No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Featured

Needed: A New Approach to Risk Modeling in an Asymmetric World

by John Klick
August 20, 2018
in Featured, Risk
illustration of man in suit pulling thread from tangled mess

A Forward-Looking Response to a Chaotic World

The actuarial model of risk compliance employed by most large global enterprises – calculating the odds of future events based on past occurrences – has become outdated and ineffective, as the internet and global interdependencies have created an asymmetric, chaotic world in which small inputs (a tweet, a Facebook post, a changing regulation in country far from corporate headquarters) can cause enormous outputs. Consequently, risk modeling needs to become more forward-looking and less historically based and account for second-order, follow-on effects.

with co-author Gregory Lewis

More companies are failing faster. Average corporate life spans have been shrinking since the ‘60s. Many companies that have failed emerged in more stable and predictable economic and political times and were ill-equipped to manage the risks of a more volatile world. Today, these risks include climate change and extreme weather events, mass south-north population migrations, the rise of political populism and protectionism in Western democracies and the specter of cyberattack. None of these risks existed (or were perceived) 30 years ago. Some did not exist five years ago. But, for the most part, the practice of risk modeling has not changed.

It should.

Traditional actuarial risk models that calculate the chances of future events based on historical occurrences – which then are used to support business strategies – are no longer good enough. That was illuminated during the 2007-2008 global credit crisis where, based on historic trends, the stability of the U.S. housing market was assumed and the chance of a massive default dismissed (especially when that risk was distributed via derivatives). The risk models of the Great Recession’s corporate victims – such as Lehman Brothers – proved wrong and the business strategies they informed flawed.

The rise of fake news and false narratives promulgated swiftly through social media channels has served to amplify risk and distribute power asymmetrically. State and nonstate entities and even individuals today can manipulate millions of people, threatening superpowers, multinational corporations and markets. In this environment, companies need new, more forward-looking and comprehensive approaches to risk modeling and management.

How to Survive a More Complex Risk Environment

Even in this volatile world, it is possible to forecast risk reasonably, and in so doing, mitigate it. The OECD’s “Emerging Risks in the 21st Century: An Agenda for Action,” published in 2003, predicted the rise in global systemic risk due (among other factors) to population growth, technological change and fake news.

That report is now 15 years old, indicating that this confluence of risks is not a passing phase. Risk managers today must identify, understand and connect a broader range of inputs than ever before. To be effective, they must:

  • Look forward, not back. As late as 2010, Thames Water, the private utility responsible for London’s water supply and wastewater treatment, assessed flood risk (and the investment to mitigate it) in traditional fashion by looking at the frequency of flooding at all their sites and adding 20 percent to accommodate climate change. According to the utility, this led to under- or over-investment at many sites. The company has since developed a process that uses climate projections to predict the risk at each individual site. Instead of being guided by the past, Thames Water now bases investment decisions on likely futures.
  • Supplement traditional indicators. The leading metrics long used in risk models – average weekly hours worked in manufacturing and order volumes for consumer goods and materials, for instance – do not help forecast the impact of political and social forces. For example, in 2015, Salesforce CEO Marc Benioff commissioned an equal pay assessment within the company. After learning there was a discrepancy between men and women, the company gave 10 percent of its female workforce a pay increase. In 2017, he did the same again and continues to monitor the company’s gender pay gap. Today, as the #MeToo and #TimesUp movements force companies to review their gender policies, Salesforce is held up as an example of a company that got it right.
  • Weigh up second-order effects. Especially when assessing political and regulatory risk, managers must be sensitive to how a sequence of events might unfold. For instance, Ukraine’s flirtation with the West contributed to the 2014 Russian annexation of Crimea, which in turn led to sanctions against Russia and the destabilization of Ukraine. Before the crisis, one multinational agrobusiness had its eye on Ukraine: the land was fertile, the infrastructure advanced and its major buyers were conveniently close. But, foreseeing the turbulence ahead, it chose instead to invest in Australia, assuming higher costs of production and distribution as a reasonable trade-off for lower risk. Subsequent events have vindicated that choice.
  • Invest in cybersecurity. The frequency and seriousness of cyberattacks, particularly ransomware attacks, continue to rise, and cyber insurance costs are soaring. According to Symantec’s 2018 Internet Security Threat Report, attackers most often use simple, off-the-shelf, easily available tools and tactics. Attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws or technicians do not configure systems properly. In other words, there is a great deal companies can do simply and inexpensively to protect themselves, and it’s not that hard if they make and keep cybersecurity a top priority.
  • Be heard on contentious issues. Companies today are judged in the court of public opinion, and to influence that judgment, they must speak out. A 2017 Harvard Business Review and KRC Research survey of 1,000 U.S. adults found that 44 percent of millennials said they would feel more loyalty toward a company if the CEO weighed in strongly on contentious public issues. Jamie Dimon, CEO of JPMorgan, has addressed income inequality publicly in a way that once would have been deemed odd or inappropriate for the CEO of an investment bank. Conversely, few British CEOs spoke out against Brexit before the referendum, even though the majority were against it and knew the risks it posed their businesses.
  • Engage employees as advocates. According to Edelman’s Trust Barometer, employees are trusted more than a company’s CEO or its marketing department. According to another study, employee posts can generate eight times the engagement of a company’s brand page. It makes sense to leverage employees in the social media battles. While many companies resist, placing restrictions on what and when employees can post on social media, others, such as Electronic Arts (with 6,600 employee social media interactions a month) encourage and support it. When damaging, baseless rumors begins to circulate, companies can encourage their employees to post counternarratives. When a company is denigrated on a person’s social media feed, just one informed friend saying, “This isn’t so,” has an outsize, asymmetrical impact.

Getting Risk Right

Companies that fail to incorporate hard-to-quantify risks into their calculations will understate them, do too little to combat them and overstate expected returns on investment. This will damage shareholders and other stakeholders.

Those that improve these factors in their risk modeling will be in a better position to enhance returns, either by developing new strategies, de-risking old ones or offloading risky positions to more optimistic (or less astute) competitors. And those forward-looking, more risk-incisive companies will be positioned to snatch the ball when their competitors fumble it.


Tags: Cyber Risk
Previous Post

What a Code of Conduct ‘Says’ About a Company

Next Post

Compliance: From “Hall Monitor” to Strategic Partner

John Klick

John Klick

John Klick is a Senior Vice President at FTI Consulting, having led its Economic Consulting segment from 2004 to 2017. He is recognized as an expert in analyzing economic models and calculating damages.

Related Posts

castle pixel art

Building a Defense-in-Depth Culture to Combat Phishing

by Perry Carpenter
March 22, 2023

Phishing attempts are only growing more sophisticated by the day, and effective cybersecurity means defending all the vectors of attack,...

risk tunnel

From Regulation to Volume, There Is No Light at the End of the Data Privacy Tunnel

by Jim DeLoach
March 15, 2023

Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. An underpinning...

cisa website

What Can Your Organization Learn From the New CISA Strategic Plan?

by FTI Consulting
January 11, 2023

Cyber threats against organizations of all sizes are only rising as scammers and fraudsters become more and more sophisticated. Kyung...

data minimization practices_w

Ransomware Threats Are Growing. How Can Boards Protect Mission-Critical Assets?

by Jim DeLoach
December 14, 2022

As the sophistication level of cyber attackers continues to rise, there’s probably not a business on Earth that isn’t at...

Next Post
Compliance: From “Hall Monitor” to Strategic Partner

Compliance: From “Hall Monitor” to Strategic Partner

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT