With the goal of investigating the impacts of major risk events, analyzing the causes of the events, and considering the implication of these events on risk management at companies, Case Business School of London examined some of the largest corporate crises of the last decade. Some of the companies examined include AIG, Arthur Andersen, BP, Cadbury, Coca-Cola, Enron, Firestone, Northern Rock, and Shell.
Case Business School’s research found seven underlying risk categories that were present at least to some extent in all of the situations studied. These categorizations are:
- Board Skill and NED Control: These are risks that arise due to the board’s limited skills and knowledge, which affects its effectiveness in monitoring and controlling the C-suite.
- Board Risk Blindness: These risks result from the board not realizing and taking on the risks that are inherent in the business.
- Inadequate Leadership on Ethos and Culture: This is a failure to set a strong corporate culture.
- Defective Internal Communication: Many risks arise from poor internal communication between silos of risk. Risks also arise from poor communication from leadership to line employees.
- Risks from Organizational Complexity & Change: When companies make a large number of acquisitions, they make the organizational structure more complex, making it easier for risks to arise and harder to manage.
- Risks from Incentives: Salary structures can also create risks for a company.
- Risk ‘Glass Ceiling’: Risk can come from the inability of risk management and internal audit teams to report on and discuss risks that come from positions ranking higher than themselves because of their fear of ridicule and dismissal.
A common theme among those risks is “groupthink” seeping into an organization. Four dangers can arise from these risks and were also found in the companies studied:
- All the risks posed a lethal threat to the business and its business model.
- Whenever the risks materialized, they were devastating and presented insurable losses to the company.
- Otherwise manageable risks compounded into devastating problems.
- Current risk analysis techniques and the knowledge base of risk managers would not be able to predict the event the company encountered.
Implications and Lessons Learned
Many of the dangers arising from the categories listed are taboo to talk about within the walls of a company because boards usually only want to look at the company in a mirror and not as part of an industry. A major part of enterprise risk management is understanding the risks that are inherently part of the industry in which the company operates. Also, a company needs to work to evolve its understanding of risk and work as an entity to understand how it will tackle each risk.
The researchers identified four enhancements to a company’s enterprise risk management that help address risk issues:
- Management needs to rethink the scope, purpose, and technique of their risk analysis to ensure they do not overlook any potential devastating risks.
- Risk professionals need to keep learning about how to identify, analyze, and discuss risks with upper management in order to learn how to mitigate risks effectively in the future.
- There needs to be an atmosphere that allows risk managers to feel comfortable talking about underlying risks at all levels.
- Boards need to appreciate that any risk management process has “blind spots” and risk management needs to evolve to fully create value for the enterprise.
Download a summary of this research.