How do you manage risk for your business when there’s no standard playbook? Risks come in a variety of flavors, including “novel risks”—those that are hardly imaginable, seem too improbable to plan for, or are unprecedentedly massive. In a recent Harvard Business Review article, “The Risks You Can’t Foresee,” authors Robert S. Kaplan, Herman B. “Dutch” Leonard and Annette Mikes:
- define the characteristics that make a risk “novel,”
- describe how to identify novel risks within your organization, and
- provide recommendations for activating a unique response to mitigate the impact of novel risks.
What circumstances trigger novel risks?
The authors of the full HBR article, “The Risks You Can’t Foresee” categorize novel risks into three types and describe the circumstances characterizing each:
“Black swans” are risk-triggering events that are either beyond the risk bearer’s imagination or are occurring far away. While they are hard to predict, black swans are often not entirely unforeseen.
- The 2008 global financial crisis was a black swan for most financial institutions trading in mortgage-backed securities blind to their portfolio risk. However a small number of investors and banks did anticipate a mortgage market meltdown.
“Perfect storms” occur when multiple routine breakdowns combine to trigger a major failure. While each event is manageable in isolation, large, interconnected systems can coincide to create an unmanageable situation.
- Boeing’s 787 Dreamliner was described by one engineer as “a more complicated airplane, with newer ideas, new features, new systems, new technologies.” Too many changes at once led to seven major (costly) delays during development and a months-long grounding of planes after fires erupted from lithium batteries.
“Tsunami risks” are so big, and happen so fast, that they overwhelm all risk management planning and strategy. Organizations often judge it impractical to prepare for unforeseen events of a particularly enormous magnitude.
- The 2011 Fukushina nuclear plant catastrophe in Japan inspired the term “tsunami risk” when an extraordinary 14 meter tsunami broke the power plant’s seawall and completely overwhelmed the emergency systems in place. More than 100,000 people had to evacuate after three nuclear meltdowns.
- The Covid-19 pandemic is our most familiar example as it has spread much farther and faster than most nations and businesses could have imagined.
How can you recognize novel risks?
One word: anomalies. If things don’t seem quite right, they probably aren’t.
The HBR article highlights how in the Boeing example—a senior risk manager should have anticipated that novel risks would arise when nearly every element of the major project (suppliers, materials, processes) was entirely new.
The failure to detect anomalies is the result of well-rooted biases:
- Behavioral research shows that people pay most attention to information that confirms their beliefs, dismissing deviances.
- This “normalization of deviance” is reinforced by groupthink among leaders.
- Biases are further reinforced by standard procedures.
The bottom line: “recognizing a novel risk requires people to suppress their instincts, question their assumptions and think deeply about the situation.”
The full HBR article provides some tips to combat biases:
Identify a “chief worry officer.”
This role is distinct from a traditional chief risk officer’s focus on managing known risks and identifying new risks in that the worry officer is tasked with specifically recognizing the emergence of unforeseen, novel risks and mobilizing a response. The best person for this role holds few daily operational responsibilities.
- Example: At Nokia, information about any unusual supply chain event has to be reported to the senior vice president of operations, logistics and sourcing—also the identified “chief worry officer.” When a small March 2000 fire at a Phillips semiconductor plant appeared on the surface to be a nonevent for shipments, the Nokia troubleshooter further investigated the anomaly and realized it could potentially disrupt more than 5% of the company’s annual production. He was able to quickly mobilize a team to manage the potential threat.
Leverage digital technology.
Digital reporting tools are highly effective at identifying anomalies.
- Example: Swiss electricity company Swissgrid employs a mobile app, RiskTalk, to facilitate employee reporting of safety violations, maintenance problems and equipment failures. The company also connects via a digital platform to several federal and state agencies to track external risks like avalanches in the Alps. A team of control room analysts monitor the incoming data from these apps and is responsible for further analyzing any events that may appear to be novel risks. In this scenario, this control room team essentially serves the “chief worry officer” role.
In other words, study historical risk-triggering events in other companies, industries and countries. Then ask, “What if that happened to us?” Finally, plan your response.
Following the Swissgrid example—the senior risk officer routinely follows events like the Swissair bankruptcy and the newsworthy cyberattack on shipping giant Maersk. When such an event occurs, the risk officer creates a cross-company working group to create an action plan to follow should a similar future event trigger novel risks in the Swissgrid’s supply chain.
How can you effectively respond to novel risks?
All the planning and risk management in the world can’t completely eliminate the potential for novel risks. When risks do arise, the authors of the full HBR article assert the company should be focused on a “right of boom,” or after the event occurs, response that is:
- good enough,
- taken soon enough to make a difference,
- communicated well enough to be understood, and
- carried out well enough to be effective until a better option emerges.
In short, you’re not looking for perfection. Two “right of boom” response options:
Organize and deploy a “critical-incident-management team.”
This is the “standard approach” for managing novel risks and is most effective when an event has broad impact but does not necessarily require an immediate solution.
A checklist for critical incident management teams:
- The team includes a diverse stakeholder group—functions, levels within the company, as well as external partners.
- The team flexes to membership changes as the situation matures.
- The team coordinates all aspects of the response—from assessing the situation to delegating tasks to managing communications.
- The team design encourages inquiry and debate, and as such, someone other than the team leader facilitates meetings.
- The team meets at least daily, and sometimes more if the event is rapidly evolving.
- Communications among and out from the team must be transparent and empathetic with affected stakeholders.
Localize your response to the crisis.
In some novel risk situations, an immediate response is necessary, and/or the crisis event is not closely linked to company headquarters. In these situations, the response is best delegated to the local management team(s).
- Example: The full article highlights a U.S.-based adventure travel company that operated in multiple countries worldwide. In the company’s early days, it deployed U.S. tour guides to far-flung locations—but leadership quickly learned that novel risks ranging from political disruptions to extreme weather events were routine. Ultimately, the company determined these risks were best managed at the local level and replaced its tour guides with local experts in each country. In this example, neither the localized or centralized responses to novel risks would be perfect, but leadership believed the local reps were their best chance at making quick decisions, acting on them, learning from them, and gaining new information in the process that could be applied to future situations. This loop is sometimes referred to as “The OODA Loop.”
Spotlight on “The OODA Loop”
This approach was devised by a U.S. fighter pilot, Colonel John Boyd, who believed that pilots whose OODA loops were faster than those of their adversaries would control air battles. Applied to a novel risk event, the idea is that a response team with an OODA loop that outpaces changes in the environment will better mitigate the impact of the risk.
- Observe: The critical incident response team observes to learn all it can about the situation.
- Orient: The response team orients itself by making sense of the situation and identifying its key elements.
- Decide: Team members generate options, assess the likely consequences of each, and select the best one.
- Act: The team implements the chosen response—treating the decision not as a permanent commitment to a course of action but as part of an ongoing experiment.
Finally, the response team begins the next OODA loop by observing the impact of the implemented actions thus far.
Subscribe to ERM Insights
The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.