Publish date: 9 January 2019
Trust and Loyalty By Jim Blair
2018 was a tough year, with risks increasing in frequency and magnitude and accumulating into something north of an average $3 MM loss per incident. The best way to prepare for 2019 is to focus on proactively managing organizational risk.
The 21st Century customer/client expects a lot. Not only do they want a quality product and a great price, but they equally expect grade A service, top notch customer contact and response, zero defects and the highest quality. Quality! – meaning that the product works, is reliable, simple to operate, meets expectations, is easy to integrate into their systems, is serviceable and efficient. The 21st Century customer/client expects products and services in which they have trust; and when delivered they grant you loyalty. These customer/clients assume that you will deliver what is promised on a consistent and reliable basis with no excuses. So, how can you meet your customers’ expectations with hurricanes, earthquakes, fires (wild fires), snow storms, tornados, floods, train wrecks, refinery explosions, work stoppages, power outages, internet disruptions and cyber-crime? The answer is either luck, or hard-core planning, anticipation and exceptional risk management. In short, the 21st Century customer/client expects you to anticipate and mitigate the disruptions that could cause a missed commitment. Those companies that practice proactive risk management will distinguish themselves from competitors.
Natural disasters are hard to predict and mitigate. And disruptions caused by human interventions continue to grow, with more than 70% of service interruptions occurring as the result of error, inattention, inadequate policies/procedures and/or intentional misconduct. The solution to these ‘human’ challenges is straightforward but challenging. Fundamentally, all processes must be thoroughly developed with a keen eye on the risks surrounding each, including the interrelated flow between processes. Documentation is imperative and employees must be trained with rhythmic and unwavering discipline. Actual operations must be assured through rigorous measurement, observation and review. The same practice must apply to all third-party suppliers in the supply/service chain. Attention to detail is an absolute imperative.
Disruptions can and still do occur despite successful implementation of these risk management-based actions. The final leg of proactive risk management is preparation to respond to business interruptions. To meet 21st Century customer/client expectations, organizations must develop and practice Business Interruption Plans that can recognize, respond and recover when operations are disrupted for any reason. Scenario planning will assist leaders in developing the skills to monitor operations and to respond to minimize the impact of unanticipated situations on the customer/client. The “bottom line” is that if the best risk management practice still is unable to guarantee continuous service delivery, then the key measure of success is the speed of recovery and return to normal.
Business leaders usually appreciate time to consider situations, facts and data, and alternatives. When an operational disruption occurs, time is not our friend. Proactive risk management anticipates the unexpected, implements key monitoring schemes that measure the assurance of operations (recognition), insists on immediate notification when a disruption occurs, deploys the organization’s Business Interruption Plan (response), initiates internal and external communications, secures the operational environment and begins troubleshooting and recovery. Inclusion of every element of the impacted operations chain is imperative (including the supply chain). The entire process should be under the direct supervision of the risk management governance process.
The 21st Century customer/client will recognize excellence in response and recovery. Proactive risk management confirms the trust and loyalty described above. Pundits report the daily uncertainties and speculate on the challenges ahead in 2019. It’s a certainty that operational risks will continue to grow in frequency and intensity. We see daily reports of new cyber breaches and hacks. Ransomware attacks are at an all-time high, the majority of which occur as the result of an employee or vendor clicking on an infected e-mail. Cities are major targets since hackers know they might get paid, but more importantly they know the expansive community disruption that can be caused if the information systems are locked up. The Cambridge Centre for Risk Studies estimates a potential $320 billion annual liability from the 279 largest global cities from natural and cyber disruptions, making risk management discipline a big deal! A single employee, supplier or hacker can undo all the investment in products and systems. People are the only solution to people-caused risks! Proactive risk management and governance is the key solution.
Publish date: 19 October 2018
Can our global risks get any crazier? By Jim Blair
In the short nine months of 2018 the magnitude, frequency and velocity of exogenous risk events seem out of control. We’re frankly amazed that our colleagues are able to stay focused on the business fundamentals which appear to define the spirited stock market and solid quarterly performance. Consider the sizable impacts of the following risk events:
Costs of recent global disasters (including Hurricane Florence - $50 billion) are in the range of $100 billion
Costs of major cyber breaches of transportation companies Maersk and FedEx are in excess of $600 MM; the Equifax breach of $150 MM citizens had associated costs of $150 - $250 MM
Cyber-crime losses are in the range of $600 billion (headed toward $1 trillion by 2020)
These massive losses are further compounded by the geo-political impacts of trade tensions with Russia, Korea, Canada, Mexico and the EU, the EU General Data Protection Regulation (GDPR), and the ever-increasing array of state cyber/privacy protection regulations, with California exceeding the most stringent requirements on organizations. The increased presence of workplace violence and sexual harassment is shocking and creates a real drag on the positive business culture companies are trying to create. The added rancor of US politics adds a further strain. These factors are largely beyond the control of business leaders. So, how do you plan for the future, when the current state is so uncertain? Our instinctive answer is to focus on the risks that attach to your business and prepare the best mitigation strategies you can. You should engage your team in regular discussions about your day-to-day operational risks and prepare to respond individually and collectively in a nimble and focused manner. Think of the incidents that can disrupt your operations, draft your response plans and then diligently practice those plans. Incidentally, a recent study of C-suite leaders indicated that 90% believe that response plans are in place – only 17% actually practice the execution of those plans. While planning and practice may feel like adding weights in your pockets, the opposite is really true. Planning for how to respond to risk events can be part of the normal business planning processes and is a natural complement to what your teams are already doing to forecast the future needs of your business. As the planning proceeds, encourage all team members to think creatively about how major risk incidents can be anticipated and mitigated. Keep track of and document these exercises. You’ll be amazed at the improved results.
Duty of Care! By Jim Blair, Affiliate Partner
Employers are of course accountable for the health and safety of their employees, customers and suppliers who operate on company facilities while performing company work. This includes business travel, working spaces, parking lots, hotels, tools and equipment, air supply, water, waste facilities, manufacturing lines, shipping centers and more. The bottom line is that employers must provide safe and secure work environments. A major challenge is workplace violence in the form of sexual harassment, bullying, insufficient cyber-security policies and procedures, physical security, inadequate supervision, active shooters and terrorist attacks. Often the Duty of Care expectations are assigned to HR and do not receive adequate attention from the C-suite and the Board. This is a major risk factor that should be periodically addressed by your Risk Management Governance Council.
Within the notion of Duty of Care is the physical well-being of everyone associated with your business. For example, most have not contemplated the human safety risks and physical perils associated with cyber-breaches. Imagine a hacker captures control of your manufacturing facility and disables all your fire response systems. The hacker ignites a fire by overheating a generator, placing the buildings and equipment in peril and your employees at risk. The Duty of Care expectations will roll up to the front door of the CEO and Board. Scenario Planning for incidents like this, along with floods, hurricanes, wild fires, earthquakes, geo-political foreign government actions and failures in the supply chain is urgently needed to ensure the success and sustainability of your operations. Regular and robust governance discussions by the C-leaders are the best way to anticipate, prepare for and hone the nimble thinking required to recognize and respond to a major incident. This is what head football coaches and staffs do every weekend. With this background we all have work to do. Safety and security are hard work! All the investment in hardware and software cannot achieve what employee attention, awareness, and action can. A single employee or supplier can undo all the investment in systems. A well-trained and risk-aware workforce is the only solution to people-caused risks, and solid governance and leadership are the keys to success.
Publish date: 15 March 2018
Compliance as a Valued Market Imperative! By Jim Blair, Affiliate Partner
No one on the planet likes rules! Rules and regulations feel like constraints on creativity and proactive business progress. However, the global solution to any problem seems to be new rules and regulations. Businesses of all sizes are challenged to understand and operate under increasingly complex rules that govern financials, products, transportation, order fulfillment, employment, safety, health, environment, behavior and rapidly growing information security. Our clients increasingly feel like Compliance is becoming their purpose.
Shouldn’t we be more focused on meeting customers’ expectations? And then the expectations of owners/shareholders? The temptation might be to focus on expectations of regulators ahead of customers and owners. The risks of operating in the market where the priorities of customers, owners and regulators become unbalanced are real and we offer some perspective. Remember that we take risk to generate cash – we spend cash when risk is not managed. Compliance does not generate cash – inadequate compliance spends cash. Further, Compliance is “what happened yesterday” – risk management is “what may happen today and tomorrow”. So, how can these two factors co-exist?
Proactive risk management treats compliance as a market imperative, equally valued with customers and owners (or shareholders). Risk-based performance serves all the key stakeholders:
The Customer with products and services that exceed their expectations.
The Owners with return on investment from effective operational performance and financial management that exceed expectations.
The Regulator with performance, products and integrity that exceed expectations.
Viewing Compliance with regulations as a market imperative changes the risk paradigm. The priorities become providing 1) products and services, 2) financial performance and 3) Regulatory Compliance better than anyone else. If we fail, the customer gets their money back! Managing risk better than your competitors becomes part of your reputation and your brand.
Black Swan has experience creating proactive Compliance programs that improve customer service and financial performance. We can also help deploy proactive Risk Management governance structures that engage the C-suite and Board levels to deliver performance that exceeds customer, owner and regulator expectations.
Publish date: 15 March 2018
World Economic Risk Priorities in 2018, By Jim Blair, Affiliate Partner
The World Economic Forum met in Davos, Switzerland for its annual assessment of global financial and operational risk. It is intriguing to see the world’s most talented government leaders and educators come together to evaluate and project the major risks facing the global population. The risk priorities are listed on the attached Risk Highlights and little changed from 2017, other than ranking. Notable from government and educational leaders are the top 4 Risks of Extreme weather events, Natural disasters, Failure of climate-change mitigation/adaptation and Water crisis. These Risks offer little opportunity for more effective management. Risk management resources are faced with the imperative of planning and preparation to effectively recognize, respond, and recover (3 “R’s”).
Business executives forecast a more manageable set of risks, including underemployment, fiscal crisis, failure of national governance, energy stock prices, cyber and terrorist attacks and interstate conflict. These examples lend themselves to proactive Risk Management that enables prioritization of material risks, allocation of resources to assess and develop mitigation strategies, measurement of progress and nimble adjustment to changed circumstances while preparing to deploy the 3 “R’s” when needed. World business leaders do understand the benefits of managing risk!
Potential Future Shocks – WEF experts did outline the potential for the truly unexpected. Consider the following 10 potential future shock risks.
1. Food supply crisis
2. Global financial crisis
3. Algorithms that lock the internet
4. The rise of inequity
5. End of global trade as we know it
6. War without rules (cyber)
7. Democracy buckles
8. Who we are?
9. Extinction of fish
10. The breakup of the internet
These risks lend themselves to improved risk management governance and action on the part of country and global leaders. Business leaders appear to comprehend the opportunity to improve.
Cyber incidents remain out of control. Cyber-breaches increased 45% and hacks were higher by 122% over 2016, costing more than $400 billion. Forecasters estimate the global costs could reach $6 trillion by 2020. These Risks are manageable under the stewardship of a top-level risk management governance process (C-suite & Board).
Black Swan can help strengthen your business. We look forward to your thoughts and questions – please contact us.
Publish Date: 08 January 2018
By Jim Blair, Affiliate Partner
While hurricanes, earthquakes and wild fires are consuming personal, business, government and insurance dollars by the billions in 2017, closely followed by the billions expended on cyber-breaches, human behavior is capturing the headlines. And, more importantly, it is impacting the lives of workers, business leaders and the public. There are more than enough material risks from uncontrollable risks to occupy the risk agenda. BUT, unacceptable human behavior is upstaging it all. Most captivating are the reports of sexual harassment and misconduct in virtually every business sector and many governmental entities in the country. Compounded by business mistreatment of customers and employees by Wells Fargo, pricing and employee manipulation by Uber, sexual harassment by public figures at FOX and NBC, and intentional misstatements regarding cyber-breaches at Yahoo and Equifax, public confidence in businesses is a major risk to be mitigated through proactive communications, strengthened Risk-based governance and a return to strong ethical behavior.
So, what is this notion of ethical behavior? Leaders are expected to produce business strategy, sales and consumer services, operational excellence and nimble adjustments to business conditions that produce results to satisfy shareholders and stakeholders. Hundreds of books are written about ethics and leadership, but simply said: leaders achieve success through 1) clear and rhythmic communications to all stakeholders, 2) a risk-based strategy that anticipates disruptions, 3) alignment of all parts of the organization toward common goals, 4) regular measurement of progress and the passion to adjust when unexpected risks arise and 5) recognition of success. It is imperative that these steps are conducted within a culture of honesty, trust, integrity, passionate assessment of progress, nimble adjustment to circumstances, and operational excellence. The establishment of an ethical culture is the duty of the Board, owners and the leaders of the organization. Now the concept is easy to talk about, but putting it into action is another matter. Given the demand for an ethical organization, top leaders/board must establish a governance process that 1) establishes expectations, 2) communicates the “tone” and 3) rhythmically measures the pulse and performance. Use of internal and external measurement systems is critical to a Board committee focused on risk, ethics and culture. I
Effective management of risk is every business leader’s and member’s responsibility. Certainly, organizational culture is established by top management and the board. Unfortunately, responsibility is often schlepped off to HR or the Compensation Committee. An urgent change is needed that can be achieved by top-level risk governance practiced by a Risk Management Executive Council (RMEC), tackling the risk of human behavior as a material and urgent imperative. A creative example is Fox’s establishment of a board level Workplace Culture Panel to oversee the internal Human Behavior of the organization – a very positive action! This Quarterly Advisory would be incomplete if we didn’t discuss the facts regarding magnitude of disaster risk and the evolving risks of cyber. This year more than $370 billion in global physical damage has been caused by unexpected events of nature ($200+ billion in the US). These numbers understate the costs of business disruptions, revenue loss and human costs – the numbers could easily be double. We simply cannot avoid a hurricane, and FEMA has reported “they are out of bandwidth” to deal with more dam
We look forward to your thoughts and questions – please contact us.
Publish Date: November 11, 2017
In the aftermath of the 2008 financial crisis, the Risk and Insurance Management Society, Inc. (RIMS) published an Executive Report in 2011 entitled “An Evolving Model for Board Risk Governance,” co-authored by Carol Fox, John Bugalla and Kristina Narvaez. Rather than simply update the report, the authors looked more deeply at the 30 companies that comprise the Dow Jones Industrial Average to examine trends in risk governance and how these companies are advising their investors about their boards’ involvement with the oversight of risk. According to the report, only one member of the Dow’s 30 companies has formalized a board-level Risk Governance Committee (JP Morgan Chase).
According to Black Swan affiliate partner Jim Blair, "the shock is the limited number of large and well-resourced organizations that have taken the art of Risk Governance seriously. I share this since you have implemented, or are implementing, a top-level Governance approach that is a confirmation of good business judgment and positive impact on your business."
To download the full report, visit RIMS Risk Knowledge Library at www.RIMS.org/RiskKnowledge.