Everyday risk management discipline does not effectively address catastrophes arising from the unknown
Friday, May 1, 2020
By Karamjeet Paul
Crises labeled as unprecedented catastrophes create unnerving anxiety. Suddenly, issues that seem abstract in everyday life become critical, with no definitive answers: How bad will it get? Whose survival may be in question? Preventing the bottom from falling out becomes the top priority.
In the aftermath of crises, organizations review their risk management policies and practices, make some adjustments, and then go back to dealing with daily operating challenges . . . until the next crisis. But threats that may arise from such crises and create unnerving anxiety are not really addressed. So it is not too soon to understand such threats and ask what should be done to address them well before the next crisis arrives.
The nature of such threats differs so much from everyday risk management challenges that their context must be internalized before discussing what can be done.
Complexity and Adversity
Since the beginning of time, whether locally or globally, our world has been growing increasingly complex because of the continuing development of human activities. As this complexity has grown, we have become more vulnerable to adversities that can arise from events beyond one's control. So how can an organization continue flourishing while keeping vulnerabilities to such adversities under control?
Humans adapt naturally to addressing potential adversities by focusing on prevention and mitigation. Therefore, employing progressively more sophisticated tools, organizations have responded to this growing vulnerability with increasingly methodical approaches to prevent and mitigate potential adversities.
The discipline of these approaches generally is referred to as risk management. Billions have been invested in risk management over the last 30 to 40 years, appropriately so, because the threat of adversities is a critical hurdle in capturing opportunities aggressively. Proactively managing risk alleviates this threat. Disciplined risk management is an important key to capturing opportunities and flourishing.
However, despite the huge investment and advances in risk management, organizations can find themselves exposed to meltdowns from catastrophic adversities. This is because what works in dealing with the threat of everyday adversities can actually keep us from addressing the threats arising from catastrophic unprecedented crises.
Risk management relies primarily on prevention and mitigation. And prevention and mitigation are possible only for the adversities that we can envision. After all, we can't prevent or mitigate something if we don't know what it is that we are trying to prevent or mitigate. Prevention and mitigation thus can never address what can't be envisioned and arises from the unknown.
Experience shows that unprecedented catastrophes and meltdowns - man-made or natural, financial or non-financial, the ones that make headline news or go unreported, the ones with industry-wide impact or those that are consequential in only a specific situation - almost always arise from the cascading effects of unknown events that can't be envisioned until they happen. Therefore, despite all the investment and advances in risk management, catastrophic meltdowns that emerge from the unknown can't be prevented, and they create unnerving anxiety when a crisis materializes. As a result, relying only on prevention-based approaches leaves us unprepared for unprecedented catastrophes and meltdowns.
Most people imagine extreme threats from the unknown as fast-paced, cataclysmic events arising from major disasters that make headline news. This is only one way that an unknown threat can materialize.
Catastrophic meltdowns from the unknown can materialize in the blink of an eye, with little to no time to react, as experienced by financial companies in 2008; or over a long period, when threats develop so slowly that they are unnoticeable until it is too late and desperate actions are required to survive, as happened to one-time market leaders like Kodak, Toys R Us and Nortel.
Such consequences for an organization can arise from major disasters and disruptions, such as pandemics, natural calamities, frozen financial markets, new technology applications, changes in consumer-behavior patterns, or from minor incidents that one may never hear about, such as the small fire in a supplier's plant over 5,000 miles away that brought Ericsson's cell phone business to a halt in 2000. Without a deeper understanding of specific underlying factors, it is difficult to realize that all such meltdowns, regardless of how or over what time period they unfold, arise from un-envisionable events that cascade into catastrophes for an organization impacted by such factors.
Importance of the Going Concern
In extreme situations, such catastrophes from the unknown can have existential consequences not just for a business model, but also for going concerns. While it is imperative to protect business models, preserving the going concern is even more important, as without a going concern, a business model has no way to operate or adapt to changes.
This distinction is demonstrated by the fates of two companies. Xerox, despite the devastation of its old business model, maintained its going concern and lived to fight another day. Kodak could not sustain its going concern to have a chance to reinvent its business model. Therefore, sustaining going concerns is paramount, which requires everything needed to protect business models and more to avoid existential consequences.
Focused primarily on preventive approaches in everyday operating life, when catastrophic crises seem like an abstract concept, most businesses do not explicitly define or recognize this extreme vulnerability from the unknown. And there is little appreciation of the need for a disciplined framework to address it distinctly from preventive approaches. Thus, there are no defined parameters for what should be done to address the unknown so that it does not turn into an existential threat.
Managers who do realize such vulnerabilities try to deal with potential adversities from the unknown in a variety of ways, ranging from doing almost nothing to taking specific steps, such as business continuity plans, stress testing, scenario planning, and trend monitoring. However, without an explicit focus on the unknown, they may not realize that such steps are simply an extension of the attempts to prevent adversities arising only from what can be envisioned.
I am reminded of a recent conversation with a senior risk manager at one of the largest financial institutions. When questioned about their policies, his response was that, using sophisticated analytics in the aftermath of the 2008 crisis, they have developed clearly defined risk-appetite and risk-tolerance policies, which they believe sufficiently address extreme threats. He failed to comprehend that such policies, while critical for a disciplined risk management process, have nothing to do with what can't be envisioned and arises from the unknown. His comment reflects the false sense of security that emanates from the use of sophisticated analytics and stress testing. These are important risk management tools, but they miss the vulnerability to the unknown.
So how can threats arising from the unknown be addressed?
When managers think about the unknown, it is understandable to look for magical operating solutions that can address such threats. However, it is critical to recognize certain key limitations as to why extreme threats from the unknown can't be addressed through operating solutions.
Risk-related decision-making relies on perceived expected values of cost-benefit considerations to employ prevention and mitigation at the operating level. However, such considerations produce meaningless results in relation to perceived expected values of extreme unknown occurrences because of their ultra-low likelihood. Therefore, likelihood-based cost-benefit considerations are not useful when addressing extreme exposure from the unknown. The unknown requires thinking about the possibilities, and not just the likelihood.
The prevention-based approach, driven by perceived likelihood of events, is the only way to operate a business. However, applying prevention-based thinking to something that can't be prevented leads to absurd conclusions. Therefore, it is not possible to address the unknown in the context of operating a business with the traditional, preventive risk-management approach.
Perceived cost-benefit considerations enable operating managers to determine how much exposure may be too much, and then employ countermeasures to address what may be perceived as too much. So even without any top-down guidelines, managers can review the cost-benefit equation on their own and make operating decisions. But if a cost-benefit equation is of no use, then how do operating managers determine how much exposure to the unknown is acceptable or too much? Actually, it can't be done at the operating level.
It is for these reasons that the unknowns are ignored by operating managers. This is exposure that can only be addressed strategically and through an explicit and distinct, disciplined framework that originates from the highest level in organizations.
Since it needs to originate from the highest level, a starting point is the organization's objectives. Every organization has two primary objectives: one explicitly defines and focuses on maximizing the potential of the business model; the other, rarely stated or discussed, is about the need to always sustain the going concern. Because it is not explicitly stated, sustaining the going concern is taken for granted, with no one designated to address its vulnerability - until an unprecedented catastrophe arises.
Therefore, the framework must start by defining a clear objective to sustain the going concern. While each entity's objective has to reflect its need, the common theme must be to ensure that the going concern is always sustained in a way that provides for maximizing the potential of its business model.
The next step is to establish explicit, disciplined policies and governance guidelines to direct the organization to achieve this objective. Who is accountable for addressing such vulnerabilities? What should be the strategy to address the unknown? Reduce extreme exposure, build stronger cushions, or both? And by how much? What limits and boundaries are prudent? Which best practices produce effective results? These must cater to the entity's specific needs vis-a-vis its extreme risk from the unknown in addition to the traditional framework, which is not useful for the un-envisionable. Through such a framework, the organization's objective can be translated into operating guidelines without distracting managers from growing and running their businesses.
Such specific and clear guidelines are critical to ensure that the organization is not victimized by un-envisionable, unprecedented crises arising out of the blue, while solely focused on maximizing its business potential. The current anxiety is a good reason to start. And it must start at the highest echelon of the organization.