On January 28, 1986, the space shuttle Challenger broke apart 73 seconds into flight, leading to the tragic deaths of its seven crew members.1 As the doomed spacecraft disintegrated over the Atlantic Ocean, the paradigm of risk management shifted from reactive to proactive. Taxonomies, frameworks, methodologies and tools have evolved over time to meet the need to manage risk proactively. And while, 25 years later, the evolution of risk management has led to greater confidence in answering the reactive question, “Are we more at risk today than we were yesterday?”, we face the stark realization that we are not truly able to answer an even more important proactive question: “Will we be more at risk tomorrow than we are today?”
Realizing a collective vision to have forward-looking informative dashboards and provide confidence in assessing future risks is the work of the current generation. That makes today an exciting time for risk management. Great progress has been made so far; however, we know so much more can be done.
In this issue of The Bulletin, we will look back 25 years on how risk management has evolved and some of the lessons we can draw from the past. Then, we will look forward and envision how risk management will likely take shape over the next 25 years.
The Last 25 Years
Historically, risk management has focused on managing financial and hazard risks through hedging and insurance, along with managing operational risks such as environmental, health and safety. Focused solely on protecting enterprise value, this traditional risk management model was highly fragmented with a strong focus on achieving functional excellence. Deeply rooted in the command and control structure, the issue of silos and their potential consequences was a major underpinning of the Challenger catastrophe.
Formed to investigate the disaster, the Rogers Commission determined the accident was caused by a failure in the O-rings sealing a joint between two lower segments of the right solid rocket booster, which were meant to prevent leakage of hot gases during the propellant burn of the rocket motor. When this leakage occurred during the Challenger launch, it caused the structural failure that led to the shuttle’s demise.2 The Commission’s report pointed to the failure of both NASA and the aerospace company contracted to manufacture the O-rings first to recognize them as a problem, then to redesign them once the problem was recognized, and finally, to identify the danger, as the problem was treated as an acceptable flight risk.3 More important, there were flaws in the pre-launch process that caused launch decision-makers to be unaware of the recent history of problems concerning the O-rings and the joint. They also were unaware of the contractor’s initial written recommendation advising against launching at temperatures below 53 degrees Fahrenheit, and of the continuing opposition of the contractor’s engineers after management reversed the company’s position.4 Sadly, the rest is history.
Seventeen years after the Challenger explosion, the space shuttle Columbia disintegrated during re-entry into the earth’s atmosphere, resulting in another tragic loss of seven astronauts. The Columbia disaster was caused by damage sustained during the launch, when a small piece of foam insulation broke off the main propellant tank due to aerodynamic forces. This was not a new problem. There was a long history of external tank foam shedding. Even though early in the space shuttle program foam loss was considered a dangerous problem, it ultimately was regarded as an ongoing maintenance issue. In fact, the Columbia Accident Investigation Board noted photographic evidence of foam shedding for 65 of the 79 missions prior to the fatal flight.5
Both space shuttle catastrophes illustrate the phenomenon of accepting events that are not supposed to happen – or what is technically known as the “normalization of deviance.” For example, flight seals had shown erosion and blow-by on flights prior to the Challenger incident. Because erosion and blow-by were unexpected in the design, they were early warnings that something was askew. The O-rings were not designed to erode, so erosion was a clue that there was a problem. If a reasonable launch schedule were to be maintained, engineering often could not function quickly enough to keep up with the expectations of originally conservative certification criteria designed to guarantee a safe vehicle. In these situations, subtly, and often with apparently logical arguments, the criteria were altered so flights could still be certified in time to authorize launches of the spacecraft. These flights therefore flew in a relatively unsafe condition with a chance of failure; although very low, the potential for disaster existed nonetheless. This is exactly what happened with the foam shedding that ultimately spelled the end of Columbia; it, too, evolved into an “in-family”6 event or a non-safety-of-flight issue that was believed not to pose a threat to the crew or spacecraft. Accordingly, it was deemed an acceptable risk and, therefore, a maintenance issue.7
The issues affecting the space shuttle program frame a formidable dilemma facing business organizations. As globalization intensifies; as the speed of business increases; as the displacement effect of new technology magnifies; as competition fuels the drive to “better, faster and lower cost”; and as the era of involuntary transparency accelerates through social media, new whistle-blowing channels and the WikiLeaks phenomenon; business becomes increasingly complex and more risks emerge. As management and boards struggle to keep pace with new market developments, the trade-offs considered in decision-making processes tend to de-emphasize the so-called “high-impact, low-likelihood” risks because of the low probabilities involved and the false sense of security arising from the lack of historical precedent for failures. The irony is that these unlikely events are often the ones that cause the most damage if and when they occur. A reliable assessment of likelihood is almost impossible without a detailed loss history or an understanding of the cause-and-effect interrelationships among multiple possible future events. Therefore, the decision-making process may be missing vital pieces of the puzzle.
Over the past 25 years, we can point to similar high-impact, low-likelihood events that literally “stopped the show” for organizations experiencing them. The Exxon Valdez crisis in 1989, the enormous financial derivatives losses of the 1990s by different companies (as much as US$1 billion in some cases), the spectacular failure of Long-Term Capital Management in 1998, the devastating terrorist attacks of September 11, 2001, the fallout from Hurricane Katrina in 2005, the Deepwater Horizon Drilling Rig explosion in the Gulf of Mexico and the flooding in Australia in 2010, and the more recent tragedy in Japan are examples of dramatic, unexpected events that have taken place during the last 25 years.
The past quarter-century also has been marked by unprecedented change in fundamental business and societal models (e.g., the end of the Cold War, globalization, the war against terrorism, the advent of social media, the intensifying debate over climate change and the emergence of regime change in the Middle East, to name a few) that have raised the bar on the importance of being more informed about, and responsive to, changes in an organization’s risk profile. The last decade, in particular, has been besieged by high-profile business scandals and financial failures, sparking unprecedented regulation and providing some valuable lessons for risk management.8 There has never been a greater need to access the data – both internal and external – necessary for understanding and managing risk better.
During the last 25 years, we have seen risk management evolve to a more holistic view that portrays an enterprise risk profile designed to help management and directors understand the full array of risks the organization faces. While the process of updating the risk profile helps executives answer the question, “Are we more at risk today than we were yesterday?”, progress has been curtailed by a continued emphasis on fragmented silos. The lack of effective measurement and monitoring of risks, as well as the need for a common definition of risk management, are also inhibiting factors. Risk management capability, in general, is still relatively immature. And due to the absence of one or more “conditions precedent,” which we will discuss later, the experience in applying enterprise risk management has been uneven at best, since no one can agree on what it really means.
Today, the good news is that risk management has made its way onto the agendas of executive management and boards of directors as a critical discipline and necessary part of good governance. This is a base we can build on as we go forward, because this heightened level of importance at the highest levels of organizations will accelerate improvements in risk management in the future.
The Next 25 Years
We can expect the next quarter-century to produce two broad trends in the pursuit of answers to the question, “Will we be more at risk tomorrow than we are today?” The first will be greater integration of risk management into an organization’s fundamental management practices. The second will be significant advancements in measuring and monitoring risk. Both trends are discussed in detail below.
Integration of Risk Management with Core Management Processes
The ultimate destiny for risk management is maximizing its relevance by integrating risk and risk management with what really matters in running the business. Several developments will make this happen in the future:
- More explicit recognition of the vital “conditions precedent” in executing the governance process – Effective governance will be about balancing entrepreneurial opportunity-seeking activities for creating enterprise value with the appropriate control mechanisms for protecting enterprise value, so that neither one is too disproportionately strong relative to the other. The speed at which business will be conducted in the competitive environment necessitates that there will be times when the brakes must be tapped and strategies and plans revisited. While this has always been the case, in the future, boards and executive management will need to work even harder at cultivating an environment that encourages managers to raise their hands at crucial moments when strategic assumptions are no longer valid, when significant disagreements exist among multiple constituencies over competing metrics (e.g., budget and on-time delivery versus safety issues), or when critical risk tolerances are either near their limits or exceeded.
If the financial crisis taught us anything, it is that there are several critical “conditions precedent” that must be in place for risk management to be effective in achieving the necessary balance. These are a fully engaged board, a “bought-in” chief executive officer, an open and transparent culture, a compensation structure that balances the short- and long-term and, most important, the will and discipline to act in a contrarian manner when warning signs signal danger.
- Integration of risk with strategic planning and business planning – The ad hoc integration of risk assessment with strategy development and business planning will evolve over the next 25 years into a mature process for the most successful companies. The key to this evolution will be structuring risk assessments according to the unique characteristics of the risks being assessed.9 The planning process will more effectively define the soft spots, loss drivers and incongruities inherent in the enterprise’s strategic objectives that could dramatically affect performance and adversely impact execution. These risks will raise important points of focus, providing greater assurance that the appropriate risks are being considered.
As the pace of change increases, experience gaps in risk management capabilities will arise. Therefore, management will have to spend more time in the initial assessment phase not only identifying risk, but also understanding its sources and consequences. Traditional risk assessment approaches will lose their value over time and be replaced with more sophisticated assessment techniques to provide the insights management needs regarding strategic uncertainties. This trend will entail breaking down “silo thinking” internally and looking outside the organization more frequently for insights regarding the implications of changes in the risk profile.
- An ongoing, explicit risk appetite dialogue – Once critical risks are identified, successful companies will have a process in place for defining the level of risk the enterprise is willing to accept in pursuing its strategy. They will use this risk appetite statement as a benchmark for ongoing dialogue between management and the board. While many struggle with defining risk appetite today, the dialogue between the board and management will cover topics such as the maximum acceptable level of performance variability in specific operating areas; policy prohibitions needed to establish behavioral boundaries and clarify risks to be avoided; targeted financial and operating parameters within which the business model should operate; periodic upside/downside debates on significant matters; the risks and assumptions inherent in the corporate strategy; and the implications of changes in the business environment on the core assumptions inherent in the strategy, including the desired risk appetite. Over the next decade, many companies will discover that risk appetite is not a meaningless theoretical exercise, but rather an effective means by which management and the board can get on the same page in the strategy-setting process.
- Formal monitoring of the environment for changes in one or more critical assumptions underlying the corporate strategy – The two activities of strategy-setting and risk assessment will facilitate a more explicit articulation of critical strategic assumptions. Once these underlying assumptions are understood, management will be able to use intelligence gathering and scenario analysis to “reality test” them. Intelligence gathering activities will focus on monitoring relevant key factors and trending metrics to ascertain whether critical assumptions remain valid over the planning horizon. Should the validity of one or more assumptions come under question, it will be cause for management to revisit the strategy.
This forward-looking process can position the organization to attain “first mover” status when a strategic inflection point10 exists and the company’s market position could be harmed significantly if the imminent opportunity is not recognized and acted upon on a timely basis. Such inflection points can arise as a result of any number of factors, including technological advancements; new market entrants; significant changes in financial markets; a major product launch; a decision to enter untapped markets; pursuit of a major acquisition in a different line of business; or a major product or process failure.
- More effective intersection between risk and crisis management to drive better preparedness – The maxim of “sooner or later, every company gets tested” will become generally accepted in the future, if it isn’t already. As risk identification and likelihood assessments become more complex as sources of risk expand, it will be evident that the improbable event often matters most. Accordingly, more companies will consider velocity of impact, persistence of impact, and response readiness when evaluating low-likelihood risks in order to provide greater insights to management on where to improve preparedness. The speed and quality of the enterprise’s response to a crisis will often determine the speed and quality of its recovery. Preparedness is the name of the game. Therefore, building a rapid response crisis management capability is a management imperative for unlikely risks with a high velocity and reputation impact. More insightful risk assessments will help identify areas where preparedness is more critical, particularly when information about risk is scarce. Scenario planning and crisis response will be explicit parts of the “risk enlightened” business planning process.
- Recognition that an end-to-end extended enterprise view of the value chain is vital to managing risk, requiring consideration of upstream and downstream relationships – The past 25 years have blurred boundaries among organizations, such that an enterprise is almost always “boundaryless.” Globalization, outsourcing, increased cross-border sourcing, information technology and shared services centers have encouraged many organizations to consolidate facilities and streamline processes to eliminate nonessential and redundant activities, as well as to focus and automate remaining activities. The successive waves emphasizing total quality management, process re-engineering and Six Sigma process improvement have created a bias for strong supplier and customer relationships and tight coupling within supply chains and distribution channels to drive costs out of processes and products. Decisions to favor a sole-source or single-source strategic supplier over multiple suppliers involve trade-offs in which quality, time and cost considerations often win out over business continuity considerations. The supply chain disruptions resulting from the combined effects of the earthquake, tsunami and nuclear crisis in Japan clearly illustrate that these trade-off decisions are not without risk. If the focus on lean manufacturing leads to empty or minimal inventory buffers, disruption risk increases. During the next 25 years, the companies that manage risk using an end-to-end enterprise view of the value chain will be far more successful than those that do not. This means looking upstream to supplier relationships, including the tiers of suppliers supporting critical suppliers, as well as downstream to channels, customer relationships and even the ultimate end users – not to mention the transportation systems connecting all of these vital components – to identify the most critical risks and the impacts of changing conditions.
The emphasis will be on evaluating the velocity, persistence and response readiness of the enterprise in the event of loss of any significant aspect of the value chain. As the speed of business continues to increase, the risk of business interruption will be a more significant issue to executive management and the board of directors.
- Continued expansion of risk management disclosures, with the market rewarding companies demonstrating capability to deploy risk management as a differentiating skill – The risk factor, financial reporting footnote, proxy and other disclosures that exist today are likely to expand further. Savvy investors will recognize that, over the long-term, protecting enterprise value is as important as creating it. The market will reward those companies able to increase the transparency of risk within their strategy and extended value chain and quickly identify and respond to changes in the environment that alter their risk profile.
Advancement of Risk Measurement and Monitoring
The future will be full of innovation and change. We see several developments that will help advance risk measurement and monitoring capabilities:
- Integration of risk management with performance measurement and reporting – The most successful companies will effectively consider two critical sources of inputs in the determination of key metrics and targets. First, they will consider the strategic aspirations, differentiating capabilities, and infrastructure needed to deliver those capabilities, as articulated by the strategy. Second, they will consider an understanding of the risks inherent in the strategy along with the company’s risk appetite. The combined perspective of strategy and risk is important because, once it is factored into the setting of key metrics and targets, risk management begins to intersect with performance management. We envision a more refined process of selecting key performance indicators (KPIs) and key risk indicators (KRIs) to create a single family of metrics for monitoring execution of the strategy.
KPIs are measures of performance developed to monitor progress toward the achievement of the strategy and the ultimate creation of stakeholder value. They are the primary means for communicating business results across an organization. KRIs provide lead and lag indicators of critical risk scenarios related to the sources and consequences of risk, resulting in a more balanced mix of forward-looking indicators to complement the usual metrics around customer satisfaction, quality, innovation, time and financial performance. As more companies adopt KRIs, benchmarking through independent studies will be possible and will facilitate further refinements over time.
- More effective cascading of risk tolerances into the business using a scorecard of lead and lag indicators – The most successful companies will define risk tolerances that fall within the scope of their established risk appetite. Today, this is difficult for most organizations to do. It doesn’t need to be. Successful companies will not only understand their most critical risks, they will articulate risk tolerances they can drive into their operations to establish stronger accountability and discipline throughout the enterprise.
- Continued evolution of risk quantification techniques by leveraging enterprise data availability and increasingly sophisticated measurement tools made possible by leaps in computing speed and storage – Simulations such as Monte Carlo analysis will be able to run in many more iterations than are practical today. Such models will be applied in a systematic, comprehensive risk assessment and fully supported by senior management, as the volatility of an ever-changing business environment continues to make a single-point (or deterministic) view of the future useless in the planning process. The implications of leaps in computing speed and storage may make looking at and evaluating things such as contagion risk and correlation, which are so challenging to evaluate today, commonplace in 25 years. Of course, the availability of myriad data does not undermine in any way the importance of ensuring quality inputs to avoid the “garbage in – garbage out” dilemma affecting the models used to quantify risk.
- Further progress in monitoring performance and risk – We envision further progress in using more technology capabilities in monitoring performance and risk, mining data, gathering intelligence, and establishing automated escalation triggers. The focus will be on leveraging the data and information aggregation capabilities of financial consolidation, budgeting, planning, forecasting, and data warehousing software, while addressing additional needs with new technologies in other areas, such as balanced scorecards and advanced analytics and modeling. The value proposition of monitoring capabilities will increase dramatically through the influx of more forward-looking lead indicators made possible through convergence of performance and risk management. Only time will tell whether a single software package will be able to effectively deliver all of these capabilities.
- The emphasis will be increasingly forward-looking – Many measurement models exist, each with their own challenges and limitations, such as economic capital, regulatory capital, and internal capital models, among others. We expect further improvements on definitively measuring risk, simplifying it, and making it more concise, transparent, practical, cost-effective, scalable, flexible and decision-useful. This will be the focus for the next decade at all levels, including executive management, the board of directors, unit management and key stakeholders.
- Progress in measuring the value of risk management – A key ongoing challenge of risk management is how to measure the “loss not taken.” This is one reason why risk has not been valued as much in the past. Risk is always on offense, looking for weaknesses to exploit. When bad things happen, risk management is considered a failure. When risk management prevents unacceptable losses, no one knows. The measurement of “losses prevented” is the “Holy Grail” for risk management executives, making it truly aspirational as we look forward. If we can figure this problem out, the true “value” of effective risk management can be separated from luck or good fortune. While some progress has been made on near misses, measuring the value of risk management is an area still very much in its infancy.
As the financial crisis taught us, speed matters. Hundred-year-old companies can evaporate or become nearly extinct in a matter of days – all due to loss of market confidence and reputation. At the same time, speed is what enables businesses to gain competitive advantage by adopting first mover status. Make no mistake, first movers will be the ones who endure and prosper over the next 25 years.
The future of risk management looks exciting. We’ve come a long way over the last quarter-century; however, there is much to be done in the next 25 years. While we envision execution catching up with theory, we also expect risk management capabilities to mature in terms of helping companies become more forward-looking.
We believe the most successful companies will set the trends in integrating risk management into their core management processes and advancing risk metrics, measures and monitoring. These companies will achieve superior performance relative to their competitors by positioning themselves to more effectively answer the vital question: “Will we be more at risk tomorrow than we are today?”
1Space Shuttle Challenger Disaster.
2Report of the Presidential Commission of the Space Shuttle Challenger Accident, 1986, Volume 1, Chapter 4, page 72.
3Ibid., Volume 1, Chapter 6, page 148.
4Ibid., Volume 1, Chapter 5, page 82.
5Columbia Accident Investigation Board, 2003, Chapter 6, pages 121-122.
6As defined by the Columbia Accident Investigation Board, a reportable problem that was previously experienced, analyzed and understood.
7Ibid., pages 122 and 130.
8See Issue 6 of Volume 3 of The Bulletin, “Ten Common Risk Management Failures and How to Avoid Them.”
9See Issues 2 and 3 of Volume 4 of The Bulletin, “Making Your Risk Assessments Count: A Strategic Perspective” and “Making Your Risk Assessments Count: An Operational and a Compliance Perspective.”
10This term was coined by Andy Grove in his book, Only the Paranoid Survive, 1996.
The Bulletin (Volume 4, Issue 6)