Risk can mean many things in a corporation, such as safety and compliance risks, hedging against unexpected market changes and natural disasters and the assumable risks of entering new businesses and markets. When prudent risk planning fails, however, it puts CEO and company fortunes directly on the line -- sometimes fatally.
For Tony Hayward, former CEO of BP Plc (IW 1000/3), erosion of risk awareness led to one of the worst environmental disaster responses in history, costing him his job and shareholders billions in lost value.
John Corzine's firm, trading house MF Global, disappeared into liquidation, his reputation in ruins, because of a changed approach to financial risks strategy.
JPMorgan's Jamie Dimon, surely the most prudent financial risk manager on Wall Street, became another addition to business history's long list of risk casualties this spring, when the bank discovered a $2 Billion ( and growing) trading loss.
JP Morgan's miseries were only partly due to the size of the loss, which was small against the company's balance sheet. The event also impacted the firm's lobbying efforts against stricter regulation of such risky betting strategies under the evolving Dodd-Frank legislation.
CEOs are not strangers to risk management. They have compliance departments for ethics and safety risks; finance departments for financial hedging; strategic planners to weigh the risks and rewards of new company initiatives. Yet, no year goes by with often spectacular failures. Why should that be the case?
The answer, which we address, is threefold:
- CEOs are often detached from risk planning. The responsibility devolves to other locations in the firm where problems, turf conflicts or inattention are hidden from the daily work of the CEO.
- Risks tend to appear as bundled problems: Business disasters bring multiple skill sets into play. Yet the hand off of risk planning to separate departments often means a lack of a holistic approach to risk preparedness.
- CEOs often don't see risk as a discrete, high priority strategic task. They don't think of it as part of building the business. Yet coherent thinking about risks often brings up opportunities for business advantage, because it entails critical thinking about the firm's business model-which is precisely the sort of thinking CEOs should perform and to expect from their teams.
In age of continuing economic stress and social volatility, companies need to make risk management a core part of doing business. But to be effective, we would need to change many of the behavioral habits of firms, and of many CEOs.
A Taxonomy of Risk and Management
Harvard's Robert Kaplan and Anette Mikes usefully divide risks into three categories:
- Preventable risks, internal company practices such illegal or unauthorized business practices, or breakdowns in operational standards such as in safety and environmental practices.
- Strategy risks, where one essentially is taking a risk to improve the business. Launching a new product, investing in a higher risk location, or trading in a new financial instrument are some examples.
- External risks, which are out of the control of a company. Macroeconomic crises, political crises and natural disasters are examples.
For Kaplan and Mikes, each category of risk has a mitigation solution:
- Preventable risks require very strict rules, close monitoring and an independent risk management function that can report frankly about risks when they are seen to be emerging.
- Strategy risks can be mitigated by having cross-functional teams look at risk from different angles and include the sorts of people who are natural devil's advocates in the process. The end result should be a well thought through plan which has been debugged of any "groupthink" biases.
- External risks can't usually be avoided, so the key is being resilient and fast to mitigate crisis when they occur.
Here the solutions are ones which many companies have used over decades: scenario planning, where one thinks through the responses to worst case events, and tries to mitigate vulnerabilities based upon those scenarios.
For example anticipating a worst case earthquake or political coup, and then assessing the preparedness level of a company against such an outcome. War games are also recommended-having several teams play out a scenario to judge business systems readiness and preparedness needs.
All of these are worthy tactics. Companies over time have used some or all of them. For example, scenario planning was historically customary in the oil industry for external risks.
But at BP this process was not used for what was seen as a "preventable risk" for which supposedly effective monitoring was in place (it wasn't).JP Morgan had several "devil's advocates" arguing heatedly about the strategic risks over the size and complexity of the trading bets out of its London Office.
That process failed. The Tokyo Electric Power Co. still argues that that they included worst case disaster scenarios in Tsunami plans for the Fukushima Reactor complex. But of course, there is no such thing as true "worst case" -- there is always some assumption missed.
Part 2 of 2 on "Leaders and Risk" will focus on top ways CEOs can drive successful risk-management strategies.
Andrew Goldberg serves as executive vice president of public relations firm Makovsky & Co. Inc.'s Corporate Advisors division,which counsels CEOs and other C-suite executives in restructuring, change management and M&A situations. Goldberg was previously the president of WPP-owned Pivot Red and chairman of the corporate practice at Burson-Marsteller. He earned a Ph.D. at Columbia University in international affairs, specializing in the psychology of decision-makers under stress.