Achieving Global Risk Agility

A tornado does not plan in advance where and when it will strike. A cyber or terrorist attack, by contrast, is not a random event. While large organizations can often shield themselves from the financial consequences of many risks, the ensuing reputational harm can irrecoverably erode market share and stakeholder trust. Small to midsize enterprises confront these challenges as an existential threat.

In the face of such threats, global risk agility is a management framework aimed at changing the way organizations and their leaders think about risk. Rather than making risk an object of "passive control" and something to be feared, agile decision-makers make risk an object to be understood—with a healthy dose of respect. There is great risk in doing nothing at all in response to turbulent times, so no organization can afford to remain on the sidelines in the face of such threats.

Organizations tend to be far too passive vis-à-vis their approach to risk management. Risk does not recognize the annual planning, strategy, or budgetary cycles. In the era of man-made risks, decisions need to be framed around longevity and optimization, as opposed to short-term performance.

It is every global firm's duty and obligation to develop its own "foreign policy" with respect to operating in international markets. Creating greater awareness of man-made risk in the context of global risk analysis is an important first step. Too often, boards and senior decision-makers do not know what questions they should ask of each other or necessarily where to obtain the right answers. This is confounded by the individual silos or domains over which senior leaders reign, largely in indifference to and with independence from their colleagues in the C-suite. Acknowledging that they may not have all the answers, particularly within the context of long-range planning, is really important.

Businesses will never be outside the reach of controllable and uncontrollable risk—all that they can do is attempt to manage them in a reasonable and effective fashion. In the era of man-made risk, which often clashes with natural risk, many organizations should either greatly strengthen their organizational resilience and risk management procedures or consider getting into another line of business in another location, because their approach to managing the clash between man-made and natural risks has proven inadequate. Some examples are firms with high profiles and/or a lot of money (that may attract the attention of cyber criminals), those located in flood prone areas, those that operate in strategic sectors (that may attract the attention of nationalistic governments), and those that operate in areas of the world prone to terrorism.

Decision-makers from large and small enterprises, and across sectors, continue to be confounded by a world that is increasingly difficult to read and, therefore, to make long range plans for inventory, investments, hiring, and market expansion. Risk can be measured, but uncertainty cannot; uncertainty creates bank runs, erodes consumer and investor confidence and trust in counter-parties and institutions. Those firms already seeking global risk agility—and actively devoting resources to and making decisions consistent with that objective—stand the best chance of actually achieving organizational resilience in the face of such uncertainty.

Making Decisions in the Era of Man-Made Risk

We are living in the Anthropocene Era, where human actions collide with natural risks and negatively impact the environment. In this era, where uncertainty and unpredictability are the norm, and organizations of all kinds are being challenged like never before, the need to make great decisions transcends the profit motive, for the survival of each firm is at stake. This calls for a change in how organizations make decisions and allocate resources.

Traditional organizational decision-making processes—which tend to entail linear, empirical, one-dimensional thinking—have of course been widely used for decades but have never before been put to the test with such transcendent and centrifugal forces tugging at their core. We have entered an era in which information boundaries have been erased, communication and money flows are instantaneous, and our infrastructure, cities, and even some countries face grave threats to their existence because of the threats of climate change, cyber risk, and terrorism. It should be clear to risk managers and leaders alike that conventional means of making decisions cannot possibly be sufficient to be able to manage and stay ahead of such risks. 

In addition to having to contend with man-made risks, the "forced" regulatory transparency that has been routinely imposed on publicly held organizations—particularly since the Great Recession—has had an adverse effect on the decision-making processes in large and complex entities. Enhanced compliance and governance guidelines have only added to the legions of employees devoted to compulsory forms of risk management, which have diluted the inclination of leaders to rely on their intuition. The resulting orientation toward risk-aversion, and the accompanying indecisiveness in determining the nature of unprecedented threats, can result in outcomes every bit as dangerous as many of the threats organizations are trying to understand and manage.

Against this backdrop, how can organizations adapt their decision-making frameworks to create a more agile approach? Will the predominant consensus-driven frameworks give way to a greater degree of instinctive or entrepreneurial approaches? Are these models size or velocity dependent? And, will decision-makers feel free to move beyond their comfort zone to meaningfully address the risks?

Instinctive decision-making, which is most commonly associated with entrepreneurs who are constantly walking the tightrope between success and failure, is rare in all but a handful of large organizations. The cornerstone for "following your gut" decision-making is a leader's innate conviction, belief in a given value system (corporate or personal), and comfort with making decisions in opaque conditions. The rise of corporate activism among a handful of firms supports this argument.

Some activist firms have proven to hold their value system as paramount, even above the profit motive, taking stands—such as Apple's stance against the Federal Bureau of Investigation's demand to unlock a terrorism suspect's phone or Starbucks' stand against campaign finance and its controversial Race Together Campaign—both of which could have been detrimental to their shareholders. But with leaders such as Tim Cook and Howard Shultz at the helm, increasingly instinctive decisions are being made, often in the face of complex and potentially incalculable consequences. What drives these leaders and their choices appears to be a natural ability to make the right call and do the right thing.

One of the best examples of this instinctive quality is how Apple defied its company culture of absolute secrecy and centralized control by publishing a transparent supply chain report in 2007 and every year since. Facing mounting criticism and market pressure on its stock valuation as a result of worker conditions at Foxconn, Apple leapt ahead of the potentially damaging news (and its competitors) and published an uncharacteristically transparent supply chain report providing a scorecard on how Apple's thousands of subsuppliers compared against the company's desired performance standards, including worker rights and conditions.

Had Apple followed an empirical decision-making approach, it may have looked at its competitors, which provided no transparency into their supply chains or worker conditions. The assumption was that the world is an imperfect place and running a global supply chain is necessarily an imperfect practice. Instead, Apple put its peers on notice and gained substantial competitive advantage by instinctively anticipating that the market would respond favorably to more transparency. Other firms are now grappling—often clumsily—to adhere to Apple's standard, yet Apple's culture of secrecy and centralized command remains as entrenched as ever.

Elon Musk, founder and CEO of SpaceX and Tesla, provides another great example of an instinctive leader. While building reusable rockets like Falcon 9 (which made a successful landing on a waterborne drone) depends on a vast amount of empirical data, SpaceX, like Tesla, is clearly thriving due to Mr. Musk's stubborn commitment to his instincts—that humanity's fate depends on commercially viable space travel and the death of the internal combustion engine.

These examples demonstrate that instinctive decision-making need not suggest that unintelligible decisions be made in the absence of data. Rather, the instinctive leader is able to make a choice (or series of choices) and is not afraid of course corrections. The advantage, amid so much uncertainty, goes to people and organizations not afraid to choose. This gives them agility and an almost innate ability to walk the tightrope between success and failure. It also gives them pause in the face of adversity or pressures that go against their value systems or commitments. Instinctive leaders tend to stick to their word, although they may make multiple choices in doing so.

Intuitive leaders may weigh empirical data and consult with peers and colleagues in the process, but, in the end, they rely on their sense of smell and gut feeling to guide their decision-making process. There is no real secret about what makes a good forecaster—it is a combination of a natural curiosity about the world, being informed, and having an opinion, combining it with insight and instinct, and correcting course as necessary. More and more organizational decisions fall into a domain where little reliable information is available, or where a decision needs to be made faster than information can be reliably sourced, and the consequences are entirely unpredictable. That is when relying on instinctive decision-making is the only option.

No one, no matter how experienced, can anticipate precisely when a problem will arise. This is particularly true in the era of man-made risk. All we can do is make educated guesses based on what history teaches us and integrate what we have learned in the process. In the end, the ability to anticipate what the future will bring, using a combination of knowledge, insight, and a healthy sixth sense, can make all of the difference. Listening to your gut and sense of smell are, in the end, as important as all of the other tools at one's disposal. A good leader knows when to listen to them.

What the Unforeseen Teaches Us about Risk Agility

What is unforeseen is not necessarily something that was unknown, but rather was not predicted or anticipated. By contrast, what is unknown is ambiguous and a mystery, so it cannot be predicted or anticipated. We cannot do much about what is unknown, precisely because there is no way to quantify or understand it. The most we can hope to do is "manage" the risks associated with the unforeseen, by anticipating those risks. Herein lies the distinction between risk and uncertainty. Risk can always be measured and generally understood, while uncertainty cannot be measured and is the domain along the risk spectrum that paralyzes markets and causes bank runs.

We can learn a lot about this from the terrible tragedy of Germanwings Flight 9525 in 2015, which was deliberately crashed into a mountain by the flight's copilot, Andreas Lubitz, killing all onboard. The passengers and cargo had been successfully screened for explosives and weapons, which, ordinarily, would imply a safe and successful flight. Germanwings' owner, Lufthansa, had learned during Mr. Lubitz's flight school training in 2009 that he had suffered from severe depression, and subsequently, that he had suicidal tendencies, yet it still allowed him to fly commercial aircraft.

It cannot be argued that there was not a potentially substantial risk associated with allowing Mr. Lubitz to fly. Such risk was neither unknown to the airline, nor could his action necessarily be considered unforeseen. On the contrary, that he was allowed to continue flying was probably criminally negligent, as the risk could certainly have been managed by preventing him from continuing to fly.

The simple mitigation strategy to this known risk, which was, ironically, compounded by the secured cockpit doors mandated post-9/11, would have been to conduct mental health screenings with greater scrutiny and frequency. Germanwings, Lufthansa, and the airline industry exposed the traveling public to the risk, however remote, that pilots would attempt to take their own lives along with everyone onboard an aircraft. The fatal error was assuming that a standard mental health checkup resulting in no known signs of suicidal tendencies or other issues at the pilot onboarding process was a constant variable in the system.

The Germanwings case serves to emphasize several things. First, some risks that are thought to be unknown are not unknown. Second, with some foresight and critical thought, some risks that at first glance may seem unforeseen, can in fact be foreseen. Third, with the right set of tools, procedures, knowledge, and insight, light can be shed on variables that lead to risk, allowing us to manage them. Adopting a broader view of risk that places an emphasis on having specialized knowledge inside an organization to specifically address issues that are, or will prove to be, critical to the organization is no longer just nice to have—it is essential.

By the same token, individual businesses and entire industries are being forced to address the increasingly important conflict between the right to information privacy and a right to genuine security. In the Germanwings case, Mr. Lubitz's right to privacy vis-à-vis his medical records, and the airline's obligation to maintain his records' privacy, became negated the instant such privacy impinged—in the slightest way—on passengers' and airline crews' right to fly safely and securely. The debate ends when people's lives are at stake. In such circumstances, a decision-maker's obligation no longer resides with their employees' rights, but rather, with their own civic duty and their customers' rights. 

If managing risk were based solely—or even primarily—on past data and experience, and if risk managers and decision-makers were unable to adapt to the underlying conditions that define risk, the game would be over before it began. By the same token, adopting a "reactive" approach clearly will not work. What is required is a proactive approach, which entails closely monitoring the forces that drive change, analyzing their relationship to risk, and adapting the strategies required to manage risk flexibly.

Risk agility is not all about downside risk, quite to the contrary. Risk-ready organizations often have outsized financial results, with an innate ability to read the market and gain a first-mover advantage. Agile enterprises can neutralize bad news and have a propensity to turn bad information and risk into an upside. They do this by confronting risk head on. Their orientation is not the "analysis paralysis" that can take hold of larger, more cautious organizations. Since doing nothing is often more dangerous than taking risks, agile enterprises are, by definition, entrepreneurial and instill a culture of bounded risk-taking at all organizational levels.

Risk agility is as much about being bold and taking responsibility as it is about having both temerity and deference to challenge risk head on. Agile risk managers are a new breed of organizational leaders who are part psychologist and part financial guru. To rise to the occasion and help organizations harness the unprecedented yet unforgiving upside that can be created, we must move the discipline of risk management from being a business prevention function (a cost of doing business) to being a catalyst for longevity.

Risk agility implies a deftness of movement; whether the required pace given the circumstances is slow or fast, movement is the key. Standing still is usually not an option. We do not need to be taught that observing smoke rising from a few floors beneath us and standing still is ill-advised. While the data may suggest that everything is fine, silencing your instincts occurs all too often in organizational decision-making. Agile risk managers, therefore, need to be as courageous in confronting authority as they are poised in the face of new challenges.

When decisions are made at the global level, risk managers are most often not in the room—and they need to be. Changing this reality will require discipline. Professionals in the decision-making and risk management domains need to take a long look in the mirror. They need to adapt personally as much as the organizations they work for, particularly since organizations are beginning to leave board room and corner office doors ajar.

For organizations to fully harness the power of risk agility, the competitive advantage of survivorship—long-range planning, entrepreneurial culture, and bounded risk-taking—those at the top need to be challenged, at times resulting (as in the Germanwings case) in a cold hard slap on the face. Risk managers must challenge decision-makers in the form of dialogue that fosters the ability to make sensible decisions under opaque conditions because sometimes the best long-range results are created when the playing field has been entirely abandoned.