In the wake of two years of devastating wildfires in California, Wall Street is incorporating a new risk metric when evaluating companies: climate resiliency.
Investors, analysts, research firms and companies are putting more emphasis on how climate issues ranging from rising sea levels to record heatwaves will affect profits and revenues in the United States and what companies are doing to address those risks.
Companies located in areas such as California, Florida and Louisiana that put them at a higher risk of being affected by more severe weather patterns are increasingly being asked how they will protect their businesses from climate change.
Overall, more than 70 firms have discussed the potential impact of climate change on their business since the start of the year, more than double that of last year or any other year since 2014, according to a Reuters analysis of Refinitiv data.
As a result, fund managers, who typically do not incorporate environmental attributes in their analysis of a company, are taking a closer look at whether the physical locations of their property and equipment will put them at a higher risk of being impacted by climate change.
“Without expecting a company to significantly change its strategy, we are increasingly having conversations with management teams to ask them about their plans for climate resilience,” said Arthur Hurley, managing director, multi-sector and strategy head on the Columbia Real Estate Fund.
So-called ESG funds, which focus on a company’s environmental, social, and governance attributes, have been at the forefront of focusing on the physical risks of climate change.
But now fund managers like Hurley are finding that companies in their portfolio, like Equity Lifestyle Properties, are telling analysts on their earnings calls that they evaluate the potential for rising water levels when purchasing new marinas. Shares of the company are up 43 per cent for the year to date.
Hurley said he is actively going into companies, like Equity Lifestyle and Boston Properties, that are preemptively addressing potential climate impacts, whether by focusing more on the elevation of potential developments or incorporating construction design elements such as putting critical equipment above floor grade.
Fund managers say that the bankruptcy of San Francisco-based power company Pacific Gas & Electric in January prompted them to put more emphasis on climate risks.
Wildfires that broke out in October could undermine California’s largest utility’s $14 billion (£10.88 billion) plan to finance its turnaround. The utility filed in January for Chapter 11 bankruptcy protection, anticipating that its liabilities from massive wildfires in 2017 and 2018 blamed on its equipment could top $30 billion.
At the same time, there have been 10 weather and climate disaster events that have caused more than $1 billion in damages since the start of the year, already nearly double the average of 6.3 events for each full year between 1980 and 2018, according to the National Centers for Environmental Information.
Insurance claims for what were once considered secondary perils – such as wildfires and hail – have accounted for $13 billion out of $15 billion in natural disaster claims through August, according to Swiss Re.
The increase in wildfires has prompted underwriters, such as Hiscox, to incorporate new risk models and stop insuring some clients in high-risk areas such as California.
Overall, 10 per cent of insurers refused to renew policies in wildfire-prone areas in California in 2018, according to the California Department of Insurance.
Research firms including S&P Global’s Trucost division are rolling out more climate risk analytics that are meant to help investors assess the specific climate risks that each company faces.
The firm is publishing a report in the next few weeks that will focus on companies that face the highest physical risks of climate change, a spokeswoman said.
In March, Silicon Valley start-up Jupiter Inc announced that it had completed a $23 million Series B funding round to expand its analytics services that can provide investors and companies with detailed short and long-term weather patterns for specific locations.
“This is something that’s not going away soon,” said Gregory Peters, managing director, multi-sector and strategy head at PGIM Fixed Income.
As a result, he has trimmed his positions in some California utilities, while analysts on his real estate team are increasingly focusing on climate risk.
“That risk attached to the utilities is kind of a new thing that we didn’t necessarily contemplate a couple of years ago.”
Source: Thomson Reuters
As 2019 draws to a close, the business environment is facing ever more uncertainty. We’ve seen Brexit negotiations polarise the country, climate change protestors in many major cities globally, well-known high street chains (including the newly bailed-out Thomas Cook) going into liquidation, and the landmark GDPR case for British Airways in the courts.
We recently had World Anti-Slavery Day to help draw attention to modern slavery. According to Anti-Slavery UK, the UK government estimates there are tens of thousands of people in slavery in Britain today. In 2017, over 5,000 people were referred to British authorities as potential victims of slavery, up one third from 2016, and this included over 2,000 children. 2016 saw the first conviction and sentencing of a British businessman for human trafficking. Businesses need to be cognisant of their working practices and aware of every link in the supply chain and the impact if something goes wrong. Can you safely say you know every link and its provenance?
All businesses are under a legal obligation to be able to check and verify the robustness of their supply chains. It is imperative that businesses consider supply chain risks as part of their enterprise-wide business models. The UK’s Modern Slavery Act 2015 includes an innovative transparency and reporting clause (Section 54 – Transparency in Supply Chains) requiring larger organisations to make an annual “slavery and human trafficking report” that sets out what they do to “ensure that slavery and human trafficking is not taking place in any of its supply chains, and in any part of its own business.”
It may be a common misconception that only food and agricultural industries are at risk of exploitation in their supply chains, but we have also seen instances in retail – particularly clothing, where huge well-known companies have been shown to have been using child labour at the root of the supply chain. Clearly this is not good for brand perception and reputation – and somehow consumers are shocked but not altogether surprised. Interestingly two historic cases focused on companies that preached good CSR practices in their advertising.
There is always scope for inappropriate behaviour where people and processes are involved and our stance is that these vulnerabilities should be considered as part of risk-modelling to protect human rights as part of the overall risk management strategy.
IRM is playing its part in raising standards in this area: we are launching our new Supply Chain Risk Management Certificate imminently.
We’re also launching two new reports in partnership with the Cambridge Centre for Risk Studies (University of Cambridge Judge Business School): Risk Management for the Consumer Sectors, and Scenario Applications: Stress Testing Companies in the Energy Value Chain. We’re also launching our guide, How to Hire a Great Chief Risk Officer, at our Risk Leaders conference this month. All of these documents will be available for download through our website which has itself been updated and refreshed.
This year the IRM will place significant emphasis on supporting businesses and risk professionals on how to understand, manage and take advantage of game-changing risks such as cyber-crime, AI and big data, operational risk and risks in the supply chain. The recent launch of our new Digital Risk Management Certificate, which was developed with support from Warwick University, is part of this initiative.
The world is a volatile and uncertain place and all of these micro and macro factors have an effect on how businesses trade and manage their day-to-day. The role of a risk manager has never been more important.
by Victoria Robinson, Head of Marketing and Communications, Institute of Risk Management
Global banking regulators have said they will consider how much capital lenders should be setting aside to cover risks from any holdings of crypto assets.
The Basel Committee, which includes banking regulators from the United States, Europe and Japan, said it had agreed to publish a discussion paper on the prudential treatment of crypto assets – digital assets such as bitcoin that are not linked to any physical asset.
“The Committee reiterated its view that the prudential treatment of banks’ crypto asset exposures should appropriately reflect the high degree of risk of crypto assets,” the committee said in a statement at the end of a two-day meeting in Madrid.
Crypto assets have risen up the regulatory agenda after social media giant Facebook unveiled plans for a digital currency project called Libra.
“In light of ongoing initiatives in crypto asset markets, the Committee will seek the views of stakeholders on a wide range of issues related to the prudential treatment of crypto assets,” it said.
The committee also ratcheted up pressure on lenders to ditch the tarnished Libor interest rate benchmark which some banks have been fined for trying to rig.
Britain and the United States want lenders to switch to using rates compiled by their central banks by the end of 2021.
“The committee places high priority on this issue and expects all banks to be adequately prepared to meet the transition timeline,” it said.
“The committee will consider whether any further regulatory or supervisory measures are warranted to help achieve this outcome.”
The Basel Committee said it will consult next month on templates for banks to disclose their exposure to government bonds.
The application of such templates would, however, be on a voluntary basis, with Basel member countries free to decide whether or not to implement them.
The issue of sovereign bond holdings became acute during the euro zone debt crisis a decade ago, when the bailout of several countries showed that even highly-rated government bonds can become risky.
Under Basel rules, banks are permitted to hold little or no capital against holdings of bonds issued by their home country, known as zero-risk weighting, even if the bonds are junk rated.
There has not been enough appetite among the Basel Committee’s non-European members to change the zero-risk rule itself, as Thursday’s announcement showed.
Basel said it would conduct “deep dive” assessments on the use of artificial intelligence and machine learning in financial services, and on banks’ dependencies on unregulated third parties for services, a reference to cloud computing and data.
Basel will publish a consultation paper on a “final set of limited and targeted” adjustments to its new credit valuation adjustment rules which the committee said would still come into force in January 2022.
Source: Reporting by Huw Jones, editing by Lawrence White and Kirsten Donovan for Thomson Reuters
Emerging risks are too often ignored by boards who prefer to focus on easier-to-manage visible ones. Why have emerging risks become so important, and how can businesses turn them into an emerging opportunity, asks Airmic chief executive John Ludlow.
Businesses have always been vulnerable to emerging risks, but in today’s volatile and uncertain environment, disruption to established businesses is becoming more widespread. Changes in global politics, societal opinion and technological innovation are having a far greater impact on business models than ever before – and at a much faster pace.
The ongoing crisis in Hong Kong is a case in point. More than four months of often violent protests have caused serious disruption and loss of business for many organisations, especially those in transport, hospitality and tourism sectors. The crisis has all the hallmarks of an emerging risk. No one could have predicted the exact pattern of events, but the signs of growing political dissatisfaction had been evident since the Umbrella Revolution in 2014.
And yet the speed with which the crisis escalated and the violent nature of some protests caught many companies off-guard. Disruption may have been unavoidable but businesses that planned for this kind of “realistic worst-case scenario” will have been better prepared and more agile in their response.
The UK Corporate Governance Code, which was introduced by the Financial Reporting Council last year, now requires boards to specifically address emerging risks alongside principal risks in their annual reports, and to explain what procedures are in place to identify, manage and mitigate them.
Despite this, boardrooms are still not paying enough attention to emerging risks, according to Airmic’s research on emerging risks, published in June this year. According to the report, which was produced with professional services firm Marsh & McLennan, businesses tend to focus on visible threats where useful data sets exist and where boards feel they have control. As a result, there is a real danger that emerging risks are being filed in the “too hard” or “less important” folder, leaving businesses highly exposed to changing winds that can fundamentally alter their course.
New and emerging risks have, almost by definition, always existed, so why this call to action now? Since the 2008 financial crisis, businesses have given far more attention to risk management, largely driven by more stringent regulatory scrutiny. However, too often risk management efforts have focused on processes, reporting and analytics.
As important as these things are, they are only the start of good risk management. Process-driven risk management is formulaic and often backwards-looking – it is not designed to respond to today’s fast-changing risk environment, or to factor in unintended consequences or more nebulous risks such as shifts in societal attitudes.
One of the key messages from the Airmic and Marsh report is that managing emerging risks requires an entirely different approach to dealing with traditional risks. Emerging risks are far harder to define, quantify and map. You know they are there but you can’t necessarily see the form they are taking. Furthermore, they are not necessarily new risks – they can also be known risks which take on a different profile or characteristic.
Emerging risks require a more imaginative approach. They are different in nature and businesses must deploy new techniques and new tools to deal with them. Formal assessments and heat maps should be exchanged for structured, creative discussions across business units. Boards and risk professionals need to create space to think the unthinkable and speak the unspeakable.
Brexit is a good example of such a risk. All organisations have Britain’s departure from the EU firmly on their radar – however, it maintains the characteristics of an emerging risk due to the extreme uncertainty and the many unknowns it involves. Some Airmic members report that the uncertainty has been a barrier to getting leadership teams to engage. Others report that while operational planning has been meticulous, getting boards to consider how the broader implications of Brexit – such as political changes and long-term shifts in trade relationships – will impact their business models has been a challenge.
Ultimately, however, corporate culture will be the determining factor in whether a company takes a successful approach to emerging risks – and this is where leadership is key. It is incumbent upon boards to cultivate a climate of curiosity and freedom of thought: challenge and debate must be encouraged at all levels of the organisation.
One common problem is that leadership teams are made up of like-minded people with similar backgrounds, which creates an echo chamber of self-reinforcing opinions. Organisations should therefore prioritise diversity of thought when considering the composition of the boardroom, especially when appointing non-executive directors.
Boards that can recalibrate their thinking to proactively take account of emerging risks will have an edge over their competitors: an emerging risk can also be an emerging opportunity, and those that are better prepared will be best placed to exploit the upside.
As with all good risk management, it is not about avoiding bad events or limiting risk taking. It is about creating a risk-intelligent organisation, where risk is closely linked to strategy and opportunity. But to do this, boards and the risk community must be alert to all possibilities, which requires an open mind and freedom of thinking.
by John Ludlow, Chief Executive, Airmic
Airmic is the leading UK association for everyone who has a responsibility for risk management and insurance for their organisation. Airmic has over 450 corporate members and more than 1,300 individual members, including company secretaries, finance directors and internal auditors, as well as risk and insurance professionals from all sectors. Airmic supports members through training and research, sharing information, a diverse programme of events, encouraging good practice, and lobbying on subjects that directly affect our members.
It is well established in the investment industry that risk and reward tend to go hand in hand – the greater the risk, the greater the potential return on the investment. That’s the positive side to risk – the downside is that the greater the risk, the more likelihood there is that investors may lose some or all of their investment.
Risks, then, are both a source of competitive advantage and a potential threat to success – they can make or break an organisation.
Did Thomas Cook stop taking risks or did they just stop managing their strategic risks?
It’s not just important to recognise that risk-taking is an essential part of building a successful business. It’s also crucial that everyone involved in running that business understands what risks are being taken, how they can avoid the downsides, and, more importantly, how they can exploit the upsides.
Successful enterprises worldwide are realising that risks are something to incorporate into their strategy, not avoid. They recognise the dangers of standing still and avoiding risks, and they have made the cultural shift needed to reap the potential rewards of taking more, not less, risk.
A good place to start with identifying risks is with a business’s overall strategy document or business plan – a well-written plan should be based on an analysis of the strengths and weaknesses of the organisation and the opportunities available to it and any potential threats to its success.
Although when people think of risks they usually focus on the negative aspects – what can go wrong – it is also useful to think of the positive aspects of risk, and the opportunities it can present.
Once risks have been identified they can then be prioritised to enable the board to satisfy itself that the organisation’s risks are being managed effectively, with regular reviews and discussion to ensure that the most likely or highest impact risks are kept in sight. There will still be shocks and crises for the board to contend with, but an organisation that has identified and mitigated its key strategic risks will be much better prepared to face them than competitors who have not.
Recent changes in company law and corporate governance, such as those made to the UK Corporate Governance Code, have emphasised the need for companies to have better strategic risk management and change leadership. They must recalibrate their tolerance for well-managed and calculated risk-taking, improve their capabilities in managing risk, have better horizon scanning and the ability to address uncertainties and emerging risks, place more emphasis on culture and behaviour, and their boards need to focus on the things that matter with clear ownership and accountability for risks.
The culture and behaviour of the CEO and the board with regards to risk is key to ensuring effective decision-making, which drives the success of the business.
There is a balance to be struck between taking measured strategic risks involving innovation and the reduction or elimination of undesired negative risks. A manufacturing plant cannot totally eliminate the production of faulty components, for example, but it can ensure that there is a relatively small number of them and they do not get as far as the final assembly line.
In addition to prioritising strategic risks then, we can introduce the concept of risk tolerance where the board clearly defines and articulates the acceptable levels of risk that it will tolerate.
In other words, don’t put all your eggs into one basket. A prudent bank, for example, would not attempt to transfer all its customers from one software platform to another over a weekend – instead it would run pilot phases, using batches of customers to ensure all wrinkles were ironed out before undertaking a mass migration of accounts.
Introducing new products, services or technology, or addressing new markets all require risk tolerances to be set and monitored in order that the board can be satisfied of the likely success of the strategy before an unacceptable level of expenditure has been reached or the organisation has been exposed to an unacceptable level of reputational risk.
As a general rule, the higher the level of risk, the greater the number of monitoring and decision points that are needed to allow the board to proceed with the strategy. HS2, for example, has already cost £7 billion, even though there is a high chance that it will be cancelled due to spiralling final costs – more monitoring and decision points would have limited the spend on HS2 and reduced the financial and reputational risks to the project.
Taking or managing identified risks involves costs to the organisation, so the board needs to rank risks in order to focus the organisation’s resources on managing them with the highest likelihood of occurrence and the greatest potential impact to the organisation.
There should be relatively few strategic risks for the board to focus on and it should not be too arduous a task to review the risks at each board meeting – they should be used to shape the board’s agenda as they are inherently linked to the performance of the organisation.
Operational risk management is the responsibility of the executive and the senior management team. The board needs assurance that the operational risks are being managed and that there is alignment with the strategic risks.
BP is now worth half of what it was in 2010, when the Deepwater Horizon oil rig explosion caused one of the worst man-made disasters in history. Oil exploration is inherently a risky business, but it was the mismanagement of the reputation risk by CEO Tony Hayward which caused the most damage to the organisation, rather than the environmental risk. The US investigation commission attributed the Gulf of Mexico disaster to BP’s management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”
The speed with which crises go viral on social media means that it is reputation risk which is far more likely to impact on an organisation’s strategy than financial or environmental risks by themselves.
This evaluation of the cause of the failure could equally well be applied to, for example, the failure of many financial institutions during the 2007-08 credit crisis, Volkswagen and the “Diesel Gate” scandal, or indeed any of the high-profile corporate collapses that have occurred in the last few years.
Traditional approaches to risk management use formulaic analysis tools and rules-based systems to produce a risk register and assurance framework, where the board’s discussion focus is too often on the numbers created by the estimates of likelihood and impact rather than the nature of the risks themselves.
Operational risks, which usually arise from internal causes or known external factors, can be mitigated by using a rules-based treatment which ensures that appropriate policies, procedures and employee training are in place.
Strategic risks, on the other hand, are much more likely to involve unknown or unknowable factors and therefore require a different approach.
We also see this in the financial sector with regulation and compliance, which is very similar to the management of strategic risks. Ever-increasing regulations and the excessive costs of compliance are severely impacting the ability of banks and financial institutions to address the rapidly changing needs of customers, while at the same time having very little impact in reducing fraud, financial crime or money laundering.
Rather than continuing to produce more rules and regulations, the alternative approach, as adopted in the case of GDPR and health and safety, is to have a regulation-light regime with punitive fines and even prison sentences for the worst infringements.
For strategic risks, then, the corollary to that approach is to not worry about the causes or likelihood of external, uncertain risks but to concentrate on limiting the impact of the risks themselves.
As reputational risk is potentially the most damaging category of risk, because it can destroy the value of the organisation entirely, many organisations are focusing on ensuring that their communications and crisis management strategies are in place and regularly tested via simulation.
Pre-mortems are a useful tool for boards when considering their strategic risks. The technique imagines a scenario – say, imagining that the liquidator has just been called in, then examining how the company could arrive at that scenario from where it is now, and what could have happened to cause such a situation. Going from the familiar to the unimaginable is easier than just thinking of catastrophic outcomes as abstract risks.
These new ways of categorising risk enable boards to decide which risks can be managed through a rules-based model and which require alternative approaches.
Key to successfully managing existential strategic risks is the ability of the board, its executives and non-executives, to engage in open, constructive, discussions about managing the risks relating to strategic choices, and embedding the treatment of those risks in their strategy formulation and implementation processes.
Most importantly for organisations, this includes identifying and preparing for non-preventable risks that arise externally to their strategy and operations, such as significant swings in global markets, trade wars and global conflicts.
George W Bush’s defence secretary Donald Rumsfeld famously talked of “known knowns”, “known unknowns” and “unknown unknowns” during the weapons of mass destruction controversy that led to the Iraq war in 2003. We can map those to the three main types of risks that organisations face: preventable risks, strategic risks and non-preventable risks.
Preventable risks are the internal “never events” that are controllable and should not be tolerated. Avoidable deaths in hospitals should never happen, for example.
The usual cause of preventable errors is that procedures, policies and staff training are either not in place, are inadequate or are not being followed – in extreme cases they are the result of fraudulent, illegal or unethical actions by employees.
By definition, preventable risks should have a very low or zero tolerance as they are, at best, an unnecessary cost to the organisation and, at worst, a possible source of a much greater failure – particularly if reputation or brand are negatively impacted.
Strategic risks, on the other hand – the known unknowns – are an inherent part of doing business. Without them, businesses stagnate and eventually decline. Banks, for example, take strategic risks when they lend money to customers.
Strategic risks do not lend themselves to a rules-based control model. The aim is not to reduce or eliminate them, it is to manage them in order to achieve the benefits of the adopted strategy.
What is required is a full understanding of the risks that are being taken, and a coherent system to monitor those risks and ensure that they continue to be inside the acceptable risk tolerance. This means that the board has to be comfortable living with a certain degree of uncertainty, ready to take immediate and decisive action if required, to bring the strategy back on track.
Then we have earthquakes, hurricanes, extreme weather conditions, trade wars and sanctions, all examples of external risks that businesses have no control over – they are the unknown unknowns.
As they are neither preventable nor created by the company’s strategy, these risks can only be managed by identification and preparation. A business with thorough, well-tested business continuity and crisis management plans is much more resilient in the face of natural and political disasters and major macroeconomic shifts.
Despite the fact that there are tried and tested tools and techniques available for the management of these different types of risk, there are still many boards who find thinking and talking about risk uncomfortable until it is too late to do anything about it.
Close inspection of any of the recent dramatic corporate collapses, such as those of Thomas Cook, Debenhams or Carillion, will show that the warning signs were there many months before the companies’ actual demise. Going back to the financial crash of 2008 and the fall of Northern Rock, analysts had warned that the business models were unsustainable. So why did the boards of these companies seemingly just carry on regardless?
Whether it is ignorance, arrogance or just sheer incompetence, the common factor in these corporate catastrophes is a failure of the board to identify, manage and mitigate the strategic risks. Not only did they take their collective eyes off the ball, it is often unclear whether they actually knew which game they were playing in the first place.
Lack of board diversity is also a factor, with boards often guilty of groupthink, and reinforcing their commitment to a failing strategy without having the will to challenge it or change direction.
A diverse board, with members from other sectors and different backgrounds, is more likely to question actions and challenge its executives, drawing on their backgrounds, experiences and values to recognise when a change to the adopted strategy is required.
Nowhere is this inability to address strategic risks more evident than in a company’s treatment of whistleblowers – something that has been reported as particularly bad in the NHS, where staff highlighting bad practices are often hounded out of their jobs and prevented from ever working in the NHS again, rather than being congratulated on bringing the issues to the attention of management so that they can be dealt with effectively.
With the increasing emphasis on an organisation’s culture and values comes the need for business leaders to embrace risks, rather than trying to avoid them or deny their existence. A risk-based approach to running a business involves having an open management culture with clear recognition of the risks, mitigations and assurances needed to enable all employees to play their part in the company’s success.
There is also a need for boards to learn from their mistakes. The banks that failed in the 2007-08 financial crisis had relegated risk management to a compliance function, with their risk managers having limited access to senior management and the board, whereas the banks that survived – such as Goldman Sachs and JPMorgan Chase – had strong internal risk-management functions and leadership teams that understood and managed the companies’ multiple risk exposures.
The future of risk and risk management will be a continuation of the trend to make consideration of strategic risk a key element in the development of corporate strategy – recognising its importance as a source of competitive advantage and a means to avoid the dramatic corporate failures that seem to be occurring with increasing regularity.
by David Doughty, Chief Executive, Excellencia Ltd
Global insurers that cover cyber-attacks are facing more claims related to ransom-demanding hackers who cripple businesses’ technology systems, and only stop after receiving substantial payments.
These hackers use malicious programmes known as ransomware to take down systems that control everything from supply chains to payments to manufacturing. The hackers have grown more sophisticated during the past year, cybersecurity experts say, shifting from individuals and smaller businesses to larger companies that can afford bigger ransoms.
The effort, known in the cyber-security industry as “big game hunting,” has been paying off for hackers. It has also been hurting insurers that provide cyber coverage for victims, which are often mid-sized companies desperate to get their systems restored and running quickly.
“They’re large enough to be worth extorting but not large enough to have sufficient network protections to defeat the ransomware,” said Brad Gow, global cyber product leader for insurer Sompo International.
Sompo has been fielding a spate of claims related to a ransomware strain known as “Ryuk,” Gow said. He described the victims as companies with annual revenue between $500 million (£390 million) and $1 billion.
The number of attacks and size of ransom demands have been soaring.
Businesses detected 365 per cent more ransomware attacks in the second quarter than they did a year earlier, according to Malwarebytes, which sells cyber-security software. The average ransom nearly tripled, to $36,295, from $12,762 between the first and second quarters of this year, according to Coveware, a firm that helps negotiate and facilitate cyber-ransom payments.
Criminals who dispatched the Ryuk strain have demanded as much as $5 million in bitcoin, the FBI said in May.
“We’ve seen an unprecedented amount of ransomware attacks in 2019,” said Eireann Leverett, a senior risk researcher at the University of Cambridge Centre for Risk Studies. The size of losses for those attacks poses a serious risk to the business, Leverett said.
Companies that have cyber-insurance are often covered for a variety of expenses. They include: data recovery, legal liabilities for exposing sensitive customer information, negotiators fluent in hackers’ native languages and the ultimate ransom payments.
Cyber-experts say the criminals launching ransomware against companies are organised gangs in Russia and eastern Europe, or hackers sponsored by foreign governments. Insurers sometimes have restrictions in their policies to avoid covering attacks by nations, but it can be difficult to know for sure what type of criminal is launching an attack.
Insurers interviewed by Reuters said ransomware attacks are accelerating but declined to say how much they have paid in total claims.
Lloyd’s of London insurer Beazley expects to handle double to triple the number of ransomware incidents in 2019 that it handled last year, including at least another 800 claims by year-end, according to Katherine Keefe, Beazley’s global head of breach response services.
Ransomware incidents during the third quarter increased 37 per cent over the prior year quarter, Beazley said.
Similarly, Chubb Ltd had already responded to the same number of ransomware events by June of this year as it did for all of 2018, said Michael Tanenbaum, its head of cyber for North America.
The average Ryuk ransomware attack claim from large companies is roughly $2 million, said Wade Chmielinski, a cyber-consultant for commercial property insurer FM Global. Claims from smaller companies are typically between $150,000 and $250,000. FM Global does not pay for ransoms, he said.
One prominent attack in March against Norwegian aluminium maker Norsk Hydro turned out to be a lot more expensive.
Norsk Hydro is among the few public examples available of ransomware striking a business, because publicising such events can invite more attacks, experts said.
After its systems were paralysed by the LockerGoga strain of ransomware, Hydro experienced $60.1 million to $71.1 million (£55 million) in related losses during the first half of 2019, the company said in a filing on Wednesday.
In March, Norsk Hydro identified American International Group Inc as its lead cyber-insurer. An AIG spokesman declined to comment.
Norsk received a $3.6 million insurance payout during the quarter and will report additional payouts when “deemed virtually certain,” the company said.
Global insurers collected $7 billion to $8 billion in cyber-insurance premiums during 2018, up by about 13 per cent from 2017, according to ratings agency AM Best.
But insurers are grappling with pricing as ransomware attacks become more common. Many of those attacks occur in the dark, making their frequency and the severity of the resulting losses hard to gauge. Although a simple ransom payment is often the cheapest, easiest solution, it also emboldens hackers, said Robert Hudock, a lawyer in Washington who advises clients on dealing with cyber attacks.
“It’s going to be a hard problem to solve,” he said, “if people keep paying the ransoms and the systems keep getting compromised.”
Source: Reuters Connect