Gaining a New Understanding of Risk



In these days of uncertain markets – and an uncertain economy – risk can seem almost omnipresent in business. But how do you manage risk prudently – yet still grow your company?

Harvard Business School Professor Robert S. Kaplan

That timely question reminds me of an interesting talk I heard this past summer by Harvard Business School professor (and MIT alumnus) Robert S. Kaplan. Kaplan is perhaps best known for his work codeveloping the Balanced Scorecard concept.

But, as Kaplan explained to a Harvard Business School Executive Education class this summer, he began exploring the topic of risk management in the wake of the 2008 financial crisis, after he saw venerable firms such as Lehman Brothers and Bear Stearns collapse – despite having risk management functions.

Here are a few of Kaplan’s insights on the topic of risk management.

There are three categories of risks. The first category, Kaplan said, consists of risks from employees’ undesirable and unauthorized actions. “These risks are the ‘known knowns,’ and the organization gets no benefits from allowing them to occur,” according to Kaplan. So, he advised, “enterprises should strive to completely avoid ‘Category I’ risks.”

Category II risks, on the other hand, are the kind of risks a company can’t avoid: the risks of not achieving the enterprise’s strategic objectives. “All interesting strategies have some kind of risk,” Kaplan pointed out.

And the third category of risk, according to Kaplan? Risks from certain uncontrollable external events, such as a volcano eruption that affects air travel — or a tsunami that affects your supply chain. Many companies, he observed, don’t even know that they don’t know about how such external events can undermine their strategies.

Learn from close calls. When it comes to Category I risk from employee actions, “you’ve got to look at…‘near misses’ and why they occur,” Kaplan observed. In particular, he noted, as your business expands and gets more complicated, your internal auditors may not have the control systems and competencies to understand your new businesses – which can be a problem, because new businesses are where you’re more likely to have problems. In Kaplan’s view, the recent trading failure at UBS, which cost the CEO his job, is an example of a Category I risk that should have been avoided.

“If you have high-powered incentives, you’d better have even higher-powered control systems,” Kaplan said – to make sure the way people achieve the goals is consistent with the company’s mission. (One analogy Kaplan gave: What determines how fast you can drive a car safely is not just the size of the engine – but also the power of the brakes.) Strategies for dealing with risk from employee actions, he observed, start with mission statements and values and extend to strong internal control systems.

Ask: What are the risks associated with your strategy? When it comes to mitigating Category II risk associated with strategy execution, it’s important to identify what could go wrong, Kaplan observed – and what could prevent the organization from achieving its strategic objectives.

One option Kaplan described for increasing awareness of Category II risks: a key risk indicator scorecard that seeks to give advance indications of when a significant risk to the organization’s strategic objectives has become more likely or more consequential. He also described how the Jet Propulsion Laboratory (JPL) holds risk review meetings – with a risk review board created for each of its complex projects.

On the other hand, it’s not easy measuring risk – something Kaplan acknowledged. What makes risk management so hard, he observed, is that you’re trying to quantify things that may have never occurred and may never occur. “You can’t rely totally on measurement,” he said.

Ask yourself what different scenarios for the future would mean for your company. When assessing Category III risks – risks from noncontrollable events in your external environment – scenario planning can be helpful, according to Kaplan.





Comments (6)
Unfortunately, risk in any category is unavoidable because the inevitable does occur. Since no one can guarantee the future in an imperfect system, we speculate based on data or experience. Our entire emotions alone are designed basically to how we manage different situations and most of the time the risks we take revolve around the discussion of growth. Every event or time is different and even though there are similarities, the weather forecast at the last minute can change either for a good or bad situation.
nick chandrasekera
Ongoing simulation of potential catastrophic scenarios may be an option. Flight simulators have cut down aircraft crashes significantly as pilots train for extreme events. I think if senior management take catastrophic consequences of black swan events mainly on their profit centres seriously these events will be less. Shareholders (passengers) will also begin to fly on safer aircraft (companies) once risk management focus becomes visible. It might even become a competitive advantage.
Ronald Rwakigumba
The new driver for companies today is how they tap into the innovation and creativity of their workforce. In comes the danger of being vulnerable to Category 1 risk. Therefore, the role for management is more how they achieve the delicate balance of having the right measure of internal control, without stifling creativity.
David Chola
One thing that stands out for me is that with the changing climatical issues from the greenhouse effect and matters such as terrorism worldwide, category 3 risks seem to be growing in influence over businesses worldwide.
I do agree with the observations made in this article that companies need to strive to ensure internal risks are well mitigated against, and that risks being posed from the business environment and other category II risks are actively addressed. SWOT analysis of a company's current position needs to be consistently analyzed and amendments made to ensure that business entities do not fail due to risks that they could have done something about.
Niels Andersen
This is great insight from Prof. Kaplan as always.
Risk is closely linked to Enterprise Rigidity. I have seen many companies trying to deal with risk by adding more padding in the form of more procedures, more testing and higher inventory levels. It tends to fail as they are often treating the symptoms of the risk and not the root cause of the risk, the results are that these companies become rigid and unable to respond. Unfortunately risk is often a result of the unknown, and hence often unpredictable.
Companies need the following to be able to reduce risk:
1. The ability to SEE (measure) what is going on. You cannot improve what you cannot measure.
2. The ability to UNDERSTAND what is going on and how this relates to their business.
3. The ability to RESPOND to changes, threats and opportunities. These companies must be able to control their business.
We wrote a whitepaper on this subject, it can be downloaded for free from here:
Neil "BoardRiskMan" Jackson
Another point that needs to be raised and was part of the reason Lehman fell was the lack of information getting to the persons who oversee risk in most companies cited - the Board of Directors. In the case of Lehman, the board never understood the complexity of the products, nor how to assess their risks and counter risks that were executed far below the executive level. No board member ever went to a trader's desk to learn, they relied on executives to tell them and there resides a risk in itself. If the internal and external auditors knew the complex products, then they failed the board by not reporting to them their concerns relating to the risks. Systems fail due to the inadequacy of information and the communication thereof.