Man-made risk—such as cyber risk, physical security threats, and climate
change—are the central driving forces in the global risk landscape. Unlike
natural risk, which remains a central preoccupation, man-made risks have
agency.
Acknowledgment
The author would like to acknowledge and thank
coauthor Dante Disparte, the CEO of Risk Cooperative, for his contributions
to this commentary. He and Daniel Wagner are the coauthors of Global
Risk Agility and Decision Making.
A tornado does not plan in advance where and when it will strike. A cyber or
terrorist attack, by contrast, is not a random event. While large organizations
can often shield themselves from the financial consequences of many risks, the
ensuing reputational harm can irrecoverably erode market share and stakeholder
trust. Small to midsize enterprises confront these challenges as an existential
threat.
In the face of such threats, global risk agility is a management framework
aimed at changing the way organizations and their leaders think about risk.
Rather than making risk an object of "passive control" and something
to be feared, agile decision-makers make risk an object to be understood—with a
healthy dose of respect. There is great risk in doing nothing at all in
response to turbulent times, so no organization can afford to remain on the
sidelines in the face of such threats.
Organizations tend to be far too passive vis-à-vis their approach to risk
management. Risk does not recognize the annual planning, strategy, or budgetary
cycles. In the era of man-made risks, decisions need to be framed around
longevity and optimization, as opposed to short-term performance.
It is every global firm's duty and obligation to develop its own
"foreign policy" with respect to operating in international markets.
Creating greater awareness of man-made risk in the context of global risk
analysis is an important first step. Too often, boards and senior
decision-makers do not know what questions they should ask of each other or
necessarily where to obtain the right answers. This is confounded by the
individual silos or domains over which senior leaders reign, largely in
indifference to and with independence from their colleagues in the C-suite.
Acknowledging that they may not have all the answers, particularly within the
context of long-range planning, is really important.
Businesses will never be outside the reach of controllable and
uncontrollable risk—all that they can do is attempt to manage them in a
reasonable and effective fashion. In the era of man-made risk, which often
clashes with natural risk, many organizations should either greatly strengthen
their organizational resilience and risk management procedures or consider
getting into another line of business in another location, because their
approach to managing the clash between man-made and natural risks has proven
inadequate. Some examples are firms with high profiles and/or a lot of money
(that may attract the attention of cyber criminals), those located in flood
prone areas, those that operate in strategic sectors (that may attract the
attention of nationalistic governments), and those that operate in areas of the
world prone to terrorism.
Decision-makers from large and small enterprises, and across sectors,
continue to be confounded by a world that is increasingly difficult to read
and, therefore, to make long range plans for inventory, investments, hiring,
and market expansion. Risk can be measured, but uncertainty cannot; uncertainty
creates bank runs, erodes consumer and investor confidence and trust in
counter-parties and institutions. Those firms already seeking global risk
agility—and actively devoting resources to and making decisions consistent with
that objective—stand the best chance of actually achieving organizational
resilience in the face of such uncertainty.
Making Decisions in the Era of Man-Made Risk
We are living in the Anthropocene Era, where human actions collide with
natural risks and negatively impact the environment. In this era, where
uncertainty and unpredictability are the norm, and organizations of all kinds
are being challenged like never before, the need to make great decisions
transcends the profit motive, for the survival of each firm is at stake. This
calls for a change in how organizations make decisions and allocate
resources.
Traditional organizational decision-making processes—which tend to entail
linear, empirical, one-dimensional thinking—have of course been widely used for
decades but have never before been put to the test with such transcendent and
centrifugal forces tugging at their core. We have entered an era in which
information boundaries have been erased, communication and money flows are
instantaneous, and our infrastructure, cities, and even some countries face
grave threats to their existence because of the threats of climate change,
cyber risk, and terrorism. It should be clear to risk managers and leaders
alike that conventional means of making decisions cannot possibly be sufficient
to be able to manage and stay ahead of such risks.
In addition to having to contend with man-made risks, the "forced"
regulatory transparency that has been routinely imposed on publicly held
organizations—particularly since the Great Recession—has had an adverse effect
on the decision-making processes in large and complex entities. Enhanced
compliance and governance guidelines have only added to the legions of
employees devoted to compulsory forms of risk management, which have diluted
the inclination of leaders to rely on their intuition. The resulting
orientation toward risk-aversion, and the accompanying indecisiveness in
determining the nature of unprecedented threats, can result in outcomes every
bit as dangerous as many of the threats organizations are trying to understand
and manage.
Against this backdrop, how can organizations adapt their decision-making
frameworks to create a more agile approach? Will the predominant
consensus-driven frameworks give way to a greater degree of instinctive or
entrepreneurial approaches? Are these models size or velocity dependent? And,
will decision-makers feel free to move beyond their comfort zone to
meaningfully address the risks?
Instinctive decision-making, which is most commonly associated with
entrepreneurs who are constantly walking the tightrope between success and
failure, is rare in all but a handful of large organizations. The cornerstone
for "following your gut" decision-making is a leader's innate
conviction, belief in a given value system (corporate or personal), and comfort
with making decisions in opaque conditions. The rise of corporate activism
among a handful of firms supports this argument.
Some activist firms have proven to hold their value system as paramount,
even above the profit motive, taking stands—such as Apple's stance against
the Federal Bureau of Investigation's demand to unlock a terrorism
suspect's phone or Starbucks' stand against campaign finance and its
controversial Race Together Campaign—both of which could have been detrimental
to their shareholders. But with leaders such as Tim Cook and Howard Shultz at
the helm, increasingly instinctive decisions are being made, often in the face
of complex and potentially incalculable consequences. What drives these leaders
and their choices appears to be a natural ability to make the right call and do
the right thing.
One of the best examples of this instinctive quality is how Apple defied its
company culture of absolute secrecy and centralized control by publishing a
transparent supply chain report in 2007 and every year since. Facing mounting
criticism and market pressure on its stock valuation as a result of worker
conditions at Foxconn, Apple leapt ahead of the potentially damaging news (and
its competitors) and published an uncharacteristically transparent supply chain
report providing a scorecard on how Apple's thousands of subsuppliers
compared against the company's desired performance standards, including
worker rights and conditions.
Had Apple followed an empirical decision-making approach, it may have looked
at its competitors, which provided no transparency into their supply chains or
worker conditions. The assumption was that the world is an imperfect place and
running a global supply chain is necessarily an imperfect practice. Instead,
Apple put its peers on notice and gained substantial competitive advantage by
instinctively anticipating that the market would respond favorably to more
transparency. Other firms are now grappling—often clumsily—to adhere to
Apple's standard, yet Apple's culture of secrecy and centralized
command remains as entrenched as ever.
Elon Musk, founder and CEO of SpaceX and Tesla, provides another great
example of an instinctive leader. While building reusable rockets like Falcon 9
(which made a successful landing on a waterborne drone) depends on a vast
amount of empirical data, SpaceX, like Tesla, is clearly thriving due to Mr.
Musk's stubborn commitment to his instincts—that humanity's fate
depends on commercially viable space travel and the death of the internal
combustion engine.
These examples demonstrate that instinctive decision-making need not suggest
that unintelligible decisions be made in the absence of data. Rather, the
instinctive leader is able to make a choice (or series of choices) and is not
afraid of course corrections. The advantage, amid so much uncertainty, goes to
people and organizations not afraid to choose. This gives them agility and an
almost innate ability to walk the tightrope between success and failure. It
also gives them pause in the face of adversity or pressures that go against
their value systems or commitments. Instinctive leaders tend to stick to their
word, although they may make multiple choices in doing so.
Intuitive leaders may weigh empirical data and consult with peers and
colleagues in the process, but, in the end, they rely on their sense of smell
and gut feeling to guide their decision-making process. There is no real secret
about what makes a good forecaster—it is a combination of a natural curiosity
about the world, being informed, and having an opinion, combining it with
insight and instinct, and correcting course as necessary. More and more
organizational decisions fall into a domain where little reliable information
is available, or where a decision needs to be made faster than information can
be reliably sourced, and the consequences are entirely unpredictable. That is
when relying on instinctive decision-making is the only option.
No one, no matter how experienced, can anticipate precisely when a problem
will arise. This is particularly true in the era of man-made risk. All we can
do is make educated guesses based on what history teaches us and integrate what
we have learned in the process. In the end, the ability to anticipate
what the future will bring, using a combination of knowledge, insight, and a
healthy sixth sense, can make all of the difference. Listening to your gut and
sense of smell are, in the end, as important as all of the other tools at
one's disposal. A good leader knows when to listen to them.
What the Unforeseen Teaches Us about Risk Agility
What is unforeseen is not necessarily something that was
unknown, but rather was not predicted or anticipated. By contrast,
what is unknown is ambiguous and a mystery, so it cannot be predicted
or anticipated. We cannot do much about what is unknown, precisely because
there is no way to quantify or understand it. The most we can hope to do is
"manage" the risks associated with the unforeseen, by anticipating
those risks. Herein lies the distinction between risk and uncertainty. Risk can
always be measured and generally understood, while uncertainty cannot be
measured and is the domain along the risk spectrum that paralyzes markets and
causes bank runs.
We can learn a lot about this from the terrible tragedy of Germanwings
Flight 9525 in 2015, which was deliberately crashed into a mountain by the
flight's copilot, Andreas Lubitz, killing all onboard. The passengers and
cargo had been successfully screened for explosives and weapons, which,
ordinarily, would imply a safe and successful flight. Germanwings' owner,
Lufthansa, had learned during Mr. Lubitz's flight school training in 2009
that he had suffered from severe depression, and subsequently, that he had
suicidal tendencies, yet it still allowed him to fly commercial aircraft.
It cannot be argued that there was not a potentially substantial
risk associated with allowing Mr. Lubitz to fly. Such risk was neither unknown
to the airline, nor could his action necessarily be considered unforeseen. On
the contrary, that he was allowed to continue flying was probably criminally
negligent, as the risk could certainly have been managed by preventing him from
continuing to fly.
The simple mitigation strategy to this known risk, which was, ironically,
compounded by the secured cockpit doors mandated post-9/11, would have been to
conduct mental health screenings with greater scrutiny and frequency.
Germanwings, Lufthansa, and the airline industry exposed the traveling public
to the risk, however remote, that pilots would attempt to take their own lives
along with everyone onboard an aircraft. The fatal error was assuming that a
standard mental health checkup resulting in no known signs of suicidal
tendencies or other issues at the pilot onboarding process was a constant
variable in the system.
The Germanwings case serves to emphasize several things. First, some risks
that are thought to be unknown are not unknown. Second, with some foresight and
critical thought, some risks that at first glance may seem unforeseen, can in
fact be foreseen. Third, with the right set of tools, procedures, knowledge,
and insight, light can be shed on variables that lead to risk, allowing us to
manage them. Adopting a broader view of risk that places an emphasis on having
specialized knowledge inside an organization to specifically address issues
that are, or will prove to be, critical to the organization is no longer just
nice to have—it is essential.
By the same token, individual businesses and entire industries are being
forced to address the increasingly important conflict between the right to
information privacy and a right to genuine security. In the Germanwings case,
Mr. Lubitz's right to privacy vis-à-vis his medical records, and the
airline's obligation to maintain his records' privacy, became negated
the instant such privacy impinged—in the slightest way—on passengers' and
airline crews' right to fly safely and securely. The debate ends when
people's lives are at stake. In such circumstances, a decision-maker's
obligation no longer resides with their employees' rights, but rather, with
their own civic duty and their customers' rights.
If managing risk were based solely—or even primarily—on past data and
experience, and if risk managers and decision-makers were unable to adapt to
the underlying conditions that define risk, the game would be over before it
began. By the same token, adopting a "reactive" approach clearly will
not work. What is required is a proactive approach, which entails closely
monitoring the forces that drive change, analyzing their relationship to risk,
and adapting the strategies required to manage risk flexibly.
Risk agility is not all about downside risk, quite to the contrary.
Risk-ready organizations often have outsized financial results, with an innate
ability to read the market and gain a first-mover advantage. Agile enterprises
can neutralize bad news and have a propensity to turn bad information and risk
into an upside. They do this by confronting risk head on. Their orientation is
not the "analysis paralysis" that can take hold of larger, more
cautious organizations. Since doing nothing is often more dangerous than taking
risks, agile enterprises are, by definition, entrepreneurial and instill a
culture of bounded risk-taking at all organizational levels.
Risk agility is as much about being bold and taking responsibility
as it is about having both temerity and deference to challenge risk head on.
Agile risk managers are a new breed of organizational leaders who are part
psychologist and part financial guru. To rise to the occasion
and help organizations harness the unprecedented yet unforgiving upside that
can be created, we must move the discipline of risk management from being a
business prevention function (a cost of doing business) to being a
catalyst for longevity.
Risk agility implies a deftness of movement; whether the required
pace given the circumstances is slow or fast, movement is the key. Standing
still is usually not an option. We do not need to be taught that observing
smoke rising from a few floors beneath us and standing still is ill-advised.
While the data may suggest that everything is fine, silencing your instincts
occurs all too often in organizational decision-making. Agile risk managers,
therefore, need to be as courageous in confronting authority as they are poised
in the face of new challenges.
When decisions are made at the global level, risk managers are most often
not in the room—and they need to be. Changing this reality will require
discipline. Professionals in the decision-making and risk management domains
need to take a long look in the mirror. They need to adapt personally
as much as the organizations they work for, particularly since organizations
are beginning to leave board room and corner office doors ajar.
For organizations to fully harness the power of risk agility, the
competitive advantage of survivorship—long-range planning, entrepreneurial
culture, and bounded risk-taking—those at the top need to be challenged, at
times resulting (as in the Germanwings case) in a cold hard slap on the face.
Risk managers must challenge decision-makers in the form of dialogue that
fosters the ability to make sensible decisions under opaque conditions because
sometimes the best long-range results are created when the playing field has
been entirely abandoned.