As the regulatory climate for public companies continues to focus on further transparency, boards and executive management must prepare their organizations for the risks and opportunities that lie ahead. Directorship.com recently interviewed risk specialists, Frederick (Rick) Funston, who co-authored the recently published book Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise with Stephen Wagner, and Henry Ristuccia, Partner, Deloitte & Touche LLP, and U.S. leader of Deloitte’s Governance and Risk Management services. They agree that risk-taking is necessary for growth, but that it can be detrimental to business if decision making is ill-informed. Boards need to create plans for growth and innovation as well as the unknown and unknowable. To gain some insight into how corporate officers and directors should approach the complex challenge that is risk management, Funston and Ristuccia agreed to be interviewed. What follows is an edited transcript of that interview.
How should boards be thinking about risk?
Henry Ristuccia: The SEC has been in existence since 1934 and has historically had four divisions. Last year, a fifth division – the SEC’s Division of Risk, Strategy and Financial Innovation – was created. Legislators, regulators, and the investing public at large are putting much more scrutiny on boards to execute their fiduciary responsibility for oversight – especially of risk management – which is probably one of the most fundamental dimensions of what the board can do.
The question is: What does this mean for boards? It means they need to create more transparency into what management is doing to manage risk. Boards need to look not only at what has happened, but what could happen. More and more organizations are looking at risk factors related to their business strategy. They are asking: What are the assumptions that we’re making and what are the challenges of our business model? Boards need to think outside the boundaries of an organization and look at bigger-picture risk factors, such as macroeconomic and jurisdictional issues. We think that it’s helpful to think of these bigger-picture risks as falling into four categories: strategic, operational, financial and compliance.
Rick Funston: A lot of the questions that we’re getting today from boards really have to do with how prepared the enterprise is for the risk and opportunities that inevitably lie ahead. They’re asking how they can continue to build reputation, revenue, margins, and productivity – and find the unexpected before it finds them. Some of the common recurring themes from board members are: “We don’t want to be blindsided. How can we get assurance from management that management is really on top of things? How do we get independent reassurance that management’s reports are reliable, and what’s the appropriate balance of roles and responsibilities between the board and executives?” Boards don’t really have the tools to help them deal with this, other than the tools that have been used conventionally.
What’s wrong with conventional risk management?
Funston: I think the fundamental problem is that conventional risk management does not work when risk is extreme—which of course is when it’s most needed. Most people assume that extreme events are extremely rare, and yet it seems that we’re having a once-in-a-lifetime crisis every three to four years – and, more recently, every three to four weeks.
Another problem with conventional risk management is that it focuses on the protection of existing assets, which largely has to do with operations reporting, and compliance. The problem with this is that protection of assets is necessary, but it’s not sufficient for competitive advantage. You really need to focus on the risks that you need to take in order to drive growth. You have to manage those risks if you’re developing new products, entering into new markets with new business partners or alliances, or developing new technologies. These are the risks that one might call “frontier risks,” risks that need to be taken to create future growth.
“A lot of risk assessments look at the impact and likelihood of a risk event…but likelihood has proven to be a very unreliable indicator.”
Ristuccia: Historically, risk professionals have focused, as Rick mentioned, on certain limited views of risk. There is an opportunity for senior executives to help sponsor and elevate the message and create a culture that allows the organization, the board, executive management, and risk professionals to all work together to identify what an organization’s major risk factors are and what future trends could look like.
Funston: Directors and executives that we’ve spoken with feel that they’ve been blindsided by risks that never appeared on their radar screen. They thought everything was fine until it wasn’t. What we did in the book, Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise, was to identify some of the reasons why conventional risk management has failed, especially in highly turbulent and uncertain conditions. We also explored alternative ways of finding possible threats to your business model, as well as where the opportunities lie for you to be a real game changer.
In the book, we identified 10 fatal flaws of risk management. One of the most important of them is failing to check your fundamental underlying assumptions. The subprime mortgage crisis is a good example of that. It wasn’t the math that got people into trouble; it was the assumption that the national price of housing in the United States would continue to rise indefinitely, and the choices people made based on that assumption.
Also, there’s generally a lack of vigilance. People aren’t paying attention to what’s going on in the environment around them. They don’t understand the connections in a very complex environment. They don’t factor in velocity.
Another problem is that many executives dismiss worst-case scenarios as implausible, based on their own experience. The challenge then becomes: How can executives constructively challenge the ideas they hold most dear? They need to challenge those ideas, because the things that made them successful are also the things that can end up being the cause of their downfall. They need to challenge what their experience has been, because if you look at some very successful companies that are no longer in existence, you’ll see that they continued to do what they had always done until it was no longer relevant. For example, you could be the best buggy whip manufacturer in the world – but that is irrelevant if there are no longer any buggies. The challenge is to find the unexpected before it finds you.
In your research and work, who have been some of your greatest sources of information about risk?
Funston: I have had the privilege of speaking with some very talented people. Among those was The Honorable Tom Ridge, who was the nation’s first Secretary of Homeland Security. He was very influential. I tried to take his lessons and apply them to the commercial enterprise. He emphasized vigilance, cooperation, threat assessment prioritization, and recognizing that you have to tolerate some level of risk.
Jamie Clark and Esther Colwill are two people who have successfully climbed Mount Everest. They emphasized that you have to be brutally honest with yourself about your skills and abilities. You have to be very, very well prepared for all kinds of contingencies, but you have to know your limits—even while you’re trying to extend them. You need to be confident, but beware of false confidence. According to Clark and Colwill, most mountaineering accidents happen on the way down. People are very cautious trying to make the ascent but they’re less cautious—particularly the more they’ve done it—as they come down.
Bill McCabe, a former B-52 pilot and later a commander, and Matt Sharp, who was in the U.S. submarine force, both emphasized the importance of operational discipline – how important it is to do everything humanly possible to understand and manage the risks, leaving nothing to chance, so that you can complete your mission successfully and still come home safely. Their mantra was, “Hope for the best but prepare for the worst.”
Describe the concept of velocity. What can corporate leaders learn from them so they’re not caught off guard by velocity of change?
Funston: If I were to ask Mario Andretti how quickly things can go wrong when he’s driving at 180 miles per hour, the answer is pretty obvious—it’s the snap of a finger.
It’s very important to factor in velocity and to think about how effective and timely your response will be to a crisis situation. The key is to think about both speed and impact. How fast can things happen and how fast can you respond?
A lot of executives aren’t used to thinking along these lines. Traditional approaches to risk assessment don’t consider velocity—how bad the situation can get or, inversely, how good it can get and how fast it can get that way. A lot of risk assessments look at the impact and likelihood of a risk event, but likelihood has proven to be a very unreliable indicator. The problem is that highly unlikely causes of failure can still result in a meltdown.
Where do you see today’s companies making their mistakes while “descending the mountain?” Are companies not asking the right questions?
Funston: I think part of the issue is that success breeds complacency – or it can. It’s very difficult to try and convince someone who is successful that they should do things differently. Our recommendation is to continue to challenge your assumptions about what has made you successful and see whether there are any signs that things are changing. You must maintain constant vigilance in an environment where things are changing and ensure that you are alert to those signals.
You make a cogent point about how directors need to think of the corporations they oversee as “living entities.” Would you elaborate on that?
Funston: The average life expectancy for a Fortune 500 company is less than 45 years. For smaller companies, it’s even shorter than that. Rather than thinking of enterprises as inanimate objects, it’s important to think of them as living entities that have high mortality rates and a short life span, despite the apparent advantage that they have a choice about whether to live or to die.
The question then becomes: What are the choices they are making and how are they being made? To be enterprising really means to be bold and willing to take new initiatives that involve risk. Frontier risks, such as entering new products and markets, new alliances, disruptive technologies etc. are where larger and more mature organizations often fail because they often don’t take enough of these risks.
Ristuccia: There are two imperatives that are applied to any living entity: Survive adversity and thrive—despite uncertainty and turbulence. To do this, it comes down to using intelligence to make better decisions to avoid or manage the risks that cause loss or harm—and doing so while taking calculated risks successfully, thus creating new opportunities and new value.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.