakeholders.
I have a hunch who, a few years from now, the winners will turn out to be.
So my recommendation for non-executive directors in these times is: do read your Risk paragraphs – but also do check whether the crisis actions harm or bolster the reputation of the organization. And whether there is a clear, admirable and effective “Identity”. Because once survival is more or less assured, that is what will determine how well you can bounce back – or not.
Reputation is the external market of risk. Internal reputation an internal one. You made the good link with the identity of the form which is always elusive and require more cognition from Exec and board members
Didier Duret IDP C 2019
Thanks Frans! Each organizational action reflects its identity. Every touch point counts. But risk managers could be too late in identifying misfits in behavior. There should be a control mechanism before the action takes place. Communicators could play that role with the executives.
Many thanks Frans for these interesting thoughts and insightful illustrations of sound risk management. Xavier