How to Sharpen Focus on Risk to Performance (and Avoid the “Emerging Excuse”)

by Brian Barnier, Value Bridge Advisors
Stop, Look, and Listen

Stop being alarmed by the clanging bells of so-called “emerging” risks. There is very little new in the world—including to observant people in your organization, industry and beyond. “Emerging risk” noise hurts when it distracts from the full range of risks to the business. As board members, we need to help management keep their eye on the ball—turning risk into performance.

Recent noise on cyber risk is really just about one of many cyber risks, data breaches of personally identifiable information (PII). Even this isn’t new. The first data breach law is a decade old. Further, actual risk didn’t arise with the law; it arose decades earlier with technology and bad guys.

Nearly 30 years ago Newsweek spotlighted cyber risk in an issue focused around the movie WarGames. That Newsweek issue also questioned whether Ronald Reagan could revive the economy, examined GM’s latest profit plan and wondered if the Titantic’s resting place would ever be found. Today, the Reagan recovery is fondly remembered, Robert Ballard is trying to save the Titanic’s remains and GM is, well, working on its latest profit plan.
Cyber risks go back farther mirroring each turn of the technology crank. While PII data breach laws mandate compliance, don’t get distracted from risks such as breach of trade secrets or broader IT-related risks to the business:
• Strategic (prioritizing business-IT investments)
• Program/project (new capabilities on-time, on-budget and on-requirements)
• Daily operations (operationally stable, available, protected and recoverable)

These categories are echoed in the Risk IT guidance from ISACA (a 95,000 member IT professional organization).

Where’s the most IT risk? The more complex and changing the organization, the more risk tends to be in investments, followed by program/project and lastly operations. Typically, IT security is 5-8% of total IT-related risk.

Noise about “emerging risks” goes beyond cyber.  One CFO publication trumpeted financial volatility, failing governments, asset price blow-up and economic hard landing in China as “emerging.” New? To whom?
• Asset bubbles probably trace back to the early 1700s British South Sea Bubble (high company valuations in a new market) or prior “manias” (such as Tulip prices in 1637).
• In AD 410 many thought Rome was safe—despite centuries of decline—right before Alaric attacked and sacked.
• Persians were perfecting political risk analysis millennia ago.

With little new, beyond nanotechnology or HIV jumping species, most all “emerging” risks are just head-in-sand risks.
Look and Listen, focus. Reviewing 1Q12 earnings, 68 S&P 500 members reported significant negative earnings surprises. About half of surprises sprung from strategic risks, about a third from operational risks, and just over 11% from strategic or operational risk-driven one-time situations.

Thus, the real question is why people are surprised when history repeats itself. Worse, why is the “emerging excuse” accepted when history and warnings were ignored?

As board members, we need to know “who knows what now,” not later after a financial hit or a smoking gun memo is found in litigation.

We can probe whether management has penetrating insight into the business environment and capabilities, is rigorously asking “what if?,” proactively watching for warnings, prioritizing appropriately and responding by repositioning in the environment, strengthening capabilities and being ready to act to avoid danger or seize opportunity.

We need to ask ourselves these questions as we make decisions on strategy, asset allocation, succession and more.

To actively see into dark corners, the need is for realistic scenario analysis—the heart of managing risk to performance. Then we test by the quality of our library of plan B’s. Sports fanatics will dream up mountains of scenarios based on detailed data; can’t we do the same in our organizations?

Your opportunity is to help stop distractions and then focus on risk to performance. It’s what helps organizations and economies to grow in challenging times.
Brian Barnier has served on non-profit and private company boards, is an OCEG Fellow, and author of The Operational Risk Handbook (Harriman House, London, 2011).