The pandemic, combined with other factors in its wake such as supply chain disruption, has put a sharp focus on risk management with ‘resilience’ and ‘risk-free’ being different things. We often think about risk as something we have to manage and remove, but in fact successful businesses are those who work out how to take strategic risks and find the opportunity from them.
Growth story at Booking.com
I was delighted to be joined by Tanya Robbertze, Director of Risk Management at Booking.com at our latest virtual ‘In Conversation’ event.
Booking.com is one of the giants of consumer ecommerce and has seen tremendous growth. Five years ago it had around 850,000 properties on its website – that’s grown to over 2.5 million today. It has expanded from places to stay to other services such as car rentals, airline tickets and attractions. Its market cap has grown by an impressive 14 percent - all achieved despite the turbulence and disruption of Covid-19!
So what role has risk management played in this story, and what lessons may there be for other consumer businesses to think about?
Developing an enterprise-wide approach to risk
Tanya explained that when she joined Booking.com five years ago, there was plenty for them to address.
“We had risk management processes, but they weren’t connected” she said. “Finance was managing business processes whilst IT was managing security risk; but they were doing so separately. A number of issues came up and that’s when the old adage of ‘never waste a good crisis’ came into play! We began to build the foundations of what good risk management looks like and took a more enterprise-wide approach to risk. The Board really bought into this and we embarked on a full risk management and controls transformation.”
The very nature of Booking.com – like most consumer businesses – is to be agile and fast-moving in response to customer demand and market shifts. Clearly then, there’s a danger of risk management being seen as a blocker that slows the business down and blunts its edge. So how did Tanya go about reconciling that?
“Two things have been key,” she reflected. “Firstly, it’s all about partnership. The risk department can’t be seen ‘imposing’ controls on the business. We made sure that we spent a lot of time speaking to teams in the business and understanding their goals and priorities. We then collaborated with them to find appropriate risk solutions that balanced speed and velocity with control. So it’s a cultural thing – we’re all on the same side, looking for win-wins.”
“Secondly, innovation. The whole business is about being innovative, so clearly we in the risk function had to be innovative too. For example, we created a simple but effective risk management tool that enables the business to carry out a self-assessment and helps them understand what to do next. Our focus was always to ‘de-jargonise’ risk management and make it something people could actually relate to and easily adopt.”
Putting out fires before they’ve started
Putting this risk management framework in place has certainly held Booking.com in good stead. As Tanya put it, it was like developing a muscle that the business could then exercise and use during the days of Covid-19. And as the pandemic has begun to ease and conditions have returned to nearer normal, the business is reaping the benefits. As Tanya expressed it: “Now that the world is no longer on fire, we can think more about sustainable risk management and prevent fires in the future.”
Of course, it’s not just exceptional events like the pandemic that demand strong risk management – it’s an ever-present in commercial life. And right now in the UK, it’s set to become an even greater priority due to the government’s proposed internal controls reforms – ‘UK SOX’ as it’s sometimes referred to.
UK risk reform will change the landscape
As my colleague Osama Rabbani, Director in Risk Consulting at KPMG, described it, the UK corporate governance landscape is about to undergo unprecedented change. It’s a watershed time - the equivalent for corporates of what banks went through post-2008. Internal controls will need to be bolstered and new processes created. Many businesses may uncover risks they’ve not recognised before. But, just as Booking.com did not ‘waste a good crisis’, this too can be an opportunity for businesses to strengthen risk processes and accelerate transformations that they already wanted to undertake.
It’s not about reinventing the wheel, but rather applying known risk and financial management framework best practices across the enterprise, whether that’s for regulatory risks, operational risks or for emerging ESG risks. Technology can play a big part too, as often existing technology can help move the dial on dynamic risk management, control automation and process efficiencies.