Risk Management How to manage your brand & build business resilience to improve your bottom line




2010 RMIA Members Forum Primary focus for RMIA in 2011
Risk Management: How to manage your brand & build business resilience to improve your bottom line
Grant Whitehorn, RMIA Chief Executive Officer
CPA Congress - Brisbane, Melbourne & Sydney, October 2013
25/05/2012

Overview
- What is your Brand and reputation worth?
- Risk Management vs. Business Resilience... what's the difference?
- What are the essential elements of a resilient organisation?
- How to achieve Business Resilience & KPIs for measuring success

What is your Brand & Reputation worth?

$$$$$???

What is Reputation Risk Management? The effective management of risks associated with your corporate reputation (identity, brand and stakeholder perceptions).

What is Corporate Reputation?
Corporate Identity: Name, logo, typeface, look & feel, colour scheme, etc.
+ Corporate Image: Total impression the entity makes on people
+ Perceptions: Appropriate role and behaviour of the entity
= Corporate Brand or Reputation

Reputation risks are important as they impact on your stakeholders...
- Customers
- Employees
- Regulators
- Suppliers
- Advisers
- Banks / Investors
- Ratings Agencies
- Shareholders
- Competitors
- Communities

And is increasingly important because...
- The move from products and services to the customer experience - customer expectations
- The rise of consumer power
- Globalisation and ease of access, e.g. shopping online, e-commerce, etc.
- Regulatory and reporting requirements
- Brand value = $$$ (considered a commodity)
- Share Market expectations
- Competitive advantage

The consequences of a damaged reputation...
- Loss of Share Price
- Reduction in Brand Value
- Poor Employee Morale
- Loss of Sales / Turnover
- Loss of Clients / Customer Retention
- Loss of Staff / Recruitment and Retention
- Damage to Strategic Relationships
- Bankruptcy

The benefits of effective reputation risk management...
- Improve relations with shareholders
- Increase customer satisfaction
- Increase investment attraction
- Recruit and retain valued employees
- Customer loyalty
- Supplier stability
- Secure premium pricing for products and services
- Minimise threat of litigation or more regulation
- Reduce the potential for crisis
- Reinforce trust and market credibility

Who is responsible for managing reputation risks?

Everyone!!!

Reputation Risks...
- Brand / Image
- Website
- Annual Report
- Poor Governance
- Marketing Campaigns / Public Education Programs / Advertising
- Defective Products and Services
- Competition / Competitors
- Organisational Capability / Business Continuity
- Customer Expectations & Satisfaction
- Breaches of Contractual obligations
- Disasters - fire, flood, scandals, etc.
- Environmental Standards / Pollution
- Staff Behaviour / Corporate Culture
- WHS Regulations & Standards
- Politics
- Fraud / Financial mismanagement
- Terrorism
- Regulatory failure
- Strikes / Industrial Action

Risk Management vs. Business Resilience... what's the difference?

Risk Management Philosophy: All Management is Risk Management!

What is a Risk? Risk is defined as: the effect of uncertainty on objectives (AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines)

What is Risk Management? Coordinated activities to direct and control an organisation with regard to risk (AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines)

What's the Difference between Risk & Uncertainty?
Uncertainty: Things that will happen - uncertainty about their magnitude
Risk: Things that may or may not happen. Have a probability of occurrence & an impact if they happen

What is the Relationship between a Hazard and a Risk?
RISK = [HAZARD] x [EXPOSURE]
Hazard x Exposure = Risk
Iceberg x Travelling too close to it = Risk of Collision

What is an Opportunity or Upside Risk?
The occurrence of a favourable event that is due to:
- Changes in the environment
- Risks that were managed efficiently and effectively
- A chance to save time or money or improve capability
- A chance to sell a positive message

Business Resilience
"It is not the strongest or most intelligent that survive, it is the most adaptable to change" - Charles Darwin, 1809-1882

Defining Resilience... The adaptive capacity of an organisation in a complex and changing environment. Source: ISO Guide 73

Defining Resilience... Resilience is an organisation's state of being resulting from the management of uncertainty in a complex adaptive system. An indicator of this state of being is an organisation's adaptive capacity. Source: RMIA Resilience White Paper, 2009

There are 4 different types of Resilience: 1) Individual Resilience 2) Community Resilience 3) Organisational Resilience 4) Sector Resilience

For example:
- Individual Resilience: Healthy or weak, support from Family & Friends, educated or ignorant, etc.
- Community Resilience: Rural vs. Urban, Transportation, Internet access, Electricity, Bushfires, etc.
- Organisational Resilience: Proactive vs. reactive leadership, adaptive culture, survival vs. injury/death, profit or loss, etc.
- Sector Resilience: Global Financial Crisis or business opportunity?

Reference: Page 5

What are the essential elements of a resilient organisation?

Resilience arises from a combination of culture and attitude, process and framework.

Are these practices embedded into your organisation's policies, processes, systems, values & culture?
- Enterprise Risk Management or Risk & Opportunity Management
- Business Continuity Management & Crisis/Emergency Management
- Security Risk Management
- Safety Management
- Environmental Management
- Sustainability & Ecologically Sustainable Development (ESD)
- Corporate Social Responsibility
- Quality Management
- Ethics, Integrity, Fraud Control, AML & Corruption Control
- Corporate Governance, Strategy & Business Planning
- Compliance & Audit Management - Legal, Regulatory, Policy, Process, Performance, IT, Finance, etc.
- Cultural Change Management & Organisational Development

Risks, Hazards, Risk Management & ERM - what's the difference?
- Hazard - a source of potential harm (HB205-2004). Occupational Health and Safety (OH&S) refers mainly to hazards.
- Risk - the chance of something happening that will have an impact on objectives (AS/NZS 4360:2004)
- Risk - the effect of uncertainty on objectives (ISO31000 Draft International Risk Management Standard, due for release in late 2008)
- Risk Management - coordinated activities to direct and control an organisation with regard to risk (Draft ISO31000)
The purpose of managing risk is to give you more control over your business to maximise the achievement of objectives.

INTERNAL COMPONENTS
Physical Components | Human Components | Process Components
Buildings Offices / Sites Comms Board Direct Planning ERM and IT Hardware and Management Continuity Plans Equipment Security Relationships Staff Emergency Management Vehicles Management Leadership Cash flow Software/IP Succession Brand knowledge Inventory Staff Welfare Insurance Services Generators Information & Backup Fuel Supplies Knowledge Privacy IT Networks Training/review

EXTERNAL COMPONENTS
Physical Components | Human Components | Process Components
Services Electricity Comms Emergency Services Indirect Interconnectedness Water and Local authority Planning Govt. Legislation Sewerage Relationships Customers Contracts Telecomms Suppliers Reputation/Image Transport Media

How to achieve Business Resilience & KPIs for measuring success

Business Resilience:
- SQE (QMS, SMS, EMS & Sustainability Strategy)
- Governance (Strategy / Leadership / Succession Planning / AS8000)
- Finance (AASB / IFRS / Payroll)
- BCM (AS5050 / Cairns Office Cyclone Preparedness Plan)
- Human Resources (Workplace Relations / L&D / AS4811)
- Risk Management (ERM / ISO31000)
- Legal & Contracts
- Facilities (Offices / Property / Assets)
- Security (ISO28000 / SRMBOK)
- Project Management (IPP / PMBOK)
- Marketing & Comms (Reputation / Brand / CRM)
- Compliance & Audit (AS3806 / International Auditing Standards)
- ICT (Records & Knowledge Management / ISO27001)

Situation Awareness Indicators:
Situation Awareness
Attribute | Indicator | Description
Roles and Responsibilities | SA 1 | Awareness of roles and responsibilities of staff internally in an organisation and the roles and responsibilities of the organisation to its community of stakeholders.
Hazards and Consequences | SA 2 | Awareness of the range of hazard types and their consequences (positive and negative) that the organisation may be exposed to.
Network Interdependencies | SA 3 | Awareness of the links between the organisation and its entire community of stakeholders, internally (staff) and externally (customers, local authorities, consultants, competitors etc).
Insurance | SA 4 | Awareness of the obligations and limitations in relation to business interruption insurance and other insurance packages that the organisation may have or have available, business advice and mentoring services, government aid etc.
Recovery Priorities | SA 5 | Awareness of minimum operating requirements and the priorities involved in meeting these requirements, together with expectations of key stakeholders.

Keystone Vulnerabilities Indicators:
Key Vulnerabilities
Attribute | Indicator | Description
Planning | KV 1 | The extent to which the organisation has participated in planning activities including risk management, business continuity and emergency management planning.
Exercises | KV 2 | The extent to which the organisation has been involved in external emergency exercises or created exercises internally for staff and stakeholders.
Internal Resources | KV 3 | The capability and capacity of physical, human and process related resources to meet expected minimum operating requirements in a crisis. Includes economic strengths, succession and structural integrity of buildings.
External Resources | KV 4 | The expectations of the organisation for the availability and effectiveness of external resources to assist the organisation in a crisis.
Connectivity | KV 5 | The extent to which the organisation has become involved with other critical organisations to ensure the availability of expertise and resources in the event of a crisis.

Adaptive Capacity Indicators:
Adaptive Capacity
Attribute | Indicator | Description
Silo Mentality | AC 1 | The degree to which the organisation experiences the negative impacts of silo mentality and the occurrence of strategies in place for mitigating them.
Communications and Relationships | AC 2 | The effectiveness of communication pathways and relationships with all stakeholders, both internally and externally in day-to-day and crisis situations.
Strategic Vision | AC 3 | The extent to which the organisation has developed a strategic vision for future operations and the degree to which that is successfully articulated through the organisation.
Information and Knowledge | AC 4 | The degree to which information and knowledge is acquired, retained and transferred throughout the organisation and between linked organisations.
Leadership and Management | AC 5 | The degree to which leadership and management encourage flexibility and creativity in the organisation and how successful decision making is in times of crisis.

What's your risk appetite?

Questions? Grant Whitehorn Chief Executive Officer Risk Management Institution of Australasia Limited Phone: (02) 8208 6434 Email: grant.whitehorn@rmia.org.au

Representing the practice of Risk Management for over 30 years.
