June 25, 2018
Why Risk Management Is a Leadership Issue
Ten or 15 years ago, no companies had a chief risk officer. Risk was barely mentioned. Today, risk has to be on every board's agenda.
From product scandals to data breaches to natural disasters, companies are dealing with constant risk. But how they prepare for those risks can make the difference between riding the roughest wave — or drowning in it. The field of risk management, once an afterthought for many companies, is getting renewed attention with a new book by two Wharton professors who want to help business leaders think more deeply about worst-case scenarios. Michael Useem, management professor and director of the Center for Leadership and Change Management, and Howard Kunreuther, professor of operations, information and decisions as well as co-director of the Risk Management and Decision Processes Center, recently spoke with the Knowledge@Wharton show on SiriusXM channel 111 about their book, Mastering Catastrophic Risk: How Companies Are Coping with Disruption.
An edited transcript of the conversation follows.
Knowledge@Wharton: How did the two of you come to collaborate on this book?
Useem: If you think about the two terms that Howard has referenced, risk and leadership, they go together in this case. Often, we think of those as something separate. Risk — we’ve got to be analytical and disciplined, and it’s often technical. Leadership — it’s all about having a vision and setting a strategy. But we concluded, after talking with quite a few people and companies’ directors, executives and senior managers that the time has come for the conjoining of these two terms. Many companies now are self-conscious about appraising risk, measuring risk, managing risk and ensuring the company is ready to lead through a tough moment the risk has caused.
Knowledge@Wharton: Is this a recognition that has developed recently, compared with the executive mindset of the 1950s, ’60s, and ’70s?
Useem: Yes. I think what really got us going on the book in terms of the timing is exactly what you’ve referenced. Ten or 15 years ago, no companies had a chief risk officer. Risk was barely mentioned. The term “enterprise risk management” (ERM) was not even around. But if you look at any trend line out there, what do people worry about when they get together at watering holes for senior management? Risk now is on the agenda just about everywhere, for good reason: Because the risk that companies have faced in recent years has gone up. The catastrophic downside of big risk also has increased. More risk, more downside, more people are paying attention.
Kunreuther: One of the really interesting issues associated with the study and our interviews with senior management is that, before 9/11, there was very little emphasis by the firms on low-probability events — the black swan events. Starting with 9/11 and continuing through to today, these issues now have become more important, and black swans are now much more common than before. As a result, firms are paying attention. When we interviewed people, they were very clear with us that now that the events have occurred, they are putting it high on the agenda. As Mike has indicated, the boards and all of senior management are now paying attention to it, so it’s a big, big change.
Knowledge@Wharton: Certainly, 9/11 was an impactful event on the country, but it was followed a few years later by the Great Recession. How did that change the view of risk?
Useem: We raised the question in these in-depth interviews with people inside the company, whether on the board or in the management suite, and they consistently said that four events became a wake-up call or an alarm bell. First, 9/11 got us thinking about the unthinkable. A couple of hurricanes came through, including Sandy, which was a huge event. The recession or the near-depression back in 2008, 2009. Who thought that the Dow was going to lose 500 points in a day? Who thought Lehman was going to go under? But it all happened. And finally, the events in 2011 in Japan with the enormous tsunami after a 9.0 earthquake that left probably 25,000 people dead and set a fire in a nuclear plant.
Even if you were a company that was not touched, just look at the four points on a graph. The costs are high. Many companies are impacted. Everybody thought, let’s get on with enterprise risk management. Let’s make it an art.
See also: How to Improve ‘Model Risk Management’
Knowledge@Wharton: How have business leaders changed their thinking about risk management because of those four events?
Kunreuther: Leaders are now saying, “We have to put risk on the agenda. We have to think about our risk appetite,” which they hadn’t thought about before. “We have to think about our risk tolerance.”
Financial institutions played that role, and they were very clear about that right after the 2008-2009 debacle. They had to ask themselves very explicitly that question. But I think this is now much broader than that. Leaders have recognized that they also have to think longer-term. This is one of the issues. We have a framework that we’ve developed in the book that tries to combine some of the work that has come out of the literature that Daniel Kahneman has pioneered on thinking fast and slow — by indicating that intuitive thinking is the mindset that we often have. Thinking myopically. Thinking optimistically. Not wanting to change from the status quo. Leaders have now recognized that they have got to put on the table more deliberative thinking and think more long-term. That is a change, and they tie that together with risk.
One of our contributions, with respect to the book, is to try to put together a framework that really resonates with the leaders and the key people in the organization so that they can respond in a way that makes sense.
Useem: We asked a lot of people who are in the boardroom, if they go back 15 years, was risk, cyber risk or catastrophic risk in board deliberations? The answer typically was no. Ask the same people about today, and they say, “Of course.” We watched with horror what has happened with some of the cyber disasters at Target and elsewhere, and no board worth its pay is these days unconcerned about risk. Now, you’ve got to be careful. The board works with management, sets the vision, does not micromanage. But what boards are increasingly doing is saying to management, “Let’s see what your risk tolerance is. Let’s see what your risk appetite is. Let’s see what measures you already have in place. Nobody wants to think about the unthinkable, but let’s think about it.”
Knowledge@Wharton: The fake accounts scandal at Wells Fargo and the emissions controversy at Volkswagen are two recent examples of risk that you document in the book. Can you talk about that?
Useem: We don’t mean to pick on any company, and we don’t mean to extol the virtues of any company. But we can learn from all. Howard and I took a look at the events at Wells Fargo, which were extremely instructive. No. 1, the company put in very tough performance measures. They told employees, you’ve got to get results, otherwise you’re not going to be here in 12 months. But there was not a recognition that very tough performance indicators without guardrails against excess of performance was a toxic mix. We’ve seen what happened to Wells Fargo. They’ve paid billions in fines. The Federal Reserve has a stricture right now that Wells Fargo cannot accept one more dollar in assets until it can prove to the Fed that it has good risk measures in place.
We also document in the book the events with Volkswagen, which had the so-called defeat devices intended to report if a VW vehicle was brought in for an inspection, that the emissions were meeting U.S. standards. In fact, the software just simply was fooling the person looking at the dials. That, apparently, went all the way up to the top. We’ll see what’s finally resolved there.
Wells Fargo and Volkswagen took enormous hits in terms of reputation, brand, stock price and beyond. We also document a bit the BP problems in the Gulf…. They’re instructive.
Kunreuther: We didn’t interview anyone with respect to Volkswagen, but we did have public information, and it’s included in the book. The reason that we felt it was so important is that VW felt that this was a low-probability event that they would be detected, and they put it below their threshold level of concern. They emphasized the optimistic part of this, which was to say, “Let’s see what we can do as a way of really improving our bottom line.” What we do in the book is give a checklist to people, to companies and to individuals. We see it as a broad-based set of checklists on how they can do a better job of dealing with that.
What we really say is: Pay attention to these low-probability events. If you think not only in terms of next year but over the next 10 years, what you can see as a very low-probability event would actually be quite high over a period of time. If you begin to think long-term, which is what firms want to do, you pay attention to that.
Knowledge@Wharton: There’s such an economic impact on the company when these issues can’t be resolved quickly. Toyota, for example, has been dealing with its airbag problem for several years.
Kunreuther: You tie the issue of getting companies and directors to pay attention to the low probability, and then you say to them, “Construct a worst-case scenario.” Put on the table what could happen if it turns out you were discovered, or if there is an incident that occurs, or an accident, as Mike was saying on the BP side. What’s going to happen to the company? What will happen to its reputation, its survival, its bottom line? Our feeling is that, if you can begin to get people to think about the appetite and tolerance in the context of these low probabilities that could be quite high, then I think you have an opportunity for companies to pay attention. And they’re doing that, as Mike and I have found out in our interviews.
Knowledge@Wharton: What about when the disaster is a natural phenomenon, such as the volcanoes in Hawaii and Guatemala? Companies have to be prepared, but they can’t control what happens.
Useem: As we’ve watched the events unfold in Hawaii and Guatemala, it’s a great warning to us all that the impact of natural disasters worldwide is on the rise. There’s just no other way to describe it except a graph that’s going up, partly because people are living closer now to some of the places that historically are seismic. Hurricanes are possibly being intensified by global warming. There are more people along the Florida coast. All that being said, natural disasters are obviously in a much bigger class of disasters.
[Since] we wrote this book for people to be able to think through their own catastrophic risk management, we offered [examples] from the experience of other large companies, mainly in the U.S. We have a couple of German companies that we focused on: Deutsche Bank, Lufthansa and so on. We suggest that the vigilant manager, the watchful director, ought to be mindful of 10 separate points. One is, be alert to near-misses. What we mean by that is, “There but for the grace of God go I.” If I’m an energy producer, watch what happened to BP in the Gulf. Let’s learn from what they went through.
The A-case for me is Morgan Stanley, which had been in the South Tower of the World Trade Center when 9/11 hit. Because of the events eight years earlier — in 1993, a bomb had gone off in the basement of the World Trade Center — the risk officer at Morgan Stanley said, “Who knows what else might happen? That was a near-miss.”
Rick Rescorla, [vice president for corporate security,] insisted that Morgan Stanley every year practice a massive drill of evacuating the tower. When 9/11 occurred, the North Tower was hit first. Morgan Stanley is in the South Tower. Rescorla said, “Let’s get out of here,” and he managed to evacuate almost all 4,000 people. He was one individual who did not get out. He went back in to check. He is a hero for Morgan Stanley and many other people, but the bigger point taken from that is: Learn from the world around us, because these developments are intensifying. The threats are bigger. The downside is more costly.
See also: 3 Challenges in Risk Management
Kunreuther: Near-misses are important in any aspect. But the other point that I think is important for today is another part of the checklist: Appreciate global connectedness and interdependencies. That point really became clear with Fukushima and with the Thailand floods. We asked each company what was the most adverse event that they faced? They had the complete freedom to say anything they wanted. The death of a CEO could have been one. Kidnapping was another. But as Mike indicated earlier, Fukushima was a critical one, and so were the Thailand floods. These were companies in the S&P 500, but they were concerned about how they were getting their parts, so supply chains were very important. They recognized after Fukushima that they were relying on a single supply chain that they couldn’t rely on for a time.
Knowledge@Wharton: How can a company prepare for the unexpected death of a CEO?
Useem: From looking at the companies that are pretty far into it, all we’re calling for is getting those risks figured out, then having in place a set of steps to anticipate. It’s like insurance. The best insurance is the one that never pays off because the disaster has not happened. The best risk management system is the one that’s not invoked.
In the book, we get into the events surrounding a fatal Lufthansa crash. Within minutes, they were in action. Within minutes, they had called the chancellor of Germany. Within minutes, they had people heading to the scene, not because that’s what they do but because they had thought about the unimaginable, and they had in place a system to react quickly. You have to deal with an enormous amount of uncertainty when disaster strikes. Premise No. 1: Be ready to act. Premise No. 2: Be ready to work with enormous uncertainty, but don’t let that pull you back from the task ahead.