Catastrophic Risk
On the Agenda

• Lori Chordas
• October 2018
• 

Key Points

• Risky Business: Companies are dealing with constant risk, including natural disasters, data breaches and internal crises.
• Change Management: Risk is no longer an afterthought, and companies are increasingly becoming more self-conscious about appraising, measuring and managing risk.
• At the Ready: Firms needs to think long-term about unpredictable low-probability events and evaluate near-misses to help cope with disruption.

Companies face a constant barrage of disruptive threats that could destroy physical assets, cripple business operations and halt global supply chains.

Natural disasters, such as earthquakes, hurricanes and tsunamis, pose a significant risk. Other threats include globalization, political volatility, financial upheavals and man-made disasters. Data breaches and cybersecurity are another growing concern.

While these types of disasters cause billions of dollars in damage each year, few organizations think that such a catastrophe will happen to them.

These low-probability events fall beneath a company's level of concern, causing leaders to become complacent, said Howard Kunreuther, a James G. Dinan professor of decision sciences and public policy and co-director of the Center for Risk Management and Decision Processes at the Wharton School of the University of Pennsylvania.

Failing to think long-term, create worst-case scenarios and place risk higher on the firm's agenda can skew decision-makers' perception of risk and make it difficult to prepare for and recover from those adverse disruptions, he said.

Kunreuther is co-author of the book Mastering Catastrophic Risk: How Companies Are Coping with Disruption, along with Michael Useem, a William and Jaclyn Egan professor of management and director of Wharton's Center for Leadership and Change Management.

The book was supported by the Travelers Foundation and Travelers Cos.' former chairman and CEO Jay S. Fishman.

Decision-makers, especially those at smaller organizations, tend to be shortsighted when choosing whether to invest in catastrophic risk protection.

That's a mistake, said Kunreuther,

Company executives, risk officers and boards need to build a systematic framework to identify and define their risk appetite and risk tolerance in order to improve their readiness and resilience against future shocks, Useem said.

Best's Review talked to Kunreuther and Useem about how companies no longer view risk management as an afterthought and how they're strategically managing and assessing low-probability, high-impact disruptions.

How did the idea for Mastering Catastrophic Risk come about?

Useem: We began to hear from companies that they were increasingly concerned about how they think about, manage and tolerate risk.

Also, risk was on the agenda of the World Economic Forum in Davos, Switzerland, highlighting the importance of managing risk and preparing for what happens if a catastrophe occurs.

We decided to talk to senior managers at more than 100 of the Standard &Poor's 500, an index of the 500 largest U.S. publicly traded companies by market value, to get a better understanding of how they are dealing with catastrophic disruptions.

What kinds of new and evolving large-scale risks do organizations face, and how are companies strategically managing and accurately assessing those risks, especially given today's new reality filled with financial, technological, regulatory and environmental changes?

Kunreuther: When we asked key decision-makers to tell us about the most severe adverse risk their company had experienced, a number of them mentioned natural disasters such as Hurricane Katrina in 2005 and the 2011 Fukushima earthquake and 15-meter tsunami that disabled the power supply and cooling of three nuclear reactors in Japan.

Natural disasters are occurring at increased frequency and they're having a much more serious impact on firms. These issues now need to be placed on the agendas of both large and small companies and their boards.

Useem: Another risk that's become evident over the last 24 months is cyberrisk. Cyber, or more broadly digital security and digital disruption, was a concern we didn't even think about five years ago. But recent data breaches at companies like Facebook and Equifax show that cybersecurity failure is part of a growing list of catastrophic risk considerations facing companies today.

Are firms prepared to handle those risks? The likelihood of those types of events affecting companies often appears smaller, thereby causing some risk managers to dismiss the risks completely. Is that a risk in itself?

Kunreuther: It is. Often leaders become complacent because they view the likelihood of those adverse events as below their threshold level of concern and, hence, do not focus on the potential consequences to their organization.

Useem: The book is designed to help risk officers, executives and nonexecutive directors become savvier about risk and think about the unthinkable before it happens.

Company executives repeatedly reminded us in our interviews that when they put a risk system in place, it often stems from a past hit or from seeing another company affected by an incident.

In the wake of the BP oil disaster in the Gulf of Mexico, for example, other energy companies said, “There but for the grace of God go I.” It was a near-miss that forced them to proactively think about safety, security and efforts to mitigate another such disaster.

Some catastrophes, such as hurricanes and earthquakes, are just going to happen; they can't be prevented. But preparedness and thinking deliberatively about what could happen is important so you aren't caught flat-footed when an event occurs.

It's also important to learn from other's experiences and not ignore successful strategies that are developed outside of the organization.

Decision-makers tend to be shortsighted when choosing whether to invest in protection against catastrophic risks, and they're often reluctant to incur upfront costs for loss mitigation measures. How should companies be thinking about catastrophic risk?

Kunreuther: Intuitive thinking, which is based on emotional reactions and simple rules of thumb, works well for evaluating disruptive risk. But it works very poorly for low-probability events and can lead to mismanagement of recovery efforts.

When companies are dealing with those kinds of risk, it's important to think deliberatively. Deliberative thinking allows companies to use guidelines to assess major risks they face and to choose among alternative courses of action.

However, that's a difficult task because of our myopia, or shortsightedness.

Companies are concerned about short-term events, such as their balance sheet, annual bonuses and future returns on investment. But they also have to think long term.

Upfront costs is a good example. Unless you get something back in the short term you may decide that you don't want to invest in a particular loss-reduction measure, even though it may have very long-lasting benefits. Firms need to find ways to stretch their time horizons so they pay attention to the likelihood of an adverse event occurring over the next 10 or 20 years and then focus on ways to reduce the potential consequences.

In the book you talk about the DISRUPT model and seven primary drivers of disruption. What are those drivers and what should companies do to prepare for and handle those challenging disturbances?

Kunreuther: The subtitle of our book is “How companies are coping with disruption.” So the acronym DISRUPT was a natural way for us to highlight a set of features that are important to consider when firms are dealing with low-frequency adverse events.

We start with the notion of drivers (“D”) of disruption. The “I” in DISRUPT is interdependencies that increase exposure and the linkage between what happens to one firm and its impact on other companies, or what happens in one country and its impact on other countries. The Fukushima nuclear accident is an example of the interdependencies that U.S. automobile companies faced by supply chain issues caused by the disaster.

“S” stands for the short-term focus or myopia of companies not wanting to invest in upfront costs and thinking that the probability of an event is so low that it's not worth worrying about.

“R” refers to regulation, which is another factor that requires attention. In some ways, firms have been concerned about being straitjacketed by regulations, but regulations also create a level playing field so there are positive aspects associated with them as well.

Useem: Two other drivers are urbanization (“U”), which increases the costs of disasters, and probabilities (“P”) of disasters, which have been trending upward in recent years.

There's an increasing concentration of people and businesses in highly populated areas. Bangkok, Thailand, for example, is very urban and has become a large global center for auto parts and assembly.

When Bangkok suffered an unexpected massive flood a few years ago, several major auto parts suppliers were forced to shut down.

That gets to the final factor—transparency (“T”), which has enhanced public awareness of problems and impacts on companies' reputations.

There's increasing demand on firms from the outside world to be more transparent. Social media and the requirements of the Securities and Exchange Commission are examples of that. SEC now requires in Section 1A of its 10K report to investors that firms describe in some detail the risks they face and what they're doing to mitigate against those risks.

Being transparent can be difficult because companies have so many things on their agenda. That's especially challenging for small businesses. But one way companies can deal with that is to buy insurance at a relatively low premium and tell their insurer that they're taking protective measures so they can get a premium reduction.

In the book, you highlight a checklist of 15 steps that companies should take toward mastering catastrophic risk. What are some of the steps and management practices company leaders need to take to overcome their systemic decision biases and reduce the likelihood and impacts of large-scale disruptions?

Useem: We came up with 15 management principles that we sum up in a checklist. There's no single silver bullet here.

One vital step is thinking long term. However, that's a difficult task. Every year companies are under enormous pressure to deliver results, and investors are pretty unforgiving if they're not delivered.

It's incumbent upon management and directors to think three, five or even more years out. A case in point is what we learned from Morgan Stanley, which was housed in the South Tower of the World Trade Center on Sept. 11.

In 1993, a truck bomb exploded in the basement of the World Trade Center, killing several people. While it didn't directly affect Morgan Stanley, the company's director of security, Rick Rescorla, said, “You know, thinking longer term, are we prepared to get people out of our building if something goes terribly wrong?”

For the next eight years, Rescorla insisted the company practice an annual evacuation drill of evacuating the tower.

On the morning of 9/11 when the North Tower was initially hit, Rescorla told Morgan Stanley chief executive Phil Purcell, “I think we ought to get out of this building now.” The CEO authorized that request.

In the few minutes between the initial hit and the second aircraft coming into the South Tower, Rescorla was able to escort 4,000 employees out of the building. Almost everybody got out. Six did not, including Rescorla, who went back into the building to look for stragglers.

Kunreuther: Morgan Stanley took preparatory steps, but it took the 1993 World Trade Center disaster for them to actually say, “Let's put this on our agenda.”

In our checklist, one of the things that we recommend firms do—and many are already doing it—is to consider worst-case scenarios and “stress test” those scenarios by assessing their company's ability to withstand an event.

Also, companies should stretch the time horizon when they're judging disasters so that risks are taken more seriously by the firm. This could mean redefining the probability of an event with a 1-in-100 likelihood of happening next year to a 1-in-5 chance of happening in the next 20 years.

What other steps should directors and executives take to think long term and define and balance their risk appetite and risk tolerance?

Useem: Years ago very few boards put risk management and risk mitigation on the agenda. Today, almost every board is making risk a topic for discussion. They're having active, pre-emptive dialogues with their top management teams about the risks they face, their tolerance for those exposures and how much they're willing to spend on risk prevention.

Kunreuther: Balancing risk appetite and risk tolerance is a critical issue that firms need to do and are doing more of today.

The 2008-2009 financial crisis was a good example of a past disruption that forced financial institutions to say, “Maybe we really need to think about our risk appetite and risk tolerance.”

Companies can balance the two by mapping an overall strategy and giving priority to the most demanding enterprise risks.

It's also important for companies to advocate a culture of learning from their own adverse events and near-misses and to spread the upfront cost of risk mitigation measures through multiyear loans and budgets so they can focus on the short-term benefits in relation to the lower costs in developing a long-term strategy for managing and mastering catastrophic risks.

Before the attacks of Sept. 11, there was very little emphasis by companies on low-probability events. But starting with 9/11 and continuing today, firms are really starting to pay attention and place these events high on the agenda.

What role does the insurance industry play in helping companies to master catastrophic risk?

Kunreuther: Transferring some of the risk via insurance and reinsurance allows companies to protect against future losses.

Insurers are now playing a much more important role in mitigating future disruptions and the related financial losses that companies may experience by stressing the importance of investing in preventive measures now.

In this regard, insurers, too, can benefit from lower claims for future adverse events when these risk-reduction measures are undertaken by firms. There's a challenge in how insurers package their product so that firms will not only want to buy coverage but also want to invest in mitigation measures to reduce their risk.

It's been said that enterprise risk management is everyone's responsibility. What can we learn from one another about handling catastrophic risk management?

Kunreuther: One of the most important steps in our checklist is that everybody is responsible for risk identification and mitigation.

Firms now recognize that enterprise risk management is a way of bringing together many individuals in the organization, not just those at the top but also frontline managers, risk analysis teams and internal audit groups.

They have knowledge that can actually highlight some of the challenges that executives now face, but with much better detail than those at the top would otherwise have. That's a role that ERM can play.

Because catastrophe disruptions often fail to provide sufficient warning, what do companies need to do going forward to expect the unexpected and improve readiness and resilience against future shocks?

Useem: Decision-makers need to think about and plan for risk and put an apparatus or emergency plan in place so they have a preset assignment of responsibilities for response.

The 15 guidelines highlighted in the book are the essence of being more self-conscious, deliberative and thoughtful about potential big shocks and disruptions that can be better appreciated in advance.

Many firms now have an incident commander or someone designated to take charge during a crisis. That individual is trained to offer guidance and take steps under great duress. Understanding the world around us before it collapses for whatever reason, and then being ready to dig out and become resilient if it does, is critical.

Kunreuther: The biggest challenge we all have is myopia and the focus on short-run returns. Anything we can do to overcome that, such as funding risk prevention measures, is important.

The point we are making in constructing the checklist for action is that risk management is a value-creating strategy. When companies take steps to reduce their risk, they're also improving their reputation by valuing certain activities that they might not have otherwise considered, such as finding more than one supplier before an adverse event.

Companies need to be unsurprised by surprise and place risk preparedness very high on their agenda. Doing so gives everyone confidence that they'll be in a better position later on rather than having to scramble when a disaster occurs.