Interdependencies have grown not only within the private sector. Governments and industries are increasingly dependent on each other at a level of intricacy not seen — in the United States, at least — since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 “critical infrastructure sectors” (such as energy, telecommunications, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current public–private sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunications issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored by Booz Allen with the Council for Excellence in Government in December 2001, and designed to model the effects of an intentional release of pneumonic plague in multiple metropolitan locations, found that casualties would be dramatically reduced by cross-sector knowledge-sharing mechanisms.
Interdependence risk — within the private sector or across the public and private spheres — underlies many recent reports of operating loss. Consider what happened in September 2002 when a labor dispute shut down West Coast ports for several weeks. As critical supply chains stopped functioning normally, severely constraining manufacturing and product replenishment, U.S. companies lost an estimated $1 billion per day. The events highlighted the interdependencies among shipping companies, supply chain–intensive industries, contract logistics providers, and government agencies.
ER vs. ERM
Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on “point solutions,” which attempt to moderate risks by “hardening” potentially vulnerable spots against attacks, a futile exercise in a networked enterprise. An organization cannot simultaneously harden all the nodes within its network; threats will just migrate from a hardened node to more vulnerable points. Military strategy has long since adapted to this new understanding. In the early 1990s, when the U.S. Department of Defense recognized that its war-fighting doctrine of “information superiority” increased its dependence on networked communications systems, it transitioned from the traditional risk management technique of hardening every node to a “defense in depth” model, which uses a layered approach to security.
Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers by the National Association of Corporate Treasurers and other organizations, three-quarters of respondents agreed that a major disruption to their top earnings driver would either cause sustained damage to their company’s earnings or threaten business continuity. Yet fewer than one-quarter of respondents said their current risk management efforts sufficiently anticipate a wide variety of potential large-loss events. (See Exhibit 1.)
In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus executives and directors on the nature of specific vulnerabilities, and they can provide partial frameworks to help firms protect potentially weak links from low-probability catastrophic risks. But they do not fully prepare companies for the discontinuities that can jeopardize earnings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced by the firm. Such network discontinuities can accumulate exponentially and often spiral out of control, subjecting a company to levels of loss without modern precedent. So Barings Bank learned when the actions of a single trader in Singapore destroyed the centuries-old institution.