A Forward-Looking Response to a Chaotic World
The actuarial model of risk compliance employed by most large global enterprises – calculating the odds of future events based on past occurrences – has become outdated and ineffective, as the internet and global interdependencies have created an asymmetric, chaotic world in which small inputs (a tweet, a Facebook post, a changing regulation in country far from corporate headquarters) can cause enormous outputs. Consequently, risk modeling needs to become more forward-looking and less historically based and account for second-order, follow-on effects.
with co-author Gregory Lewis
More companies are failing faster. Average corporate life spans have been shrinking since the ‘60s. Many companies that have failed emerged in more stable and predictable economic and political times and were ill-equipped to manage the risks of a more volatile world. Today, these risks include climate change and extreme weather events, mass south-north population migrations, the rise of political populism and protectionism in Western democracies and the specter of cyberattack. None of these risks existed (or were perceived) 30 years ago. Some did not exist five years ago. But, for the most part, the practice of risk modeling has not changed.
It should.
Traditional actuarial risk models that calculate the chances of future events based on historical occurrences – which then are used to support business strategies – are no longer good enough. That was illuminated during the 2007-2008 global credit crisis where, based on historic trends, the stability of the U.S. housing market was assumed and the chance of a massive default dismissed (especially when that risk was distributed via derivatives). The risk models of the Great Recession’s corporate victims – such as Lehman Brothers – proved wrong and the business strategies they informed flawed.
The rise of fake news and false narratives promulgated swiftly through social media channels has served to amplify risk and distribute power asymmetrically. State and nonstate entities and even individuals today can manipulate millions of people, threatening superpowers, multinational corporations and markets. In this environment, companies need new, more forward-looking and comprehensive approaches to risk modeling and management.
How to Survive a More Complex Risk Environment
Even in this volatile world, it is possible to forecast risk reasonably, and in so doing, mitigate it. The OECD’s “Emerging Risks in the 21st Century: An Agenda for Action,” published in 2003, predicted the rise in global systemic risk due (among other factors) to population growth, technological change and fake news.
That report is now 15 years old, indicating that this confluence of risks is not a passing phase. Risk managers today must identify, understand and connect a broader range of inputs than ever before. To be effective, they must:
- Look forward, not back. As late as 2010, Thames Water, the private utility responsible for London’s water supply and wastewater treatment, assessed flood risk (and the investment to mitigate it) in traditional fashion by looking at the frequency of flooding at all their sites and adding 20 percent to accommodate climate change. According to the utility, this led to under- or over-investment at many sites. The company has since developed a process that uses climate projections to predict the risk at each individual site. Instead of being guided by the past, Thames Water now bases investment decisions on likely futures.
- Supplement traditional indicators. The leading metrics long used in risk models – average weekly hours worked in manufacturing and order volumes for consumer goods and materials, for instance – do not help forecast the impact of political and social forces. For example, in 2015, Salesforce CEO Marc Benioff commissioned an equal pay assessment within the company. After learning there was a discrepancy between men and women, the company gave 10 percent of its female workforce a pay increase. In 2017, he did the same again and continues to monitor the company’s gender pay gap. Today, as the #MeToo and #TimesUp movements force companies to review their gender policies, Salesforce is held up as an example of a company that got it right.
- Weigh up second-order effects. Especially when assessing political and regulatory risk, managers must be sensitive to how a sequence of events might unfold. For instance, Ukraine’s flirtation with the West contributed to the 2014 Russian annexation of Crimea, which in turn led to sanctions against Russia and the destabilization of Ukraine. Before the crisis, one multinational agrobusiness had its eye on Ukraine: the land was fertile, the infrastructure advanced and its major buyers were conveniently close. But, foreseeing the turbulence ahead, it chose instead to invest in Australia, assuming higher costs of production and distribution as a reasonable trade-off for lower risk. Subsequent events have vindicated that choice.
- Invest in cybersecurity. The frequency and seriousness of cyberattacks, particularly ransomware attacks, continue to rise, and cyber insurance costs are soaring. According to Symantec’s 2018 Internet Security Threat Report, attackers most often use simple, off-the-shelf, easily available tools and tactics. Attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws or technicians do not configure systems properly. In other words, there is a great deal companies can do simply and inexpensively to protect themselves, and it’s not that hard if they make and keep cybersecurity a top priority.
- Be heard on contentious issues. Companies today are judged in the court of public opinion, and to influence that judgment, they must speak out. A 2017 Harvard Business Review and KRC Research survey of 1,000 U.S. adults found that 44 percent of millennials said they would feel more loyalty toward a company if the CEO weighed in strongly on contentious public issues. Jamie Dimon, CEO of JPMorgan, has addressed income inequality publicly in a way that once would have been deemed odd or inappropriate for the CEO of an investment bank. Conversely, few British CEOs spoke out against Brexit before the referendum, even though the majority were against it and knew the risks it posed their businesses.
- Engage employees as advocates. According to Edelman’s Trust Barometer, employees are trusted more than a company’s CEO or its marketing department. According to another study, employee posts can generate eight times the engagement of a company’s brand page. It makes sense to leverage employees in the social media battles. While many companies resist, placing restrictions on what and when employees can post on social media, others, such as Electronic Arts (with 6,600 employee social media interactions a month) encourage and support it. When damaging, baseless rumors begins to circulate, companies can encourage their employees to post counternarratives. When a company is denigrated on a person’s social media feed, just one informed friend saying, “This isn’t so,” has an outsize, asymmetrical impact.
Getting Risk Right
Companies that fail to incorporate hard-to-quantify risks into their calculations will understate them, do too little to combat them and overstate expected returns on investment. This will damage shareholders and other stakeholders.
Those that improve these factors in their risk modeling will be in a better position to enhance returns, either by developing new strategies, de-risking old ones or offloading risky positions to more optimistic (or less astute) competitors. And those forward-looking, more risk-incisive companies will be positioned to snatch the ball when their competitors fumble it.