Re-thinking Risk Management: Why the Mindset Matters More Than the ModelPublished: April 15, 2009 in Knowledge@Wharton
Forecasting used to be straightforward. Over the years, by the end of the first quarter, managers usually had a fairly reliable sense of how the business was shaping up and whether targets would be met, missed or exceeded. Confidence in quarterly and annual predictions was so high that coming in above or below by even the smallest amount was considered a surprise and set off moves in stock prices. This year, however, things have changed. Companies like Unilever, Union Pacific and Visteon are declining to make any predictions at all for their performance over the months ahead. In other words, all bets are off.
According to company reports, the problem is not that these firms are reluctant to provide a gloomy outlook. Instead, the companies say they just don't know which way the markets will go; it seems the global economy is so shaky that executives have little confidence in their projections. This means that more and more managers are growing unwilling, at least temporarily, to make judgments about the future and then to act on those beliefs. The danger is that these businesses will become paralyzed -- and by extension, the global economy as well.
The fundamental issue, of course, is understanding and managing risk. Any time a merger is considered, a new product concept funded or an investment made, success is never guaranteed. Over the years, business has become increasingly sophisticated in developing tools that can help in this analysis, especially in financial matters. Complex mathematical models were created to analyze potential outcomes and probabilities, based on past performance. Yet, as has been widely reported in the media, many of these same models failed spectacularly to predict or prepare companies for the current global economic crisis, and major efforts are underway on Wall Street to fix these systems.
At the same time, experts at Wharton and elsewhere argue that too much blame is being placed on the risk management model and other tools of the trade, in banking and beyond. The models are not necessarily broken, but instead are only as good as the decisions that get made based on them, they say. As a result, the current crisis may represent an opportunity for companies to re-visit and re-think historical approaches to risk management. When it comes to planning for the future, the new thinking goes, it is not just the model that matters, it is the mindset.
"I think we've learned a lot recently about the limitations of models," says Richard J. Herring, a professor of international banking and co-director of the Wharton Financial Institutions Center. "We've also seen that the governance of risk is not as good as it ought to be." Herring notes that top managers in many companies need to understand what can happen when the assumptions that drive a model change, and then subsequently communicate these scenarios to their boards.
The first step is to get a fuller picture of risk. Most recent coverage of the global economic crisis and its origins, particularly from a risk perspective, has focused on the financial industry; the problems with identifying and measuring the risk in this sector kicked off the chain of events that brought the global economy to a near standstill. Some banks were dramatically more exposed to risks than they thought they were. Most others simply did not know; they could not assess with any confidence the value of their own or others' financial assets.
But there is more than one kind of risk. U.S. food giant Cargill, for example, earlier this month suffered a blow related to what is typically called "sovereign risk." Accusing the company of having failed to lower food prices, Venezuelan President Hugo Chavez stunned Cargill by ordering the seizure of one of its rice plants in the country.
Another category of risk that companies face -- which is even more common -- is operational. The delays Airbus encountered in the development of its 380 super-size jetliner are a perfect example. Over the course of 2005 and 2006, Airbus pushed back the launch of the new aircraft three times, ultimately leading to the departure of its CEO and a projected earnings shortfall of more than 4 billion euros. Iridium, a company backed by Motorola, experienced an infamous failure related to operational risk. The high-profile satellite phone venture was launched in late 1998 with widespread media coverage, yet it failed within a year. The company was not able to get enough satellites in orbit quickly enough, causing customer demand to fall far below expectations.
These stories illustrate some key points about risk from a manager's perspective. The first is that traders, economists and academics think about risk very differently than do most business managers. For the former, the key issue in risk is variance -- the expected spread of possible outcomes. But that is not how managers think about it. For them, the biggest issue in risk is the potential for loss. As a result, they ask, "What's the downside?" If the risk is too high -- or even unknown -- companies typically pull back.
The second point is that risk management has no silver bullet. As a result, many companies need to develop a more integrated view of risk. "We have seen a tendency to separate risks into rigid silos -- operational risk, market risk, credit risk and so on," says Wharton's Herring. "But what we have found is that major shocks and problems do not come that way. For instance, in the financial world, you would see trading desks staffed with people who were experts in market risk, but they were trading instruments that were laden with credit risk. The skills you need to think about each of those kinds of risk are very distinctive, and unless you have an integrated view of risk, you could encounter major problems."
Nevertheless, risk taking remains what managing is all about, and not just in financial services but in every industry. Indeed, from an economic perspective, all firms fundamentally are in the business of taking risks based on their core capabilities. For the manager, then, the basic objective is simple: As one executive noted in Zur Shapira's 1995 book, Risk Taking: A Managerial Perspective: "You have to be a risk taker. But you have to win more than you lose." The catch is that managers are always attempting to win more than they lose in the face of uncertainty about which are the good risks and which are the bad.
Constructing a New 'Risk Architecture'
Given recent events, "What I see now is a new risk architecture emerging for organizations," says Erwann Michel-Kerjan, managing director of Wharton's Risk Management and Decision Processes Center. "Whatever industry you consider, it is always the same pattern. Things are getting faster, and therefore we need to make decisions faster, but based on information that we often don't have. Of course, we would like to have time to get all the information, but the reality is that managers have to make decisions under uncertainty, if not outright ignorance."
To overcome the problem, Michel-Kerjan sees some companies moving beyond traditional risk management practices, which have largely been internally focused. Call it "Risk Management 1.0" -- essentially, looking at a company's existing position or investments and analyzing what could go wrong. However, organizations need to look beyond the boundaries of the firm and consider what is happening elsewhere. In recent years, businesses around the globe have become increasingly interdependent, which brings great benefits in both efficiency and innovation but also increases companies' exposure to risks -- in many cases, risks that they don't even know about. Indeed, it is the systemic nature of the current crisis and how widespread the impact has been that caught most people by surprise.
"We were trained to solve problems with clear questions and clear scientific knowledge," says Michel-Kerjan. "Knowing the historic risk profile, we made investment decisions. But historic data does not shape the future anymore, given how rapidly the world is changing. We usually look at the known issues and make a nice diagram with probability on one axis and impact on the other. That's Risk Management 1.0. Risk Management 2.0 is [going] beyond the known issues to look at the links and interdependencies. You can no longer look at the risks independently of each other."
The key, Michel-Kerjan adds, is to have knowledgeable people in the organization who are looking broadly and challenging assumptions about the future. "Form a team of people and mandate that they come back with two or three major links that the company has not yet thought about," he suggests. "Not 25 links -- three links that they believe are important but not fully visible. And then bring some data about that to prove to you that it is something the company has to think about."
In addition, new techniques and technologies are now coming into the picture. For instance, so called "track-and-trace" technologies, integrating software and advanced scanning and identification technologies, are improving visibility across companies' supply chains, so they can precisely identify which components are coming from whom and where. Similarly, Michel-Kerjan is working on a project to identify the "DNA" of financial products, in an effort to provide more visibility into the components that go into a product and offer more effective tools for auditing. Consulting firms also are stepping up efforts to provide companies with a more holistic, multidimensional view of their risks. Even the definition of "business intelligence" is expanding from a focus on operating performance to increasingly include monitoring risks, both inside and outside the organization.
Philippe Hellich, vice president of risks, control and audit at Danone, is already moving to the new model. "We use very few mathematical models," he says, although the organization is working on a small set of new ones for certain risks. "Instead, we rely much more on interviews and benchmarking with peers outside the group and between our subsidiaries around the world. Our approach is based on listening and challenging the operational management, common sense analysis, sound judgment and good governance at the top."
Looking ahead, Hellich sees even more focus on risk from Danone's leadership, a consequence of the increasing volatility in markets and the potential severity of impact. "Top managers are convinced of the necessity to use enterprise risk management. We now have an effective working session with part of the executive committee twice a year. And we continue to rely on yearly updates of the risk maps of all major business units worldwide."
Making Better Decisions
In the last pages of the 1996 bestseller on risk, Against the Gods, Peter Bernstein anticipated the challenge many companies are facing today. "Nothing is more soothing or more persuasive than the computer screen, with its imposing arrays of numbers, glowing colors and elegantly structured graphs," he wrote. "As we stare at the passing show, we become so absorbed we tend to forget that the computer only answers questions; it does not ask them.... Those who live only by the numbers may find that the computer has simply replaced the oracles to whom people resorted in ancient times for guidance in risk management and decision-making."
Phil Rosenzweig, professor of strategy and international business at IMD in Switzerland and author of The Halo Effect and Eight Other Business Delusions That Deceive Managers, agrees. "I would caution executives not to rely on models that are appealing for their apparent sophistication. They may delude us into thinking we've understood the underlying factors, when really we've done nothing of the kind. It's what I call the Delusion of Rigorous Research -- if the quantity of data is impressive, we forget the underlying quality may be bad."
On the other hand, well-designed efforts to look ahead even three to five years can be stunningly prescient. Consider the annual Global Risks Report, published by the World Economic Forum in cooperation with Citigroup, Marsh & McLennan Companies, Swiss Re, the Wharton School's Risk Management and Decision Processes Center and Zurich Financial Services, which is based on a qualitative assessment of global risks, workshops and input from business leaders and experts around the world. In the 2007 report, a global collapse in asset prices was identified as the major risk with one of the highest probabilities of occurring and the biggest potential impact. Then again, in January 2008, the next report warned of a high likelihood that a "liquidity crunch will spark a U.S. recession in the next 12 months" and called for new thinking on systemic financial risk. As we know now, both predictions were right on target.
Also effective are company-specific assessments, if done right. Michael Hession, senior vice president at Woodside Energy, Australia's largest energy company, offers an example based his experiences both at company headquarters and in running local operations in diverse places like Algeria, Azerbaijan, Indonesia, Lybia and Vietnam. In these settings, risk has a much more tangible profile, which Hession says taught him many lessons.
First and foremost, Hession notes, "You have to be proactive. Understand the risks as well as the environment you are operating in. In entering a new country, we would put considerable effort into understanding the full risk picture for the business. Each of the risks was analysed and then mitigation strategies were put in place. Very importantly, input to this process was not just from within the company. We sought advice from many external sources, including the authorities and peer companies. We recognised it was not possible to capture all the risks that might happen, but we certainly hoped we had captured the major ones."
IMD's Rosenzweig adds that companies also need to think about what level of risk-taking is required to win in their specific industry. "The great unspoken issue is about payoffs, and the degree to which payoffs are skewed in an industry," he says. "In an industry with many players, low barriers to entry and where only a small number will make a lot of money, the payoffs are highly skewed. If this is the case, you cannot afford to take a conservative approach. So winning is not about limiting the downside in situations like this. Only companies that have an appetite for risk in that industry will find themselves winning."
Ultimately, then, the new thinking about risk management is becoming much more a strategic discussion, turning risk managers into strategists and vice versa. "Strategy is making choices under conditions of uncertainty," says Rosenzweig. "And you cannot make the right strategic choices without understanding your industry and how much risk you need to take on."
As a result, risk management promises to become an even more central part of managing any business. In Danone's case, for instance, Hellich says risk considerations are now embedded at multiple stages during the course of business -- at the strategic planning stage, the budgeting stage, etc. -- and should be discussed more often during quarterly reviews and whenever there are major changes or new projects. "Again, it relies pragmatically on common sense and business judgment, shared with peers across the organization."
Wharton's Michel-Kerjan shares the sentiment. "We have to be careful -- not all the models were bad. What we are really seeing now is a need to integrate decision-making processes into the evaluation. These things are not at the margin; they are central. You can assess the risks very carefully with the best experts, but if you don't think about [them] and integrate [them] with the strategic decision process, you don't get anywhere."