Global corporations have been hit by a series of disasters over the last 10 years – natural and financial – that have caused tectonic shifts in thinking about risk planning and readiness. These disasters include the financial crisis of 2008 and such extreme weather events as the Indian Ocean and Tohoku earthquakes and tsunamis, and hurricanes Katrina and Sandy.

To analyze some of the ways companies are responding, Howard Kunreuther and Erwann Michel-Kerjan of the Wharton Risk Management and Decision Processes Center, and Michael Useem of the Wharton Center for Leadership and Change Management, are co-leading an ongoing study, “Effective Leadership and Governance Practices in Catastrophic Risk Management,” that looks at the ways executives at large companies can build and sustain practices to reduce the likelihood and consequences of catastrophes. The Wharton team recently brought together close to 100 leaders from S&P 500 companies to present the research findings and facilitate discussion on “Corporate Strategies for Managing Catastrophic Risks: Linking Intuitive and Deliberative Thinking.”    

The conference program featured several panels, among them “Leading the Company When Disasters Strike,” with panelists from three top financial services companies: William Egan, global head, financial institutions group corporate and investment banking at Bank of America-Merrill Lynch; Keishi Hotsuki, chief risk officer at Morgan Stanley; and Ellen Richey, chief enterprise risk officer at Visa.

The discussion focused first on the various risk-management processes companies have been adopting in response to these recent disasters. Egan began by noting that “at BoA-ML, the risk reporting we have to do, the risk meetings we have to do … [are] much more significant than the days when Merrill Lynch had a different balance sheet [from BoA.]”

At Morgan Stanley, Hotsuki noted, “we [now] have much more stringent risk testing and analysis.” Before the financial crisis, the chief risk management executive at many Wall Street firms mostly had reported to the CFO. Now, however, “the majority report to the CEO. In my case, I report to both the CEO and the board, and we spend between 25 and 30 hours with the board per year focusing on risk management. That’s a lot of time.”

The past five or six years, Hotsuki added, have been marked by three major developments at his firm. “The first was to rebuild our defense, post-financial crisis…. Obviously, the industry has lost some credibility around risk management, so we had to rebuild the defense of knowing where the risk is and how to monitor it, and making sure there are no surprises.” The second trend involved going on the offense, which meant developing “a platform that recognizes that risk capital is one of the scarcest resources…. We have to maximize our return on equity…. Risk has started to be used as an optimization tool” to improve the firm’s return on capital.

The third theme, which has emerged more recently, is a greater focus on enterprise risk management. Hotsuki said that the challenge facing the financial sector now is gradually changing from financial-market risks to reputational risks, including “technology, cyber security and many types of more qualitative risk management.”

Visa’s Richey noted that the firm faces a very different set of disaster risks. “Visa is probably one of the least understood well-known brands” because many people – including millions of Visa cardholders – mistakenly think of Visa as a credit-card company. “We do the processing for the technologies of Visa, but we are not a credit card company.” Nevertheless, she added, “We are a very young company with a lot of risks. From a risk perception, we have such an incredibly valuable brand and highly concentrated processing risk. We are not a bank; [but] we were previously owned by banks, and so Visa inherited a lot of risk assessment practices from the banks” before it became independent six years ago.

What kind of nightmarish scenario keeps Visa executives up most at night? The company, noted Richey, pays a lot of attention to avoiding “system down time.” In such a scenario, “people would go to use their Visa card, and if it suddenly didn’t work for a period of time, we would consider that a big blow…. Reliability is part of Visa’s value proposition and brand promise…. We worry a lot about system down time, and we manage to very, very high standards.” Those concerns have paid off: Visa has suffered only two minutes of total system down-time over the last 10 years, says Richey, adding that “We worry about it, so we have this very elaborate system of controls.” 

At Morgan Stanley, noted Hotsuki, a key risk-management lesson from the economic crisis has been “the importance of the connectivity effect. When Lehman [Brothers] went down [in 2008], many of the banks felt, ‘I’m OK,’ because their direct exposure to Lehman was very manageable. But what all of us underestimated was the indirect second- or third-order negative connectivity effect.”

The under-assessed complexity of the financial system created a “cascade effect that could bring everyone down.” That came as a surprise, and the situation got worse every hour, every day, according to Hotsuki. The cumulative factor and the complex-system issues “are definitely something that we need to focus much, much more on. The historical cases of [this sort] are not frequent and therefore we need to think” a great deal about the lessons these cases offer for risk-management specialists. He added that “at Morgan Stanley, we do have board members who are familiar with complex technology risks, such as cyber security.”

Hotsuki warned that while “a lot of good processes are being developed and the system is much safer than before,” there is an ever-present challenge that “the risk will move somewhere else” beyond those targets that executives have identified as priorities.

The Evolving Role of the Board

Are board members in these companies approaching risk management executives in search of solutions? Are the strategies for addressing these risks being developed or fine-tuned in partnership with the boards? These were some of the questions posed to the panelists. Visa’s Richey said that her company’s board members “want us to be able to articulate for them in, say, a maximum of a one-hour period, a problem that they can engage with us in partnership to resolve.”

Visa’s “board has become a bit more interested in delving into the specifics of risk management, which creates a significant challenge,” Richey added. This process can involve what she called a “translation challenge,” when senior management and the board get together to discuss issues of cyber-security risk. The overall challenge is to “get the right level of information to the senior executives at the right time, and out to the rest of the organization.” 

At Morgan Stanley, the board has a different perspective. Noted Hotsuki, “The board is very engaged because our management is not just engaged in issues of how much they could lose [as a result of risk], but [because] in the investment banking world, risk is a source of income. It is not just about how much we could lose, but also what kind of risk we are taking to make money.”

What role should the board play in evaluating the technicalities of risk management? “At financial institutions, board members sometimes lack the technical knowledge required to understand the growing complexities of global risk management,” said Egan. “When the CIO [chief information officer] tries to explain such complexities, the board may need to have someone with more expertise so that it can properly evaluate key decisions.”

Hotsuki argued that when it comes to cyber security, a board could have much more value to the firm if there were at least one member who could ask informed questions about the highly complex issues of vital concern for managing operational or reputational risk.

Yet, maintained Richey, “You don’t want to have just one person who is a technical person interpreting [technical issues] to the board. We want to make sure that they are not overly reliant on [just] one expert.”