Risks are Everywhere; How Can You Protect Your Businesses?
Jean Pousson, strategy and finance consultant for the Institute of Directors gives advice on how to protect your business.
Every business faces risk. Every strategy faces some degree of risk. Risk is part of the fabric of capitalism.
Risk has been part of society from the very early days. In the biblical story, David took a huge risk but beat Goliath by competing differently and was successful. But did David have a Plan B? Probably not. So Plan A so had to work! Likewise, Goliath assumed that David would compete in a certain way and did not even consider what was to come. Both are examples of strategic risks which were not understood!
There are numerous frameworks, professional bodies, regulations even, that address this topic and serve as guidance for boards and directors. This article takes a slightly different approach based on my experiences of working with boards and directors worldwide.
Things to Remember About Risk
The level of risk complexity is not necessarily commensurate with size. Apple may be the largest company in the world as measured by Stock Market capitalisation ($888bn at the time of writing) with annual revenues of $229bn, but the risks are not as intricate as one would think. iPhone sales make up some 60% of total sales and, in truth, Apple does not have many products. That is not to say that it is a company without risks; far from it. But risks do not get elevated by size alone. Conversely a small company (however measured) can be laced with a multitude of complex risks that can be difficult to manage or mitigate.
New risks emerge all the time. Apple has been using its immense cash pile to invest and dabble in financial transactions and hedging to the point that it is now attracting the attention of the USA financial regulators. In its last full year accounts for the year ended September 2017, its cash and investments totalled some $268bn, enough to buy both HSBC Bank plc and Barclays Bank plc.
New business models inevitably bring about new risks that no one had thought about. Ask Facebook! Its costs will double this year as it seeks to filter false information and prevent user data to be used for inappropriate purposes.
Increasingly companies are registering the possibility of being blindsided by fake news and the digital battles that can ensue. What boards should consider
· Does your Risk Register contain new risks?
· Reflecting on the last twelve months, what has surprised you? Should you have been surprised?
· What strategies do you have in place to manage yourself out of a crisis?
Supply chain fragmentation. As supply chains become more and more fragmented, aided by technology, risk visibility becomes even more blurry. No longer can boards be content with counterparty risk analysis; this has now to be extended to counterparty’s counterparties’ risk.
Risks need to be monetised i.e. what would the financial impact be of this event happening on our revenues, profitability, cash flow, solvency and financial flexibility? Netflix took a hit of $39m on its financials this year. That was the cost associated with replacing actor Kevin Spacey from the popular TV hit show House of Cards because of alleged sexual misconduct. On that note, what policy (-ies) does your business have in place to deal with such matters?
At the same time over-reliance on numbers, and numbers only, can be fatal. In his book The Tyranny of Numbers, David Boyle quotes the economist Robert Chambers:
“Quantification brings credibility. But figures and tables can deceive, and nunbers construct their own realities. What can be measured and manipulated statistically is then not only seen as real; it comes to be seen as the only or whole reality”
And he sums it up beautifully:
“Economists have come to feel
What can’t be measured isn’t real
The truth is always an amount
Count numbers; only numbers count”
So the point here is that risk assessment has to be both quantitative and qualitative.
Reverse Stress Testing. Sometimes different questions have to be asked. A few years ago an Icelandic volcanic eruption caused havoc over European skies with travel. Directors often ask me: ”Show me a model that would have predicted this!” Smart question but the wrong question. The question should have been: ”What is key to our business? What if we are prevented from performing this activity? How would we react? Could we carry on?” The conversation should not be about the reason but what to do in the event of. We call this Reverse Stress Testing.
Decomposing Risks. Risks are often not sufficiently decomposed. Cyber Risk, for example, is not one risk. It is merely a heading that should be dissected into all its constituent parts. Cyber risk can manifest itself in a multiplicity of events. It is that granularity that needs to be understood. As an acquaintance with a technology background keeps reminding me, the top three cyber risks are 1)People 2)People 3)People. He also takes pleasure in reminding his clients that they are not a food company, or a retailer, or logistics etc: ”You are a data company! What are you doing to protect your digital assets?”
Strategic Risks. All too often, risk conversations tend to ignore this. Questions for the board:
· What is the craziest thing that your competitor(s) could do?
· Do you understand your competitors’ strategy?
· Those who choose to live by the sword get shot by those who don’t! (Indiana Jones Movie) so have you considered different ways of competing? Unlike Goliath?
· What if we win? Amazingly enough this is rarely considered. What if you exceed even your most optimistic forecasts? Could you cope with this scenario?
· Are you able to attract new customers? If not why not?
· How do you measure customer loyalty? Frequency of purchase doesn’t necessarily equates to loyalty.
· Are you confident that your process of strategy creation is robust and would stand up to scrutiny?
The disrupters. When platforms attack! Technology has caused untold damage to many industries from books, travel, retail, newspapers, music, gambling, advertising, and even the taxi industry. Could you be disrupted? What are typical forces that could cause this? Most industries that I can think of have seen some level of changing dynamics. My industry (management consultancy)has not been immune. Knowledge is now free and available in abundance. Just ask Dr Google!
Board Risks. What are the greatest risks facing the BOARD over the next few years. This is different to the company’s own risk analysis. Is group thinking creeping in? Are the Board dynamics changing? What about behaviour risks ie who is making the key decisions? Board malfunction is a big risk in itself and should never be ignored.
Risk Reviews. A good practice, of course, and there are many ways of doing this. Try the following different approach. Go and locate your Chief Sarcastic Officer (you have one, we all do!) and assemble a team of creative people to work with him/her with one brief. What would you do if you wanted to destroy this company? This will expose all your risk frailties in a way that outside consultants would probably not. And all it will cost you is time.
In Summary: The ABC of Risk
I have never forgotten a lesson taught to me very early in my banking career about risk assessment.
· Assume nothing
· Believe nobody
· Check everything