― Dieter F. Uchtdorf
Blog 7 of the Business Strategy Series
‘From risk monitoring to business resilience’. How many companies had put pandemics as a risk factor in their risk register and were well prepared? This is despite infectious diseases being logged as a medium likelihood and a high impact risk in the World Economic Forum’s Annual Global Risks report. And, since the beginning of this new millennia, in the last 20 years, we have had Sars, Swine Flu, Mers, and Ebola. Clearly, there were not many companies prepared or we would not have needed government economic support of up to 15% of GDP in wealthy nations.
In addition, how many companies were prepared for the financial crash in 2008, have fully considered the risks from global warming, the challenges of political, economic or climate based refugee movements, or the full range of risks from different forms of cyber attacks? This discussion follows on naturally from the previous blog on the need for macro modelling beyond traditional industry analysis.
The first area of attention is to add macro risks with multi-horizon views into the risk monitoring (Figure 7-1)
As the world is getting more complex and more interlinked, the likelihood of an event occurring increases. In addition, the risk and impact of an event is increasing due to inherent trends that we are facing. These trends include climate change, population growth, increasing reliance on technology and data, increased population concentration in cities, globalisation and increased levels of debt per capita. The optimistic view is that behind each of these trends should also be some great opportunities and this is where the great companies will be focusing. Rigorous analysis should help to identify opportunities out of a risk assessment.
In the World Economic Forum’s Global Risk Report 2020, they have surveyed their member base to get their view of the likelihood of a risk occurring and its potential impact on a scale of 1 to 5. The higher risk and likelihood events are listed in Figure 7-2.
The outcome of this survey is set out in Figure 7-3 which shows the set of risks with a combination of high likelihood and high impact. You can see the clustering of environmental concerns in the top right quadrant. It is interesting to note that infectious diseases/pandemics were not ranked as high; although, still seen as serious.
The perceptions of risk are not static over time with some of the perceptions being influenced by events that are occurring at the time, such as the 2008 financial crisis. Since 2007, there are 2 visible trends. Firstly, the escalation in the risk levels related to climate and environmental issues. Secondly, a growing view of risk levels on the technological front. The good thing to take away from this risk assessment is that this indicates a growing understanding and view of the risks of climate change and environmental degradation.
Another interesting aspect of this report is that they compare the views of the WEF members against their Global Shapers Community which is the WEFs network of young people driving dialogue, action and change. In most cases the Shapers see a higher likelihood of an event occurring and in virtually all cases a higher potential impact.
What is not fully evident, and not addressed in the report, is the extent of government and business response in light of these risk assessments. You would think that this could be one of the productive outcomes of the WEF Davos Meeting that happen annually.
For a specific business, the ratings of the risks would be affected by a combination of the sector and geography where they are involved. Business risks can be divided into two broad categories of risk, direct risks (Figure 7-4) and macro, or indirect, risks (Figure 7-5).
Behind the direct risk, is the ongoing risk of one of the events occurring and the potential impact of that risk; however, there is also an implementation risk that occurs on an activity when you are undertaking a material action that is new and within your plan, or you are taking a substantive action to either mitigate a risk or respond to a risk that has occurred.
Similarly, with Macro Risks, there is the physical risk which is the fallout related to the specific event. This would include second and third order effects as we have seen with the current pandemic. However, there is also a transition risk which involves a fundamental change to the operating environment of the business; and, in these cases there are risks related to the period of change to a new environment. Examples of transition risk are the risks arising from a transition from our current energy provision to a clean energy sector or a transition from a linear economy to a circular economy in a specific sector.
Against these risks, the management and their boards clearly need to think through how to build resilience. Resilience strategies can take several forms. Firstly ‘Shaping’, the company could eliminate or at least partially eliminate risk by boldly implementing a plan upfront. This approach would also be deployed where there were also business opportunities. An example of shaping, would be a technology company building a second manufacturing facility outside of China due to geopolitical concerns and trade risks. This approach is clearly bolder and requires more upfront investment; and if there is a market opportunity involved it may well be the right approach. Another interesting example of this is IBM, who started as a mainframe computer business, then separately invested in mini computer business in case the market took off; and then finally, did the same thing with the micro-computer market.
Secondly ‘Hedging’, the company could build a specific risk mitigation response capability that would be pre-planned and tested. This would include optioning, if there are a set of discrete scenarios that would require quite diverse responses. The goal is to limit the upfront expenditure, but keep the company in the game and help accelerate the speed of response if required; thereby, mitigating the risk. Thirdly ‘Reacting’, a company could build the information and systems requirements that would give better pre-risk warnings, improve in-risk analysis to help the response, and provide post occurrence monitoring. Finally ‘Dry Powder’, is to ensure that you have the financial capacity to react to any residual risks including known risks with unknown outcomes and unknown risks.
In addition to defining risks in terms of likelihood and impact, it is important to categorise the risk. There are effectively three risk categories. The first risk category is ‘Clear Outcome’. An example of this would be the binary decision of a competitor to build a new plant in a key market that would significantly affect the supply – demand dynamics.
The second category is ‘Range of Outcomes’. In this case there are a set of different scenarios that could describe the future. In some of these situations, it may link to scenarios of the outcome and timing of regulations related to a sector. The third category is ‘Unknown Outcomes’. In these situations, they are known risks but no true understanding on the likely scope of outcomes. An interesting example of this would be during the development of the electric car market. In 2010, I think it would be safe to say that the categorization of the development of this market and its implication on diesel and fuel cars would be ‘Unknown Outcomes’. In 2016, Norway agreed to ban all conventional cars by 2025 and then other countries and cities started announcing bans in 2017. By this time the risk category in the EU had turned to ‘Range of Outcomes’ and it was just a question of when the bans would be enforced by country across the EU. Clearly, different types of risk need different option evaluation approaches. Doing additional research and analysis to be able to shift to a clearer set of outcomes can add significant value.
Linked to evaluating resilience responses, a business should be able to see that certain actions can create resilience against several, and often unrelated, risk types. This is clustering. For example, having two manufacturing facilities in two countries rather than a single facility could mitigate risks for floods, fires, geopolitical trade risks and foreign currency risks. Another example would be, moving to an environmentally friendly strategy would help mitigate the risks from changing consumer purchasing behaviour, reduce employee retention risks, get the company ahead of potential new regulations, and reduce the potential of brand and reputation damage from climate action groups.
The other side of resilience response is to evaluate whether or not risk reduction can be coupled with a new business opportunity. Pressure test your resilience thinking to see if you can turn some of the needed activities into opportunities to create deeper strategic advantages and further customer differentiation. A simple example of this, has been the Covid 19 based rush of many retailers to build an online channel for remote ordering and home shopping. Many of these retailers somehow missed understanding that adding a home shopping channel market is a basic requirement today and should have been part of their strategy long ago to grow sales anyway.
These different components can be pulled together into an overall approach to resilience management (Figure 7-6).
There are a number of ways to build resilience. The most important starting place is to have the right leadership and team in place that have the knowledge and the capacity to build resilience, and rapidly and effectively respond to risks. This pandemic has shown some stark differences in country and company abilities to respond to risk and significant differences in speed and effectiveness of response.
There are different ways to think of building resilience and some of them are noted in Figure 7-7 Firstly, diversification is a classic way of reducing risk. Points of potential diversification would include raw material sourcing, manufacturing locations, distribution channels, data centre locations, geographic focus, and product range. Secondly digital innovation, which would include adding the ability to work remotely, home shopping, using cloud based systems, remote servicing. Thirdly, product service innovation which would include having a more diversified set of products; but, also being able to rapidly change and adjust products and services for example as new regulations are put in place, software language use changes, and responding to disruptive new entrants into the market. Fourthly, business model innovation is becoming increasingly important to look at. We are now seeing a shift in some areas from single product purchasing models to locked in monthly payment models such as with digital news services vs. daily purchases of a newspaper. Building reliability in revenue flows is a also critical part of resilience.
Next is financial capacity management. In times of crisis, a strong balance sheet always wins. It is increasingly hard to insure against all potential risks so residual risk may need to be covered off by a stronger balance sheet. Just like at home, a business needs a cushion for a rainy day! A strong balance sheet is also critical if a company is seeing increasing volatility of revenues and/or increasing seasonality of the business. Private equity owned companies that are tightly financed and highly levered are particularly susceptible to small changes in trend lines. I think everyone would agree that believing that the last line of defense of a business is a rescue by the government is not something worth relying on.
Finally, having partnerships-alliances or reliable third party support to help deal with, or be on call for, certain crisis types is usually a core part of a resilience strategy. In technology based risks, having a specialised help to deal with cyber attacks is a common use of a third party. They can help help reduce the risk of an attack succeeding as well as helping to respond to a threat that occurs. Other examples could include having back up manufacturing capacity and some outsourced service capacity. For many companies, having your data and software in the cloud results in the cloud supplier (eg. AWS, Google, Microsoft) providing the resources and skills to deal with a cyber attack risk.
Against this whole discussion of risk and resilience, it should be clear that resilience is a core component of strategy. As noted in a 2016 HBR article, The Biology of Corporate Survival, companies are disappearing faster than ever before. “Public companies have a one in three chance of being delisted in the next five years, whether because of bankruptcy, liquidation, M&A, or other causes. That’s six times the delisting rate of companies 40 years ago.” If you are focused on long term sustainable performance in a complex and rapidly changing world, resilience, speed, agility and innovation capability will outperform a low cost strategy.
Source: McKinsey wrote an excellent article in the HBR that helped shape some of this thinking. “Strategy Under Uncertainty”, Harvard Business Review, November-December 1997
REBOOT 