How Covid-19 has underscored the failures of Effective Risk Management (ERM)
The COVID-19 pandemic has highlighted a serious failure in risk management: A lack of 'out-of-the-box' thinking and anticipation in ‘what if’ scenario planning.
“Americans only change from catastrophe, not from experience”
– President Theodore (Teddy) Roosevelt
COVID-19 is the latest, but perhaps the most extreme example to date, of the failure of risk management as a result of the profession’s chronic case of blinkered myopia.
Take for example the 911 terrorist attacks on the World Trade Centre’s twin towers in 2001. In a spectacular failure of anticipation and ERM, only one of the two twin towers was covered for loss, as ‘experts’ believed that the collapse of both towers simultaneously was simply too far-fetched to be worth insuring against. With the benefit of hindsight and the knowledge of the nature of the terrorist attack, it was always likely that both towers would be vulnerable, if one was. The broader question should have been, what event (structural, seismic, terror, etc) could result in one tower failing? And if so, how would that change the odds of the second tower also failing?
On a commercial basis the application of risk management is supposed to elevate this practice to a higher professional level and apply robust approaches to anticipate significant business and operational threats and assess the value of avoiding, or at least mitigating the consequences of them in advance. Unfortunately, plenty of evidence suggests that the RM profession has fallen well short in this respect. For such an important and potentially critical issue with massive cost implications, this is simply unacceptable for any major enterprise and its shareholders in today’s increasingly unpredictable world.
There’s little doubt that professional risk management is useful for managing familiar and recognisable commercial risks. Typically these tend to be close to home, such as re-insurance, hedging currencies or future oil contracts. The more apparent and predictable the risk based on past experience, the better it is anticipated and handled. What the industry is demonstrably poor at however, is assessing out-of-left-field threats and ’black swans’. A case in point is the present COVID-19 crisis and its profound commercial ramifications around the world.
This sort of unpredictable systemic risks is on a scale, and the implications so profound that they are implicitly off-loaded by businesses to governments and supra-national organisations (WHO, World Bank, IMF, etc). Consequently, they are often simply ignored by industry as ‘out-of-scope’ from their ERM planning. This might make sense if the event is cataclysmic and unaddressable such as an existential threat from an epoch-ending meteor strike. But when the threat is real and in plain sight, as well as openly forewarned – as the coronavirus pandemic or an impending climate disaster has been – it is usually a case of ‘out of sight – out of mind’ and someone else’s problem. Why this is and how the issue can be fundamentally improved, is a critical concern in today’s volatile and unstable world.
Other examples that could have been anticipated and effectively scenario planned include;
- The Barings Bank rogue trader collapse
- BP’s Deep Water Horizon disaster
- The sub-prime crisis and the collapse of Bear Sterns & Lehman Brothers
- The Fukushima tsunami nuclear disaster.
Let’s start with some possible reasons for this systematic negligence
In fairness, it’s easy to be a critic after the event, but sticking your neck out ahead of time risks being labelled a Casandra or looking foolish, unless and until the dismal event occurs. At an individual level this takes conviction, tenacity and courage of the sort that Greta Thunberg has shown over climate change. Or more immediately, the persistent warnings of an impending coronavirus pandemic by Bill Gates and many others over the last decade. This begs the question, when is it myopia and blinkered thinking, as opposed to unnecessary alarmist concerns? In this respect the renowned historian and double Pulitzer Prize winner, Barbara Tuckman’s book ‘The March of Folly’ is instructive. In it she lists the conditions for something to be considered as ‘folly’, as opposed to simply wise in hindsight. A similar logic is helpful to identify and critique the failings of ERM today.
What should it take for a crisis to be labelled an ERM ‘failure’?
Perhaps the following conditions should have been met:
- There should have been plenty of information ahead of time available to assess the likelihood of the risk.
- There must have been alternative voices raising alarm about the possible scenario. (e.g. professional warnings in advance, science, credible examples in literature, etc.)
- The organisation should have been expected to have been aware of the risk in advance.
- There must have been an ability to assess and weigh the risks concerned.
- There needed to be a reasonable opportunity to mitigate the risk in advance (N.B. this rules out a ‘dinosaur extinction event’).
- There should have been identified and viable alternative options available to choose between other than.
Assuming the above conditions, yet not considering the possible impact or taking reasonable mitigating steps, amounts to a failure in ERM – whether or not the worst case actually eventuates.
A recent McKinsey Quarterly paper authored by Larry Fink on climate risk titled ‘Bring the problem forward’ nails the point. Strong leaders involve themselves in key issues of risk management and once a threat is identified they move quickly towards it, rather than ignore or shy away from it.
So how can risk management professionals identify major threats and address them upfront?
For a start they must step out of their RM comfort zones and embrace broader strategic threats. This demands out-of-the-box strategic and creative ‘what if’ scenario planning. The measures and approaches necessary to achieve this are beyond the scope of this short paper.
Suffice it to say that there are plenty of models and approaches that can facilitate this, as well as rich resources from experts and editorial opinion to stimulate possibilities. But even assuming that effective scenario planning identifies the key addressable risk and threats, how can management prioritise and deal with them, without becoming bogged down in endless hand-wringing? As usual, a simple 2×2 helps to simplify a basic, practical approach to prioritise and tackle the issue;
How might better scenario planning of a coronavirus pandemic have impacted business’s ERM plans?
The following approach in advance may have helped:
- Identify a coronavirus pandemic as a the near/mid-term possibility and threat with commercially existential implications
- Assess the measure and potential commercial impact of such an eventuality
- Consider affected business processes (supply chains, sourcing, manufacturing, logistics, distribution…)
- Take active measures to diversify sourcing, etc.
- Develop capabilities and place emphasis on e-com & direct-to-consumer
- Develop WFH contingency plans and routinely stress-test them from time to time
- Put in place early alerts to enable pre-emptive responses to contingency plans
Obviously, the impact of such a scenario will vary differently across different industries (e.g. travel / hospitality or retail, vs on-line media streaming / gaming) and different geographies, as well as varying levels of government competence (who would have predicted that Vietnam, NZ and S. Korea would out-class the US and UK?).
No scenario planning will ever be perfect, but it appears that in the case of COVID19, anything would have been better today than nothing at all. On that score, it is not just enterprises that should be upping their ERM competence. Governments who have failed to provide even basic PPE should give this issue serious thought and investment in future.
It would appear that the risk management profession is just one more industry that will be fundamentally challenged and perhaps forever changed by this latest COVID-19 experience. And like bad fortune tellers, they probably didn’t see that coming…