CRO Challenges in the New Normal
With Covid-19, everything has become so different from what it used to be, said Syahril Nizam at the start of his presentation at a recent CRO Networking Group event. “Risk itself was already an important topic before the pandemic,” said the Chief Risk & Compliance Officer of Lembaga Tabung Haji. “Regardless of whether it is operational risk or financial risk, Enterprise Risk Management is really the umbrella that covers every type of financial and non-financial risk management. In Tabung Haji, we have Tabung Haji risk, for instance, and for Islamic institutions, we are talking about Shariah-related risks.”
Regardless of the kind of risk, however, he stressed that what is implemented is a top-down strategy. “It comes all the way from the top,” he said. “In our case, that’s from the Ministry, but it starts with the Board of Directors and goes all the way down.” Clarifying that Tabung Haji has devised a roadmap for governance and performance, he said that it was important to find a balance between the two. Organisations which practised ERM enjoyed better decision-making; ERM improves organisational agility, sustainability and resilience. “We wanted to ensure continuity, to ensure that the organisation remained a going concern, and not disappear over time, despite (changes in) the environment.”
In the second part of his presentation which focused on reputational risk, he stressed that at times the CRO of the organisation was expected to know almost everything; the CRO has really become indispensable. “When other departments talk about the operational aspects of their work, like underwriting, for instance, they expect you to understand the whole concept,” he said. “We need to understand the business well so that the strategy we craft is in tandem with our target.” The world of risk, he added, was about writing down the list of risks, noting the controls in place, and assessing whether additional controls need to be developed.
Describing reputational risk as a hidden threat or danger to the good name or standing of an entity which can occur in a variety of ways and can erupt out of nowhere, he said that in today’s New Normal, things cannot be done as they used to be. “The pandemic has been about doing things immediately,” he said. “If you fail to do it, it means losing the lives of human beings.” Emphasising the necessity of working across departments and collaborating with staff at various levels, he said that it was no longer about rating agencies giving their perspectives; rather, it was about an organisation’s own staff working together and giving feedback, and being able to understand what is required of them.
For organisations like Tabung Haji, he said, reputation is everything; even mere gossip, if not managed well, could severely damage investors’ confidence. Explaining that the Fund’s main role was to facilitate members’ pilgrimage, he said it also provided profits on the amount invested by its more than nine million members, based on market performance. “Reputational risk has never been more relevant than now,” he said. “Back in the 1990s, most organisations didn’t consider anything other than official complaints or the traditional media. But now, there is Facebook and Twitter; some news organisations are actually taking their reports from social media to increase their audience.”
There could also be situations where the wrong impressions have been given, as Tabung Haji has several subsidiaries which are separate legal entities. But what happens in these different companies could also affect Tabung Haji directly as they carry the Tabung Haji name, and the public generally tends to associate them with Tabung Haji. Thus, any remark by or untoward event in any of these firms could adversely affect Tabung Haji’s reputation, placing it in an awkward position, and eroding the confidence of its stakeholders. Syahril quoted instances when this has happened, noting that such negative remarks made in the public sphere had to be dealt with by Tabung Haji, regardless.
If such instances are not managed well, the reputation of the organisation will be adversely impacted. But what does reputational risk management involve? The risks are very high. It can be negative exposure, but can also be beneficial to the organisation if it is managed well. Most organisations have dedicated teams, usually under corporate communications, that track news on social and traditional media. It is important for organisations to know what has been spoken and what is perceived out there because this is what impacts reputation. “Unfortunately for Tabung Haji, we are often quoted,” he remarked. “If something does not have positive connotations, it will impact us.”
He stressed that the firm therefore needed to know what was happening, in advance. He suggested several ways of managing reputational risk such as creating a multidisciplinary team to handle it, and making employees ambassadors of organisational purpose. Organisations needed to understand not just their stakeholders but the entire ecosystem of their audiences, he said, as well as develop narratives that were believable and engaging. Brand awareness should be monitored through social and traditional media, and risk management strategies should be regularly updated. He cautioned against having a generic narrative; appropriate individual responses should be developed instead.
“Coming up with the right culture, working as one, improving the infrastructure so that governance is strengthened, making sure that everybody understands the importance of risk – all this is key,” he concluded. “But it’s also about awareness, and teaching people. It’s not about just getting the job done and going home – it’s about making sure the organisation is well-protected, its image is well-managed, and we believe that the organisation is worth protecting.”