How external events become internal concerns
- A political event isn’t a risk unless it affects your business
- Map out company-specific ‘pathways of impact’ from any crisis
- Simple measures, speedily implemented can mitigate potentially huge risks
- Determine beforehand which risks are worth mitigating to stay in your market
A favourite tactic of Shining Path guerrillas during Peru’s insurgent war was to topple electricity pylons on the outskirts of the capital, plunging shops, streets, houses, factories and offices into darkness. Businesses faced disaster. Yet some companies, with contingency plans for a sudden, prolonged power cut, survived and prospered. What mattered was not just their foresight but the way they assessed the risks to their operations.
To make an effective calculation of political risk, companies must understand four key variables: the likelihood of the risk event happening; the degree to which they are exposed; their level of resilience, and the amount of risk they are willing to accept.
How likely is a particular risk event to happen? Peru’s insurgency dragged on for years and disruption to the power supply was on everybody’s radar, so few should have been taken by surprise. Blackouts were a high-probability event. Just over the border in Chile peace reigned and blackouts were very rare.
Judging probability is a vital calculation because a company’s resources are scarce. One might anticipate any given external political event, but it can’t be classified as a risk to the business unless it can also affect business operations—otherwise, it is just a headline to be read and forgotten.
If we could predict future events with precision there would be no such thing as risk, so how do we assess probability? The past—a record of the event’s frequency over time—can be a guide, though the past is a notoriously unreliable predictor of the future. The most straightforward assessment technique is to rank events in order of their perceived likelihood. If you can’t say how likely event A is, you may be able to judge whether it is more or less likely than event B. Such a ranking can provide sufficient data for an effective risk model.
This qualitative approach is often required with political risk. Given the range and uncertainty of political variables, the kinds of quantitative techniques used in finance can be dangerously spurious.
2. Degree of exposure
How exposed is your company to the particular threat? The way an event affects business will vary from company to company, and will depend on what we can call the ‘pathway of impact’.
During Lima’s blackouts, primary healthcare providers faced disruption to surgery schedules and potential lawsuits over the effects of delayed medical attention. In the same circumstances steel company Siderperu faced disaster if blast furnaces cooled with semi-processed material in the production line. The computer systems and ATM networks of the country’s banks were exposed to power surges as the distribution network came back on line, with the potential for data loss, hardware damage and client disaffection.
In each case, the same event had different effects and worked its way through the organisation in different ways, with a cascade of primary and secondary impacts as the organisation responded.
Companies must also ask how important the disrupted part of the business is in the whole organisation. For Siderperu, whose entire operation was based in Peru, the consequences could have been catastrophic. For those commercial banks that were subsidiaries of major multinational institutions the impact on the wider group was more manageable.
Measuring exposure to political risk is an art rather than a science. Financial risk can be expressed in terms of the expected impact on revenue, but politics is less tangible and transparent. Again, a ranking system agreed in discussion with relevant department heads can provide the basis for calculation.
Judging resilience is not only a matter of how a company responds, but how fast
How protected is the company from the identified threat? Peru’s banks, along with many other local companies, had installed emergency generators that kicked in when the electricity grid failed (assuming diesel supplies held out), and batteries to keep the lights on while the generators started up. These mitigations made them resilient in the face of power disruptions.
Private clinics used flexible staffing rotas to bolster coverage when disruption prevented staff from getting to work. Public hospitals, victims of a crisis in public funding at the time, were unable to copy them and, as patients discovered to their cost, were less resilient.
For other companies, a simple system that enabled staff to work at home could mitigate the worst of the disruption; resilience need not be expensive.
Judging resilience is not only a matter of how a company responds, but how fast, which boils down to the following:
Decisive action – have responses to threats been identified, and are mitigation plans ready to be activated at short notice?
Clear responsibility – have the right people been given the responsibility and the skills to implement the plan, as well as the autonomy to adapt when circumstances change?
Practised procedures – does the company practise for crises in a realistic way, as one might in a fire drill? Mere box-ticking exercises are more likely to breed complacency than resilience.
4. Risk appetite
Risk is not a choice. The key question is how much risk can a company handle for a given reward. Sometimes, it’s the CEO who decides (given that it’s his head on the block). Companies with more sophisticated risk management processes can produce a formal risk appetite statement to cover every major risk identified. This statement recognises the relative importance of the company’s strategic and operational objectives, and the degree of risk the company would be willing to take to achieve each of them. For instance, a company might be willing to take more risk for an acquisition that opens a large new client base than for one that builds scale in small existing markets.
Companies, and even entire sectors, can be infused with a culture of risk (or risk avoidance). Silicon Valley start-ups are notoriously uncertain ventures and require a voracious appetite for risk. The private banking houses of London and Geneva are protective of their history and will set a high price for the risks they accept. For Siderperu, the quality and reliability of supply was the company’s most valuable asset, and therefore the area where there was least appetite for risk taking. For the private clinics, it was reputation.
The risk calculation
The above four variables —probability, exposure, resilience and appetite—have a critical part to play in planning a response to risk. Even highly unlikely events can push a company with high exposure and low resilience beyond its tolerance.
Once the risk horizon has been mapped, these four variables should determine the priority the company gives to each risk, and therefore the share of its resources it deploys against them. It will also form the basis of a simple framework for each company to categorise and prioritise the risks they face, and design appropriate responses.
This article was written for Headspring. A version of this article first appeared in CEO World magazine.