Now, some companies do think about risk and do a lot to prepare. I recently met with a leading financial-services company that has its own stash of Tamiflu and is laying out plans for how they’ll work people from home if there’s an avian flu epidemic. They’re actually having their people talk to suppliers to assess which will keep operating in case of an epidemic and which will not. That same day I met with another company, in the same industry. That company views the possibility of the avian flu as a force majeure and has decided to do nothing about it. They’re not oblivious to the fact that avian flu may be coming, but their attitude is: “Whatever happens to the population happens to us.”
S+B: In a state of better risk management, where both enterprise and government take a holistic approach, how will our lives change?
SHEFFI: Let’s start with what it does not get us. It does not get us freedom from disruption and disasters. This is life. There’s no 100 percent security and 100 percent certainty about the future. It’s just not in the cards.
But it does get us more informed decisions. For example, suppose you’re a consumer. You’re buying a toaster oven for 50 dollars, and somebody’s trying to sell you insurance for this toaster oven for, say, 15 bucks. Most informed consumers would not buy this insurance, because you know that there’s not much chance that the toaster oven will break, and even if it does, you’re only out 50 bucks. It’s not going to be a disaster.
On the other hand, most well-informed people buy health insurance. They don’t buy it because there’s a strong probability that they’ll need it — in fact there’s not, and that’s why insurance companies make so much money. But the consequence of not having it can be so bad. You buy health insurance because you want to eliminate certain really bad risks if you become sick or get injured, like being denied proper treatment or being driven to financial ruin.
When it comes to companies, I’m talking about balancing the various risks against the costs of protection and mitigation. It doesn’t mean that decisions and actions taken through a comprehensive process will eliminate risk. It means only that people make decisions with greater awareness of the risks actually undertaken.
Companies will more easily find the “right” level of protection and investment in mitigation measures. The right level is different for every company and situation, but a comprehensive process of assessment and balanced mitigation is likely to lead to fewer surprises.
In the short term, until we have clear models and metrics for assessment of operational risks, companies should involve all functions in strategic decision making and should carefully collect and distill information with Delphi-like processes (synthesizing the opinions of many people) to evaluate risk. They should also be aware of the tendency to move risk around rather than mitigate it. Resilience-oriented decision processes can be coordinated through a senior risk management officer.
In the longer term, as problems persist and trends seem to suggest more volatile markets and less secure and predictable supply lines, research is bound to develop the metrics, methods, and models for comprehensive risk assessment that can and should be embedded in corporate strategy.
Reprint No. 06110
Amy Bernstein ([email protected]) is deputy editor of strategy+business.