Like tsunamis and ash-spewing volcanoes, Hurricane Sandy was a “black swan” event, the kind of disaster that even the most careful preparations can’t stave off. It’s also a stark reminder of the need to plan as best as possible for the unexpected.
But while we gird against future storms, it’s wise to keep in mind that the biggest risks to companies aren’t necessarily the black swans, but rather the underestimated and mismanaged challenges in core business areas.
Consider Kodak, which filed for Chapter 11 this January after 132 years in business. The American camera pioneer didn’t fail due to a black swan, but rather because it responded too slowly to the threat of digital cameras. Lehman Brothers, which filed for Chapter 11 on Sept 2008, similarly failed to prepare for a predictable threat, taking on huge exposure to subprime mortgage-backed securities, which ultimately did the venerable firm in. Both companies failed in their core strategy areas, cameras and securities.
Unfortunately, it’s not enough to try to manage risks; we have to manage the right risks. Perhaps this truism is best illustrated through the story of BP’s Tony Heyward. When he joined the company as CEO in 2007, Heyward, “the safety CEO,” instituted new requirements that all employees use lids on coffee cups while walking and refrain from texting while driving.
Happily, burns and car accidents among BP employees decreased. Unfortunately, while Hayward was doubling down on hot beverages, he wasn’t focusing on the risks of drilling 18,000 feet under the ocean. The team working on the well under the Deepwater Horizon rig misread readings, ignored warning signs, and relied on inadequate backup systems. The well eventually started to leak, mud was forced up the pipe and onto the rig, and you know what happened next.
Empowering Risk Management
Companies that want to avoid similar crises need to think differently about risk management. Many companies have established enterprise risk management programs with dedicated staffing. While the goal of these efforts is to build a risk program throughout the organization, unfortunately they often yield simple lists of risks rather than information about why key risks are occurring and how they might be averted.
For example, an enterprise risk list usually contains such items as talent management, regulatory change, economic markets, and safety. Those are definitely key risks, but they are too broadly stated to be useful and could be applicable to any company.
Reporting on these programs to senior management and the board often includes a graphic or heat map showing risks as red, yellow, and green to indicate impact and likelihood of the risk occurring. These too tend to be simplistic, containing broad statements worded to fit in one small box on one page, such as, “plans are in place,” “training is being improved,” or “regulations are being monitored.”
Instead, risk management programs should provide information that allows for companies to take actions. For example, what if the senior management at Lehman had determined back in 2007 that the mortgage investments were highly sensitive to market movement and that a drop in the overall mortgage market of just 3% would destroy the company? And what if they got reporting after that point indicating there had already been a 1% drop over the past three months? Now that would have been powerful information on which action could have been taken.
What if a company were to list talent management as a top risk and specifically state that 26 employees who have significant and unique knowledge – and would be impossible to replace – are close to retirement age? A risk management plan that includes the dates they’re planning to retire would enable management to offer bonuses or other incentives to delay the retirements, so that the key staff has time to transfer their irreplaceable knowledge to others.
Companies have spent millions of dollars on risk-management programs yet still ask what value those investments are bringing to their businesses. Those are fair questions and key drivers of the need for risk programs to evolve, especially when it comes to potentially company-killing risks. In such cases, a poor understanding of the full risk landscape and false assumptions around the effectiveness of a company’s risk-management efforts in core areas can lead to disaster.
You can never know exactly when and how a storm will strike with the force of a Sandy. But you can be sure that your own field is mined with potential business killers that deserve not just risk management, but the right risk management.
Sally Bernstein is a principal in the risk consulting advisory practice of PricewaterhouseCoopers. The views expressed in this column are solely those of the author and not the firm.