Apples to Oranges
I was recently sandwiched in a middle seat on a long-haul flight. It was impossible not to strike up a conversation with both seat mates. On my left was the head of human resources, responsible for the health and safety of 10,000 employees.
On my right was the CFO of that same company, charged with all things finance but also responsible for IT. Inevitably they asked me what I did – all things risk management – and, as usual, they wanted to talk about the risks they face.
From the left, I heard HR concerns about the next virus or disease that could make employees sick. From the right, I heard fears of hacking.
How does one compare two different risks and assess priority?
To provoke, I asked: Which risk is bigger? More important? If you had only $500,000 for a solution, which risk would you choose to mitigate?
Life safety is always the priority, the left proclaimed. But a nasty breach could paralyze the company, leaving us potentially bankrupt, the right argued. Frustrated, they proclaimed: “You cannot compare them. It is like comparing an apple to an orange.”
It is not the first time I have heard that statement. In the risk management proficiency reviews, it is a common concern. How does one compare two different risks and assess priority?
Answer? Set context for risk assessments before starting a risk evaluation. This is an essential step. Set context by answering questions like these:
Which corporate performance objectives could the risk event compromise? Are all objectives equally important to achieve? If not, which are the most important? What timeframe bounds the risk assessment? Will the risk events happen within the next quarter, year or over five or 10 years?
Does the organization have a common scale that tells everyone what is considered a high impact, in other words, a compromise of one or more objectives?
For example, if an objective for safety performance is “to ensure less than five lost time employee injuries annually,” or if an IT security objective states that “less than three IT systems penetrations shall be allowed annually,” what is considered to be a high compromise of those objectives? Twenty or 100 lost time injuries, or system penetrations?
Conversely, what is considered a low compromise of those objectives? What score will we give a high or low compromising risk event? Will the scores reflect how a risk event can compromise multiple objectives? What do we do if a risk scenario impacts none of our corporate objectives?
By answering these questions, you build a “risk ruler” system.
Risk rulers assure that you have pre-negotiated tools and context around your pending risk assessment. They set the ground rules for what the risk assessment will tell you and how the risk events will be prioritized.
Most importantly, risk rulers allow you to establish common criteria that link performance objectives to risk events. If an “apple” can cause more damage to objectives than an “orange,” keep an eye on that apple.
High Risk, High Consequence?
Imagine you are a board member on a $200 million widget-making company. The risk manager has duly presented their quarterly risk register to you. You learn of two risks.
The first risk states there is a 1 percent chance that in any given year rainfall could flood the factory, costing an estimated $4.8 million in plant damage, employee injury damages and loss of business. The company insurance policy excludes coverage for damages and loss of business due to flooding.
The second risk states there is a 90 percent chance that 24 company laptops worth $2,000 containing company information will go unaccounted for in any given year. Your insurance policy excludes coverage for mysterious disappearance of those assets.
Risk 1 has a low probability with sudden high consequences, while Risk 2 is a near-certain event with a comparably low unit consequence value. Both risks present a total expected loss of $48,000 for any given year. Risk management is looking for board guidance as to which risk to respond to first. Which risk captures your attention?
In recent conversation, a board member told me he felt that risk management often neglects high-consequence risks because of low likelihood, and that high consequence risks must be addressed regardless of their likelihood. He felt that most risks were inadequately selected, ranked and qualified.
He suspected risk management was only comfortable presenting risks that boards would perceive as manageable. Was he right?
Consider Risk 1. Did the register highlight the associated reputational losses and future opportunity losses? Did the register stress that embedded in the event was an employee injury?
If management re-evaluated the two risks to incorporate associated losses and the expected loss was yet again equal, which risk should take priority?
I have three rules of thumb when it comes to risk response planning and investment.
Rule 1: Address low-hanging fruit. Risk 2 has a 90 percent certainty of occurrence. It’s a matter of time. Let the register reflect this. The loss is almost a given and should be treated accordingly. If your company can influence the risk for a reasonable cost, just do it.
Rule 2: Deal with risk that can severely derail your operation. Ask how quickly the company could bounce back if the risk were to occur. Let your register reflect your answer.
Rule 3: Address risks that can exceed your capacity to bear risk. Know the level of loss you can handle any given year. Let your register reflect that. Does the company have the capacity to absorb flooding damage costs of $4.8 million any given year? If not, it needs your attention. Moreover, if this one risk has the ability to wipe out the company, it needs serious attention.
The prickly disconnect between management and boards seems to stem from how risks are reported. Easy fix: Let’s start there.
Hoodies and Brandy
I recently returned from California where I had fabulous meetings with some fabulous companies. One meeting in particular stood out.
I was providing risk management advice to a rapidly growing technology company. When I arrived for the meeting, I was greeted by the CEO and chairman of the board. I confess I did a double-take: In front of me was a very young man, sporting a “man-bun,” wearing a grey hoodie and flip flops.
Maybe it was my East Coast corporate conservatism? Maybe I was not cool enough to fully appreciate the West Coast carefree attitude? Maybe I’ve been too conditioned to how a board chairman should appear?
Most of us have been groomed to think that only once we have served our time in a C-suite and are near retirement do we earn the time-honored privilege of joining a board and coasting through retirement, imparting our vast knowledge and experience with a cigar and brandy in hand.
So when my new friend complained how old he felt to be the board chair at age 28, I couldn’t help but chuckle. Being years his senior, it pained me to hear that.
But after hearing his company’s numbers, a company soon to reach $100 million in revenue in only a few years, I felt less pain and much pride, proof that age and freshness can in fact be a great asset.
It has been long argued that a lack of diversity on boards, long tenure and inadequate board composition create a risk that boards will lose independence from management.
The idea of diversity and inclusivity is very much part of our national discourse today. But what my encounter helped me frame was that we tend to think of diversity as a proper blend of gender, race and abilities.
We seem to speak less about having a mix of age groups representing us.
The fundamental purpose of a board is to guard investors’ and consumers’ interests. The board should reflect those who fuel and support your company — the customers and the society it serves.
Having too many like-minded people, the same age, who come from the same background, can lead to a blind groupthink that can fail to hold management accountable and ask tough, pertinent questions.
It was no surprise when I recently read a “Financial Times” analysis of data by the shareholder advisory group ISS Analytics that showed U.S. boards are “maler, staler and frailer” than their European counterparts.
The analysis said these directors, on average, are less independent-minded. It is no coincidence that shareholders of Chipotle Mexican Grill, recently plagued with a series of food safety problems, blamed a stale, insular board of directors for failing to move fast enough to address problems.
If I learned one thing from my recent meeting, it’s that 20 is the new 40. Push aside some of the brandy and cigars. Make room for the hoodies and flip flops.