Facing major risks: Getting it right
by Stefano Milanese, Emanuele Salvador, Michele Piola, Richard Eagar
April 2020
Rethinking risk management to enhance organizations’ resilience

Many governments, organizations and companies were not adequately prepared to respond to a risk of the scale of COVID-19. Over the last decades various epidemics have occurred, and some leaders and organizations had warned about the possibility of a pandemic crisis causing dramatic global consequences. However, conventional risk and crisis management frameworks have once again proved to be lacking in today’s business environment of uncertainty, complexity and continuous change. Despite the terrible damage, the crisis also provides an excellent opportunity to rethink risk management approaches, processes and tools; accelerate innovation; and strengthen organizations’ resilience for the future.

The world has been overwhelmed by the COVID-19 crisis, with more than 200,000 fatalities as of mid-April 2020, and most economic forecasts predicting a more intense recession than even the 2009 global financial crisis. Health and sanitary facilities in most of the affected countries have been unable to cope. Only a few countries have been adequately prepared and equipped, mainly Asian countries that had exposure to the SARS virus in the early 2000s.

Few in western countries were aware that a virus could strike the entire world and our daily life so hard. The initial reaction in both Europe and the US to the COVID-19 outbreak was to downplay its significance, comparing it to a seasonal flu. This is indicative of a well-established human trait of “optimism bias”, which tends to make humans neglect risks, especially those with perceived low likelihood of occurrence and those for which multiple failures need to occur before serious consequences ensue.

The increasing globalization and integration between the world’s economies, cultures and populations also plays a major role in the speed and severity of events such as COVID-19. Since the beginning of the emergency, there has been debate concerning how predictable it really was.

Was COVID-19 predictable?

Although a few organizations have wrongly referred to COVID-19 as a “black swan” event (an unpredictable or extremely rare event), the reality is that a pandemic of this type is predictable. The risk of similar events was discussed during conferences and panels. In 2018 and 2019, the John Hopkins Center for Health Security hosted two pandemic tabletop exercises aimed at illustrating strategic decisions that the US and other countries would have needed to make to deal with pandemics. Bill Gates warned about the potential consequences of a virus pandemic ina TED talk in 2015. 

If anything kills over 10 million people in the next few decades, it’s most likely to be a highly infectious virus rather than a war

Bill Gates, 2015

So, if we had a known risk with extreme consequences and reasonable likelihood of occurring in the medium term, why did governments and companies choose to ignore it, at least in terms of investing in the necessary control and response measures? To help answer this question, it is helpful to consider the recent history of major crisis events.

Major crisis events happen regularly

History shows that major crises occur fairly regularly, as illustrated by the examples in the figure below.

Most of these events have been analyzed in depth, and with the benefit of hindsight, causes have been identified and shortcomings in risk controls and responses highlighted. For example, one year after the 2011 Fukushima accident, the investigation commission declared that the causes of the accident could have been foreseen, and that the company had failed to meet basic safety requirements. One year after the explosion of the Deepwater Horizon drilling rig, investigators defined the accidents as an “entirely preventable disaster” caused by “poor decisions by management”. Even with 9/11, a previously unimagined terrorist event, several investigations identified critical issues that should have been better recognized and acted upon prior to the attack.

So, history tells us not only that catastrophic events happen regularly, but also that, in most cases, they could have been either prevented or at least had their consequences better mitigated if the right actions had been taken. However, hindsight is a wonderful thing.

Underlying factors leading to risk management failures

From our work with many large companies in risk and business resilience management, we have identified key factors that most often contribute to repeated poor management of major catastrophic risks.

Firstly, it is clear that there are shortcomings in the conventional Enterprise Risk Management approaches that companies use. In previous publications* we pointed out how conventional risk management approaches are all too often ineffective in a complex, uncertain and continuously changing environment: they are poor at dealing with complexity, too slow to adapt, and focused on formalism and reporting outcomes rather than supporting decision-making.

However, we have also identified some more fundamental weaknesses that relate to leadership, strategy and organizational culture. Being aware of these underlying weaknesses is equally as important for organizations as having the right risk management systems.

The “can-do” mentality trap: Management cultures typically value leadership traits such as positivity, dynamism, ambition and entrepreneurship. Indeed, all of these qualities are important for good leaders. However, in many organizations the corollary of this is that traits such as caution, attention to detail, and concern for what could go wrong are not valued, or even sometimes discouraged in top leaders. Although consideration of what could go wrong and how to respond should be an integral part of any strategy, in practice these are often perceived as negative or pessimistic topics. Consequently, they are often passed down to risk management functions and treated more as unavoidable red tape than as value-adding activities for the business.

The pressures of the short term: Governments and business leaders alike tend to be judged over timescales of a few years at most. The average tenure of CEOs has been falling steadily over the last 20 years to no more than five or six years, and governments stand or fall based on their performances between elections. Catastrophic risks tend to be infrequent (high impact, low likelihood), and it is therefore attractive to park or postpone them, especially given more pressing short-term priorities and the demands of shareholders or the electorate.

The difficulties of investment prioritization: In theory, prioritizing investments in risk management is straightforward: for each risk, calculate the expected loss over an agreed period by multiplying the likelihood by the impact. The value of the “averted loss” through investing in risk control measures is then compared to the costs of those measures to obtain a figure for return on investment. In practice, however, this is often not enough to prompt boards to invest large sums of money to control major catastrophic risks. Firstly, the calculation usually involves a whole series of modeled assumptions based on likelihoods, impact, and cause/effect chains, which are often easy to challenge. Secondly, the sums of money involved in major risk control are often significant, and when compared to necessary spend on other risks, which may be lower impact but much more likely, they often get deprioritized.

The need to feel it to believe it: It is sometimes said that people do not learn from history. However, it is more accurate to say that people do not learn from someone else’s history. The countries that were properly prepared for COVID-19 were the ones that had previously been through SARS. We can be sure that in the post COVID-19 world there will be huge investment in risk controls to manage future pandemics better, because so many countries have been through it. But this would never have happened based only on prediction, however well-informed.

Rethinking risk management

Given these underlying factors, how can we rethink our approach to management of major risks? We believe there are several areas where significant changes are needed:

Moving to “sensing and responding”: If we accept that companies and governments are unwilling to prioritize large investments to prevent relatively low-likelihood catastrophic events, we need to have better systems for providing early warnings when these events might be getting more likely. This means having risk management approaches which are not based on static risk registers, but rather, on constantly analyzing data and intelligence to sense and predict when risks might be maturing (emerging risks). This might have been a pipe dream 10 years ago, but it is now becoming possible through new predictive data analytics and AI/ML technology. ADL already has experience in developing and implementing such forwardlooking systems.

Monitoring forward-looking Key Risk Indicators: Risk management systems need to focus more on monitoring leading risk metrics as opposed to lagging ones (Key Risk Indicators). Once these have been defined and processes have been put in place to monitor them, it is possible to track them continuously to see whether they have reached a “red flag” status that requires new management action.

Adopting a broader perspective: Frequently, a risk scenario is denied as not credible (“We’ve never seen this scenario happen in our organization”). Organizations need to take a much broader perspective and extend their risk radars. This means looking more at experiences in other comparable organizations, including other industry sectors and fields. It also means engaging much more with the supply chain and other ecosystem partners to share insight and better understand linkages and dependencies.

Stress-testing crisis management plans: Risk and crisis management scenarios are often not effectively tested, instead relying too much on “desk tests”. One of the lessons from COVID-19 has been the velocity at which the crisis developed, which rendered many crisis management plans unworkable because they were too slow and rigid. Stress-testing of crisis management plans needs to be more realistic and rigorous.

Better cause-effect modelling: Traditional approaches to consequence assessment often underestimate catastrophic consequences, on the basis that multiple simultaneous failures are unlikely to happen. However, experience shows that multiple failures can and do occur, especially in emergency situations when the velocity of the risk becomes overwhelming. Moreover, more could be done to identify and assess risk precursors and how these could lead to unwanted events.

A value-based, dynamic risk management approach that incorporates these features and is supported with enabling digital tools can help companies become truly resilient.

Never waste a good crisis!

Despite the damage done, times of crisis often lead to improvements and new opportunities. There are already some valuable lessons in how countries such as Singapore, South Korea and Australia have handled the emergency. In our recent best practice-sharing meetings with 25 CEOs, numerous valuable lessons were identified from the response to COVID-19 so far**. These included, for example:

  • Move fast, assume the worst and be comprehensive (not step by step); secure employee safety first and operational continuity next; be agile and flexible, but with a firm underlying framework.
  • Keep staff closely informed, be straight, be detailed, and be prepared to spend most of your time on this; focus on positivity and morale and listen as well as talk.
  • Create physically separate A and B teams for critical operations; support suppliers and ecosystem partners; be innovative with cash management.
  • Collaborate closely and openly with government and authorities; engage with unions; reach out to and support local communities.
  • Be realistic but start planning for recovery now; use separate teams to work on recovery when the crisis is still happening; leverage the potential of opportunities in the “new normal” of the future.

Conclusion

Catastrophic events are far from unpredictable. Yet consistently through history, governments and companies have failed to take suitable precautions to mitigate and respond to them. Of course, it’s easy to criticize with the benefit of hindsight, but it’s impossible not to conclude that current risk and resilience management approaches are inadequate. The world will learn from COVID-19, as it learned from 9/11, and numerous new controls and measures will be put in place to guard against future pandemics. But what about the next global disaster that looks different to COVID-19? Will we have to wait again until the damage has been done before we take any action?

What is needed is a major rethink of risk management, recognizing the underlying weaknesses and moving towards a much more dynamic, sensing and responding approach enabled by new digital technologies. Until then, are we really prepared to face the next major risk?