Viewpoint - The MMC Journal

Viewpoint

Risk and the Enterprise

Creating a Risk-Competent Company in an Age of Volatility

by David A. Nadler & Adrian Slywotzky

The recent turmoil in the financial services and housing industries provides a grim reminder that we live in a world of risk. Seemingly benign actions and events can have life-changing consequences for corporations and for the men and women who lead them. It’s not just the financial industry. Headlines of the past year point to unprecedented volatility impacting industries around the world, ranging from energy, to transportation, to technology.

Each new crisis carries consequences that can quickly erode a company’s competitive advantage and even threaten its existence. Increasingly, a company must make significant strategic and financial bets in order to meet the requirements of its shareholders, and each bet brings new dimensions of risk. A company’s reputation can be irreparably tainted, its business model rendered obsolete, its talent pool decimated, or its leadership discredited. On the other hand, volatility can create opportunities to enhance value – if leaders learn how to navigate the world of risk.

We’ve developed a way of thinking about volatility that can help leaders understand risk and design strategies to manage risk. We’ve also identified the essential organizational elements that enable a company to successfully manage risk. In this article, we begin with a point of view on how to think about risk and then describe the measures companies need to take to be risk competent – neither risk avoiding nor risk insensitive, but cognizant of risk and capable of determining an effective risk appetite and managing accordingly.

Understanding volatility and risk

Volatility is a condition that triggers change – rapidly, dramatically, and sometimes unexpectedly. All businesses exist in a world of volatility. Over time, leaders make strategic choices that expose their company to specific types of volatility: which businesses to enter, what business designs to employ, who their customers will be, how they are going to compete, how they are going to create value, and how they will design and manage their company’s operations. These choices shape the organization’s internal and external realities:
  • Business environment. If a company chooses to enter a certain business, it will need to deal with certain competitors, customers, markets, and regulators. If it decides to operate in a specific country, it will face a specific set of political, market, and labor conditions. And if a company opts to work in a particular geography, it will face corresponding environmental issues.

  • Financial model. Moreover, as a result of a chosen strategy, a company also defines how it plans to make money, how it will deploy its assets, how it will structure its balance sheet, and what its relationships with the financial markets will be.

  • Operational model. To implement a strategy, a company creates an operational model, determining where in the value chain it will play, what core competencies it will focus on, and how its operating units and functions will work together to achieve its strategic goals.

  • Organizational model. Finally, a company’s strategic choices will drive a specific organizational model, defining how the company will organize, deploy, and develop its activities, and, in particular, its human capital.

Multibusiness companies deal with even greater complexity. Each individual business unit may have its own strategy, work in different business environments, and have a different financial, operational, and organizational model.

The volatility a company encounters will expose it to certain types of risks. Traditionally, people have thought of risk as an event that can significantly threaten a company’s value, but recent thinking takes a broader perspective. In fact, there are five different types of risks – hazard, financial, strategic, human capital, and operational – each with different sources and potential consequences.

Exhibit 1 - An enterprise view of risk

We can think about volatility and the five risk types on two dimensions (see exhibit 1, “An enterprise view of risk”). The first dimension is the source of the volatility. In some cases, the source is external, such as when a hurricane destroys a distribution center or a new technology supersedes a decades-old product. In other cases, it is created by internal problems, such as when a manufacturing error results in a product recall or inadequate talent development results in performance problems. On occasion, the source of the instability may be internal, but an external event is what triggers the crisis.

The second dimension is the potential impact of the volatility. An event may have a negative or downside impact, causing major destruction of value and, sometimes, jeopardizing a company’s existence. But risk may also have an upside, allowing a company to create value. A company might spot an aggressive new competitor entering its space and respond by shifting its focus to another customer segment that turns out to be very lucrative. Each of the five kinds of risk has varying degrees of downside or upside impact:

1. Hazard. These risks, which arise from adverse external events that result in property damage and liabilities (such as a fire destroying a manufacturing facility), are one extreme. The impact of major property/casualty, environmental, and political incidents will most likely be on the downside. These events often cause devastating business interruptions.

2. Financial. Fluctuations in financial market prices – such as changes in foreign exchange rates, interest rates, and commodity prices – will often have a negative impact. But if a company manages its assets well, there is an upside potential to create value. Thus, financial risk appears midway on the potential-impact scale.

3. Strategic. Some external risks offer significant downside potential: the competition, the market environment, regulatory events, etc. The emergence of a new technology or market stagnation can derail a company’s growth trajectory. But if a company can recognize such events when they are just beginning to occur, the change can be turned into a huge competitive advantage.

4. Human capital. Risks arising from challenges related to a company’s talent, leadership, and related human capital systems may have a negative impact. Organizations that fail to attract and retain the right people face a certain downslide. But a company that implements a talent strategy that attracts, develops, motivates, and retains the right people and the right leaders will be equipped to respond quickly to technology shifts or new competition.

5. Operational. Internal process breakdowns can cripple a company’s supply chain, customer service, or manufacturing operation. However, ineffectiveness in these same processes can be equally damaging to shareholder value over time. The risks can generally be mitigated by creating a more effective organizational structure and internal controls.

These five categories provide a focused way of thinking about and discussing risk. The key questions leaders need to ask include: Do we understand how much risk we’re facing? What’s our appetite for risk in these areas? Do we have the capacity to manage these risks? Have we given any thought to the upside of these risks, not just the downside?

A roadmap for effective enterprise risk management

It’s easy to assume that only poorly run companies have problems dealing with volatility. But even companies perceived as having the best management teams and the best business models are vulnerable. Big names like Wal-Mart, Home Depot, Dell, and Microsoft have all been stung. Their leaders either did not see or did not understand an impending threat.

Successful enterprises treat risk as a core business issue. While different companies approach this in different ways, there seems to be one constant – they employ a proactive enterprise risk management (ERM) approach. An ERM process consists of several sequential actions: identifying and analyzing the risks, applying a risk strategy, creating a risk governance approach to oversee the process, and monitoring the risks (see exhibit 2, “Effective enterprise risk management”).

A risk analysis will surface previously unforeseen exposures and identify the nature of the company’s primary risks, the severity of their impact, their degree of probability, potential timing, possible costs, etc.

Executives can then apply the appropriate strategy to offset each risk’s impact:

1. Manage exposure by avoiding the risk altogether and preventing incidents from occurring.

2. Mitigate the risk when something goes wrong by implementing a business continuity plan, taking defensive actions, or launching a preplanned recovery strategy.

3. Transfer the financial impact of the risk to a third party, such as an insurer.

4. Leverage the risk by developing a countermeasure with upside potential.

A comprehensive ERM approach will include a risk governance process to ensure that C-suite executives and the board of directors work together to set the enterprise’s appetite for risk, a crucial step given today’s increased scrutiny from rating agencies, shareholders, and regulators. There is a huge advantage to looking at risk at the enterprise level. Executives can examine the variety of risks across the organization, revealing previously unrecognized interdependencies. They can then prioritize and address the most critical risks.

Finally, by monitoring its risks and its internal and external environments, a company can recognize early signs of significant threats. This arms the company with the information it needs to offset new risks.

An organization-design approach to risk competence

Even a well-designed ERM program will fail if a company’s leaders and employees are not up to the challenge. Too often, ERM programs, processes, and techniques are done to the side – treated as a set of activities parallel to how the organization is actually led and managed. Our perspective is that the concepts of risk and strategic risk management need to be integrated into the way an enterprise is run.

For some time, we have used an approach for thinking about organizational effectiveness called the Congruence Model (Nadler and Tushman, 1977). The model conceives of the organization as an open system that receives input from the environment, which is used to develop a strategy. The strategy is converted into output through the interaction of four core components – the work, the formal organization (structure), the people, and the informal organization (culture and leadership). The key dynamic of the model is congruence or fit – organizations will be more effective to the extent that the configuration of work, organization, people, and informal organization meets the requirements of the strategy and is internally congruent.

Using this approach, we’ve identified the most critical elements of a risk-competent enterprise (see exhibit 3, “Organization design for effective risk management”). However, the answer lies not in one specific area or action (such as getting the risk competencies for people right) but in addressing risk as a systems problem. Let’s look at each element of this model from the perspective of risk.

Exhibit 3

Strategy

Executives often get into trouble when they don’t adequately consider risk during the strategic planning process. A risk-competent approach to strategic planning will:

  • Have an informed strategic development process. The CEO and senior leaders need to have access to information on and understand likely sources of internal and external volatility, as well as potential risks.

  • Clarify the organization’s risk appetite. It’s essential for the executive team to agree on and consistently apply the company’s risk tolerances, which were established with input from the board.

  • Evaluate both the downside and the upside. Executives should review the risks inherent in each strategic alternative, evaluate whether they are in line with the risk appetite, and identify not only the inherent threats but also the opportunities the risks may present.

  • Draw on a recycling process. Finally, it’s essential to step back and review the results of the risk management program, including data generated by risk monitoring systems embedded across the corporation, and to keep an eye on emerging shifts in the internal and external environments.

Work

Risk management must be treated as an integrative function at the senior level of the enterprise. It cannot be managed effectively solely on a decentralized basis within the business units or functions because multiple risks may interact, amplifying their impact. Consider these recent cases:
  • JetBlue – hazard, operational, and human capital risks;

  • British Petroleum – operating and human capital risks;

  • Bausch & Lomb – strategic and operating risks;

  • Citibank – financial, operating, and human capital risks; and

  • Sony – strategic and human capital risks.

An organization needs methodologies for mapping its entire risk system, so leaders can clearly see the connections between and the cascading effects of various combinations of risk types.

People

Over the past decade, risk has become a highly dynamic, rapidly evolving field, with multiple dimensions. As a result, it can no longer be managed by generalists. Rather, each type of risk requires real, hard-edged, quantitative expertise and specific tools and methodologies, including the following:
  • Hazard risk – not only the traditional insurance skills and specialized industry data (e.g., media, biotech, telecomm, retail), but also new methods and solutions for addressing the rapidly growing domain of uninsurable risks.
  • Financial risk (credit, commodity price fluctuation) – historical databases, hedging techniques, and modeling capabilities.

  • Strategic risk – specific expertise in value migration, business design, brand dynamics, and proprietary customer information.

  • Human capital risk – specific tools and techniques for measuring employee productivity, morale, intent to leave, skill set availability, etc., as well as sophisticated techniques for measuring organizational congruence, succession risk, and other major human capital risk factors.

  • Operational risk – investigative capabilities, data security technology, and process design skills to ensure better controls.

Structure

A company must have a structure, systems, and processes that support effective risk management. The end goal is to ensure that valid information gets to the right decisionmakers. People are thus empowered to generate solutions in accordance with the organization’s risk appetite. Specific structural solutions include:
  • Creating a risk management function that extends beyond the usual domain of hazard and financial risks to strategic, human capital, and operational risks.

  • Providing for effective checks and balances in the strategic decision-making processes.

  • Developing mechanisms for facilitating a horizontal perspective of risk (across products/services, customers and clients, production, distribution, marketing, etc.). This could be accomplished through a cross-organizational risk management function or by charging business managers with shared risk responsibilities.

  • Embedding risk monitoring and control processes in every unit and function and at every level across the organization.

Culture and leadership

Even with the right structures and processes in place, a company will not have the capacity to recognize or respond to risks if it doesn’t have risk-competent leaders and a supportive culture. An effective risk culture:

  • Establishes clear values and alignment around those values. Ensures that employees understand and accept the company’s risk appetite, know how much risk they should allow when making decisions, and behave ethically.

  • Internalizes integrity. Expects employees to tell the truth and do the right thing despite any short-term negative consequences.

  • Addresses undiscussables. Encourages employees to raise sensitive topics – nothing is undiscussable. It’s unacceptable to look the other way, avoid, or cover up serious issues.

  • Values productive failures. Promotes the sense that it’s okay to fail and to admit a mistake, as long as employees reflect on and learn from the experience.

  • Requires evidence-based actions. Endorses the use of hard data as the basis for decision making, rather than reliance on gut instinct, wishful thinking, or blind optimism.

  • Stresses cross-unit risk engagement. Requires business units to collaborate and resolve conflicts when managing risk, reducing the potential that serious risks will be overlooked or mismanaged.

  • Encourages constructive contention. Fosters productive, not destructive, conflict, empowering people to raise and debate differences of opinion.

Risk-competent leadership is crucial to ensuring that ERM is effective. Leaders need to cultivate certain behaviors and lead by example to create an environment that supports effective risk management. These leaders are:

  • Risk cognizant. They are aware of and actively think about risk, both upside and downside, internal and external. They understand the kinds of risks the company needs to take, and what is and isn’t acceptable.

  • Approachable and open to others’ views. They show a willingness to hear and are open-minded enough to consider the opinions of other people.

  • Demanding but not unreasonable. They demand results but don’t set unreasonable expectations that may cause employees to break the rules to meet performance goals.

  • Aware of the external environment. They keep an eye on external volatility and events that may impact the company, and avoid becoming insular.

  • Reliant on specialized expertise. They recognize the value of using experts’ knowledge of risk to understand, quantify, and clarify the company’s risk appetite.

Moving beyond compliance to action

The most important factor in ERM is simple: take action. Many companies have implemented risk programs to meet Sarbanes-Oxley requirements or to improve their governance processes in response to shareholder demand. However, their processes essentially boil down to gathering information, discussing risk issues, and checking off boxes on a list.

As several executives recently said to us, “If enterprise risk means making lists of things we already know about, and simply tallying them up and reporting them, then why bother? If we’re not thinking about things differently or doing anything differently, then there’s really no added value – it’s simply a compliance exercise.”

We couldn’t agree more. In the arena of risk, it’s time to move beyond compliance to action. We need to design risk-competent organizations that understand how decisions create risk, how risk is often systems related and horizontal in nature, and how seemingly unrelated risks can become correlated risks, sometimes with disastrous consequences. Risk-competent leaders treat risk systemically, linking it to their company’s strategy, work, structure, people, and culture and leadership.

Ultimately, if leaders don’t step up and exploit the information they’ve been gathering, their company will likely be hit hard when the next crisis strikes.

***

David A. Nadler is vice chairman of Marsh & McLennan Companies, Inc., and a senior partner at Oliver Wyman – Delta Organization & Leadership. In his consulting, he has worked for years at the CEO and board level, specializing in the areas of large-scale change, corporate governance, executive leadership, organization design, and executive team development. He has written numerous articles and book chapters, and has authored and/or edited 16 books, including Organizational Architecture; Prophets in the Dark: How Xerox Reinvented Itself and Drove Back the Japanese; Discontinuous Change; Competing by Design; Executive Teams; Champions of Change; and Building Better Boards.

Adrian Slywotzky, a director of Oliver Wyman, consults at the CEO and senior executive level on issues related to new business development and creating new areas of value and growth. He is the author of The Upside, as well as the bestselling The Profit Zone (selected by Business Week as one of the 10 best books of 1998), Value Migration, and How to Grow When Markets Don’t. He has also been published in the Harvard Business Review and the Wall Street Journal and has been a featured speaker at the World Economic Forum Annual Meeting, the Microsoft CEO Summit, the Forbes CEO Forum, and the Fortune CEO Conference.