As one of the world’s leading oil companies, ExxonMobil is no stranger to the vagaries of international politics, but that didn’t prevent the company from succumbing to the revolutionary zeal of Venezuela’s former leader, Hugo Chavez. In 2007, he nationalised a swathe of oil projects in the Orinoco belt. ExxonMobil pulled out of the country in protest, and more than a decade later is still fighting for compensation.
No matter how tightly a company controls its own operations or minimises risk in its personnel and procedures, threats can emerge from places beyond the company’s control. These external risks can be difficult to spot and harder to remedy.
Companies can start by distinguishing between events that can be anticipated and mitigated—such as labour conflicts or regulatory change—and unexpected developments, such as coups d’état, bank runs or surprise devaluations. Although some investors seem content to do nothing and hope for the best, a systematic and carefully planned approach allows companies to anticipate many risks, understand their relative importance to the company and then plan appropriate remedial action.
‘Managing risk not only requires companies to identify a threat, but also understand how it intersects with their interests.’
Unfortunately, effective risk management is complex, because every company views risks differently. Even close competitors operating in similar product markets have their own unique dynamics. So managing risk not only requires companies to identify a threat, but also understand how it intersects with their interests.
However, a simple framework based on the five actions can help executives react effectively:
- Scan the horizon: What is the range of risk events out there, and their probability of occurring? General Motors, the US carmaker, has some 400 major partners in its supply chain, manufacturing plants in 20 countries from Argentina to Vietnam, and consumers in just about every market in the world. Disruption in any of these locations could affect operations much further afield, denting sales and profits. Companies similarly exposed across multiple markets need teams to gather and interpret intelligence on developments that may affect operations, whether to do with local politics, security, laws and regulations or the myriad other vagaries of the external environment that are affected by political dynamics.
- Calculate exposure: For each risk, how much does the company have at stake. Even where the likelihood and timing of a risk event is clear, every companies’ exposure will differ. For General Motors, a failure at Lear Corporation, with which it spends around $250bn a year on seats and other equipment, would be costlier than one at Remy International, a maker of alternators and other electronic equipment, with which it spends a tenth of that amount. A company might be exposed, for example, through falling revenues, lost production days, supply chain disruption, reputation damage.
- Determine your risk appetite: How much risk is the company willing to take? This depends on several factors. Well-funded start-ups in fast-growing industries may be hungry for risk; established corporations operating on narrow margins in heavily regulated industries, less so. Ultimately, the willingness to accept a certain level of risk depends on the trade-off between potential cost and reward. If such a cost-benefit calculation can be expressed in dollar terms, it can be made quite precise, though many CEOs prefer a ‘seat of the pants’ test to what might be viewed as a spurious formula.
- Assess your resilience: How prepared is the company to confront the risk? What mechanisms/skills/hedges are already in place to mitigate potential damage? Resilience is largely a function of how well a company has performed the above three steps, and its readiness to respond. Building resilience—a company’s protective armour—is the purpose of risk management. Resilience is developed by making well-informed, timely decisions about where and how to set up operations, and deploying people and resources to address threats and exploit opportunities as they arise. For example, Royal Dutch Shell protects itself from potential protesters disrupting exploration by consulting with Greenpeace.
- Respond: Broadly speaking, there are three meaningful responses to a threat. First, accept it. If it’s unlikely to occur and its impact on your business likely to be modest, one might simply say ‘bring it on’ and deal with the consequences when they arise. Second, transfer the risk. A broad range of complex insurance and hedging instruments are available allowing you to shift the risk to specialist companies. Third, increase your preparedness and resilience—hiring additional expertise or investing in otherwise redundant systems might make the risk more tolerable and allows you to stay in the market. And it is this third option where managers must draw up their own, company-specific, taxonomy of scenarios, vulnerabilities and actions that will guide leaders how to act when a crisis hits.