(cliché, sorry) Traditional risk management systems do work, until companies face “novel risks” [MK: or “uncertainty”], which either can’t be anticipated or have their likelihood misjudged; either way, the standard playbook is not applicable.
It’s also now cliché to talk about “black swans” where the risk was understood, but the trigger looked remote. But the trigger doesn’t have to occur in the firm itself; it can happen in a supplier or major customer. [MK: That’s why Apple is trying to diversify away from Foxconn as the major supplier; however, there’s nothing new about it, as it’s the “Supplier Power” in Porter’s Five Forces. Also, investing in alternative suppliers is a viable strategy.]
The “Swiss cheese” of mistakes, when several seemingly unrelated issues combine to create a devastating effect. [MK: Oftentimes this is a result of different divisions not sharing activities and risk information with each other, thus creating a high risk of failure. When companies accelerate their initiatives in the COVID world, they can easily fall into this trap.]
The risk materializes very rapidly on an enormous scale. Firms don’t usually prepare for the 1% of negative events with large magnitude [MK: that’s why the NY subway is flooded at least twice a year] as it’s uneconomical or impractical. Having a risk response plan is good [MK: we used it extensively in Aviasales when the pandemic hit], but no response plan has specific steps for a catastrophe. Hence, the quality of the management and the people is what’s more important.
All novel risks initially look like anomalies – things that don’t make sense in the existing picture of the world. As simple as it sounds, doing something new for the first time is a risk in itself and has to be managed, and success should not be assumed.
While identifying biases is also cliché, confirmation bias and groupthink are successful in making firms dismiss uncomfortable signals as just noise.
Many risks are ignored due to the standard operating procedures, and it takes personal courage to go against the SOPs and alert the others.
A firm can appoint a senior manager to worry about what could go wrong (i.e. the devil’s advocate). Obviously, this manager has to have authority to act and to have the CEO’s or C-1’s ear.
Generating new data points on failures and near failures (for instance, in the electric grid) can lead to better analysis of the bigger picture and can identify issues (or attack vectors!) earlier. This information can be proprietary or shared with other stakeholders / value chain members to enrich the data set and identify a variety of possible issues and threats.
Imagining risk response plans for made-up events is helpful for responding to events with similar effect, but different triggers. [MK: for example, we at Aviasales toyed with an idea of the impact of and a response to a catastrophic event of two passenger planes going down. While, luckily, this hasn’t happened, the spread of COVID in early 2020 and subsequent lockdowns had effectively the same effect.]
Responding to Novel Risks
Since some novel risks will materialize anyway, firms will still be faced with a shock. It’s important to have an agreement within the top exec team that all decisions: a) don’t have to be perfect, but rather good enough; b) have to be taken soon enough to have an impact (i.e. a right decision at a wrong time is a wrong decision); c) have to be communicated well enough to be understood; and d) have to be executed well enough to be effective until a better option emerges.
When There’s No Immediate Solution
If the event is widespread and there’s no immediate solution, there needs to be a risk response team (or control centre, or something of this kind).
It should consist of people with authority from all parts of the business at risk, plus (where practicable) people with a medical background in the case of COVID. External expertise may be required. The team membership may change over time as the event unfolds.
There will most likely be an impact on the supply chain, so the communication with partners must increase and be transparent.
This team can outsource some tasks within the firm but will remain responsible for the outcome.
Needless to say, group dynamics have to be carefully managed, as the team emerged due to the crisis and didn’t naturally evolve into what it ended up being. So no big egos, everyone’s opinion matters, focusing on “what” and not “who”, etc.
When There’s No Time
When there’s no time to build a critical response team, the local team on the ground has to make decisions. The old command-and-control ways are no longer working, and the goal of the HQ is supporting people on the ground, not dictating what to do.
The OODA loop: observe, orient, decide, act. Source: North Korean war. If this loop runs faster than the events unfold, there’s a chance to respond better to the emerging situation. Observe – learn all you can about the situation. Orient – make sense out of it and identify the key elements. Decide – generate options and the likely consequences of the chosen response. Act – execute the option. Since every option is temporary, do the OODA loop again and again based on the new observations and past actions.