The importance of integrating CR into risk management

Risk management is a cornerstone of running a good, responsible business, writes BITC's Stephen Gee. Investors want to know the level of risk they are committing to and wider stakeholders want to know that the company is being managed responsibly so as to continue to pay wages, taxes, make a positive contribution to society and operate within environmental limits. Some businesses thrive on risk taking, whilst others are more risk averse. What all good businesses should have, however, is an effective process for identifying and managing risk.

CR practitioners should drive change and continuous improvement in a business, and getting issues onto the company’s risk register can be a powerful way to do this.

To start with, CR practitioners need to ensure that all appropriate risks are captured by the company’s risk management system. Looking through a ‘CR lens’ can help identify risks that may not be on the radar of the people traditionally involved in the risk management process.

These could relate to:
• How materials are sourced
• How products are marketed, sold and used by the consumer
• The health, wellbeing, diversity and skills of the workforce
• The environmental impacts of a company’s value chain
• The health and resilience of communities affected by the organisation’s operations

In the absence of a knowledgeable practitioner these potential risks may remain unidentified or misunderstood by the core business.

It’s widely known that risk management has strong links to organisational reputation and the level of trust that customers and consumers have in the business. In this context, it is easy to see how acting well or badly on any of the issues above can enhance or tarnish an organisation’s reputation and directly impact trust. Studies show that consumers are more likely to buy from companies they trust and their expectations of business to behave in a responsible and sustainable way are increasing*.

Despite this, trust in business to achieve this is falling.

When bad news travels fast and events can be broadcast on a global scale within minutes, these areas of CR risk must be managed and acted upon appropriately and transparently. The task of risk management is not to remove all risks but to manage the likelihood of the risk occurring and the potential impact. Social, environmental and ethical risks should not sit in a different risk register or be managed any differently to traditional financial risk. If this isn’t happening in your organisation, then here are the key steps to achieve it.

1. Identify the risk
In order to identify CR risks, Business in the Community recommends the following framework which can be based on these four areas of categorisation: community, marketplace, workplace and environment.
It’s important to remember that identifying risks is not a purely internal exercise; looking outside of the organisation is also critical. External influencing factors on risk could include:
• Political – changes in government and policy
• Governance – are there checks and balances in place and enough independence to challenge bad practice?
• Societal trends – such as an ageing population, trends towards healthy eating and expectations of greater transparency.

To fully understand the external risks, benchmarking tools and stakeholder engagement are key methods that should be used.

2. Evaluate the risk
To understand the context of a risk is important, and for this you should talk to issue owners to understand ‘what is normal’ and why. Bear in mind that history has shown that whole sectors can shift their perception of ‘normal’ to something that is increasingly risky; banking and oil exploration to name but two.
To assess the likelihood and impact you need to be able to describe the risk clearly and assess the potential impact on the business against relevant business criteria, such as impact on market share, customer loyalty or organisation reputation. To prioritise the identified risks, final evaluation should be based on “likelihood” and “severity of impact”.

3. Identify Responses
Based on steps one and two you first need to decide whether or not to act on the risk. Are there social, environmental or ethical dimensions that place a responsibility on the business to address a risk?
Draw up a ‘long-list’ of potential responses and actions and think creatively about all the options available.

4. Agree action
Your available resource and capacity will have to be taken into account. Some of the risks may appear to be beyond your control (for example, climate change), but you should still do what is proportionate for your business – it may damage your reputation not to.

5. Plan and resource your response to the risk
At this point, the risks have been analysed and responses selected so it is now a management exercise. Your goal now should be to embed these specific ‘CR risks’ into the organisation’s central risk management system.

6. Monitor and evaluate
Regularly monitor and re-evaluate the risk. The context, likelihood or impact may all change at any point. Equally, you need to check that the responses that you selected are having the desired effect.

 

Stephen Gee is a Senior Business Support Manager at Business in the Community, the responsible business charity.

Click here for more information.