A pandemic, civil unrest, stretched supply chains. These and other challenges have put a spotlight on the need for retail and restaurant companies to not only address existing risks but also prepare for emerging ones that may not yet be apparent, catapulting risk managers into the hot seat.
Retailers and restaurants have sought ways to deal with a constant stream of risks, and pivot in unprecedented ways to survive, elevating the profile of the risk manager. In some companies, risk managers have been called upon to help with new risks, including workforce challenges or supporting a change from usual operations that transformed risk profiles. Those retailers that were deemed essential have been put under the spotlight as never before as they’ve dealt with employee and customer safety while addressing product shortages and other risks.
As boards and C-suites discuss risk mitigation and organizational resilience, many have leaned on risk managers to provide information and guidance. In many cases, risk managers have been included in decision-making, their expertise sought out to help organizations pivot according to fast-changing circumstances.
While the major risks of the past year will likely continue to affect companies for some time, as we start returning to a new normal risk managers should take action to retain their seat at the table and continue elevating their newfound position. The following four actions can help risk managers maintain the current momentum and underscore their indispensable contribution in helping organizations identify, manage, and finance risk.
"As retailers and restaurants deal with new risks, the risk manager can play a strategic role."
More than ever before, organizations need an integrated strategy to address both traditional and emerging risks. However, the recently launched Marsh Risk Resilience Report identified discrepancies in the way organizations perceive risk and their actions to manage these challenges. Risk managers should strive to help their organizations close these gaps and become more resilient.
Retailers and restaurants that spent much of the past year-and-a-half dealing with new and constantly changing risks will start looking back at their traditional risks — such as employee injuries, customer complaints, and foodborne diseases — and assessing how these may have shifted as a result of pandemic-related stressors.
A seat at the decision-making table puts risk managers in a better spot than ever before to identify any shortcomings and provide guidance on the best steps forward. Risk managers should show leadership the resilience that already exists within organizations, along with gaps that still need to be filled. By leading the discussions, risk managers can become involved with critical strategic decisions and help answer leadership’s questions, further showcasing their contributions and value.
Retaining this newfound elevated position requires risk managers to understand the strategic goals of the organization and then, conversing in the language of the C-suite, communicate their most pressing concerns and formulate plans to address them. Show them that you’re thinking about risk in parallel to the way they’re thinking about the business. For example, if the company’s leadership is considering a major investment in new technology, it is incumbent on the risk manager to find out and communicate the potential risks and present a strategy to mitigate them.
Both current and emerging risks should be discussed in relation to their potential impact on company goals, with decisions on prioritizing and addressing these risks reflecting that reality. Risk managers have the necessary expertise to identify any risks that could arise from a new strategy — for example, a shift to a single supplier of a restaurant’s crucial ingredient to save money that can lead to a disastrous shortage if that supplier cannot fulfill orders.
"Risk managers should understand the strategic goals of the organization and converse in the language of the C-suite."
Data-driven decisions are imperative for an organization to succeed. The right metrics are crucial in helping understand risk profiles, quantifying exposures, and making decisions to become more resilient. A supermarket, for example, may want to have a clear idea of the cost of another E. coli outbreak in lettuce and a swimsuit retailer may want to determine the effect of an unseasonably short summer.
But C-suite and board members may not have the time, or the knowledge, to look through heaps of information and extract actionable insights. Risk managers should consider this an opportunity to present leadership with analysis that helps them make informed strategic decisions. Visualization tools, like dashboards, can help present information in a more consumable manner. Such tools can also be used to demonstrate the effectiveness of risk management initiatives and investments and help build credibility and C-level buy-in. But risk managers should also focus on an effective narrative that clarifies what data is saying.
Now is also the time for risk managers to take a more data-centric role and begin mining data to identify existing and incoming risks and present leadership with data-based proposals for risk mitigation strategies. For example, a retailer may want to determine the potential losses related to business interruption following a number of different disaster scenarios, ranging from another infectious disease outbreak to a major hurricane.
"Data can demonstrate the effectiveness of risk management initiatives and investments and help build credibility."
Crisis management, business continuity, emergency response, cyber management, and all other response plans should be regularly updated and exercised. Using learnings from the past year, risk managers should embark on a company-wide initiative to review all plans and update them with the aim of increasing the organization’s resilience in the face of a crisis.
Business continuity plans, for example, should take into consideration breaks or delays in the supply chain. What will a restaurant do if a particular ingredient — integral to its high-demand fried chicken recipe — is suddenly the subject of health concerns or no longer available? What is an e-commerce-dependent retailer’s response to a cyber-attack that takes down their website on Black Friday?
Informing leadership of ongoing reviews is not enough; they need to be involved in the process, sharing insights and ideas about the best ways to respond. Further, leadership needs to be trained in executing these plans, ensuring that everyone knows their individual responsibilities and what they need to do in a crisis. Risk managers should be the ones spearheading tabletop sessions where plans are exercised, to identify gaps or overlaps in execution, and tweaked based on the feedback.
As organizations evolve, so should response plans. Risk managers will need to identify the need for changes, update plans, and ensure that all those involved are familiar with any revised responsibilities.
"Leadership should be involved in response plan reviews, updates, and exercises, ensuring that individual responsibilities are known during a crisis."
Risk managers are uniquely positioned to effectively see risks across the enterprise, help identify interdependencies and overlaps, and establish a prioritization strategy. This requires both knowledge and familiarity with the way different departments are operating and an ability to ask the right questions to get all the necessary information.
While risk managers don’t always have all the answers, they should tap into the knowledge of subject matter experts to explore different issues and identify solutions. It’s important to question existing policies and controls and help identify operational opportunities that help minimize risk — for example, identifying suppliers for a particular product in different geographic areas to reduce the risk of a supply chain break following a natural disaster or other region-specific catastrophe.
Risk managers should remain connected with the business and always be prepared to assist when challenges arise. Any request for assistance should be considered an opportunity for the risk management team to showcase its work, capabilities, and value.
This requires bending and flexing according to the company’s needs. Use these interactions to resolve issues, explain existing programs, and underscore the importance of an effective risk management strategy.
Unless they showcase their indispensable contribution when they have the attention of the company’s leaders, there is a real threat that risk managers’ elevated role will dissipate as the world goes back to business-as-usual. The pandemic was a catalyst to win many risk managers a seat at the decision-making table; now they need to retain it.
"Risk managers should tap into the knowledge of subject matter experts to explore different issues and identity solutions."