Aesop’s Take on Enterprise Risk Management

The One-eyed Doe

A doe that had but one eye used to graze near a lake, so that she might keep her blind eye toward the water, the other eye toward the land that no hunters could approach unnoticed. But one day a hunter in a boat saw the doe from some distance, approached her quietly, and shot an arrow into her heart. In her dying agony, she cried out, “Alas, sad fate, that I should die from a wound to the side I thought was safe, while yet safe where I most expected danger!”

It isn’t likely this is where the term “getting blindsided” originated, but it does nicely illustrate the concept. Organizations and their managements are blindsided daily by events large and small. Risk management may prevent such catastrophes.

While this fable is a dire portrayal of a “downside” risk event, risk actually is a neutral concept. Risk is defined as the uncertain probability of gain or loss. Investing money in stocks is risk taking. Gambling is risk taking. Driving your car to work or to the grocery is risk taking. Operating a business is risk taking, and on many levels as well. When one does pretty much anything, one cannot be absolutely certain of the outcome.

A primary objective of management is to make decisions, and therein also lies risk taking: whether to invest in new capital equipment, acquire a company that will expand market share, expand and integrate operations vertically or horizontally, or even enter a new market. These are all risks of considerable proportion. Further, managers are responsible for protecting the enterprise from losing its value to customers (market share) and stockholders (fiduciary responsibility). Thus, risk management must address both the up and down side of doing business.

Managing Upside Risk

One may ask, “Why would a firm need to manage upside risk?” A good question deserves an answer. Upside risk, a windfall profit from a risky investment or explosive growth in market share from a fortuitous product enhancement, may not seem like a problem that needs managing, but it is. In fact, one of the most difficult things in life, be it personal or business, is a sudden, particularly overwhelming success. Winning $30 million in the lottery can ruin a family not accustomed to handling money on that scale.

So it is with business. A firm with average sales of $50 million lands a five-year contract for $2 billion – 40 times current revenues! Sounds great at first blush, but what does it actually mean to the enterprise? At a minimum, there is explosive, rapid growth of the workforce to accommodate the workload. But there is certainly more: acquisition of additional floor space, furniture, capital equipment, more and likely newer, bigger vendors, et cetera. The increased level of operational complexity alone can become a nightmare for management, particularly because none of them may have experience in a major company expansion, and thus are unprepared to cope with it.

Organizations are like animals. They are born (founded), they grow to maturity, level off, and start to decline until they die, unless… The nice thing about corporations is that they are, from a purely legal view, immortal: they can live in perpetuity.

Though technically true, there is nothing chiseled in stone saying a firm can’t just simply go out of business. Occasionally, it happens to a company that gets tagged with “flash in the pan,” an overnight success story gone sour. That is what happens when a company fails to manage upside risk.

What does this growing “animal” do to accommodate fortuitous outcomes? A good example is the lobster. As it grows, it sheds its shell and grows a new, larger one to suit the growing body inside. During the transition, it is very vulnerable, since it takes time for the new coating of armor-like shell to harden sufficiently to protect against predators.

The enterprise analogy, as applied to our “lucky” winner of the major contract, is that the growth must be carefully managed to protect against “predators,” including competitors, potential hostile takeover suitors, and, curiously, even auditors. Whether a company faces a significant surge in hiring to fulfill an obligation, or because a newly released product line has produced demand for a production volume well beyond current capacity, the effect is the same: the organization must “grow a new shell.”

A particularly fine example of this was captured in a television commercial for IBM in the early days of e-commerce. A gaggle of young entrepreneurs gather around a monitor and count down to the “go-live” of their new e-commerce website. For a moment, the “orders received” counter remains at zero; they begin to fidget, wondering if orders would ever come. Then, “1” pops onto the screen, and wild cheering breaks out. Then “2, 3, 8, 12” and more hits register, and the crowd goes crazy. But then, they fall silent, a look of growing panic and fear replaces their gleeful expressions as the counter accelerates past the 10,000 mark. They hadn’t the remotest expectation of that level of demand for their product, and they now face the desperate task of figuring out how to fill all those orders. Gulp! It’s not hard to see how success can become a difficult thing to survive. That’s upside risk turned upside down, which is why it must be managed.

Key elements in managing upside risk, i.e., surviving success, include:
  • Enlist the aid of a consultant with mergers and acquisitions experience; rapid expansion has similar issues to M&A’s, and some consultancies may have assisted clients with this specific challenge.
  • Carefully assess the scope and characteristics of the impacts:
      • Growth in revenue, projected as far as seems reasonable (be realistic, don’t assume the boom will last forever);
      • Growth in headcount, by functional department (hint: instead of hiring, weigh using contractors for projects);
      • Consider the need for building/buying/leasing new floor space;
      • Kinds and amounts of capital equipment to buy or lease.
  • Carefully evaluate where added levels of management are needed:
      • Functional departments/business processes that will bear the greatest growth in headcount;
      • Need for maintaining process control to ensure profitable productivity.
  • Consider whether separating the growth-spurred operations from the rest would enhance productivity for both.

Managing Downside Risk

There is far more written on this end of the paradigm than the other, mainly because it’s what worries managers and stockholders more, since bad things happen more often. The strategies for managing downside risk are increasingly well documented and discussed in a variety of business magazines. To understand this side of risk management, the table (above) shows a sampling of risk management strategies to be employed, as appropriate.

Managing in Perilous Waters

The Ship and the Sailors

Some sailors, whose ship had made little progress toward their intended port for lack of wind, begged the captain to allow them to throw some of the ballast over the side to lighten the ship. They argued that, once lightened, the ship would move through the water more quickly. No sooner was this done than a breeze came up, which, in a few hours became a furious gale. The ship, deprived of the ballast which would have kept her steady, heeled over, and all on board perished.

An analog of this tale is the use of downsizing to lower operating costs when sales suffer prolonged drops. Like ballast, employees are the resource that gets the work of the enterprise done. A decision to permanently shed otherwise productive staff means losing their productive capacity. (It doesn’t do much for morale among the “survivors” either.) A sudden upswing in sales could result in poor delivery performance, causing loss of market share to competitors who can deliver in a more timely manner.

Operational risk is a fundamental aspect of being in business. One need not DO anything for the outcomes of risk, for better or for worse, to visit its impacts across the enterprise. But the nature of business, and more specifically, of management is to get people to get work done.

Executives and managers necessarily operate in a risky environment, navigating their “ship” through the seas of risk to ports of opportunity. Wise navigation can ensure reaching one’s destination, or bring one to ruin. And therein is the paradigm: like the ship’s captain, the CEO and his/her senior staff are duty-bound to set a prudent course for the intended port(s), weighing the factors of wind, tides, weather, and other vessels at sea, and to be ready for anything that may arise without warning.

In business, this is risk management, which comprises a variety of sub-disciplines, including business interruption insurance, emergency management, continuity of operations (COOP) or business continuity planning, and IT service continuity, to name a few of the more common ones. There are different strategies that may be used to address a given threat or risk. The following list is not comprehensive, but gives examples of various approaches:

Avoidance measures – things to be done to get out of harm’s way.

Move from sites with high inherent risk:

  • High crime area;
  • In a 50- or 100-year flood plain;
  • Subject to windstorms or earthquakes;
  • Close to railroads or federal and/or interstate highways where hazardous materials are regularly transported;
  • Close to airports and their flight paths;
  • Nearby facilities using and/or storing hazardous and/or explosive materials.

Preventive measures – things to avoid or eliminate the threat before it can impact operations

  • Limit access to facilities, including parking areas;
  • Install and maintain fire detection and suppression systems;
  • Educate personnel about shutting off power at main controls;
  • Install sensors near air conditioning intakes that automatically close the vents to prevent harmful materials from entering the facility;
  • Employ personnel access controls, e.g., photo id badges for employees, special ids for visitors, and for vendors.

Mitigating measures – things to enable timely recovery after an unplanned interruption

  • Establish and implement plans for business operations continuity, i.e., ensure measures are in place and regularly tested;
  • Create, implement, and exercise business continuity (resiliency) plans. For the purposes of this article, implementation means all mitigating measures are in place and regularly tested to ensure they meet business requirements;
  • Pre-position response materials, tools, response and recovery plans, list of emergency response vendor contact information, protective gear, and communications gear;
  • For firms reaching a “critical mass” in size that makes this economically feasible, establish a second production site that can absorb the initial site’s workload if necessary.

Third-party agreements – divest the downside risk impact by paying an outside entity to accept all or most of the downside risk

  • Insurance for multiple risks, e.g., property damage, business interruption, executive malfeasance. This doesn’t deliver any products or services to customers, which is certainly a boon to unaffected competitors.

No pre-planned measures – by spending no money to prevent or mitigate risks, a company is accepting the full financial impact of any catastrophe. Executives choosing this option may well be regarded as geniuses, just so long as they never experience a disaster.

Each strategy offers characteristics that must be considered in terms of the probability-weighted impact of losses from that threat. An interesting point to note is: no matter which one or combination is chosen, the probability of any given disaster remains the same. The important thing is each strategy must be implemented to be effective. Saying, “We’ve got a plan!” will not do. A contingency plan worth implementing should be regularly tested to maintain effectiveness and regularly reviewed to ensure it addresses relevant risks and threats, since these can and do change over time.

Gregg Jacobsen, MBA, CBCP, has 15 years of experience in business and IT service continuity consulting with clients in a wide variety of industries. He is an outspoken advocate for the BCM profession, mainly through the Association of Contingency Planners, where he is currently chair of the ACP Distinguished Service Award Selection Committee, and immediate past president of the Los Angeles Chapter. He lives in Westlake Village, Calif.