While the risk of business disruption can come from anything ranging from natural disasters to economic and political crises, the big question many business leaders ask is how to plan for the unknown.
Richard Nason, a partner at financial risk consulting firm RSD Solutions and associate professor of finance at the Rowe School of Business, Dalhousie University, says predicting risk in itself may be risky. And Greg Cybulski of Aon Global Risk Strategy says there are potential risks the business community may not even be considering.
Is the greatest risk of business disruption in the next five to six years from political, economic, or natural disaster events?
Richard Nason: I think trying to predict five to six years down the road what the biggest risk will be is itself a risky activity. It's next to impossible to say what the next business disruption event is going to be but, stepping away from it, the biggest risk in particular in a Canadian context is companies not taking enough of a risk. One of the things that has happened in my time dealing with risk is we've come to think of risk as this scientific machine, a complicated system. We assume that risk can be regulated or managed away and the reality is it's anything but that. I actually see the biggest risk to an individual company, or perhaps even a systemic risk, for example the financial system, is the rigidity of the risk management frameworks that we have in place.
Greg Cybulski: I agree with Rick an awful lot. You really can't look at risk going out five or six years. There are a number of studies and reports that you can look at that can kind of project it at that point in time, but it really depends on each individual business or organization as to what is their risk, what's their appetite for risk and what are the changes that are occurring in their organization that will actually change their internal risk. If they have a global footprint, their risk is going to be very different than an organization that is operating domestically. Their risks really do change over time and an organization needs to understand how that changes, how it affects the organization and how they need to address the risk.
RN: Just to build on that, I think if you're talking about systemic risk, almost by definition, we can't see systemic risk. We're always risk managing in the rear-view mirror, particularly from the regulatory side. So the big systemic paradigm-changing risks, they're the ones that we have to be flexible and creative on in trying to solve. We're almost always going to be so focused on something that we get blindsided by the elephant that we didn't see coming from our right or our left.
Is having risk management as a field a fad?
RN: I think it's pretty easy to look at risk management currently as a fad. For the good companies, it's something that they've been doing all along. What's come into play, though, is the confluence of regulation, compliance and, probably the biggest change in the use of risk management, where risk management is not so much a fad, is in its use by investors. I think the good corporations were always using risk management, the poor corporations are trying to catch up and investors and regulators are ultimately driving the very reasonable perception that risk might be seen as a fad.
GC: I'll take the other side of the fence here as more of a risk manager in the field. There are an awful lot of businesses out there that need to report to shareholders because they're stock organizations. But what they find is that they're not really integrating a lot of risk into the organization. Even though you'll have departments or operations, such as the supply chain manager that is optimizing the supply chain, what they're not doing is bringing that risk into the organization. You'll have a manufacturing manager who may be aware of production bottlenecks, limited spare parts inventory or their inability to outsource operations. Or even, for that matter, IT having to understand what to do with their budget: Am I truly identifying all critical systems, applications and data and am I understanding my risk around it? If you look at a domestic or a global footprint, or you look at internal or external dependencies, they're measuring and understanding what the impacts of risks or threats are to the organization. Because what you'll find is that a risk is not a linear path. You can have any single location that is now affecting multiple locations and you get a ripple effect throughout the organization.
How do you prepare for something that you may not even know will happen?
RN: I think one part of it is to have a creative imagination. Basically, create lots of stories and scenarios, and the richer your stories, the better. Not because they're necessarily going to come true, but it gets to what I call the first law of risk management: the mere fact that you acknowledge that something might exist, you automatically increase the probability and magnitude of it happening if it's a good risk and decrease the probability and severity if it's a bad risk. The things that are there and existing all the way along, you then are in a better position to notice them and see them.
Mathematicians understand the mathematics, but they don't necessarily understand business. Whereas the grey hairs who understand business don't understand the mathematics. To manage this better, you need better integration between what I respectfully call the grey hairs and the PhDs.
GC: I'm a little bit more program and process driven because what I do for a living is business continuity management or planning. The process requires that you identify and quantify those continuity business processes and you look at the availability of resources to make sure that they're available when you need them. Understand the risks of the organization and really define a process to understand that risk and quantify it and then you can develop resiliency and recovery strategies to mitigate an incident. If you look at what a program includes – it's emergency management and response, crisis management, communications and then operational recovery and restoration. It all hinges upon developing and defining the teams, the programs, the training, so that when they are faced with the situation or a crisis they can react, respond, mitigate and recover from an incident.
What isn't even on the radar now that may be later?
RN: Some of the obvious ones that people are looking at are demographics, cybersecurity, et cetera. Some of the leading companies are also starting to recognize that we're really only in the first period of social media and exactly what does that mean? Again, from the business disruption, I think that a lot of the leading companies are really concerned about whether they have the thinking power, which is very different from the knowing power. Knowledge is almost a commodity now; do we have the thinking power to deal with whatever may come our way? I think in the next five years, demographics and cybersecurity and the tangential effects of us only being in the first period of social media are probably going to be the key themes, but beyond that, it becomes anyone's guess, in my opinion.
GC: When we look at risk, typically we find that many companies are looking at low-hanging fruit. So what we try to do is say "Let's look at the what-ifs."
For instance, the incidents that happened with Japan, where it was the year of the earthquake leading to the tsunami leading to the nuclear incident. There are still some medical issues that are out there, such as pandemics and drug-resistant superbugs, that most organizations don't really think about. But those that have got more of a global footprint and they are manufacturing outside the U.S. or they have supply chains outside the U.S., they really need to think about some of those issues and source from another location.
As far as the technology risks, there are certainly all of the cyber-attacks and they're just going to increase. Technology needs to be able to ramp up to be able to thwart those. There are still the earthquakes and hurricanes and all those activities. Rick has mentioned a number of them. They are still continuing and basically an organization really needs to grow and make sure they're not looking at those risks and saying, "That will never happen to us." Consider it and say, "What if it does happen? How do we control it, manage it, how do we recover from the situation?"
Answers have been edited and condensed.