Risk Viewed in the Round
A few years ago, the pharmaceutical industry was almost paralyzed—by a triple blow from the Olympics, a hurricane, and subprime mortgages. To set the scene: pharmaceutical companies use tiny amounts of an inexpensive solvent, acetonitrile, to measure impurities in the drugs they make. Acetonitrile is a byproduct of acrylonitrile, which is used to make plastics for things like car parts and acrylic fibers for things like carpets.
And now to the action: China shut a chemical plant to reduce air pollution for the Olympic Games in Beijing in August 2008. The following month, Hurricane Ike knocked out another chemical plant in Texas. Then Lehman Brothers failed, marking the start of the global financial crisis. As a result, new-home construction and car sales dried up, sinking demand for acrylonitrile—fewer new carpets and new cars were being bought.
Production of acetonitrile, the byproduct, also dropped. That meant pharmaceutical companies found themselves unable to continue clinical trials because of a lack of the solvent.
It's an example of how "megarisks" beyond anyone's control can sneak up on a company in what seems like a completely unrelated sector. It also shows just how interconnected risks have become in a global economy.
Megarisks—such as sudden regulatory changes, demographic shifts, or natural disasters—have always existed, but because they're something nobody can control, corporations tend to react to them fatalistically. But this is starting to change: the world's leading companies are now methodically looking at how they can survive such threats, with a holistic approach to the situation.
"It's a challenge for business," says John Scott, chief risk officer at Zurich Global Corporate. "How do you understand those big, exogenous risks and to what extent do they affect your business model? Because they are risks you need to mitigate in some way."
To achieve this, he says, companies need to "identify the big global risks and the connections between them." Risks rarely stand alone; they form a multidimensional web that can amplify their effects and deliver a substantial blow to an unwary organization. Look at how defaults on home mortgages hit automotive suppliers after the last financial collapse. "In the 2008 crisis, people focused on the minutiae and not on the big picture," Dr. Scott says.
And as if the risks themselves weren't enough, damage now often comes from the immediacy of public reactions via social media when problems arise—a risk that has sprung up only in the past few years.
"In an extremely interconnected world, media risks will be made public globally in a matter of minutes," notes Sven Heiligtag, principal at McKinsey & Co. in Hamburg. "Ten years ago, fewer people would have known or cared. Today, within five minutes of a problem, the public knows it, and you have people saying they won't buy from that company and regulators and NGOs [nongovernmental organizations] coming in."
In such a setting, traditional approaches to risk management simply aren't enough.
So what is the solution and where does it start? A conventional enterprise risk-management approach segregates risks into smaller packages, so that ownership of the risks can be assigned. But some risks come out of the blue—the way the Olympics affected drug makers—while others fall between the cracks of corporate silos.
"A lot of pure risks are easy to give ownership to," says J. Tyler Leverty, professor of finance at the University of Iowa. But for external risks, "it's hard to assign ownership unless there's a chief risk officer. It's not so you can point a finger at somebody, but [rather] that you have somebody whose job is to think about these risks. If you ask most employees about the risks in their jobs, they can't answer beyond their cubicle."
That won't work for dealing with megarisks. Just as the top management develops the vision for where the company is going, it also has to keep an eye out for the big threats that can derail that journey.
The corporations that are most successful in dealing with risk in a holistic way have a dedicated risk manager, who reports to the board, but also a cross-disciplinary committee that reports to the risk manager, Dr. Leverty says.
Mr. Heiligtag suggests a three-layer line of defense: the first is frontline management of operational risks; the second is functional experts and internal audits; the third is the executive risk committee or business-unit leadership, with the board overseeing all layers. "Companies need full transparency and prioritization of risks. It's also key that top management take responsibility for managing risks," Mr. Heiligtag says.
But how can organizations get transparency and spot risks early?
Companies are moving from an internal, reactive focus on risk to a more external view, says Jonathan Blackmore, senior partner and risk leader for Europe, Middle East, India, and Africa at EY. "World-class organizations will have a risk radar, or will scan the horizon for potential risks that might impact them. They will gather information on what's going on externally. They are looking across their sectors as well as looking at other sectors and asking whether that could happen to them."
There is a tension among short-, medium- and long-term threats. From a strategic point of view, companies need to look at the long term, but from an operational point of view, they need to act on risk immediately, says Antonio Borghesi, professor of economics and enterprise management at the University of Verona and coauthor of the book Risk Management: How to Assess, Transfer and Communicate Critical Risks. For example, security or cyber-crime risk must be managed immediately.
Zurich has highlighted four major, global pressure points for companies today: digital; physical world; lifestyle; and regulation and governance.
An unplanned information technology and telecommunications outage was the top threat, named by 77% of the 690 companies in 82 countries that responded to a survey conducted in December by the Business Continuity Institute. Data breach and cyber attack came next, each cited by 73% of respondents. Digital threats can lurk in the familiar as well as the unfamiliar: the Heartbleed bug wasn't a malicious attack, but a long-unnoticed weakness in widely used security software.
Digital challenges are an example of the need for short-term and long-term risk management. While cyber-security threats change quickly and need to be monitored constantly, other digital trends are developing that could have big impacts on long-term strategic planning. Smart cities could dramatically change how we communicate in the future, including how companies provide products and services, says Deborah Higgins, head of learning and development at the Business Continuity Institute.
Smart cities are also an example of how digital risks interconnect with physical-world risks. Other physical-world challenges also rank high among concerns—adverse weather was named by 57% of BCI survey respondents.
Lifestyle challenges, such as a changing workforce, can squeeze companies' ability to recruit talent, or can quickly shift the marketplace for products and services. Demographics, stresses on pension funds, a rising middle class with rising expectations—all these can affect strategic planning. In the BCI survey, human illness and pandemics were a top concern in Asia and India. But in the United Arab Emirates, the availability of skills and talent was more of a worry.
Regulation and governance "have been a nightmare for global organizations," says Mr. Blackmore of EY.
Increased regulation started with the financial-services industry and spread into utilities, pharmaceuticals, and life sciences. "We think that trend will continue," he says. Meanwhile, in emerging markets, the risk from regulation is that "it's not clear what it is—and it can change overnight."
While it can help to drill down into each category, "it's no good being an expert in just one area of risk," Dr. Scott of Zurich says. "You have to be able to work across all risk types and see the big picture, or you can't communicate the relative importance of various risks."
Once armed with an idea of possible threats, companies need to do scenario-planning or stress-testing. "If an event [did] happen, what would the effect be, what would be the implications, how would we respond?" Mr. Blackmore says. Companies can use this information to develop resilience or business continuity plans.
One of the biggest challenges in managing risk is that it's a moving target, a project that's never complete.
"You have to continually monitor," Dr. Borghesi says. "Each change in the real world can be a change in your risk condition."
Holistic risk management requires board-level attention. It needs to be embedded in all aspects of the organization and not treated as a bolt-on. Holistic risk management needs to look for the interconnections among risks. Scenario planning can give you a picture of how different risks will affect you.