From extreme weather, tornados, earthquakes; or poor safety practices leading to explosions or equipment failures; or activities such as illicit trade, counterfeiting, or hacking of valuable assets, risk is a daily issue that business must confront.
Full Article Below -
The Impact of Risk
Risk is a topic of growing interest to the business community, yet even the risk industry grapples with it. We have witnessed global challenges in the industry over the last few years. Estimated losses just from the Japanese earthquake could cost upwards of $34B to insurers. (See WSJ article) The US property and casualty industry had the largest losses in years.1 Big firms like AIG, Berkshire Hathaway, Allstate and more posted losses of over $5B in this sector.
And risk causes both macro and micro economic consequences.2
Firms grapple with understanding causes, as well as predicting and targeting the events, and then estimating the damage and costs to recover. Also, the concept of damage is increasing as the risk industry attempts to launch new products that aim to address some of these new concepts of risk.
Recent statements in the press from the biggest and best indicate that they have less than adequate approaches to understanding the likelihood of an event and its total impact. Events, as we have written about before, can have distal causes (the underlying vulnerabilities) (Figure 1), as well as proximate (or secondary) causes for any particular event. So we struggle to understand the causes as well as the full impact (cost) when a disaster occurs.
As corporate results roll in quarter by quarter, cascading negative results are being revealed. The immediate event produced a significant disruption for many businesses, but longer term impacts might be on the horizon. Often, the latter impacts are masked in the short run due to existing stockpiles of inventory, or low demand within that quarter.
SONY, HP, Dell, Panasonic, Hitachi, and others all indicated that they suffered impacts from Japan. If global demand for products picks up, as it often does in the fall, companies need to be fully recovered to meet demand. Longer-lead-time products which go on allocation become truly problematic for these industries.
The steel industry in Japan also posted losses due to plant and port damage. This damage, of course, then impacted auto and industrial sectors whose production slowed due to late and short shipments of material. These events, as painful as they are, often do not stimulate corporate change. All too often, an attitude of ‘we are all in the same situation’ within a group or industry coupled with commiseration by shareholders causes a certain lethargy in taking action. Although, certain companies do perform better during these disruptive events and, in general, manage their risk better. Therefore, their shareholder and customer interests are better secured. And in most of these cases, these companies gain increased sales, as well as a long-term competitive advantage, when others stall.
Cyber, Counterfeits, and Stolen Value
Cyber risk is a truly interesting and costly issue. Recent PlayStation hacks, impacting 100 million customers, caused some shareholders to call for Chairman Sir Howard Stringer to resign from his post. In an article by the Associated Press, Stringer was described apologizing to a ‘less than happy crowd’ at a shareholder meeting in Tokyo. Sony’s estimate for the cost of this little episode is about $178M. Not chump change for an already challenged company. One wonders if there had been more attention paid to security, what might have been different. (And the budget for better security is more modest than their losses were.)
The US government, under the auspices of DHS (and in cooperation with the EU, as well as with India, China, and other countries) is currently considering cyber security legislation and policies. There is a lot of dialogue, and although there is disagreement on the final legislation, the journey will begin on a federal level. Debates will center on how best to protect governments and consumers from increasing exposure and losses. Until now, consumers have gotten short shrift. (Read about Cyber Security rights and supply chain security in the brief.)
Here again, the cost of compliance rather than the cost of loss and recovery seems to dominate the conversation. Sony can estimate their losses, but consumer losses are yet unknown: what long term effect will the exposure of personal information have on them? Often, hackers just want to demonstrate their prowess. In these cases, companies dodge a bullet. But in the recent government breaches, national security secrets were surely stolen.3 So the motivation is higher now to deal with cyber risk across both public and private institutions.
We know companies are already severely impacted by intellectual property (IP) losses—stolen plans, stolen designs—and counterfeiting losses. With a challenged economy, these numbers have been increasing (go to No To Fakes for statistics by sector on this growing crisis). And there are organizations and activists within each industry lobbying for better IP protection world-wide.
We know intuitively that one event often precipitates others. “He lost his kingdom for want of a nail,”4 or so goes the story of the fall of Richard the lll. The battle of Bosworth Field, made famous by Shakespeare in his play Richard the III, has Richard calling out, “A horse, a horse, my kingdom for a horse.”
This would be called proximate cause (refer to Figure 1), the one people can see most immediately. Typical thinking about risk management would say, “Richard, you need better field logistics to reduce your risks in battle.” And that is true. But is not the distal (underlying) cause the fact that Richard was one nasty dude? Corruption in the court was the real reason for his situation.5
We talked to ImpactFactor 6 about these challenges. They have been tracking events and their impact on corporate performance for some time now. We all know this issue—earthquake leads to tsunami which leads to nuclear crisis; all lead to the deterioration of the manufacturing capabilities.
For example, if you had some earthquake or flood damage, the first response to your customers might be, “We can fix this and be back online in two weeks.” So your customers will, based on that information, plan production and make their sales commitments to their customers down the line.
In Japan, post-tsunami, (building on the fault line is the distal cause) the subsequent nuclear crisis did occur (proximate) causing some facilities to be inaccessible. Manufacturers had a compounding problem and the challenge of revising their estimates about when their factories would come online.
Within the supplier’s company this same issue occurs. They may pick up the slack for their sister plant. But they may not actually know if they have the material, the capacity, and the know-how to produce the products. The problem is that most organizations will scramble to determine if their other facilities can now shoulder that load. Ultimately, we are talking—at best—about shortages. And that means some kind of allocation scheme has to kick in.
I attended a meeting with many semiconductor and high tech firms and talked about post-Japan recovery. Although the allocation processes and methods have some backing in great systems and algorithms, these companies agreed that they did not have confidence in the data, nor did they feel confident about the decisions they had to make about recovery and allocations as events unfolded. And this lack of confidence propagates through the supply chain.
“The challenge,” says Lisa Grossman at ImpactFactor, “is that firms in the 1990s thought a lot about locating partners and plants in supply markets from an economic perspective only—great sources of capital, tax advantages, labor costs and local know-how, or market reach. The cost of risk was never part of the equation.”
In fact, risk management has been buried, until recently, in the finance or HR departments. Often, when working with risk managers over the last few years, this author had to help the risk manager find their supply-chain counterpart in order to work on new initiatives and business continuity efforts.
Everybody’s role has to change to include risk and continuity as part of the job. Many companies have started corporate-wide programs to address continuity from multiple angles: from cash to culture. And as the cost of risk goes up—from internal program management, to supply chain process enhancement, to the cost of risk transfer programs (read about rate increases here at Bloomberg ),7 it behooves companies to take a deeper look at the impact of events and recognize the ROI from these programs.
Figure 2 – Management of Risk Across Multiple Tiers
Why should a retailer, for example, know who is the button or thread manufacturer for the shirts they sell, you may ask. Is that not the shirt manufacturer’s responsibility? The retailer really shouldn’t have to. However, when things go wrong, that tier-3 supplier is not the one who has to face the cameras. So some firms are starting initiatives that map their whole chain. But the cost entailed can be huge and feel very unrewarding.
There is a current wave of start-ups chasing this approach. And yes, we will need supply chain maps that link supplier upon supplier with enhanced Meta data models from the traditional Bills-of-Material (or the recipes) we use today. And although these maps are important, the software to build these enhanced supply chain ‘chains’ is trivial compared to the real problem—the data. Every day, something changes in the supply chain. There is no steady state situation within a supply network!
And since it is totally impractical for every company in the supply chain to build a supply network for all of their suppliers, their suppliers’ suppliers, and so on, a different approach needs to be developed. We will discuss more of these issues in our webinar series on Risk.
Many of the problems are beyond the ability of one company to solve, and require industry groups to take a hard look at their role in geo-political activities. To date, the business community has been very active in protecting their IP rights (as they should) and managing the bottom line, but less interested in the communities and government in which they operate. Unfortunately, this approach actually increases their risk exposure. For example, industries like apparel and high-tech have done massive outsourcing and now suffer from a glut of counterfeits on the market, sponsored by criminal elements in the supply countries and fed by the endemic poverty and poor working conditions in many of those locations. ‘Responsibility,’ ‘sustainability,’ ‘green,’ and other such terms have become très fashionable in the business community, but few companies have dug deep enough to ascertain the accuracy of these claims.
The consequences are now rolling in and growing, with cyber attacks and viruses installed in electronic components or software developed in outsourced countries. It is not the nationality that is to blame; it is that companies have not given their employees a compelling reason to protect the assets and long term health of the company for their customers. If you remain poor even with a job, if your working conditions are poor, if you have no healthcare or worker protection/workers compensation for workplace injuries, no incentive plan for performance or opportunities for advancement, you have no incentive for worker loyalty! And this goes for any country where workers are not valued.
Supplier due diligence needs to include a broader perspective based on a broader concept of risks. And the customer needs to get involved in order to improve the conditions if there are issues such as those described above. It might make a huge difference in risk calculation in the future.
We will continue this discussion in the next article of this series.
Attend the series on Risk Management – Register here.
2On CNBC, Squawk Box, Representative Barney Frank from the Finance Committee indicated that the Japanese earthquake and the Greek crisis were big contributors to the currently stalled recovery in the US.
3Stalin was calm while the US demonstrated their nuclear prowess, since he had already stolen the US H bomb. Much of the cold war costs—financial, political, and the impact on millions of people’s lives—had to do with stolen secrets. Will the US suffer these losses and more due to these stolen secrets?
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.