Conventional risk management has focused on avoiding the risks to a business strategy, rather than understanding and managing the risks of the strategy itself. While the protection of existing assets is necessary, a diet of pure risk aversion likely will lead to extinction.
Life is short, art long, opportunity fleeting, experience misleading, and judgment difficult. – Hippocrates
Like people, companies die. In fact, a 1997 study concluded that the average life expectancy of a Fortune 500 company is fewer than 50 years and for smaller companies even less. And it’s safe to say that enterprise mortality rates have spiked in the aftermath of the global economic crisis of 2007-2009.
The degree of recent loss and public outrage has caused many to cast the failure to properly understand and manage risk as the root cause, the enemy of order and, therefore, the most compelling and top-of-mind business issue of our time.
Because corporate risk taking and management involves decidedly human factors, such as judgment, and management and communication skills, the issue has become very personal for all concerned—senior executives, directors, as well as investors, regulators, rating agencies and even the general public—as demands for greater accountability and transparency reach unprecedented levels. Business leaders are understandably concerned with:
- Finding the unexpected before it finds them and thus becoming more proactive.
- Determining the right balance between board oversight and executive management.
- Defining the appropriate level of risk taking for their enterprise.
- Improving transparency and oversight for the board and other key stakeholders.
- Gaining first-mover advantage through the identification of “black swans,” both uncommon opportunities and unexpected disruptions.
- Taking a longer-term perspective for success that can still accommodate the need for survival in the short term.
Enterprise leaders want to manage complexity, reduce uncertainty and prepare their companies for an unpredictable future, especially the next killer risk or the next giant opportunity. So, while the events of the recent past have made a strong case for revisiting how risk is conventionally understood and managed, the best way forward remains unclear for many, beginning with who has the authority and who is responsible. The art of leadership and governance is fundamentally about judgment and decision-making: What are the key decisions that affect the life and death, success or failure of the enterprise and who gets to make them?
One key lesson of these turbulent times is that critical risks need to be addressed by the board and leadership. Senior executives need a more systematic way to make decisions about risks and reward. Boards need to better understand what the key enterprise risks are, what types of relevant information need to come to their attention, and what constitutes their role vis-à-vis management.
Ultimately, everyone in the enterprise has a role to play, because risk-related decisions are made daily at every level of the enterprise. Although CEOs and chief risk officers make different decisions than the rank and file, it is possible and necessary that they all share in an understanding of key decision-making skills, processes and tools. This is the starting point for a discussion about “risk intelligent” enterprise management, since value and risk cannot be meaningfully separated. Risks to existing assets must be guarded against and certain other risks must be taken to create new value.
Risk intelligence: A new approach to risk
Conventional risk management has focused on avoiding the risks to a business strategy, rather than understanding and managing the risks of the strategy itself. While the protection of existing assets is necessary, it is not sufficient for competitive advantage. Unfortunately, when risk is defined by an organization only as the failure to adequately protect existing assets and prevent loss (unrewarded risks), the rewards of reasoned, calculated risk taking (rewarded risks) are often neglected at potentially high cost to the company’s future success. Avoiding the risks of non-compliance with regulations, operational failures and lack of integrity in financial reports are essential activities but are not sufficient for competitive advantage, and a diet of pure risk aversion likely will lead to extinction.
A diet of pure risk aversion likely will lead to extinction.
Enterprise survival is about more than just staying out of trouble; it is also about creating new and future value to ensure the highest return on investment. New business models; shifts in the competitive landscape, consumer preferences and behaviors; and new technologies all demand enterprise agility and resilience.
Risk includes the potential for failure that could result in loss, harm or missed opportunity – the risk of inaction. Risk intelligence is both the capability to produce and then effectively act upon such intelligence in order to achieve the desired results. Some level of failure is essential for innovation and experimentation. The enterprise needs to determine acceptable versus unacceptable differences between actual and expected performance. Otherwise, intolerance of any level of failure will lead to risk aversion and competitive disadvantage.
In this broad context, success often requires the embedding of risk intelligent capabilities throughout all levels of the organization – from directors to executive leadership to business units and all employees.
10 fatal flaws of conventional risk management
Conventional risk management has not lived up to expectations for a number of reasons. The authors’ research and experience have identified 10 fatal flaws that have been major factors in economic crises and business failures:
- Counting on false assumptions.
- Failing to exercise vigilance.
- Ignoring velocity and momentum.
- Failing to make the key connections and manage complexity.
- Failing to imagine failure.
- Relying on unverified sources of information.
- Maintaining inadequate margins of safety.
- Focusing exclusively on the short term.
- Failing to take enough of the right risks.
- Lack of operational discipline.
Everyone who is successful has failed at some point, and the causes of such failure can often be found in the above list. In certain circumstances, whether individually or in combination, these flaws can send an enterprise to the brink of ruin or push it into the arms of its competitors or government protection. Conventional approaches to risk management tend to separate the discussion of value and risk. But when risk management is viewed as a discipline for improving an enterprise’s chances of survival and success, risk intelligence counters conventional wisdom with new ways of thinking about risk: primarily as the potential for failure in terms of both loss and missed opportunity. Thus, a risk intelligent mindset and the practical skills and actions it encompasses can provide tools and approaches for executives and directors that enable decisions and actions that help to both protect and optimize value and gain – even in times of great turbulence and uncertainty.
Countering the flaws: Ten essential skills
The authors have identified 10 essential risk intelligence skills that correspond with and counter the 10 fatal flaws. These can be used to help exercise better judgment and make better decisions under even the most uncertain and chaotic conditions:
1. Check your assumptions at the door – The greatest source of risk and opportunity lies in one’s assumptions. Author Nassim Taleb has used the metaphor of the black swan to describe the mental models people create that lead them to believe that extreme events are exceptionally rare.1 He argues that these black swans cannot be predicted. However, the authors believe that conventional assumptions can be seen as the “white swans” and their antitheses are the “black swans,” which may either be killer risks or gigantic opportunities. Simply conducting business based on tradition, habit or operating on autopilot can lead to a business’s downfall. Southwest Airlines achieved 39 consecutive years of profitability in part due to its antithetical view of prioritizing regional coverage for secondary markets. Among other differences, in contrast to the formal, hierarchical corporate structures common to the industry, Southwest focused on informality, having fun on the job, and sharing profits with personnel. This model proved to be a significant source of marketing differentiation and competitive advantage.
By understanding current assumptions about the business environment and the existing business model and describing their antitheses, enterprise leaders can identify the characteristics of major shifts in advance and whether they are beneficial or adverse. They can defend against adverse black swans or they can become the industry black swan by changing the conventional model and adopting an offensive position.
2. Maintain constant vigilance – A study reported in an aerospace medical journal found that 80 percent of accidents are caused by operator error and 80 percent of operator errors are caused by lack of vigilance or situational awareness.2 Once the signals of a shift (black swan) have been identified and the shift’s implications understood, the enterprise can set up early warning systems that enable rapid detection and provide the opportunity for first mover advantage. This is not about prediction; it’s about awareness and early detection, which enables preparation and rapid adaptive response.
In situations of sudden, sharp change, information overload, siloed or isolated communications, lack of a shared “central nervous system,” or perceptual blind spots become barriers to information sharing. There are several classic examples: Multiple warnings about Bernard Madoff’s fraud went unanswered; and before both the events of September 11, 2001 and the sub-prime crisis, government agencies did not connect the dots with regard to collected intelligence, or they failed to listen to pertinent warnings.
How does one identify a weak signal amidst a lot of background noise? First, know what you are looking for (black swans), then set up signal detection mechanisms, develop a range of potential responses and then maintain constant vigilance. These same concerns apply to failures to see shifts in the industry business model. Prior to 1973, Royal Dutch Shell anticipated several potential scenarios that could lead to an oil crisis and planned accordingly, leading its industry in a shift from further development of primary refining capacity to improvements in refining outputs. Similarly, FedEx saw the coming impact of electronic commerce on global sourcing and added end-to-end logistics services to its core business of overnight delivery of packages.
Success tends to breed complacency and a resistance to change that which has produced past success. Effective signal detection systems are a challenge to develop, but if people can become more alert to signals that may contradict their current worldview, it can lead to major opportunities and better defenses.
3. Factor in velocity and momentum – Opportunity is fleeting, and disaster can strike swiftly. Bad things often seem to happen much faster than good things. Yet conventional risk assessments typically evaluate likelihood and not velocity. Only those who are adequately prepared will have the ability to respond quickly and the resilience to overcome adversity.
The news is often replete with stories of business failures, product recalls, tainted products and services, executive scandals and corporate malfeasance. How can companies identify such risks before they manifest themselves? Esther Colwill, a Deloitte & Touche LLP partner in Calgary, recalls prior to her successful ascent of Mt. Everest that the climb team prepared for all the big possibilities, such as someone falling into a crevasse or surviving an avalanche. But only she and three of her party of 12 made it to the top, because of “little things” that had been unpracticed, such as taking care with eating or exercise routines.
“It was a combination of these tiny little things, little decisions they made along the way,” she said. “And in the end, they just weren’t strong enough to succeed.” These small inactions gathered momentum and led to their failure.
The ways in which crises and their effects develop vary with their velocity and momentum. So instead of asking, “How likely is it that this event—good or bad—will happen?” ask instead, “How good or bad can it get, and how fast can it get that way?” Those questions help frame what the organization must do to improve its resilience and agility – regardless of the size of the risk factor.
4. Manage the key connections – The complexity and interconnectedness of the global business environment makes it very difficult to see how one set of events can affect another. This skill and the corresponding tools help the enterprise understand its critical dependencies, how long it can go without them, and how it can improve its chances of survival.
Managing key connections requires in-depth understanding of the organization, knowing where vulnerabilities lie and making conscious decisions about which ones to accept and which to mitigate. Without the resulting transparency, the enterprise may be unprepared for either profound disruption or opportunity.
5. Anticipate causes of failure – One of the greatest challenges for any enterprise is to discuss constructively how it might fail so that it can act to prevent such failure. Perhaps the second greatest challenge is to identify potential failure quickly and escalate it to the appropriate level for remediation. Certain organizational cultures inhibit such communication and often divert, delay or distort critical messages. The constructive identification and timely communication of failure or potential failure is an essential skill.
One tool of quality and process improvement, Failure Modes and Effects Analysis (FMEA) (Figure 1), poses forward-looking questions to help locate areas of risks or the possibility of missed or suboptimized gains. After one private equity firm learned the hard way during the acquisition of a well-established family business that family tradition can get in the way of rapid responses to market changes, it now applies FMEA to every transaction proposal so as to improve anticipation of failure factors. Once the factors are identified, they decide whether to proceed with the deal and, if they do, how to mitigate potential sources of loss.
Figure 1. How could it fail?
6. Verify sources and corroborate information – When it is too good to be true, it often is. Credible does not mean true, it means believable. Given that risk management aims to develop the best intelligence available to support decision-making, it is essential to have both credible sources and corroborated information to exercise the best judgment under the circumstances.
The first U.S. secretary of Homeland Security, Tom Ridge, has said that his department approached corroboration by getting “as much awareness as you possibly can … Have we had information from that source or sources before that proved to be accurate? Did they tell us something six months ago or a year ago that turned out to be right? Can we corroborate from another source? Do we hear other sources talking about the same thing? Is it credible; it is corroborated?”
The board is ultimately responsible for governance of the enterprise, but management is responsible for managing the business, including identifying key risks and avoiding them or accepting and mitigating them. Management has to provide reasonable assurance to the board that the risks that are being taken to create competitive advantage are within the approved risk appetite and that controls are in place to detect and either prevent, correct or escalate risks to existing assets.
7. Maintain a margin of safety – High leverage and low liquidity leave no margin for safety. No margin for safety leaves no margin for error. Leaders need to maintain confidence in their abilities, while also knowing their limitations. No leader or organization is too big or too smart to fail, to take the wrong risks, or to become overly leveraged. This skill focuses on ways to establish and maintain an appropriate margin of safety.
An incident from the NASA Apollo program illustrates the value of maintaining a margin of safety. When the lunar lander was being designed and built, the weight increased, but the rockets that would deliver it followed their original designs. When Wernher von Braun, director of NASA’s rocket development center pressed for final numbers on spacecraft weight, he was given a bottom line of 34 tons, including “fudge factors.” But von Braun knew from experience that weight estimates always increased, and he did not expect this one to be any different. He told the rocket developers to plan for 39 tons, which he later increased even more. At liftoff, the Apollo 11 spacecraft weighed about 45 tons – and it flew on time only because the program director had been so extra cautious about the margin of safety.
8. Set your enterprise time horizons – Warren Buffett has said, “Our favorite holding period is forever.” Recent emphasis on immediate profit over sustainability and long-term growth can lead to “short-termism” where enterprises choose to maximize short-term gains in ways that jeopardize their chances of long-term survival. What can boards and management do about short-termism? The attitude and practice can be changed, but leaders have to also bring analysts and investors around to a longer-term perspective. Charles O. Holliday, Jr., chairman and former CEO, DuPont, states, “DuPont is 206 years old, so we very naturally have a long-term view and don’t have to put a lot of emphasis on it internally. I think some organizations probably need to. I find other companies are very short-term and don’t really know it.” If one is investing with a short-term horizon, he or she is giving up the value creation of a business. Favoring quick profits over longer-term performance results in an enterprise—and an economy—that cannot create or sustain long-term growth.
It sometimes becomes easier for directors to focus on the oversight of compliance at the expense of competitiveness.
This skill helps leaders to remain mindful of critical strategic considerations at all times to ensure continuation of success in areas that require long-term thinking, such as global competitiveness, R&D investments, environmental sustainability and corporate responsibility.
9. Take enough of the right risks – Competitive advantage requires calculated risk taking. All risks cannot be eliminated and not all risk-related decisions will be correctly made. Every organization needs to understand what risks it is taking and decide whether the potential for reward warrants the risk or not. The enterprise needs to distinguish between risks that are right or wrong for the enterprise and its current capabilities.
Risk appetite defines the types of risk that leaders are willing to take (or not take). Risk appetites will vary according to the type of risk under consideration. Using a risk intelligent approach, companies need to have an appetite for rewarded risks, such as those associated with new product development or new market entry, and ought to have a much lower appetite or tolerance for unrewarded risks, such as non-compliance or operational failures. While the CEO proposes risk appetite levels, the board ought to approve them—or challenge them and send them back to the CEO for adjustments—based on an evaluation of their alignment with business strategy and stakeholders’ expectations.
Seeing the writing on the wall: TRI case study
Success often breeds a dangerous level of complacency. Dominant incumbents often fail to see a macro-shift coming in their environment. Generally, the more finely attuned an enterprise is to a specific environment, the more likely it is to be successful, provided the environment doesn’t change. However, since uncertainty and change are inevitable but unpredictable, being too finely adapted to a specific environment may cause an enterprise’s ruin. It is often very difficult to get successful companies to change what they’re doing in the short term in order to create longer-term success, but when they do, the results can be very rewarding.
Such was the case with companies publishing encyclopedias in the 1990s. First, the portability of CD-ROMs made bulky published volumes obsolete. Then the Internet made it possible to access and update huge amounts of information quickly and either freely or inexpensively, eliminating the need for printed annual updates. The early signs of change were there, but most producers of encyclopedias failed to take the cues and preserve their marketplace advantage by exploiting alternative quality, distribution or revenue model options.
One information company, however, did maintain awareness and vigilance. Executives of Thomson Reuters Corporation (TRI), which originated as a family-run, premier publishing business, recognized nearly 20 years in advance that troubled times were ahead for newspapers and other printed information sources with the onset of Internet accessibility and popularity. Well before other publishing enterprises spotted the shift, TRI was shedding threatened assets and building a niche market in meeting a continuing need for high-quality, specialized, technical and professional information – an information research and vetting process that existing electronic search engines could not reliably perform.
The CEO at the time, Richard Harrington, said, “There was a need for a Google for the high-end user.” In doing so, the company acted consistently on a number of the essential skills as it effectively challenged conventional wisdom, constantly validated with its markets the information driving decision-making, and managed key connections with constituencies who would be the source of future growth and success. They had also proven they were willing to take enough of the right risks to stay on top of their game, while sustaining operational discipline. TRI capped off its survival challenge by remaining vigilant for the next big trend. This led the company to further ensure its ability to deliver needed information in immediately usable forms by acquiring software and application tools, giving TRI the infrastructure to distribute the information it researched and analyzed for technical and professional users.
10. Sustain operational discipline – Sustainable success demands discipline. This is the final, vital risk intelligence skill because without it risk intelligence cannot be implemented or maintained – assumptions will not be challenged; warning signals will not be detected, transmitted or heeded; potential causes of failure will not be addressed; sources will not be verified; and so on. The absence of operational discipline can undermine a successful enterprise, but most enterprises do not attain success without a high level of operational discipline. It is operational discipline that enables organizations to survive crises and to maintain high standards of performance and integrity while experiencing extraordinary success.
Former U.S. Navy Commander Mike Abrashoff tells of his experience in taking command of the USS Benfold, which turned out to be a lesson in turnaround leadership. Abrashoff realized that performance was subpar because previous leaders had gotten out of touch with the crew. In response, he set out to see the ship through his crew’s eyes so he could better understand their view and learn how to reengage them. He couldn’t offer financial incentives, so he changed the ship’s culture to one in which people took ownership and worked hard because they felt important and valued. He developed four key principles: question every rule; build trust through responsibility; thank the messenger for reporting problems; and promote risk takers for taking the right risks, even if mistakes occur.
The rising bar of accountability
Since passage of Sarbanes-Oxley legislation in 2002, senior executives and directors have been held to an increasingly higher standard of visibility and accountability. More recently, there has been a growing movement to increase board involvement in risk oversight. Drawing on their outside-in perspective, directors are expected to keep management and the enterprise on course to meet its objectives. However, they face significant challenges by virtue of being part time, independent and often without specific industry experience. For these reasons, it sometimes becomes easier for directors to focus on the oversight of compliance at the expense of competitiveness.
Pending regulatory initiatives related to the financial services industry will likely further increase pressure on attention to compliance but not necessarily competitiveness. The board must make sure that there is the appropriate balance between emphasis on controls and compliance and the competitive strategy for future growth. The board needs to decide how big an opportunity or risk needs to be in order to get on their radar screen. They need to be clear about the powers reserved for the board and those that are delegated to management through the CEO.
How do boards and management incorporate understanding of the fatal flaws and adoption of the 10 skills? By treating risk as intrinsic to the conduct of day-to-day business, executive leadership effectively elevates risk management from an exercise in risk avoidance to an essential consideration in every decision, activity and initiative of the organization, i.e., risk intelligent enterprise management. Risk intelligent executives develop policies and practices that integrate these skills into risk management capabilities, which in turn become an integral part of core decision-making processes throughout the enterprise. They are accountable for their decisions and for providing timely, relevant, value and risk-related information as appropriate to the board that ultimately translates into cost savings and revenue and market share gains.
Risks must be taken to seize opportunities, and they must be managed not simply avoided.
One of the greatest challenges of effective enterprise management with regard to defining roles and responsibilities is the fine line between board oversight and management execution. The board’s role is to oversee but not manage.
Generally, the board should take the longer view, assessing alignment of risk appetite with management’s decisions and recommendations but without actually attempting to directly manage risks themselves. This is a difficult and delicate task in which to achieve the right balance.
Directors need to have reasonable assurance that executives are appropriately managing the risks that do not need to come to the board’s attention. It is also essential that the board obtain independent reassurance that management’s reports are reliable. For those decisions that do come to the board, it can judge for itself how well the risks are being managed. Boards and management have to work together to ensure that what they each think is happening is actually happening. Organizations cannot allow their hope to become their only strategy.
A holistic approach to surviving and thriving in uncertainty
Surviving and thriving in the uncertainty and turbulence that has characterized the first decade of this century requires unconventional thinking and calculated risk taking. To do this well, the enterprise needs to be viewed holistically. Between the two extremes of life and death, people and companies have choices to make and options to explore by way of adapting and possibly extending their longevity and success.
The successful enterprise incorporates risk intelligence into the ways it understands and manages the business. Risks must be taken to seize opportunities, and they must be managed not simply avoided. They must also be analyzed for their complexity and interactivity. Anticipation and preparation are key to survival and success.
As Hippocrates reminds us, judgment will always be difficult. Consistent practice of the 10 skills we have described can aid superior judgment and competitive position in an ever-changing and predictably uncertain environment.
EndnotesView all endnotes
- Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable, Random House, 2007
- D.G. Jones and M.R. Endsley, “Sources of Situation Awareness Errors in Aviation,” Aviation, Space and Environmental Medicine, 67(6), www.asma.org/journal/abstracts