In these days of uncertain markets – and an uncertain economy – risk can seem almost omnipresent in business. But how do you manage risk prudently – yet still grow your company?
That timely question reminds me of an interesting talk I heard this past summer by Harvard Business School professor (and MIT alumnus) Robert S. Kaplan. Kaplan is perhaps best known for his work codeveloping the Balanced Scorecard concept.
But, as Kaplan explained to a Harvard Business School Executive Education class this summer, he began exploring the topic of risk management in the wake of the 2008 financial crisis, after he saw venerable firms such as Lehman Brothers and Bear Stearns collapse – despite having risk management functions.
Here are a few of Kaplan’s insights on the topic of risk management.
There are three categories of risks. The first category, Kaplan said, consists of risks from employees’ undesirable and unauthorized actions. “These risks are the ‘known knowns,’ and the organization gets no benefits from allowing them to occur,” according to Kaplan. So, he advised, “enterprises should strive to completely avoid ‘Category I’ risks.”
Category II risks, on the other hand, are the kind of risks a company can’t avoid: the risks of not achieving the enterprise’s strategic objectives. “All interesting strategies have some kind of risk,” Kaplan pointed out.
And the third category of risk, according to Kaplan? Risks from certain uncontrollable external events, such as a volcanic eruption that affects air travel – or a tsunami that affects your supply chain. Many companies, he observed, don’t even know that they don’t know how such external events can undermine their strategies.
Learn from close calls. When it comes to Category I risk from employee actions, “you’ve got to look at…‘near misses’ and why they occur,” Kaplan observed. In particular, he noted, as your business expands and gets more complicated, your internal auditors may not have the control systems and competencies to understand your new businesses – which can be a problem, because new businesses are where you’re more likely to have problems. In Kaplan’s view, the recent trading failure at UBS, which cost the CEO his job, is an example of a Category I risk that should have been avoided.
“If you have high-powered incentives, you’d better have even higher-powered control systems,” Kaplan said – to make sure the way people achieve the goals is consistent with the company’s mission. (One analogy Kaplan gave: What determines how fast you can drive a car safely is not just the size of the engine – but also the power of the brakes.) Strategies for dealing with risk from employee actions, he observed, start with mission statements and values and extend to strong internal control systems.
Ask: What are the risks associated with your strategy? When it comes to mitigating Category II risk associated with strategy execution, it’s important to identify what could go wrong, Kaplan observed – and what could prevent the organization from achieving its strategic objectives.
One option Kaplan described for increasing awareness of Category II risks: a key risk indicator scorecard that seeks to give advance indications of when a significant risk to the organization’s strategic objectives has become more likely or more consequential. He also described how the Jet Propulsion Laboratory (JPL) holds risk review meetings – with a risk review board created for each of its complex projects.
On the other hand, measuring risk is not easy – something Kaplan acknowledged. What makes risk management so hard, he observed, is that you’re trying to quantify things that may have never occurred and may never occur. “You can’t rely totally on measurement,” he said.
Ask yourself what different scenarios for the future would mean for your company. When assessing Category III risks – risks from uncontrollable events in your external environment – scenario planning can be helpful, according to Kaplan.