Sinking, fast and slow

The road to ruin may be more comfortable than you imagine. In this article I:

  • examine the source and the speed of organisational failure
  • speculate on how this affects the market's response
  • consider the psychological factors at play as companies seek to face down their strategic risks
  • suggest that some rebalancing of risk management would help reduce corporate failure
  • calculate that that a successful rebalancing of risk management could increase company values by 35%-70%
  • look at what became of the UK FTSE 100's original members, 30 years after its 1984 debut

Introducing source and velocity

Companies sometimes blow up quickly, complete with press coverage. Others, like the frog, get slowly and less dramatically boiled. But boilings are more often fatal than blow ups and our risk management should reflect this. Others have already walked this path; time management gurus emphasise the important at least as much as the urgent, warning of dire consequences for those constantly firefighting.

We are not helped by traditional risk classification schemes, which often focus on probability and impact – suited only for a world of fixed impact blow ups.

Traditional versus proposed risk classifications

The table below compares a traditional type-probability-impact classification to the proposed type-source-velocity classification.

ItemTraditionalProposedComment
KnowledgeFar from unknown in e.g. decision analysis. Ranges from certainty through risk, uncertainty, ambiguity and chaos.
TypeUse with care. Credit risk, operational risk etc.
Probability Replaced by source (below)
Impact Replaced by source (below)
SourceInternal versus external: a more helpful replacement for probability and impact
Velocity The speed at which risk crystallises or uncertainty emerges.

This article focuses on the last two items of the proposed 4-way classification:

  • Source is a useful classification, indicating the scope and nature of the control that we might have over an area of risk or uncertainty.
  • Velocity is useful for the same reason, pointing especially to the practical constraints of limited time for decision making.

The worst kinds of failure

We can use the risk source and velocity concepts to give the four quadrants in the table below. The management of risks in one quadrant is likely to differ substantially from those in the others: different people, different techniques and different attitudes. But are some risks more serious than others?

The worst risks may not be those you think

Here are the four quadrants, in order of increasing seriousness:

  1. External, fast: An external disaster strikes suddenly, potentially affects everyone and is seemingly out of your control. So the market may be forgiving compared to the risks below. One might ask if the impact could have been reduced through insurance or diversification e.g. of supply chain risks.
  2. Internal, fast: A rogue trader exploits control loopholes, based on his knowledge of the firm. This is embarrassing. The company may use PR and contend that this is a "one off" and should be regarded as "sunk costs". This may not be enough to stop reputational damage or a regulatory "deep dive".
  3. External, slow: The "slow" part means that the company has had plenty of time to react, leaving it open to the "asleep at the wheel" charge. Worse: competitors may not be as slow to react. Excuses are less convincing; the market response and likely economic impact become increasingly severe.
  4. Internal, slow: In this quadrant risks emerge slowly, so are apparently visible each day over a long period. They are also internal, so are supposedly under management's control. For this reason markets are likely to take a particularly dim view. Recovery may be very challenging; in the pharmaceutical industry drug pipelines cannot be replenished quickly, due to safety and R&D constraints.

Surprise

I suggest that:

  • internal risks are likely to be more serious than external risks
  • slowly emerging risks are more likely than shocks to cause serious long term damage

This is often the reverse of how we act: risk management focuses on having enough capital, resilience to shocks, internal control systems etc. All excellent things, but not the most common cause of corporate failure and underperformance – see the FTSE 100 results below.

Acknowledgement

My ideas and presentation have been informed by the excellent paper Enterprise Risk Management for Non-Financial Companies – From Risk Control and Compliance to Creating Shareholder Value by Vladimir Antikarov.

Source: internal versus external

The occurrence and development of external risks is largely outside our control. A variety of techniques therefore focus mainly on impact management:

  • Exposure removal e.g. by withdrawing from a line or venture.
  • Exposure reduction e.g. through benefit design or contract wording.
  • Insurance, especially of event-like (aka hazard) risks and some operational risks.
  • Hedging: a form of financial risk insurance.

Both occurrence and development of internal risks are more under management's control than for external risks. This naturally leads to a greater focus on managing the probability of occurrence with more attention given to risks whose impact may be large.

  • Companies will readily acknowledge their limited control over external risks.
  • The greater potential to control internal risks may be confused with a lower level of actual control.
  • This can be exacerbated by self assessments and heatmaps, with their assurances that "all is well".

Summary

  • Using the source (internal/external) classification can highlight the level of attention given to each.
  • Some risks may be hybrid in nature, for example:
    • competitor risk may originate externally
    • but the net effect will be bound up with internal management capabilities.

Velocity: fast versus slow

In an obvious sense fast impact risks are hard to manage. There is a role for "old fashioned" contingency plans, so that we are not simply thrown back on our instincts in time of stress. Changes and risks which emerge slowly give opportunities to respond. So are shocks the big threat to survival?

Not so fast. The above analysis overlooks the role of competitors.

  • Fast risks. A shock to an entire industry may threaten each company's survival equally and new entrants may not benefit.
  • Slow risks. The current competitors and new entrants all have chance to respond; an easier test doesn't mean a better result.

Even if some companies are somewhat better at managing fast risks, the market may be somewhat forgiving; the narrative runs "we couldn't have known, it was outside of our control". That story will sound less convincing when a company has had years to respond to risks which were highlighted in the press.

Beyond logic: psychology and agency risks

External risks and fast risks are usually thought to be the most threatening. But we've seen an argument to suggest the reverse.

Staff, senior management and boards not only want to do a good job, they want to believe they are doing a good job. A slowly emerging threat doesn't play well to that need, as it suggests a potential need to change. There may be some comfort if the threat emerges external – "we couldn't have known" again – but a deteriorating internal capability may produce a message uncomfortable enough to ignore or suppress. Few want to be the bringer of bad news.

This is one aspect of the so-called "agency problem". Employees have positions and rewards based on the status quo. Senior management, to whom the agency challenge is most applicable, may have spent decades climbing the "greasy pole". Even if business model change is in shareholders' interests , it's easy to see why management would look for an alternative to preserve the status quo. And look, and look.

One way of avoiding the need to act is to focus on the short term problems of new competitors and to claim that these will prevent a substantial long term impact. This is especially relevant for development of "disruptive technologies". The quality of new products may be poor and they may lack features. But are all those features are needed, for all customers? Initially the competitors takes some business at the margins. Before long they're devouring or replacing your business.

By then it's too late to respond. The textbook example is Kodak, ironically the inventor of digital photography. Where next? With the maturing of the internet and the global financial crisis, we are seeing alternative banking models: peer-to-peer lending and "challenger" banks. After several false starts, the next decade may see the same for insurance: there are around two hundred UK mutual insurers and friendly societies. I am confident that not all will survive.

Accountants report dysfunctional behavior in their organisations

The Association of Chartered Certified Accountants' 2011 survey The reality of risk: culture, behaviour and the role of accountants covered over 2000 accountant. The survey's designer, risk management expert and accountant Matthew Leitch, produced the summary results below in his 2013 article.

ItemNeverSometimesUsually AlwaysDon't know
Underestimated risks26%46%13%4%12%
Overestimated predictability and control23%46%15%4%12%
Decisions biased by personal interests16%47%21%8%9%

About 20% of respondents suggested those unhelpful behaviours happened "usually" or "always". How do these items contribute to corporate failure?

From behaviour to failure

The top causes of failure, from the graph to the right:

  • A general underestimation of risk: reason 1 – 68%
  • A general overestimation of rewards: reason 5 – 23%
  • Overestimation of ability to predict and control: reason 2 – 59%
  • Wrong balance of risk and reward: reason 4 – 32%
  • Personal interest bias aka agency risk: reason 3 – 41%

Value from risk management

The c5% who reported such behaviors "always" occurred could be compared to the FTSE 100 3.8% annual failure rate below. Postulating causality:

  • Risk education could reduce "behaviour failure" rates from 5% to 2.5%.
  • This might reduce corporate failure rates from 4% to 2%.
  • Risk-adjusted value increases by c35% (discounting at 4%, no growth).
  • Or by c70% (discounting at 4%, 3% growth) – see the output below

Top causes of organisational failure

The strategic failure matrix

The table below develops Enterprise Risk Management for Non-Financial Companies – From Risk Control and Compliance to Creating Shareholder Value.

 InternalExternal
Slow deterioration
  • P: Political change
  • E: Economic change
  • S: Social/demographic changes reduce customer base
  • T: Disruptive Technology
Fast shock

Such presentations highlight a curious fact: risk management rarely seems to combine with other strategic management tools e.g. Five Forces, SWOT, PEST.

The original UK FTSE 100 companies: where are they now?

Background

The material below is adapted from the Longer Term Viability Statement (LTVS) article. Over there we considered a "super transparent" approach to risk reporting, laying down a marker for the use of risk management as a competitive weapon. Here we ignore the LTVS and just look at the FTSE results.

Reality check

How does the research below – an annual "failure rate" of a little under 4% – compare to other sources?

... risk of failure averages between 2% for the largest and most secure firms and 5% for all other firms Riskviews: Why isn’t strategic risk included in ERM?

The research

The FTSE100's constituent history shows that of the initial FTSE 100 members, 30 years later:

31 relatively successful

  • 31 had survived

61 relatively unsuccessful

  • 51 had been acquired
  • 10 had been relegated to a lower index

Those companies acquired may include successful results for shareholders, but inspection indicates this is "a few".

8 absolutely unsuccessful

  • 05 had been disbanded
  • 03 had gone bankrupt

Sobering: over 30 years only 31% survived as independent businesses. Equivalently, on average, about:

  • 03.8% of FTSE companies lost their "independently successful" status each year i.e. (1-3.8%)30 = 31%
  • 17.7% lost this status every 5 years i.e. (1-17.7%)30/6 = 31% (there are 6 non-overlapping 5-year periods)

Notes:

  1. British & Commonwealth Shipping, Ferranti and MFI furniture.
  2. This changes to 8 in 9 and 0.8% respectively, over a 3 year period.
  3. The situation is somewhat worse than this; the statistics look better, due to excluding:
    • FTSE100 companies taken over, unless they were there at the outset
    • relegations from the FTSE 100 for companies not initially present
    • the "bumpy rides" of relegation to the FTSE 250 and re-entry are never included

Conclusion

Strategic risk should be managed as much as the shocks. Tools such as a risk-enhanced Balanced Scorecard, together with better classification can help.

Where next?

References

© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited