Senior Partner & Managing Director
If a picture is worth a thousand words, take a look at Exhibit 1. It illustrates the impact of various types of risk on the global airline industry in terms of both revenues and passenger kilometers flown. Airlines are highly sensitive to risks and their first cousin, uncertainties, which can be both competitive and noncompetitive in nature and include economic dips, fuel price swings, and terror incidents. A rational investor might seek safer harbor for his or her capital. But airlines make a lot of money when events are working in their favor, and they provide an essential modern-day service that millions of us regularly use. We rely on airline management teams to manage the risks that their companies face. This is not to say that we expect the risks to be eliminated, but we do count on them being minimized, planned for, and dealt with when things go wrong.
But what of other, less volatile industries? Do we as investors, customers, or business partners have similar expectations with respect to companies’ ability and preparedness to manage risk and uncertainty? Do companies themselves have adequate strategies and plans in place for the evils, mishaps, and misdeeds that could befall them?
In BCG’s experience, the answer to both questions is no. Many companies do a good job of analyzing and planning for competitive risks, such as new market entrants or the threat of substitution, but they give only pro forma attention to noncompetitive uncertainties, including cybersecurity, natural disasters, and geopolitical risk—even though the impact of these events can be immediate and catastrophic. And herein lies the proverbial problem and opportunity. The problem for companies—and sometimes also economies and societies—is what to do and how to react when things go awry (as they inevitably will) and there is no plan in place. Consider the many companies—and governments and institutions—that were unprepared for the massive global “ransomware” attack in May 2017, for example. Hospitals had to turn away patients; business operations were frozen. The opportunity is for companies that do make the necessary assessments and have the plans in place to deal with risk—and with uncertainty in general. The “risk advantaged” company knows immediately what its options are if its computer network is compromised. Not only has it planned how to proceed, it has considered the pluses, minuses, and costs of each available option under the particular circumstances of the catastrophe.
The world has always been an uncertain place. But it is becoming far more complex and volatile. Rising complexity exacerbates the types of risk that companies face, and volatility amplifies the potential impact. In this environment, when a single bad actor can undermine hundreds of companies and institutions in just a few hours, the ability to turn the tables on risk and establish a sustainable “risk advantage” will be as important for the companies of the future as creating a competitive advantage is today.
The concept of competitive advantage is well established: the ability to obtain higher returns from a given strategic position. Scale advantage is one example. Risk return is another well-established practice: investors regularly calculate the risk of a stock or a bond to assess the return they need in order to be adequately compensated for investing their funds. Risk advantage marries these two ideas: it is the ability to systematically manage the uncertainty (or uncertainties) inherent in any given strategic position in order to generate an attractive return with less risk taken. (See Exhibit 2.)
Risk assessment, or risk management, today is all too often purely a “checklist function.” It is owned and conducted by middle management. The emphasis is on detailed risk registers, compliance questionnaires, and process. Strategy, enterprise risk management (ERM), and business continuity processes operate in their own silos. Discussions about risk focus on extrapolations of the past.
Risk advantage means that companies integrate risk assessment and mitigation into their strategic decision making. Company executives at all levels embed the risk advantage approach into their daily activities, and accountability for risk is also established at all levels and across functions. Risk discussions are based on a systematic interrogation of the uncertainty of the future. The emphasis is on enabling better, more informed decisions rather than simply completing checklists.
Consider two companies in two very different industries: the Japanese engineering and construction firm JGC and the South African supermarket chain Shoprite. Both not only practice rigorous risk assessment, they also systemically incorporate, in their business and operating models, solutions to the uncertainties they face. In this way, they mitigate risk and build a risk advantage over other industry players.
JGC learned valuable lessons from its early forays into emerging markets in the 1970s and 1980s, when it was one of the first in its industry to test these nations as new sources of growth. Transplanting the traditional Japanese approach and work practices led to contractual and operational difficulties, big cost overruns, and jarring losses. JGC learned from experience: when it undertook a large-scale contract in India, it revised its entire risk management framework to address broader market and geopolitical perils and the uncertainties related to project and daily logistics. The company hedged and balanced market, foreign exchange, and country risks. It managed real estate risks, including the special protections afforded domestic landowners, by developing its own expertise in Indian real estate law and contracts. It sought out partners with extensive local experience and the knowledge of how to work in the Indian system. The choice of partners was crucial in addressing the risks and uncertainties of dealing with local labor—navigating differences in cultures and norms for payment procedures and negotiations—as well as in managing logistical issues.
JGC achieved its risk advantage largely by exercising risk-driven design and execution. It acquired or developed the capabilities it needed to offset or mitigate key risk exposures. Sometimes this involved outsourcing to local partners; in other areas, the company developed its own expertise. JGC adapted many of its existing norms and processes, revising its risk management framework and contract structure to address the different profile of risk exposure when operating outside its home territory. It also took a broad range of steps to foster good communication among local stakeholders and build goodwill with the local community.
This approach has led JGC to consistently deliver returns well above the norm for its risk exposure—the signature metric of risk advantage. The company ranks second within its peer set on the basis of risk-adjusted total shareholder return (TSR). (See Exhibit 3 and the sidebar, “Adjusting TSR for Risk and Uncertainty.”) We believe this is a critical metric for companies in the 21st century because it tracks not only return to shareholders but also the return companies deliver with a significant degree of uncertainty and volatility removed from their business. The return might be somewhat lower in absolute terms, but it is also much more dependable and stable—attributes of high value to investors (as well as employees and other stakeholders).
As Africa’s largest retailer, with nearly 1,000 stores in 15 countries, Shoprite faces a host of risks and uncertainties that have driven multiple would-be competitors from the market. Inadequate infrastructure is one issue; it can take four months for stock to clear port in Lagos, for example. Unpredictable bureaucracy and regulation are other problems that can wreak havoc on a company’s supply chain. Yet Shoprite has more than doubled its number of stores since 2010, and its non–South African revenue is growing at 30% a year. It is the seventh-fastest-growing supermarket chain among the world’s top 25, and its ten-year TSR, both risk-adjusted and absolute, tops that of many companies operating in much more stable markets.
The traditional way of assessing risk versus return is to compare variability in TSR (risk) against overall TSR (return). This is the method commonly used to analyze stock portfolio risk.
As one would intuitively expect, these two TSR measures are correlated, with higher TSR return (more reward) coming at the cost of higher TSR volatility (more risk). Using this relationship we can calculate the “fair” or “expected” level of return for a particular company within its industry and the multiple between this “fair” level of return and the “actual” return.
The companies in the top quartile of risk-adjusted TSR have demonstrated an ability to consistently deliver returns well above the norm for the given risk exposure. This is the signature of risk advantage.
How does Shoprite do it? The company recognizes that removing or minimizing operational risks is a business imperative. It invests time and resources in building local relationships and contacts as a means of managing and anticipating risk. For example, before entering the Nigerian market, Shoprite invested heavily in building relationships with local authorities, which enabled it to secure a “fast lane” for imported goods from South Africa to stock its stores. The retailer also invests in developing local suppliers and sources to secure steady stock and reduce exposure to import and foreign exchange uncertainties (both big issues in many African markets). For example, the company hires agronomists to train local farmers to grow fresh produce that meets Shoprite’s standards. One result: in Zambia up to 80% of all vegetables sold in Shoprite stores are grown locally.
To mitigate and address supply chain crises, the company has developed a culture that is at once strict and flexible. A policy of distributed leadership empowers employees to plan ahead and address crises as they occur. Shoprite’s zero tolerance for error helps ensure that suppliers deliver on time with consistent quality.
Fifteen years ago, the then US secretary of defense Donald Rumsfeld famously argued, with respect to the US invasion of Iraq, “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.”
Susceptibility to the “known unknowns” (risk) and the “unknown unknowns” (uncertainty) is, if not a defining characteristic of the human condition, at least an oft-recurring theme. The goal is not necessarily to eliminate risk, which is impossible; rather, it is to reduce and manage surprises. A risk-advantaged Rumsfeld, for example, might have had the US Department of Defense put a lot more effort into thinking through the unknown unknowns.
Consider a few other examples from recent history.
Leading up to 2008, numerous otherwise rational financial institutions piled ever more risky investments and complex trades on already teetering balance sheets against the bet that the US housing market would rise in perpetuity. Digital technologies have upended countless companies in multiple industries—retailing, print media, and music, to name three—that failed to see, or were slow to react to, changing market and industry dynamics. In similar fashion, in the 1980s and 1990s, highly successful, fast-moving companies such as Digital Computer, Wang Laboratories, and Gateway Computer ceased to exist when they missed major shifts in their basic technologies. US automakers vastly underestimated the impact of the OPEC oil embargoes in the 1970s on the market for their large cars and trucks. They allowed more nimble imports to seize major market share that they have yet to give up. Today, incident after incident of cyber intrusion reminds us that many, if not most, companies (and governments) have yet to come to grips with this threat.
The results of the failures to account for risk or uncertainty were often catastrophic for the companies involved and sometimes, as in 2008, much more broadly.
But the company catastrophes were far from inevitable. Many financial institutions managed their exposures more carefully than Lehman Brothers and Bear Stearns; they came through the financial crisis not unscathed but substantially intact. Companies such as IBM and Microsoft have deftly dealt with major shifts in their fast-changing industry landscapes. At the individual auto company level, the impact of the OPEC oil embargoes varied widely.
As we move forward, it’s hard not to see many more companies needing to adopt approaches similar to those used by JGC and Shoprite as risk and uncertainty play bigger roles in the future of more industries. New technologies such as artificial intelligence and the Internet of Things open up whole new categories of risk. Climate change appears to be leading to greater weather unpredictability and more extreme storms and conditions. The geopolitical future is anything but clear. Indeed, the current US president sees unpredictability as a strategic asset: “[President Trump] has said many times that he thinks America has been too predictable. I think he relishes that, to sort of keep adversaries and competitors alike off balance,” said Michael Anton, a senior White House national security official, earlier this year. Some are taking the rise of existential threats more than seriously. A January 2017 article in the New Yorker magazine reported on the survivalist plans and techniques of wealthy US entrepreneurs and executives, including building bunkers, bitcoin hoards, and boltholes in remote locations.
But if more companies need to act like JGC and Shoprite, do they know how?
Many companies that want to establish a risk advantage will first need to change the way they think about the subject. Too many management teams, in our experience, operate under four common fallacies that lead them to believe they have risk under control, or at least under active attention, when in fact they are not effectively addressing the real exposures that they face.
The ERM Mindset
ERM programs are common at large companies (in the US they are required by the 2002 Sarbanes-Oxley Act), and while the intention is good, the execution more often than not is flawed. The biggest problem is that ERM leads to the establishment of a risk management function that operates in its own corporate silo and typically approaches risk purely from a compliance, rather than a strategic, point of view. As a result, companies can check off the risk compliance box, but they do not factor risk into their strategic thinking. If anything, while they may feel protected, CEOs and boards of directors are even less sensitive to uncertainty than they were before.
“Blind” Planning Cycles
Most companies make their plans on cycles dictated by fiscal or financial reporting calendars rather than establishing plans when they have the best information regarding the uncertainties inherent in their businesses. Companies need to adapt or update planning processes to incorporate current risk-related information as it becomes available.
Deterministic Rather Than Probabilistic Thinking
Companies typically suffer from “most likely” myopia—that is, they embed the most likely scenario or foreseen state of the world as the essential assumption underpinning their strategic and financial planning. This myopia can lead to several problems. For one thing, companies give little or no consideration to the second- or third-most-likely scenarios or states of the world (even though these collectively might have a greater probability of coming to pass). For another, they look at risks as if they are entirely independent of one another instead of assessing the correlation among risks when they do their rankings; as a result, the rankings can be way off. For a third, they do not take into account velocity—the speed at which a risk can hit. Social media risk is very different from talent risk, for example, not because of probability or size of impact but because of speed of impact. Strategies to mitigate must be adjusted accordingly. Cyber events often have such a big impact not because companies didn’t see them coming but because the companies were ill equipped to deal with the speed of impact and therefore the required decision making.
Conventional wisdom is mostly right—and often wrong. The UK was not going to leave the EU. The last US election was supposed to turn out quite differently. Energy prices can only continue to rise. Following the herd is a common tendency that needs to be resisted because it too often leads to the lazy acceptance of what others think rather than pursuing one’s own original, disciplined, and systematic process of thought and analysis.
Lots of organizations deal with risk and uncertainty every day. The military is one example; disaster preparedness and response agencies are another. Financial managers assess risk for a living. As we have seen with respect to airlines, management teams in uncertain industries juggle risks and contingencies as part of their job. The US Marine Corps has four principles of risk management and a specific roadmap for the risk process in decision making. The principles are:
We studied the practices of the US Marines and other risk-advantaged experts to distill some common wisdoms and approaches. The result is our risk advantage framework, which companies can use to establish competitive strength in an age of uncertainty. (See Exhibit 4.) The framework has three components: expansive anticipation, discipline, and resilience.
Seventeenth-century Londoners often talked of “black swans,” an expression that dates from Roman times, to describe something that was impossible. In 1697, however, European explorers in Western Australia happened upon—you guessed it—a black swan. The phrase took on a new meaning—that of an impossibility that is later disproven.
It’s easy to see in retrospect that the US housing bubble that led to the 2008 financial crisis was built on the back of a big black swan: the perception that the housing market could only go up. For decades after the 1970s, companies and countries built strategies and policies on the black swan of ever-increasing energy prices. They failed to factor in the impact of improved efficiency. Companies need to think much more broadly than they typically do about the dimensions of uncertainty and about risks that are outside their immediate universe or control—natural disasters, for example, or a substantive change in regulation. In the US right now, for instance, uncertainties over the direction of trade and immigration policy need to be factored into strategic thinking. What are the relevant scenarios that could take place? What are the expected likelihoods of adverse or unforeseen events (and even of outcomes that were foreseen but deemed to be second and third most likely) coming to pass? Where are the black swans that hide organizational failings?
Traditional corporate strategy analyzes the business portfolio using such metrics as market share, growth, margin, and profit potential. Risk-advantaged companies add risk assessment and risk accountability to portfolio decision making. They look at the potential levels of volatility in cash flow, for example, for each of their investments and factor the impact of various scenarios into the expected overall cash flow of the company. This analysis enables the appropriate reweighting, hedging, insuring, or divesting actions to be taken, according to the outlook and conviction of decision makers.
Risk discipline does require that companies adopt a more up-to-date approach to planning. Risks are dynamic, and the traditional annual strategic-planning processes at most large companies (corporate strategy defined in the second quarter of the year, business unit strategies formulated and aligned in the third quarter, and budgeting during the fourth quarter) are not nearly flexible enough. As our colleagues observed recently, leading companies are increasing their odds of success in today’s turbulent environment by complementing their traditional annual strategy-setting processes with what we call always-on strategy.
This approach provides a systematic way to scan for signs of disruption and explore unexpected changes to the strategic environment. Companies identify the most pressing strategic issues and regularly engage senior leaders in formulating a response. And they carefully monitor the progress of strategic initiatives to increase the speed and impact of execution. Risk-advantaged companies use always-on strategy to build risk discipline into their strategy and planning. As ExxonMobil’s vice president of investor relations said during a 2015 conference call, “We’re in the risk management business. Everything that we do has a level of risk that we’ve got to judge, whether it be geopolitical risk, economic risk, technical uncertainty… That is the world we live in. And I think the organization has demonstrated over the years that it’s got the expertise and the capability to take on these more challenging resources, and convert them into value propositions for our shareholders.”
You might be interested in
Always-On StrategyRead the article
It’s impossible to eliminate risk. Bad things happen. When they do, how prepared is the organization to take the blow and bounce back? For example, as other colleagues observed earlier this year, building organizational cyberresilience entails understanding the three phases of a successful attack: the before, the during, and the after. How effectively a company is prepared for each phase can make an enormous difference in whether a cyberbreach proves relatively innocuous or takes a massive toll on the business. Military commands play war games (including cyberwar games). Practicing the implementation of incident response, business continuity, and disaster recovery can give a business’s board members and senior executives a comprehensive understanding of how these events unfold, the variety of potential impacts, and their individual roles during a response.
Read more about cyberresilience
Companies need to use both systems and culture change to embed risk advantage into their organizations. Systems are the formalized processes, tools, and techniques through which the organization coordinates and makes decisions. Culture refers to the implicit assumptions and beliefs that guide organizational interaction and decision making.
Practicing regular scenario planning, in which the impacts of various risks are modeled and played out, is one system that helps establish expansive anticipation as a way of operating. At the same time, encouraging and rewarding a distributed culture of anticipation makes the entire organization more risk aware.
Developing a risk portfolio view and linking it to strategy and planning is a risk discipline system that complements the traditional growth and market share approach to corporate strategy. Holding managers accountable for factoring risk and uncertainty into their planning and taking into account the risks taken when reviewing the results achieved are two steps in building a culture of risk advantage. ExxonMobil directly ties executive compensation to risk management through performance shares with long vesting periods that are directly tied to return on invested capital and other key metrics, for example. Linking risk to human resources and corporate governance builds resilience, as does pushing a culture of distributed leadership at all levels of the organization.
Read more about cyberresilience
Automaker Nissan provides a telling example of risk advantage in action, highlighting the benefits of building both noncompetitive and competitive uncertainty into strategy and planning. Of Japan’s three big automakers, Nissan was the hardest hit when the Tōhoku earthquake struck on March 11, 2011. The company’s Iwaki engine plant and Tochigi assembly plant were badly damaged. Yet it took only 38 days for Nissan to resume production at the facilities—about the same amount of time that it took other OEMs that sustained much less damage and disruption. In the succeeding months, Thailand, home to many automotive parts manufacturers, experienced extreme flooding, with 65 of 77 provinces and more than 7,510 industrial plants affected. Once again, Nissan took only 29 days to recover, the least of any Japanese automaker. And it lost production of only about 30,000 vehicles, a small fraction of the losses sustained by its competitors.
Nissan benefited from actions in all three risk advantage components:
Read more about cyberresilience
The 17th-century Spaniard Joaquín Setantí, who was celebrated for his aphorisms, advised, “Be wary of the man who urges an action in which he himself incurs no risk.” Three hundred years later, the US Army general George Patton, also known for speaking to the point, observed, “Take calculated risks. That is quite different from being rash.”
In the 21st century, companies will want to heed both men’s advice. Managers with strategies and plans that have not been explicitly vetted for risk are to be treated warily. This does not mean companies should not take risks, even big risks. Making bets on the future is fundamental to creating value. And the risk-advantaged company will make sure that its bets are grounded in a thorough assessment of the uncertainties involved. That company’s performance will be much more predictable, stable—and valuable—as a result.
Read more about cyberresilience