ROADS TO RUIN – A STUDY OF MAJOR RISK EVENTS: THEIR ORIGINS, IMPACT AND IMPLICATIONS – A report by Cass Business School on behalf of Airmic sponsored by Crawford and Lockton
We investigated 18 high profile corporate crises of the last decade. Companies involved in these crises include AIG, Arthur Andersen, BP, Cadbury Schweppes, Coca-Cola, EADS Airbus, Enron, Firestone, Maclaren, Northern Rock, Shell and Société Générale. Their aggregate pre crisis value was over $6 trillion. In seven cases a company involved faced bankruptcy, of which three were ‘rescued’ by Government. In 11 cases the Chairman and/or CEO lost their jobs, and in others senior executives and non-executive directors (NEDs) lost their positions. In 16 cases the companies and/or executives personally suffered financial penalties or fines, and in four cases executives received prison sentences. Most companies – and their shareholders – suffered severe, uninsurable losses and most reputations suffered severe damage. None of the companies emerged without obvious immediate harm. The research identified the key lessons associated with the failure to prevent each crisis and thereafter manage the consequences. The failures that gave rise to each crisis were analysed and seven key issues emerged, described in this report as the underlying risks that caused the crises. In summary, these underlying risks arise from:
- Inadequate board skills and inability of NED members to exercise control
- Blindness to inherent risks, such as risks to the business model or reputation
- Inadequate leadership on ethos and culture
- Defective internal communication and information flow
- Organisational complexity and change
- Inappropriate incentives, both implicit and explicit
- ‘Glass Ceiling’ effects that prevent risk managers from addressing risks emanating from top echelons.
The key conclusions of the research in relation to the risk management role and responsibilities of board members are:
- Current techniques were not designed to find or deal with these dangerous underlying risks and the engagement with risk professionals needs to be enhanced
- Boards, particularly chairmen and NEDs, have a large, important blind spot – their leadership is essential if these dangerous risks are to be identified and managed.
Scope of the Study
We (Cass Business School) were asked by Airmic to investigate a sample of major corporate risk events, spread over the last decade or so, in order to find lessons that could be learned from them. Our terms of reference were:
- to investigate the impact on companies of major risk events of various types
- to analyse the causes of these events; and
- to consider the implications for the risk management of companies in general
Almost all the organisations we studied were private sector companies, varying in size from medium-sized businesses to large multi-national corporations. They were selected to cover a range of business sectors, including manufacturing, engineering, financial services, energy and transport. Companies involved in the events investigated included AIG, Arthur Andersen, BP, Cadbury Schweppes, Coca-Cola, EADS Airbus, Enron, Firestone, Maclaren, Northern Rock, Shell and Société Générale. The ‘risk events’ that triggered the crises were chosen to include different types, including events causing major loss of life, fire and explosion, regulatory action, management and employee behaviour (including fraud), product defects and IT-related problems.
Each of the 18 individual case studies provides background information on the primary company involved, describes the risk event, outlines the management response and discusses the consequences for the company, as well as other companies and stakeholders. The role of insurance is noted, where appropriate, and most importantly, each case study analyses in detail the risk management implications of the event and the lessons that can be drawn from it.
Results of the Research
It became clear that there was much more to these corporate crises than is usually discussed. Once we had filtered out the specific ‘triggers’ for each crisis, other, deep-seated issues were seen to be at work across the sample of case studies. We have called these key issues, which transcended business sectors, ‘underlying risks’.
These underlying risks were dangerous in four ways:
- Many posed a potentially lethal threat to the organisation’s business and business model and continued existence
- When they materialised, they often caused serious, sometimes devastating and almost always uninsurable losses to the business, its reputation and its owners, often putting the positions of the CEO and/or Chairman in jeopardy
- Many were also instrumental in transforming serious, but potentially manageable crises, into catastrophes that destroyed reputations and licences to operate
- Most of these risks are both beyond the reach of current risk analysis techniques and beyond the remit and expertise of typical risk managers. Unidentified and thus unmanaged, these risks remain unnecessarily dangerous.
Following detailed evaluation, we have classified these underlying risks into seven broad categories, although these are not mutually exclusive:
- Board Skill and NED Control: Risks arising from limitations on board skills and competence and on the ability of NEDs effectively to monitor and, as necessary, control the executive arm of the company
- Board Risk Blindness: Risks from board failure to recognise and engage with risks inherent in the business, including risks to business model, reputation and ‘licence to operate’, to the same degree as they engage with reward and opportunity
- Inadequate Leadership on Ethos and Culture:Risks from a failure of board leadership and implementation on ethos and culture
- Defective Internal Communication: Risks from the defective flow of important information within the organisation, including up to board level
- Risks from Organisational Complexity and Change: This includes risks following acquisitions
- Risks from Incentives: This includes the effects on behaviour that results from both explicit and implicit incentives
- Risk ‘Glass Ceiling’: Risks arising from the inability of risk management and internal audit teams to report on and discuss, with both executive and non executive directors, risks emanating from higher levels of their company hierarchy, including risks from ethos, behaviour, strategy and perceptions. A number of the underlying risks we identified predispose organisations to, or are examples of, ‘groupthink’
Since each case study is the detailed story of a specific crisis, they also contain many lessons on the practicalities of crisis management and planning. They provide a valuable and extensive opportunity to learn painlessly from the misfortunes of others, and so have enabled us to compile a series of observations on good and bad crisis management.
The important lessons from this research are related to the need for boards, particularly NEDs, to be more effective in their approach to risk management, seek full information and ask challenging questions about the underlying risks that we identified. Many risk managers and internal auditors will feel uncomfortable working in the areas highlighted in this report until they have been able to gain the skills and experience necessary effectively to question and discuss both corporate strategy and the leadership style of senior management. Furthermore, many of these risk areas are difficult for risk professionals to explore, let alone report on, because the need to question and sometimes criticize those above them in the hierarchy could be seen as a putting their careers at risk. We have concluded that four important developments are necessary if boards are to effectively address these important risk issues:
- The scope, purpose and techniques of risk analysis and management will need to be re-thought in order to capture risks, such as those we have identified, that are not routinely covered by current approaches
- Risk professionals may need to extend their skills so that they become competent to identify, analyse and discuss risks emerging from the ethos, culture and strategy of their company and the activities and behaviour of their leaders
- The role and status of risk professionals will have to change so that they can safely evaluate, report and discuss all they find on these underlying risks at all levels, including at board level
- Boards, and particularly the Chairman and NEDs, need to recognise the importance of risks that are not captured by current approaches – they also need to focus on how to ensure missing risks are captured
How this can all best be achieved is a question beyond the scope of this current report, although the work involved in these four areas, particularly the first two, would be a natural extension of our research. We suspect that there is also a need for more sophisticated NED and executive education directed towards the understanding of, evaluation of and engagement with risk. This needs to go far beyond risk analysis and aversion, to bring risk andrisk appetite routinely into board discussions about risks, opportunities and reward.
Many of the risks we have highlighted are inherent in every organisation. Unrecognised and unmanaged, these underlying risks pose a potentially lethal threat to the future of even the largest and most successful businesses. Boards, particularly chairmen and NEDs, have a large, important blind spot in this dangerous area.
Without board leadership, these risks will remain hidden because only boards can ensure that enough light shines on these hard to see risks.
The complete report can be obtained from: