When Risks Marry and Multiply: Risks in Combination Present Deadly Threat
June 2007
Currency devaluation. Natural disaster. Coup
d'etat. Influenza pandemic. What do such these seemingly unrelated items have
in common? They are all relatively rare occurrences that have increasingly received
the attention of risk managers who understand that low-probability/high-impact
risks—within and outside their walls—must be identified and addressed.
by Mark
Layton and David Hodgson
Deloitte & Touche
This widening perspective on risk is a welcome trend, to be sure. But less
desirable is the propensity of an organization to perceive risk in terms of
discrete, self-contained events. Many risk managers do not focus on the interdependent,
multi-dimensional nature of risk. Instead they believe that any given risk’s
true identity and potential danger are immediately self-evident. Worse yet,
they prepare for risks as if they conveniently occur sequentially.
Risk Interrelationships
A recent study shows that organizations are frequently victimized by risk
interrelationships that expose and exploit vulnerabilities more than single-risk
events in isolation. According to "Disarming the Value Killers," a 2005 study
by Deloitte Research that looked at decline in share prices among Fortune 1000
companies, "Eighty percent of the companies that suffered the greatest losses
in value were exposed to more than one type of risk. But firms may fail to recognize
and manage the relationships among different types of risks."
How bad can the interaction of multiple risks be? Some studies indicate that
the impact of a single risk can be significantly greater, by 30 percent or more,
when it occurs in the presence of certain other risks. For an example that is
translated into dollars, consider that the cumulative multi-risk impact of our
increasingly erratic global climate resulted in $200 billion in weather-related
losses for 2005, according to a study by the Munich Re Foundation.
A prime illustration of the potential impact of cascading risk can be found
in the current drought in parts of the U.S. southwest. A shortage of water resulted
in widespread insect infestations in affected trees, which set the stage for
unusually intense forest fires, which threatened not only the man-made infrastructure
but the forest ecosystem, whose eroded soil will likely cause flooding when
precipitation eventually returns.
Though predicted to get worse, this drought’s slow but steady unfolding,
for the most part off the radar screen, deceptively masks its inherent risks
to a multitude of business and governmental entities.
Similar examples of risks in combination can be found in business. For instance,
consider the case where a breach of security can lead to litigation, which results
in negative publicity, followed by an adverse judgment and a substantial jury
award, which impacts shareholder value.
Handling Multiple Risks
Faced with such complex scenarios, what’s a risk manager to do?
We recommend the following steps toward establishing multiple risk consciousness.
-
Preparing for high-frequency/high-impact risks is necessary but not sufficient.
Also on the radar screen should be the low-frequency/high-impact risk that,
should it hit, could devastate the organization. In addition, come to understand
that potential threats are characterized by numerous events occurring both
simultaneously and successively.
-
Understand that the potential damages of multiple risks are a function
of the domino effect of critical risk interdependencies. Allocate risk management
resources to identify, assess, and mitigate, not just the initial risk event,
but the likely cascading impact of the risk process as it unfolds.
-
Promote an organizational culture that understands the need to preserve
corporate value in the face of multiple risks. Optimum risk management requires
maintaining vigilance, marshalling resources, and staying the course until
the last domino falls.
The key to implementing these objectives can be found in scenario planning
which, in combination with statistical modeling, can help an organization prepare
for multiple risk events. Scenario planning prompts decision-makers to identify
and evaluate multiple risk factors inherent in each enumerated threat. Risk
management’s ability to systematically evaluate and quantify the multiple risk
content of oncoming threats will make it possible to define a range of events—such
as an increase in interest rates or a decrease in market share—that will trigger
an organization-wide alert to a potentially multifaceted risk that requires
further assessment and response. Needless to say, for optimal results, functional
and business leaders throughout the enterprise should be involved in the scenario
development process.
Many of the world's largest companies have suffered tremendous losses in
market value over the past 10 years because they failed to anticipate the interaction
of multiple risks unfolding both immediately and over time. In many cases, the
consequences were so dire that the affected companies never recovered. That’s
the bad news. The good news is that by taking steps to deal effectively with
the impact of multiple risks, your organization need not rank among the departed.
Next Installment
See the next installment in our series on making
risk management practices part of your corporate culture.
David Hodgson is a partner with the Enterprise Risk Services practice of Deloitte & Touche
LLP. He can be reached at dhodgson@deloitte.com or at (973) 683–6869.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.