This post was originally featured on ERM Insights by Carol.
You don’t need to be a rocket scientist or have a crystal ball to know how chaotic today’s world is. Whether due to rising costs, supply disruptions or some other industry-specific issue, companies across the board and around the world are experiencing unprecedented challenges where the response/reaction will determine their course for the next decade or more.
If there ever was a time for companies to be more proactive rather than reactive, it is now.
Without a sense of urgency, many companies lumber along reacting from one crisis to the next. Many do not develop strategic goals of any kind, and if they do, they fail to consider upstream dependencies and downstream consequences.
Taking a reactive approach to risk management or otherwise pushing it to the back burner can result in a range of consequences outlined below.
But before getting into the bad stuff, let’s explore a fundamental concept using the common cold as an analogy.
When you are sick with a cold, you could experience a sore throat, mild fever, runny nose, coughing, fatigue, etc. The virus is the underlying root cause of the problem, while the sore throat, fever and coughing are the symptoms.
Translating this to your company, the consequences we’ll discuss shortly are the symptoms, while the following examples could be the root cause that leads to the symptoms or consequences. The following may seem mundane, but leaving them unresolved leads to devastating results.
- Immature or missing foundational governance and business practices – these practices include but are not limited to corporate policies, vendor management, strategic planning, and even a true operating budget.
- Poor communication from leadership – without clear and consistent communication between executives, managers, and employees, rumors will begin circulating, leading to even bigger headaches such as negative workplace culture. According to a survey, risk professionals consider tone at the top to be one of risk management’s biggest hurdles.
- Constantly shifting priorities – without clear goal(s) that remain steady, the company will struggle to focus on execution and completion, leading to a lot of half-finished projects.
- No clear roles and responsibilities – without knowing who is responsible for what, when, where, and how, the company will not be able to keep the right person(s) on track with goals or hold them accountable (executives included) should a particular goal fall short.
You may notice these do not mention “risk,” certainly not in the way we conceive of the word.
Many companies will establish formal “risk” management programs at the prompting of regulators, and even though they take an enterprise view, these programs are very “risk”-list oriented, focused on minimizing risks and preventing failure.
Proactive risk management, on the other hand, is not about checking a box but rather something you build into how you conduct business day-to-day…or as Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives: “Risk management is just really good management.”
This is important because the following consequences manifest themselves through shortcomings either in:
- A formal risk management program established at the behest of regulators (regulator-driven)
- General business management practices like those listed above (business-driven)
Each of the following consequences includes an indicator to denote which circumstance applies.
Below are eight of the most common consequences (with examples) that companies experience when they are not proactive in managing both threats and opportunities.
8 consequences of a reactive approach
1. Fines and other regulatory or legal actions (regulator-driven)
If a company required to have a formal risk management program has a program that fails to comply with relevant regulations or otherwise isn’t helping, they could be subject to an array of fines and other actions from federal, state, or even industry-specific regulatory bodies. The SEC, for example, changed the burden of proof from fraud to negligence, meaning that boards and executive leaders can no longer claim they were not aware of a risk.
In early 2022, the Office of the Comptroller of the Currency with the U.S. Treasury Department issued a $60 million fine against a major financial institution for not complying with the agency’s Bank Secrecy Act regulations. Failing to implement an adequate “risk” program in this context, the institution was unable to submit suspicious activity reports in a timely fashion. In addition to the fine, the institution was issued a cease-and-desist order requiring it to take dramatic corrective actions.
Without robust risk and business management practices, companies will fail to spot weaknesses beforehand and quickly take steps to address them and avoid drawing the negative attention of regulators.
2. Elevated employee turnover (business-driven)
It’s expected that a certain number of employees will leave an organization each year for different personal or professional reasons, but if there’s a toxic culture with little to no communication and inadequate foundational business processes, it’s likely a company will experience a higher-than-average percentage of employees seeking opportunities elsewhere.
As I discuss in a previous article on the changing nature of work, more and more employees (especially Millennial and Gen Z workers) are growing skeptical of the traditional career itself. One jobs survey from Bankrate showed that 55% of respondents claim they plan to look for a new job in the next year, while data from the U.S. Bureau of Labor Statistics shows a higher number of workers leaving their jobs voluntarily – pre-COVID, this number stood at around 2.1 million per month but now this number averages around three million per month.
Without managing risks around retention and culture, your company could experience an even higher number of voluntary quits or increased rate of employee turnover, therefore leading to additional consequences, including some listed below.
3. Customer dissatisfaction (business-driven)
Founder of Walmart Sam Walton is quoted as saying:
“There is only one boss – the customer. And he can fire everybody in the company from the chairman on down, simply by spending his money somewhere else.”
It should be obvious that customers (or donors in the case of a nonprofit) are the heartbeat of any organization. Therefore, if customers become dissatisfied for any reason, they may respond by moving their business elsewhere.
For example, if you have a call center and people have to wait on hold for 20 or 30 minutes before speaking with a real person, some will certainly take the opportunity to complain – very loudly – about it. And with the supply chain disruptions of the last couple of years, many customers will not wait for things to come back but rather find another source or alternative to meet their needs.
The main takeaway is do not let issues like this fester or go unaddressed. If they do, your company could lead itself into bigger problems like…
4. Negative or damaged reputation (business-driven)
While this may seem similar to customer dissatisfaction, a company’s reputation among customers, employees (both current and future) and the general public is much more significant. A dissatisfied customer could come back, especially if the company does an excellent job of making up for their mistake.
But with the 24-hour news cycle and social media, a company can see both its reputation and market value crater in the blink of an eye. One knee-jerk reaction to a situation or issue could take years to overcome. Unfortunately, a company’s stellar reputation is often taken for granted.
A 2020 survey from Weber-Shandwick indicates that, on average, executives attribute 63% of a company’s value to its reputation. In the 1980s, the impact of ALL intangible assets accounted for less than one-third of a company’s value, so it is clear how important it is for a company to closely guard its reputation.
Just one major scandal, such as a highly publicized sexual harassment issue or scathing customer or employee social media posts, can lead to drastic losses in a company’s stock price and customer base. If severe enough and left unchecked, these issues could lead to the complete demise of the company.
5. Missed opportunities (business-driven)
Risk management is not only about identifying and addressing risks in the negative sense. While this will always remain a core activity, proactive risk management is also about identifying, assessing, and pursuing opportunities to achieve strategic goals.
However, when risk management’s sole focus is on reacting from one crisis to the next, it is likely the company (i.e., its executives) will not know when opportunities will arise to meet goals faster or be an industry gamechanger.
One example involves car dealerships who seem to have much more new inventory than others. With the constant supply chain issues, dealerships have had to morph to stay alive. These manufacturers spotted opportunities to diversify their supply chain and rethink how they operate.
With the world changing at the pace it currently is, companies have to be diligent in identifying opportunities, or else they will pass them by. As Hans Læssøe explains in his book Prepare to Dare, proactive risk management is about “taking on huge, but managed risks to raise the bar” and “looking for opportunities to expand into new industries.”
6. Product or project failure (business-driven/regulator-driven)
Companies who go rushing headlong into a project or some sort of new product development without any sort of proactive risk identification and assessment often find these efforts end up in failure.
One example where this is especially common is with major systems upgrades or implementations.
Let’s say a company’s IT department is working on a new purchasing system, but they don’t consult with the users of this system. I know this sounds crazy, but it happens more than you think. Dozens if not hundreds of man hours will be poured into sourcing and deploying this system. Upon release, though, the end users find that it is cumbersome to use. After much complaining, the new system is scrapped due to a lack of buy-in and its difficulty to use.
Another example can include the infamous Texas winter blackouts in 2021. The state’s grid operator had known about the many vulnerabilities in the event of a major snow and ice storm, but nothing was done proactively. So when the state experienced its coldest weather in decades, there was no choice but to take the reactive approach of implementing rolling blackouts. This “product failure” led to an estimated $18 billion in insured losses and a death toll of close to 100 people.
7. Decreased market share, decreased profit, and financial loss (business-driven/regulator-driven)
Regardless of the source – fines from regulators, lost revenue from loss of customers, increased cost due to higher employee turnover, or lower stock values from a damaged reputation – each of these above consequences could technically result in some type of financial loss for the company. However, this consequence of poor, reactive risk management deserves its own section.
One area where this relationship between risk management approach and financial condition has become increasingly evident in recent years is the area of credit ratings. Agencies like Moody’s, Standard & Poor’s, Demotech, and Kroll are increasingly looking at how robust a company’s risk processes are. If an agency determines the company doesn’t have adequate governance, risk, and business processes in place, it could respond by lowering the company’s credit rating and therefore make it harder and more expensive to acquire business or financing, among other consequences.
Supply chain disruptions of recent years can also be damaging to a company’s bottom line. By not being proactive in securing materials from diverse sources, the company is forced to either have customer goods on backorder or pay an exorbitant amount of money to obtain the goods it needs to serve its customers. A couple of additional examples from several years ago can be found here and here.
8. Business failure (business-driven)
Saving the worst for last – a company without robust business processes and proactive risk management could end up failing altogether. You may have noticed how each of the preceding consequences or symptoms built on the others.
A disgruntled customer is one thing, but if it’s not addressed, it can cascade into a damaged reputation, which then eventually cascades into financial loss. If this continues, the company could end up being displaced by a more agile competitor or otherwise forced to close its doors.
I could cite numerous examples, especially in the retail space – think of all the once-iconic major retailers that are long gone.
For an example though, I want to turn to the industry I primarily work with – insurance companies. After multiple years of steep losses in the Florida property insurance market, three companies have gone insolvent this year alone. While outside parties or influences like subpar contractors or overzealous litigation attorneys have played a large role in the escalating claim volume and substantial net losses every quarter, the ultimate reason a number of companies continue to struggle (with some shutting down operations) is because of their failure to proactively manage these third-party interactions and the financial implications.
The time to act is now
In conclusion, the typical course of action for companies experiencing consequences – or symptoms – like these is to apply some sort of Band-Aid fix like a new software system or some fancy process. But as we explain above, by not addressing the underlying issues that cause these symptoms, they will just re-appear more severely in other areas.
Taking cold medicine can help your runny nose or headache, but until your body fights off the virus causing these symptoms, the underlying illness will remain and rear its ugly head again.
Has your company experienced consequences like these or others due to reactive decision-making and risk management?