More and more firms are now putting low probability catastrophic risks higher on their agenda. According to the authors of a recently published book, the reason for this is simple: these events are happening more often.
Howard Kunreuther and Michael Unseem, who together wrote Mastering catastrophic risk: how companies are coping with disruption, argue that recent massive data breaches at organisations such as Facebook, Yahoo and Equifax mean that organisations must add cyber security failure to a list of catastrophic risk considerations that already includes terrorism, financial crises and natural disasters.
The authors interviewed senior management at more than a hundred American companies in the Standard & Poor’s 500, an index of the 500 largest U.S. publicly traded companies by market value. In the process, they found a significant increase in focus on catastrophic risk following a sequence of disasters, starting with the September 11 attacks and including the 2008 sub-prime mortgage crisis, the 2011 Fukushima nuclear disaster and Hurricane Sandy in 2012.
For some risk managers, the likelihood of such events affecting their organisation appears to be so small that it may well be dismissed completely. However, Kunreuther and Unseem argue that this type of short-sighted thinking is a risk in itself. The authors draw on the experience of their interviewees to develop recommendations to help risk managers pre-empt and deal with catastrophic risk. This includes learning from the experience of others and not ignoring successful strategies simply because they were developed outside of the organisation.
As part of an eight-point checklist for risk managers, Kunreuther and Unseem recommend developing five potential disruptive scenarios that could affect the whole organisation, including a worst-case scenario. They advise that risk managers should be cognisant of any behavioural biases within the firm that could lead to improper company decisions, warning against intuitive thinking that could lead to underestimations of low-probability risks and mismanagement of recovery efforts.
The authors suggest a fresh approach to presenting the timeframe for judging disasters so that they are taken more seriously by the organisation. This could mean restating the probability of an event with a 1-in-100 likelihood of happening next year as a 1-in-5 chance of happening in the next 25 years.
They also recommend that risk managers define and balance their organisation’s risk appetite and risk tolerance by mapping its overall strategy, with priority given to the most demanding enterprise risks.
As well as advocating a culture that learns from its own adverse events and near misses, Kunreuther and Unseem propose that organisations spread the cost of risk-mitigation measures through multi-year budgets to help justify their long-term benefits.
Transferring some of the risk via insurance is also recommended, as it allows organisations to protect against extreme losses, while the authors also argue that the next generation of leaders should be properly prepared to help build risk management capabilities across the organisation.
Mastering catastrophic risk: how companies are coping with disruption is available now through Oxford University Press. IRM members can receive 30 per cent off the retail price by entering the discount code ASFLYQ6.