2010 RMIA Members Forum Primary focus for RMIA in 2011 Risk Management – How to manage your brand & build business resilience to improve your bottom line Grant Whitehorn RMIA Chief Executive Officer CPA Congress - Brisbane, Melbourne & Sydney October 2013 25/05/2012 0 Overview • What is your Brand and reputation worth • Risk Management vs. Business Resilience.... what’s the difference? • What are the essential elements of a resilient organisation • How to achieve Business Resilience & KPI’s for measuring success What is your Brand & Reputation worth? $$$$$??? What is Reputation Risk Management? The effective management of risks associated with your corporate reputation (identity, brand and stakeholder perceptions). What is Corporate Reputation? Corporate Identity: Name, logo, typeface, look & feel, colour scheme, etc + Corporate Image: Total impression the entity makes on people + Perceptions: Appropriate role and behaviour of the entity = Corporate Brand or Reputation Reputation risks are important as they impact on your stakeholders... • • • • • • • • • • Customers Employees Regulators Suppliers Advisers Banks / Investors Ratings Agencies Shareholders Competitors Communities And is increasingly important because... • The move from products and services to the ‘customer experience’ – customer expectations • The rise of consumer power • Globalisation and ease of access – eg: shopping online, e-commerce, etc • Regulatory and reporting requirements • Brand value = $$$ (considered a commodity) • Share Market expectations • Competitive advantage The consequences of a damaged reputation... • Loss of Share Price • Reduction in Brand Value • Poor Employee Morale • Loss of Sales /  Turnover • Loss of Clients / Customer Retention • Loss of Staff / Recruitment and Retention • Damage to Strategic Relationships • Bankruptcy The benefits of effective reputation risk management... • • • • • • • • • • Improve relations with shareholders Increase customer satisfaction Increase investment attraction Recruit and retain valued employees Customer loyalty Supplier stability Secure premium pricing for products and services Minimise threat of litigation or more regulation Reduce the potential for crisis Reinforce trust and market credibility Who is responsible for managing reputation risks? Everyone!!! Reputation Risks...                    Brand / Image Website Annual Report Poor Governance Marketing Campaigns / Public Education Programs / Advertising Defective Products and Services Competition / Competitors Organisational Capability / Business Continuity Customer Expectations & Satisfaction Breaches of Contractual obligations Disasters – fire, flood, scandals, etc Environmental Standards / Pollution Staff Behaviour / Corporate Culture WHS Regulations & Standards Politics Fraud / Financial mismanagement Terrorism Regulatory failure Strikes / Industrial Action Risk Management vs. Business Resilience.... ...what’s the difference? Risk Management Philosophy: All Management is Risk Management! What is a Risk? Risk is defined as: “…the effect of uncertainty on objectives” (AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines) What is Risk Management? “Coordinated activities to direct and control an organisation with regard to risk” (AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines) What’s the Difference between Risk & Uncertainty? • Uncertainty – Things that will happen… uncertainty about their magnitude • Risk – Things that may or may not happen – Have a probability of occurrence & an impact if they happen What is the Relationship between a Hazard and a Risk? RISK = [HAZARD] x [EXPOSURE] Hazard Iceberg x x Exposure Travelling too close to it = = Risk Risk of Collision What is an Opportunity or Upside Risk? • The occurrence of a favourable event that is due to: – Changes in the environment – Risks that were managed efficiently and effectively • A chance to save time or money or improve capability • A chance to sell a positive message Business Resilience “It is not the strongest or most intelligent that survive, it is the most adaptable to change” Charles Darwin, 1809 -1882 Defining Resilience... “The adaptive capacity of an organisation in a complex and changing environment.” Source: ISO Guide 73 Defining Resilience... “Resilience is an organisation’s state of being resulting from the management of uncertainty in a complex adaptive system. An indicator of this state of being is an organisations adaptive capacity.” Source: RMIA Resilience White Paper, 2009 There are 4 different types of Resilience: 1) Individual Resilience 2) Community Resilience 3) Organisational Resilience 4) Sector Resilience For example… Individual Resilience • Healthy or weak, support from Family & Friends, educated or ignorant, etc. Community Resilience • Rural vs. Urban, Transportation, Internet access, Electricity, Bushfires, etc. Organisational Resilience • Proactive vs. reactive leadership, adaptive culture, survival vs. injury/death, profit or loss, etc. Sector Resilience • Global Financial Crisis or business opportunity? Reference: Page 5 What are the essential elements of a resilient organisation? “Resilience arises from a combination of culture and attitude, process and framework.” Are these practices embedded into your organisation’s policies, processes, systems, values & culture? • Enterprise Risk Management or Risk & Opportunity Management • Business Continuity Management & Crisis/Emergency Management • Security Risk Management • Safety Management • Environmental Management • Sustainability & Ecologically Sustainable Development (ESD) • Corporate Social Responsibility • Quality Management • Ethics, Integrity, Fraud Control, AML & Corruption Control • Corporate Governance, Strategy & Business Planning • Compliance & Audit Management - Legal, Regulatory, Policy, Process, Performance, IT, Finance, etc • Cultural Change Management & Organisational Development INTERNAL COMPONENTS Physical Components Human Components Process Components Risks, Hazards, Risk Management & ERM – what’s the difference? Buildings Offices / Sites Comms Board Direct Planning and IT Hardware and Management Continuity Plans Equipment Security Relationships Staff Emergency Management Management Leadership • HazardVehicles - “a source of potential harm” (HB205-2004) Occupational Health and Safety (OH&S) refers mainly to hazards. Software/IP Succession ERM Cash flow Brand knowledge Staff Welfare • Risk – Inventory “the chance of something happening that Insurance will have an ServicesimpactGenerators Information & Backup on objectives” (AS/NZS 4360:2004) • Risk – “the effect of uncertainty on objectives” Fuel Supplies Knowledge Privacy (ISO31000 – Draft for release in late 2008) IT International Networks Risk Management Standard, due Training/review COMPONENTS • Risk ManagementEXTERNAL – “coordinated activities to direct and Physical Components Humanwith Components Components control an organisation regard to risk”Process (Draft ISO31000) Services Electricity Comms Emergency Services Indirect Interconnectedness The purpose risk is toLocal give you more control over Govt. yourLegislation business to Water of managing and authority Planning maximise the achievement of objectives. Sewerage Relationships Customers Contracts Telecomms Suppliers Reputation/Image Transport Media How to achieve Business Resilience & KPI’s for measuring success Governance (Strategy / Leadership / Succession Planning / AS8000) SQE (QMS, SMS, EMS & Sustainability Strategy) Finance (AASB / IFRS / Payroll) Human Resources BCM (AS5050 / Cairns Office Cyclone Preparedness Plan) Risk Management (Workplace Relations / L&D / AS4811) Legal & Contracts Business Resilience (ERM / ISO31000) Facilities Security (Offices / Property / Assets) (ISO28000 / SRMBOK) ICT Project Management (Records & Knowledge Management / ISO27001) (IPP / PMBOK) Marketing & Comm’s Compliance & Audit (Reputation / Brand / CRM) (AS3806 / International Auditing Standards) Indicators: Situation Awareness Situation Awareness Attribute Indicator Description Roles and Responsibilities SA 1 Awareness of roles and responsibilities of staff internally in an organisation and the roles and responsibilities of the organisation to its community of stakeholders Hazards and Consequences SA 2 Awareness of the range of hazard types and their consequences (positive and negative) that the organisation may be exposed to. Network Interdependencies SA3 Awareness of the links between the organisation and its entire community of stakeholders, internally (staff) and externally (customers, local authorities, consultants, competitors etc). Insurance SA 4 Awareness of the obligations and limitations in relation to business interruption insurance and other insurance packages that the organisation may have or have available, business advice and mentoring services, government aid etc. Recovery Priorities SA 5 Awareness of minimum operating requirements and the priorities involved in meeting these requirements, together with expectations of key stakeholders. Indicators: Key Vulnerabilities Keystone Vulnerabilities Attribute Indicator Description Planning KV1 The extent to which the organisation has participated in planning activities including risk management, business continuity and emergency management planning. Exercises KV2 The extent to which the organisation has been involved in external emergency exercises or created exercises internally for staff and stakeholders. Internal Resources KV3 The capability and capacity of physical, human and process related resources to meet expected minimum operating requirements in a crisis. Includes economic strengths, succession and structural integrity of buildings. External Resources KV4 The expectations of the organisation for the availability and effectiveness of external resources to assist the organisation in a crisis. Connectivity KV5 The extent to which the organisation has become involved with other critical organisations to ensure the availability of expertise and resources in the event of a crisis. Indicators: Adaptive Capacity Adaptive Capacity Attribute Indicator Description Silo Mentality AC1 The degree to which the organisation experiences the negative impacts of silo mentality and the occurrence of strategies in place for mitigating them. Communications and Relationships AC2 The effectiveness of communication pathways and relationships with all stakeholders, both internally and externally in day-to-day and crisis situations. Strategic Vision AC3 The extent to which the organisation has developed a strategic vision for future operations and the degree to which that is successfully articulated through the organisation. Information and Knowledge AC4 The degree to which information and knowledge is acquired, retained and transferred throughout the organisation and between linked organisations. Leadership and Management AC5 The degree to which leadership and management encourage flexibility and creativity in the organisation and how successful decision making is in times of crisis. What’s your risk appetite? Questions? Grant Whitehorn Chief Executive Officer Risk Management Institution of Australasia Limited Phone: (02) 8208 6434 Email: [email protected] Representing the practice of Risk Management for over 30 years. We value your feedback. Visit Congress Mobile and rate this session Join the conversation: #CPAcongress @cpaaustralia