The Risks of Getting Risk Management Wrong

Nearly all business risks can be sorted into one of four categories: financial, operational, external, and strategic.

Typically, senior managers are tasked with looking out for financial, external, and strategic risks — with good reason. Over a 20-year period, these rogue risks accounted for 92% of major sustained losses in value in large organizations. Meanwhile, mid-level and junior managers are taught to focus myopically on operational risks, which are generally less threatening. This approach works well when you’re sure you can see a wave building from the bridge. In a more volatile environment, though, you need to be aware of the whole system, which requires more than a pair of binoculars.

When change is rapid, what you really need is a risk radar. Everyone needs to be looking out at the ocean, providing you with a 360-degree view. Your junior people on the ground will often see an issue first, but not know what it means. You need to teach them what to look for and when to sound the klaxon. You need to install mechanisms that ensure those warnings are heeded.

Rogue Waves

This matters for risk in general, but it matters much more when you’re talking about rogue waves. We tend to think of them as edge cases, but as the world moves faster and becomes more connected, they impact us more often.

Over the past century, external events of this magnitude — wars, financial crises, large natural disasters — affected large companies on average every seven years, from which it took several years to recover, if they ever did. Leaders of these organizations were responding to radical external change as much as 45% of the time.

While you can’t prepare for every possible rogue wave, they can be categorized according to the types of impact they have on you, your customers, your competitors, and your vendors. This means that you can prepare to exploit entire categories, even if you don’t know the precise wave that will hit.

Rogue waves have one characteristic from each of these categories. For instance, Covid was a dynamic, symmetrical, synchronous wave. In many ways, it was much like the impact of a world war on the European real-estate market or the impact of a drought on almond growers in California’s Central Valley. The probabilities change over time, but they impact every company in the category within the same timeframe.

This is very different from a static, asymmetrical, asynchronous wave. For instance, thousands of focused cyberattacks occur each year. It could sink you but not touch your competitors. This happened to Mount Gox, the currency exchange that once managed 70% of global bitcoin trade. In 2014, they had to shut down days after they discovered that a hacker had been syphoning off crypto for years.

Starting to think through the impact of different rogue wave categories on financial, operational, external, and strategic risks is a great way to start building systemic intuition about the threats and opportunities they create.

The Choice to Be Wrong Rather Than Uncertain

The idea that it’s useful to forecast probabilities, even when we can’t make specific predictions, should be self-evident. We have ever greater tools to make sense of systems that seem chaotic at first glance.

But medium and large companies and government agencies are typically run in heavily deterministic ways. Their forecasts are based on the extrapolation of current realities and outdated metrics. They make almost no acknowledgement of uncertainty beyond what has been experienced in the recent past; yet we know that rogue waves are becoming more and more likely.

A lot of this is just inertia, leftovers from the early days of modern companies, when change was relatively slow and knowledge of your inventory and customers was enough to keep you competitive. This is compounded by the demands of institutional shareholders who reassess their positions every few months. They are driven by quarterly results and are less impressed by portfolios of risk that can weather long-term uncertainty.

The result is that — while only fools believe that the biggest wave they have seen is the biggest they’ll see— fundamentally, large organizations incentivize an unhealthy discomfort with ambiguity. Their cultural identities are tied to their decisiveness. They like having a clear, single answer when the question is what’s going to happen next.

Often, this preference is so strong that organizations would rather be wrong than uncertain. Even more dangerously, they may answer the wrong questions because they rely on the data they have instead of considering the implications of the data they are missing. They often make decisions designed to reduce or prevent near-term change that ultimately leaves them more vulnerable to volatility.

The Prevalence of Cynicism

Recently, it has become fashionable to respond to uncertainty with cynicism. Many authors and pundits have effectively thrown up their hands, saying that if nothing can be predicted, why bother?

Ideas like the Butterfly Effect (in which a tiny change in circumstances can have massive unanticipated consequences) and the Black Swan (unique, unpredictable events that swamp mitigation efforts) have led to a rash of pessimism: It’s all chaos, so let’s just do what we’ve always done and hope for the best.

The problem with this perspective is that it mistakes forecasting for prediction, massively discounting the value of knowing what’s possible and what’s likely.

One classic example that helps illustrate this is the assassination of Archduke Franz Ferdinand by a Slavic nationalist named Gavrilo Princip, which was the ostensible trigger of WW I. Many popular histories treat it as a Black Swan that set off a Butterfly Effect — a random event whose repercussions upended the entire world. But if the Great War was triggered by an unpredictable occurrence, the cascade of events that followed it was inevitable because of the conditions within the system in which they played out.

In his classic book War By Time-Table, A.J.P. Taylor recounts how the Archduke’s chauffeur took a wrong turn, serendipitously delivering his passenger to the assassin. Here’s how he tells it:

“Potiorek called out: ‘Stop! You are going the wrong way.’ The driver stopped and began to back up into the quay. Princip was sitting in the cafe exactly at this corner. To his astonishment, he saw the Archduke immediately before him. He pulled out his revolver . . . [and] fired twice.”

If the driver hadn’t erred, the Archduke would’ve stayed alive. But the war would not have been avoided; some other event would have set it off. If the Archduke’s murder wasn’t predictable, the breakdown of the political and power dynamics that had kept the European continent at peace for decades guaranteed that the peace would end. This is the knowable thing about systems. They break, and when they do, they unleash the forces they kept in check.

By 1914 it was already evident that a conflict between the U.K. and Germany was likely. English military leaders felt that the growth of German naval capabilities posed a direct threat and needed to be contained. This wouldn’t be possible without coordination with France. Once the first shot was fired, the system of secret alliances, decades-old battle plans, and the logistical realities of war would necessarily drag the rest of Europe into the conflict. Blaming the assassination for the war that followed is a bit like blaming a forest fire on the discarded cigarette that ignited it, while ignoring the drought and mismanagement that made it inevitable.

As Edward Grey, Britain’s prime minister wrote, “There was little for me to do. Circumstances and events were compelling decision.”

Every management decision you make, every policy you install is based on a prediction of what will happen next. All policies will eventually fail because nothing stays static forever. This isn’t just about engineering yourself to benefit from or avoid a rogue wave. It’s also about the more important lesson: how to build an organization that can patch its own hull when an oncoming wave inevitably cracks it.