[BreachExchange] Change How You Think About Risk. Your Company May Depend on It
Destry Winant
destry at riskbasedsecurity.com
Tue Aug 21 23:24:10 EDT 2018
https://www.inc.com/leigh-buchanan/how-to-protect-yourself-from-very-bad-things.html

Entrepreneurs know they face a high likelihood of failure. What
they're not prepared for is being knocked violently from the playing
field by some catastrophic event: floods that destroy their
operations, hurricanes that wipe out key suppliers, financial
meltdowns that obliterate demand.
While large corporations front-burner risk management, smaller
companies are too busy putting out metaphorical fires to worry about
real ones. That's a mistake, say Wharton professors Howard Kunreuther
and Michael Useem, authors of the new book Mastering Catastrophic
Risk: How Companies Are Coping with Disruption.
"Disruptive events are not only here to stay but their intensity is
growing," Useem says. "If you think about really major disruptions,
such as the Japanese earthquake and the resulting tsunami, they
affected supply chains all over the world. These events are
consequential for just about everybody."
Small companies are especially vulnerable. A vast majority of small
businesses are either un- or under-insured, according to research from
Insureon and Manta. JPMorgan Chase reports that only half have
sufficient cash cushions to survive 27 days of typical outlays. And
few possess the resources required to build redundant supply chains or
the clout to require vendors to bolster their own resilience.

The menace of myopia

The authors say that small-company leaders are prone to mental biases
that prevent them from taking steps to limit their vulnerability.
Chief among them is myopia. Low on resources, leaders of small and new
businesses generally favor investments that provide a near-term
payoff. Convincing them to spend on protections against some future
that may never arrive is a tough sell.
Leaders believe low-probability events like hurricanes, earthquakes,
and floods are beneath their level of concern, Kunreuther says. That
leads to complacency. "But if you tell them that over the next 25
years there is a greater than one in five chance that at least one of
those disasters will occur to you," he says, "they start to pay
attention."
Kunreuther urges leaders to approach risk-mitigation as a value
creator, even if nothing bad ever happens. For example, it may make
financial sense to reduce inventory levels, a step that also limits
your exposure if a tornado flattens your warehouse. And he would like
to see financial institutions--particularly lenders and
insurers--incentivize small business leaders to invest in risk
mitigation. "If you do something to make your factory safer, then that
investment doesn't just vanish. It benefits you over the life of the
building," Kunreuther says.

It can happen to you

Excessive optimism and overconfidence can also skew leaders'
perception of risk. Entrepreneurs believe against all reason that
they'll succeed, and often possess an unrealistic view of their
control over outcomes. "If you are optimistic with low-probability
events then you are in big trouble, because you say, 'It is not going
to happen to me,'" Useem says. "And it may very well."
A more realistic, data-based understanding of risk can help. Data on
low-probability events can be hard to come by, and predictive
algorithms used by large companies have their limits. Kunreuther and
Useem recommend compiling a list of possible future disasters--not
just extreme weather but also things like cyberattacks, a deadly
product malfunction, or imposition of regulations that cut the
company's feet from under it. Then "stress test" the business by
calculating its ability to withstand such assaults, and for how long.

Getting risk under control

Catastrophic, low-probability events are, by definition,
unpredictable. Like the Coast Guard, leaders must become semper
paratus (always ready) by baking risk mitigation into every level of
the business. That requires a risk-management culture, Useem says, in
which "everyone is asked by top executives to be mindful on a regular
basis of potential disruptive risks that can lead to a sudden
downdraft in demand or cash."
Of course, all businesses--and entrepreneurial businesses in
particular--must take risks to grow. It is up to the CEO to determine
the company's level of risk appetite and risk tolerance. Most leaders
are pretty clear about their companies' risk appetites, the amount of
risk they're willing to assume to achieve their goals. But they may
not have specified or even considered their risk tolerance, the
willingness to accept loss and disruption. "And it's not just how much
loss I will accept this year but also over the next few years if they
want to stay in business for a while," Kunreuther says.
Chief risk officers are standard issue at large companies but
virtually nonexistent at small ones. CEOs instead should make a top
executive--perhaps their No. 2 or No. 3--responsible for getting up to
speed on risk, the authors suggest. That person consults with
everyone, including functional peers, front-line employees, and board
members whose expertise and experience in other industries is
particularly valuable. The question: What are the two or three most
likely downside risks in the next 12 months, and how can we mitigate
them?

Starting with cyber

Cyberattacks are one category of catastrophic event that has lately
breached small companies' perimeters of concern. For years,
entrepreneurial leaders considered their relatively diminutive
businesses uninteresting to hackers seeking vast stores of data or
hefty ransoms to restore blocked access. But with more small
businesses targeted--almost a quarter of companies with 250 employees
or fewer have been attacked, according to the Better Business
Bureau--leaders no longer see hacking as a black swan.
In response, small companies have begun girding their digital loins.
They should take the opportunity to extend their newfound risk
awareness to other parts of the business. "Address this tangible
threat and then say, 'OK, now that we have protected our digital
records, what other potential vulnerabilities should we be thinking
about?'" Useem says. "We have got to start somewhere, and that is
about as good a place as any."