I've spent some time the last month thinking about the concept of risk, the practice of risk management... like just about everyone else on the planet I suppose. Luckily enough, my colleague Eamonn Kelly at GBN was asked to write a piece for the Financial Times on the evolving nature of risk in the business world... and we wrote together this piece -- which is an overview of course given the 4000 word constraint. That said, there are some ideas that I believe are worth sharing and developing further.
The Changing World of Risk (appeared in the Financial Times on Friday Sept 9)
Eamonn Kelly and Steve Weber
Eamonn Kelly is the CEO of Global Business Network (GBN) and a Partner in the Monitor Group. His book Powerful Times: Rising to the Challenge of our Uncertain World is published next month by Wharton School Publishing. Steve Weber is a professor of Political Science at UC Berkeley and a senior consultant with GBN. His most recent book was The Success of Open Source, published by Harvard University Press in 2004
Is risk bad for business? In the uncertain, complex, and volatile environment of 2005 it no doubt seems to many executives to be so. Risk is something to be managed, reduced, hedged, or sold to others. But it is worth recalling that the original concept of risk, derived from early European sea-faring adventurism, contained a powerful sense of opportunity and reward as well as downside and danger. We believe that winning businesses in the future will be those that are best able to balance coping strategies, which are defensive and focused on avoiding downside risks, with an increasing mix of exploitation and exploration strategies, which embrace risk and make the most of the opportunities it presents. This will require more than just continuous improvement in traditional risk management tools – it will also involve a shift in mindset and focus.
There are good reasons executives tend to think of risk as something to be avoided. Part is simply the hard-wired human psychology of loss aversion – for most people it hurts more to be at risk of losing ten dollars, than it feels good to have a chance to gain an equivalent amount. Part is the left-over experience of the 1990s – in a highly permissive and opportunity-rich business environment where it was remarkably hard to fail, a smart and simple risk strategy is just to protect against catastrophic downsides and then let the engine run. And part is the extraordinary innovation in risk management tools, which allow sophisticated hedging, re-packaging, and pricing of risk within increasingly liquid marketplaces. These tools are increasingly valuable and important for business today – but they are unlikely over the longer term to confer much in the way of sustainable advantage. A business that gives in to loss-aversion psychology, sells off its risk to others, and simply lets the engine run, will in the future most probably be described by one word: unprofitable.
The world has always been a complex and uncertain place from the perspective of anyone trying to create value over time. But without inappropriately flattening out the past and indulging in the fantasy that the ‘good old days’ were simple and straightforward, we should acknowledge the obvious fact that business ecosystems today are indeed faster moving, more interconnected, increasingly global, and both bigger (in scale and scope) and broader (more players, and more unfamiliar players) than they have ever been. Moreover, competitive pressures frequently lead to radical changes in our business models and behaviour that can generate unanticipated problems – think of BA’s recent troubles arising from the outsourcing of its catering. As the pace of change accelerates, many executives have the very understandable feeling that uncertainty and risk increasing at a faster rate than is quantifiable and manageable. That sounds like a scary proposition, but does it need to be so? In fact, a bigger menu of uncertainties provides daring innovators new opportunities to create upside risk.
To see this more clearly, ask yourself if you think contemporary changes in the external business environment make the business ecosystem as a whole more fragile - or more robust. Is the larger system within which your business operates fragile, brittle, stretched to a tipping point at the edge of chaos? Or is it meta-stable, protected by layers of redundancy, resistant to shocks, and survivable? In fact we don’t really know enough about the behavior of complex systems to be certain. For example, in July, a series of terrorist bombs hit the London underground. We can interpret the consequences of such attacks for the ongoing operation of the city in two very different ways. First, we can believe that ‘a modern city is such a tightly interconnected organism, with all its resources stretched in a relentless drive for efficiency, that it would not take much to bring the whole thing crashing down.’ But there is an alternative perspective - that ‘a modern city is such a complex organism with so many redundant pathways available to intelligent agents, that it is incredibly and surprisingly robust. When hit somewhere, it routes around the damage to self-heal in ways hard to foresee.’
The prevalent mood today is arguably to default to the first interpretation – that we occupy systems that are essentially fragile and vulnerable. Paradoxically, from the perspective of a generic actor in any system, that may be the more reassuring belief – after all, the more robust and meta-stable the system as whole, the less it needs any specific company, country, or person to flourish or even survive. In a meta-stable system, nobody is too big or too important to fail. But from the perspective of a strategic actor, both interpretations signal opportunity. Knowing more than others do about the nature of the system and where it sits on the fragile-robust continuum is a critical source of advantage – and it requires us to think about the larger and more external context within which we operate.
But how much attention do executives pay to the external features of their business ecosystem? In our work with major corporations, Global Business Network often draws a distinction between three critical environments for every business. The first is the internal environment – the organization itself, and its people, systems, assets, processes, culture, etc. The second is the market environment – the world of customers and competitors, products and substitutes, suppliers and partners. The third is the external environment – the world of political dynamics, economic growth, technological development, social and demographic shifts and changes in the physical environment. In our experience, most organizations pay far, far more attention to the first two than they do to the third. What beliefs could lie behind this allocation of executive bandwidth? One hypothesis is that the big, messy external world is just so hard to understand, that the returns to investing the next marginal bit of attention there are too small to matter. A second hypothesis is that the external space contains too much irrelevant risk; the risks that matter to the business eventually will filter inwards toward the inner circles; and you can pick up those signals and respond as risk crosses the boundary to enter the transactional space.
These hypotheses are not entirely wrong. But they are also not in and of themselves satisfactory, because they provide no real source of sustainable advantage. The observation that externally originated risk is hard to understand spells opportunity for someone who can separate, even partially, signal from noise. And if you wait until upside risk is clarified within the transactional space inhabited by your customers and competitors, it’s already too late to seize the most attractive opportunities.
Yet most risk management today is based on coping strategies that manage downside risk. Such defensive measures are needed, of course - but they also have their limitations. Consider the most common coping strategies adopted today. Many companies cope with downside risk by using increasingly sophisticated econometric and other mathematical models and paying increasing attention to them. This is good, so far as it goes. But models have limitations, and it’s often the case that the more finely-tuned the model, the more catastrophically it tends to fail when the world moves outside the parameters for which it was designed (think Long Term Capital Management). And those parameters are often much less transparent than they need to be - in part because they become deeply buried within the assumptions of the models, and in part because the models typically do not deal well with external uncertainty.
Companies also cope with downside risk by elevating the risk function within the corporate hierarchy – for example, establishing risk management committees at the board level. This is also good, because it ensures that risk receives greater resources and attention and that risk management and mitigation enjoy greater clout. But too much attention to risk at the board level can yield an overly defensive posture, because quantifiable (and often disaggregated) data becomes a fixation for decision-making and the tacit, tactile understanding that is present in other forms of knowledge within the organization is undervalued.
Companies increasingly cope with downside risk by throwing money at the problem. At some price, it’s almost always possible to offload to others at least the risks you know about, through multiple layers of hedging and insurance. This is good, because it offers re-allocation, specialization, economies of scale and scope, and all the other benefits that come with disaggregating and marketizing business functions. But giving away risk (or, more precisely, paying someone to take it away) at some point means giving up control of significant pieces of the value chain, and allowing others to control it to their advantage.
And finally, companies cope with risk by acting conservatively. Caution, discretion, and prudence are sensible ways to view a complex world. But it is remarkably easy, particularly for large and successful organizations with lots to protect, to become overly conservative. Conservatism at some point simply has to yield to growth strategies; the key is to know when to move. Cost-cutting can only go so far. Loss-aversion is not a long-term way to win. In expanding markets the smart hopeful will always beat the fearful.
This can be a deeper problem even than Christensen’s “innovator’s dilemma”, although it certainly overlaps with and reinforces his important insight. Combine the organizationally-incentivized conservatism of incumbents with the loss aversion hard-wired into individual human brains, and you have a recipe for disruptive market change. That is just fine for the disruptive entrants and for the business ecosystem as a whole; indeed it is a big part of what makes some ecosystems meta-stable overall. But it is not so good for the companies that are eaten up along the way. They need a more aggressive and advantage-seeking way to think about risk.
And they need it now more than ever. We believe that coping strategies, while remaining a necessary part of any corporate strategy, will in the future increasingly be seen, used, and priced like utilities that everyone simply must have. But they will not be a source of significant and sustained advantage – that will come from seizing the upsides of risk. There are two simple but important claims behind this argument. First, we believe that the information revolution has made ‘that which is known’ more evenly distributed around the world, and in close to real time. Put differently, facts (including factually-based probabilistic assessments of risk) will be available to everyone, all the time, at commoditized (and thus nearly equal) pricing. There will be precious little and diminishing differentiation available in access to ‘that which is known’. This, of course, means that the ‘unknown’ or at least ‘the uncertain’ will become increasingly important as a source of competitive advantage.
Our second claim lies at the intersection of technology and ideology. Information technologies combined with market-friendly ideologies have led to the increasing application of markets as a way of allocating resources and solving problems, in many aspects of economic, social, and political life. It is axiomatic within simple microeconomic theory that externalities – situations where the full costs and benefits of a decision do not fall on the decision maker but on someone else -- are a source of inefficiency in market settings. And so a critical piece of the re-engineering of marketplaces, enabled by information technology, has been the internalization of many externalities. Polluters increasingly have to pay the costs of their pollution.
This is good for the system as a whole of course. But it is not good for actors that have previously been able to capture the benefits of a product or an action, and externalize the costs on to others. Nice work if you can get it, but it is increasingly hard to get. And there lies the second emerging challenge for corporate risk thinking. It was socially inefficient, but wonderful for the company that could get away with it, when you could hold the return piece of the risk-return combination to yourself, and impose the risk part on someone else. Technology is making it easier to break up those deals, and ideology is making it more defensible and attractive to do so. As companies have less of this ‘risk externality inefficiency’ to capitalize on, they’ve got to find something else to replace it.
And that means moving to re-embrace risk as a source of adaptive advantage. In the future, managing the standard downside risks will increasingly become a ‘hygiene factor’ in business planning – simply part of the cost of playing. The notion that some companies are too big or too important to fail, and thus can manage risk differently, will become less prevalent. In the 1960s it really was true that ‘as goes GM so goes America,’ but there really is no equivalent of that today, and it will become less likely over time that any company could achieve that threshold. Sustained advantage will come from the capacity to adapt faster and more effectively than the rest of the pack. That’s familiar as rhetoric, but still unfulfilled as practice in many respects. When advantage lies mostly profoundly in the unknown and the uncertain, the ability to sense and learn faster, to correct mistakes and drop losing bets, to tolerate ambiguity and live with, even embrace, ambivalence, becomes absolutely essential.
In the future, the discipline of business risk practice will have to help people and organizations navigate these challenges. This will require much greater allocation of attention to the external world beyond the immediate business environment, and the mapping of risks within more integrated frameworks that highlight their sensitivity to external uncertainty. It will require the systematic development of new competencies and capabilities that work from the ‘outside-in’ - such as early warning and scanning systems, scenario planning, systems thinking and real options. It will require new approaches to experimentation and learning and greater investment in the on-going development of decision-making executives. It will require more emphasis on the nurturing and sustenance of internal and external human networks, and strategic conversation that places risk as a source of discovery and opportunity.
Most important, however, it will require treating uncertainty as a powerful starting point for innovation and renewal, rather than simply as a threat to be minimized. The new discipline of risk will eradicate from our mental lexicon, once and for all, the mistaken 19th century notion of "survival of the fittest". In a constantly changing environment, the organism that is optimally tuned for today’s world is a dead organism in tomorrow’s very different world. Forget survival of the fittest, and replace it with survival of the most adaptable. After all, as Darwin himself observed, "It is not the strongest of the species that survive, nor the most intelligent, rather, it is those most responsive to change".
Savvy executives don't think of risk as something to be avoided - they think of it as something to be managed. They determine their organizational appetite for risk, and identify internal and external events that might affect their business - events which could be opportunities or risks. They assess the likelihood and impact of the identified events. They then plan appropriate responses to the risks, based on their business strategy and risk appetite - the responses can be accepting, reducing, sharing, or avoiding risk. The risk responses are triggered by policies and procedures put into place in a top-down manner. The risk management tasks described above are iterative, to deal with a dynamic and fast changing world.
Posted by: Martin Moderi | 13 September 2005 at 02:26 PM
Thanks for interesting facts...
Posted by: Jenny | 09 November 2005 at 05:23 PM
tnaks
Posted by: baker | 13 August 2006 at 12:03 AM
http://oiwemenn.iespana.es
http://poewnej.iquebec.com
http://inrnnmmm.awardspace.com
Posted by: Markouhgdr | 23 August 2007 at 02:51 PM
I like your work! 000-disallowed.lk7vnd.us/ ">Patrick dan zimbrick memo $150 djsls
Posted by: radhy | 08 March 2009 at 02:35 PM
How much has your thinking about risk changed since you wrote this piece? Do you think companies and others are approaching risk and uncertainly differently now? Obviously there are many narratives about uncertainty out there - especially right now. thanks!
Posted by: Sara | 30 March 2009 at 01:03 PM