Most corporate risk managers today are finding they’ve got a higher profile than ever before. The reason is painfully obvious: Risk itself has a more prominent place on the corporate agenda. In a world where customer loyalty is plummeting, new forms of competition are multiplying, deregulation and globalization are making the environment more complicated and unpredictable than ever, and outside forces from political upheaval and terrorist threats to technological change are repeatedly disrupting “business as usual”–in such a world, risk is no longer the province of a few specialists. Instead, it’s near the top of the list of high-priority issues for virtually every manager.
But these new realities don’t make your job as a risk manager any easier. They may help you capture your boss’s attention. But they don’t tell you how to launch a focused, productive conversation about risk that can help your company prepare for the (almost) unforeseeable threats you face today, tomorrow, and the day after that. In this article, we’ll offer three tips about how to start that conversation, using the new-found salience of risk as a springboard for changing how your company thinks about and deals with uncertainty.
Tip #1: The world has handed you a broader mandate–use it!
Not so long ago, in corporate circles, “risk” was seen as being chiefly about compliance issues: What must we do to keep the SEC off our backs? To get approval from the FTC for our planned merger? To make sure we’ll be covered by insurance in the event of some kind of disaster? To meet the tough new rules mandated by Sarbanes-Oxley? But risk isn’t just about compliance any more. Today, it’s about the new world of strategic risks that threaten your company’s business plan–and that have already brought down a host of once-great companies in almost every industry sector.
In our new book The Upside, we explain the seven major kinds of strategic risk that every business needs to know about and prepare for: project risk (when your next big initiative fails); customer risk (when customers abandon you); transition risk (when unexpected changes in technology or business design undermine your company); unique competitor risk (when a Wal-Mart rides roughshod over your industry); brand risk (when your brand becomes irrelevant or unappealing); industry risk (when your industry becomes a no-profit zone); and stagnation risk (when growth grinds to a halt). These seven threats cover the gamut of risks that can destroy most companies’ business designs–and they represent the kinds of risks that every corporate risk manager needs to have on his or her radar screen.
Tackling this new, broader risk mandate begins with taking a close look at your business’s current risk story. Consider each of the seven varieties of strategic risk, and examine how each one applies to your company. Remember, strategic risk isn’t a matter of black-and-white. Each type of risk exists on a spectrum, from the most extreme to the least extreme–just as the risk of an earthquake may range from a devastating quake measured at 8.0 on the Richter scale (which can destroy entire communities and cause hundreds of deaths, as happened in San Francisco in 1906) to a mild shock with a Richter measurement of 5.0 or less (which might merely shatter windows and crack walls in buildings near the epicenter of the quake).
For example, industry risk may take an extreme form, in which case an entire industry may be transformed into a no-profit zone, as occurred in the airline industry during the past twenty years. Or it may be milder, as when an industry suffers eroding profit margins due to increased R&D costs (as in pharmaceutical development) or rising capital costs (as in semiconductors). You can think about the risks you face all along this spectrum, with the severity of the risks requiring different levels of response and preparation.
Start the conversation inside your company by educating your boss and your colleagues about the new world of strategic risk. Discuss the seven types of risk and look at an example or two for each one. Chances are good that you’ll see heads nodding around the table within a few minutes of launching the discussion. (In their guts, most managers understand how their businesses are threatened by strategic risk, even if they may never have used the precise term before.) After half an hour, you’ll be well on your way to redefining risk in the new, broader terms that today’s challenging business environment demands–the essential first step in getting your company ready to master the risks it faces and even transform them into opportunities.
Tip #2: Get people talking up and down the corporate hierarchy.
Convincing your C-level executives of the importance of a new, broader approach to risk is a crucial first step. But it’s equally vital to expand the conversation to include people at many levels within your organization. The challenge of identifying, measuring, monitoring, minimizing, and reversing the strategic risks your company faces can’t be successfully met until middle managers in every corporate department are involved.
There are many reasons why drilling down through the organization is so essential when you’re trying to launch a conversation about risk management. Front-line managers are closest to the realities of the marketplace, fielding customer complaints, tracking competitive initiatives, and dealing with suppliers, distributors, and other players throughout the value chain on a daily basis. As your company’s eyes and ears, they are the ones most likely to be the first to recognize tomorrow’s threats in time to respond, as well as the ones most likely to see the opportunities bundled with the risks. And of course, middle-level leaders will be charged with implementing the risk management moves developed by the company. If they don’t understand or support the initiatives, nothing meaningful will happen.
A recent paper published by Babson Executive Education describes the frustration that can arise when middle managers are reluctant to buy into a company’s risk management strategy. The company in question is Harrah’s, the casino firm that has become the paradigm of knowledge-intensive risk management:
“Harrah’s has developed a centralized real-time yield management system for all of its hotels that needed to be sold to property managers. . . . When a customer calls for a reservation, the system’s algorithms weigh a number of variables and data . . . to calculate a price to offer to the customer. The system almost always produces higher revenues for individual properties when it is employed. Yet property managers usually have to be convinced the system is more effective than traditional approaches to yield management and local decision making [emphasis added].”
As the Harrah’s story suggests, your middle-level managers have an effective veto power over whatever risk management system your company’s top leadership creates. If the people in the middle don’t buy it, it won’t happen. In some cases, they may prevent it from being implemented by refusing to follow the system (as some Harrah’s managers did). In other cases, they may block its effectiveness by failing to participate in the discovery, gathering, combining, sharing, and analysis of information needed to keep the risk countermeasures up to date and accurate. Either way, the best intentions of senior management will not get executed.
The moral: As early as possible, involve middle managers in talking about the risks your company faces and the best strategies for overcoming them. The process can start with a few key managers who could play important roles on a task force or project team charged with developing a company-wide risk-management system. Later, these early allies can help you spearhead an educational program that will transmit the new ideas to every corner of the company.
Tip #3: Work to make risk monitoring, reporting, planning, and remediation a part of every manager’s job description.
Unfortunately, the culture and communications systems of most companies actively discourage middle managers from contributing to risk assessment, mitigation, and response. Companies tend to punish those who deliver “bad news,” which is often viewed as “negative,” “pessimistic,” “defeatist,” or “discouraging.” As a result, unfavorable developments from the outside world end up taking longer to reach top management’s attention, or they take top leadership by surprise, despite the fact that managers at lower levels were aware of the looming problems for months.
Other cultural biases further impede a realistic approach to risk. Over-valuing confidentiality and secrecy, many companies try to restrict the flow of information that’s deemed sensitive, even internally. In combination with the traditional silo-like structure of many corporations, this tendency produces cadres of managers who are well-informed only about their corners of the business and therefore are unable to “connect the dots” that might generate a larger, more informative, and more actionable picture of how the company’s world is changing.
Silo structures impede broad-based risk management in other ways. Most companies incentivize managers based largely or even entirely on departmental or division performance. And job promotions, of course, are driven mainly by the perceived success of a manager’s own group. This is logical and to a degree unavoidable, but the sense of inter-departmental competition it sets up inevitably reduces the willingness of managers to share information and ideas. The result isn’t always data hoarding, but the energy that managers apply to cross-fertilization of knowledge is, at least, drastically diminished.
Overcoming these common cultural constraints takes time as well as plenty of deliberate, conscious effort. As your company’s designated expert on risk, you have the leverage to play the decisive role. Start by getting your top executives’ buy-in to the importance of the new view of strategic risk. Once they hear the company’s leaders talking openly about the threats you may face, employees further down the line will realize they have permission to confront the same issues honestly. This will go a long way toward breaking down the cultural taboos that formerly silenced such discussion.
Then push to develop formal processes for surfacing your company’s biggest risk issues, developing strategies for addressing and reversing them, and monitoring progress. The old saw, “What gets measured, gets done,” is as true today as it ever was. Once strategic risk has a standing place in the agenda of your company’s periodic process of self-assessment and goal-setting, it will be much harder for managers to overlook it in the future.
The world of risks that today’s corporations face can seem a scary place. But the spreading awareness of these dangerous new realities creates a powerful opportunity for risk managers. Now is the time to start planning the steps you’ll use to take advantage of that opportunity and help your company get ahead of the risk curve.
Adrian J. Slywotzky–cited by Industry Week as promising “to be what Peter Drucker was to much of the 20th century, the management guru against whom all others are measured”–is a director of Oliver Wyman. He is the author of the bestselling The Profit Zone (selected by BusinessWeek as one of the ten best books of 1998), Value Migration, and How to Grow When Markets Don’t. He has also been published in the Harvard Business Review and the Wall Street Journal and has been a featured speaker at the Davos World Economic Forum, the Microsoft CEO Summit, the Forbes CEO Forum, and the Fortune CEO Conference.
Karl Weber is a freelance writer and editor who has collaborated with Adrian Slywotzky on several books and worked with such authors as former president Jimmy Carter, Loews Hotels CEO Jonathan Tisch, UN ambassador Richard Butler, and representative Richard Gephardt.