What follows is an amalgam of presentations I made to two risk management groups in very different sectors: one in health care, and the other in insurance. The principles are the same, even though the immediate concerns may differ.
Let me start by defining risk management as the process of asking the right questions about what might happen in the future, and then preparing the best plans you can to deal with events that might occur. Hence, if there’s a major pandemic, and if you’ve considered that possibility, have a plan prepared to deal with it, and the plan works reasonably well, then you have adequately managed that risk.
And yet, I very much doubt that any contingency plan, no matter how well you prepare it, will deal with everything that happens – you will still be caught by surprise in some regards. This is why you always need to do a “lessons learned” assessment after each crisis. Your task in risk management, though, is to both to be able to cope with problems as they arise, and to be prepared to change your plans when new, unexpected developments occur.
I’m going to approach risk management from a futurist’s viewpoint, not from the body of risk management literature, so my view will be different from the risk management texts that are out there.
And let me start by making three comments about risk management. First, the best kind of risk management is where you forestall problems rather than cure them. Hence, successfully promoting the use of condoms for safe sex is better than being prepared for a widespread outbreak of AIDS. Second, risk management can’t always allow you to stop problems from happening. You can’t stop a plane crash, because that’s out of your control, so the appropriate response then becomes containing the problems, keeping difficulties to a minimum, and producing the best possible corporate outcome in the most cost-effective manner. Hence, while you may not be able to stop a plane crash, you can make sure that you don’t allow too many key corporate leaders to fly in the same plane. And third, not all risks are negative. This last point is often not considered at all, or is considered to be outside the purview of risk managers, but I contend it is critically important to proper risk management.
Suppose, for instance, in-house research allows you to cut carbon emissions, reduce costs, and improve customer satisfaction (which, by the way, is not that far-fetched as it might sounds as it has been the focus of work I’ve done for number of clients). Or consider a significant increase in productivity, due to new technological tools. Does your organization have the awareness and ability to capture the benefits of such improvements, or will you waste the opportunity? I know that, for many groups, this has more to do with the responsibilities of senior management; my point is that not all the changes we face in future are negative, and managing positive outcomes can be just as important as managing negative ones – they just don’t get as much attention. I call this the “lottery effect”; if improperly managed, positive outcomes can be frittered away, as often happens when someone wins a lottery and blows all the money.
Three fundamental types of risk
Next, I believe there are three fundamental kinds of risks to be concerned about: Rapid onset, gradually developing, and unexpected.
Typically with rapid onset risk, you will have considered a catastrophic event, but when it happens, it’s still a shock because of the speed with which it occurs. Examples include SARS, a flu pandemic, a plane crash with senior management on board, or a major product defect that causes harm to customers or clients.
With a gradually developing risk, you can see it coming, but because it happens over a long period, no one day seems that urgent and you can usually justify deferring action. Examples include the rising level of financial stress due to an aging population, and the growing abuse of mortgage financing in the States from 2000 and before. Eventually such gradually developing situations reach a tipping point where they become a crisis. At that point, if you haven’t prepared for it, you can look awfully foolish. After all, after the fact, everyone saw it coming, so why didn’t you? This is precisely what happened with the financial panic of 2008.
Finally, let’s consider the unexpected. The unexpected risk is something that happens that you haven’t foreseen or considered, and to which you must respond. Among the more recent classic examples are the terrorist attacks of 9/11, the south-Asian tsunami of 2003, or a tornado hitting downtown Chicago.
The classic responses to these three kinds of risk also tend to vary, according to the type. The classic response to rapid onset risk is to deploy the contingency plans you’ve prepared, if they exist; otherwise people will treat it as they will an unexpected risk. With a gradually developing risk, the classic response is to ignore it, and hope for the best. With an unexpected risk, the classic response is panic.
You need to think through all three kinds of risk, and have plans to deal with them. Most of the effort devoted to risk management is spent on the first category, rapid onset risk, but you can be devastated by all three. It can be argued that the second category, gradually developing risk, actually falls more into the area of corporate management rather than risk management. That may or may not be appropriate, but however you define it, you still need to manage it. And, of course, managing the unexpected is, by definition, hard to do, but you can try to whittle down the types of things that are unexpected. I’ll return to this later.
Next, I’m going to discuss risk management in two parts. First, I’m going to survey the future, which is also called “environmental scanning,” and talk about some of the risks I see ahead of us at this time. Then, I’m going to talk about a particular approach to risk management. I’m also going to give you some tools to take home and use, and discuss how you can use these tools to improve your strategic foresight and develop appropriate contingency plans to cope with all three kinds of risk. So let’s start by talking about what risks are out there that we can see
Let’s start big, first with global health, and then the global economy.
We know we are experiencing a flu pandemic, but what we don’t know is how bad it will be. Although there have been deaths from the H1N1 strain, the number of deaths in the Southern Hemisphere was significantly lower than for the normally expected seasonal flues of recent years. However, this was also the pattern we experienced with the Spanish flu of 1918-20, so let’s review that pandemic. We don’t really know how bad it was, because there weren’t as accurate global statistics as there are today. However, the estimates I’ve read indicate that roughly one-third of the world’s population, or about 500 million people, caught Spanish flu, and between 10 and 20% of that third died from it. This death rate is between about 3 and 6 times normal, and would overwhelm our health care system.
Now transpose these sickness and death rates to your own staffs. Imagine having 12% of your staff sick at any one time, and having 5-10% of your staff die from a pandemic. What would that do to your company’s ability to operate? Probably decimate it, regardless of any contingency plans you’ve made – but the real issue becomes how badly you are affected, and how quickly and well you recover.
Of course, global pandemic plans aim to break the cycle of infection and transmission, so it’s quite possible that isolation and inoculation could keep these numbers down. But in your plans, this is the kind of rapid onset risk you need to be considering. So far, this kind of killer flu pandemic has been a once-a-century risk – but we’re due, and there is, now, a potentially nasty pandemic that we know is happening.
By comparison, there’s another pandemic that is also happening, but as a gradual onset risk, which is why you haven’t heard much about it. The rise of antibiotic-resistant bacteria represents a very real threat to public health, but its rise has been relatively slow and steady, so we’ve tended to ignore it. We know it’s happening, but there isn’t the same kind of outcry about it – it doesn’t get the media or political attention, even though it may ultimately claim more lives than the H1N1 flu.
Now let’s step back and consider a more complex probable risk. Suppose we get hit by a combination of events, such as the emergence of a hyperbug – resistant to all known antibiotics – while we are fighting the flu pandemic. This is not an improbable scenario: if health professionals are overworked and tired, or overwhelmed with patients even after triage, as might well happen in a flu pandemic, then they may get sloppy with protection procedures. Then, add to this the inevitable overcrowding of hospital facilities and there is a real increase in the probability of the emergence of a hyperbug, leading to substantially higher death rates, and a dramatic decrease in the effectiveness of health care facilities and practitioners. Have you thought about or planned for these kinds of combined risks?
The potential for nasty economic surprises
Now let’s turn to the economy. At this stage of the cycle, when the economy is starting to grow again, it’s easy to assume that things will continue to get better. That’s probably the case, but the economy and the global financial systems are still fragile, so we could be shocked by new nasty surprises that still might happen. I’d like to mention three possibilities, although there are others.
The first is that the American banks – and others – are now starting to register significant losses on commercial real estate loans. If things go badly, this could push more banks into insolvency, trigger a new run on banks, reigniting a financial crisis. These aren’t the same big, money-center banks, by and large, but a lack of confidence in some banks could easily spread throughout the system, as we saw last October.
The second is one we’ve all rather conveniently forgotten: toxic debt. It was lack of due diligence on the part of all the financial players in the States – and elsewhere – that led to the creation of all of the toxic, asset-backed securities in the first place, and there are trillions of dollars of this stuff still out there. At some point, someone has to figure out how to value these securities – which may be impossible – or write them off entirely. However they are dealt with, someone is going to have to take big losses – and taxpayers are almost certain to figure prominently in this group.
And the third, and potentially most dangerous, is a wild card: the possible insolvency of the government of the United States. Let me cover this with a quote from the blog I posted on my website in June, 2009, “Is America Too Big to Fail?”:
“… the U.S. federal government, unless it makes a Herculean effort to change direction, will fail. … With the U.S. already the biggest debtor nation in the world, with its biggest [external] creditor, China, already musing publicly about whether the U.S. government is capable of supporting the debt loads projected, and with market players musing about whether the U.S. government will lose its AAA credit rating, who is going to want to step up and buy more U.S. securities than have ever been sold before? Why would any sane investor want to take that kind of risk? … If the American government tries to sell all of this new debt, and doesn’t find enough takers, than the U.S. government won’t have enough money to pay the bills it is so freely running up. Its checks (or cheques) will start to bounce; it will be functionally bankrupt.”
Am I sure that these things will happen? No, and I clearly hope they don’t. But the difference between a crisis and an opportunity is foresight, and foresight implies taking a hard look at reality, whether you like it or not. And just as clearly, you need to have a Plan B ready to deal with these kinds of possible shocks. I would classify a possible default by the government of the United States as a gradual onset risk – and, as such, one that we all tend to ignore.
The aging of the population: another gradually developing risk
Now let’s turn to one aspect of demographics that is clearly defined and falls into the gradual onset category of risk: the aging of the population. Average per-capita health care costs tend to remain reasonably stable from about age 2 until around age 55 – but then they start rising almost exponentially. The baby boom – the biggest generation in history – is entering the high-rent district of health care. They were born between 1947 and 1967, so the leading edge is turning 62 this year. This is inevitably going to push up spending on health care, as will happen not only in America and Canada, but throughout the developed world.
Three things will happen as a result: First, program spending in every other area will have to be cut to allow for greater health care spending – which will make for uncomfortable choices, acrimonious cabinet meetings, and unhappy users of government services. Next, governments and corporate payers will try to cut back on the things that government- and corporate-sponsored health insurance covers (you can already see this happening), with the result that there will be pressure from unhappy voters to spend even more on health insurance. And finally, there is a high probability, in my view, that taxes will rise, and might rise significantly.
This is clearly an example of a gradual onset risk – and yet, it’s one that governments and the private sector alike are ignoring, but which will have significant, even dire, consequences. There is a very real risk that these problems could bankrupt not only American and Canadian national, state, and provincial governments, but the governments of developing (and rapidly aging) countries around the world as well. I’ll bet that very few organizations here have even considered this in their risk management planning
Now we come to unexpected risks.
There are positive risks ahead of us that are highly probable, but hard to anticipate. There are going to be immense new opportunities opening up to do things that have never been done before – but they are difficult to forecast precisely because we have no experience with them. For example, I worked on one of the first applications for cellphone licences in the early 1980s. Our group (which did not get a license) did a feasibility study of the potential demand for cellphones, and concluded that it had money-making potential because almost 8% of consumers said they were likely to use a cellphone. This was good enough to establish a business case, but our projections were wrong by almost a factor of 10. Neither we, nor anyone else, expected the extent of the market penetration of cellphones at a time when they cost over $2,000 each, and were so heavy that you had to store them in the trunk of your car. The reality turned out to be much better than we had projected – and could have bankrupted us if we had won the license, but had not had the necessary working capital to fill demand.
Next, have you considered the risk to your business of someone you don’t know applying technology in novel ways? Let me use as an example a prognostic test for cancer, for instance, that is about to be submitted to the Food & Drug Administration for approval. (And pause for disclosure: I’ve worked with this company, and hold shares in it, but it’s not publicly traded, so you couldn’t buy shares in it anyway.) This test has been produced by a young upstart of a company that applies patented, problem-solving computer software to come up with tests and treatments for cancer. The test promises to be significantly more effective than current techniques in telling patients who have had surgery for colorectal cancer whether they should have follow-on therapy or not.
Now suppose you were a pharmaceutical company that had just come up with a new drug to treat Stage III colorectal cancer, only to find that this young upstart could tell half of your market that they don’t need any additional cancer treatment, and a third of the remaining market that they can get results that are as good, or better, with a cheap, out-of-patent drug? Tufts University estimates that in 2006 it cost $1.2 billion to develop and market a new drug, and suddenly you find that market for your drug has just been scooped by a company offering two tests that cost about one-tenth of a course of your new drug. Where were the risk managers in your organization while this was happening?
Which leads, rather naturally, into governance, both corporate and public sector. I would suggest that a number of the things I’ve characterized as risk most organizations tend leave to senior management, particularly gradual onset risks, and positive risks. But what about management itself as a risk?
Looking back at last year’s financial collapse, it’s clear that the interests of the organization and the interests of management don’t always coincide. What happened in the U.S. financial system (and elsewhere) was that senior managers were chasing the prospect of enormous bonuses by pushing their organizations into taking unreasonable risks. This is a classic case of “heads I win, tails you lose”, because all that could happen to the executives would be that they were fired, whereas many corporations lost everything, either by being taken over (Bear Sterns, Merrill Lynch) or going to the wall (Lehman Brothers, AIG).
The problem is only partly recognizing these risks; the other part is how do you deal with someone to whom you report who is putting the corporation at risk? Especially if the Board of Directors is involved as well? I would suggest that you’ve already lost if you encounter a situation where you are trying to change the behavior of senior management that is pursuing personal gain at corporate expense. Instead, this is the kind of risk that, probably, can only be dealt with by anticipating it. In particular, you should seek to have corporate policies in place that identify such behavior, and provide an accepted means of blowing the whistle if it happens. Even then it’s dicey – which only heightens its importance.
Next let’s consider external governance risks. We’ve already talked about two potential government risks: rising taxes because of health care costs; and over-reaction because of privacy violations. I think you should also consider what happens when governments are faced with a world where they have less and less influence at a time when their constituents are feeling more and more anxious. You are likely to get governments that act irrationally, and look for scapegoats and whipping boys. And if your company happens to be handy for that purpose, it may be your turn in the barrel. I would strongly suggest that one of the risks you should consider preparing for is arbitrary government actions. You should watch for it, and have contingency plans in place for dealing with it. And remember; it’s easier to head off such developments than to undo them once they’ve become law. This also argues strongly for working together as a group, both here, and within your own industries, because an industry has more chance of influencing outcomes than a single company.
The balance of this article, dealing with techniques for risk management, will appear next week.