The risks you need to concern yourself with no longer follow a linear path; they no longer allow for days and weeks of response time. They come fast and furious, seemingly out of nowhere, and they can wallop your company faster than you can tweet a first response.
The story is well known. It was just about five years ago that Dave Carroll posted a video to YouTube to express his frustration with United Airlines. As multiple passengers on the plane watched, the company's baggage handlers pitched around his band's guitars, breaking his $3,500 Taylor guitar, and then United spent months denying responsibility for the incident. Carroll informed the company that he'd get his revenge using his own medium -- songwriting. Carroll's humorous music video about the incident, "United Breaks Guitars," went viral. Within days, the resulting bad press arguably cost United shareholders $180 million as they watched their share value drop by 10 percent, according to some press coverage. Carroll went on to write a book to examine "the power of one voice in the age of social media." And he's gone on the speaker circuit to tell companies how to avoid the fate that befell United.
What this says to me -- a long-time risk management professional -- is that the airline's board of directors had fallen into the same trap that's catching many other companies: They failed to recognize that no organization exists in isolation and that the risks they face no longer follow neat supply chain lines. If that weren't true, the company would have responded very differently to Carroll's complaints and market reaction would have gone quite differently.
In fact, the concept of the "supply chain" is insufficient in describing this "extended enterprise," which requires the same kind of rapid-fire response Roger Federer gives a tennis ball. In this article I offer a new approach for understanding risk and preparing your company to manage it well.
More from Jeremy Harrison
Read an earlier interview with Jeremy Harrison on exploiting risk at Network Rail.
The Stretch of the Extended Enterprise
The connections of an enterprise extended out in all directions both through its operations and customers and stakeholders, and so should its risk considerations. We need to think differently about these risks and how we identify and control them.
We're accustomed to monitoring the risks inherent in the supply chain -- that a critical supplier's one and only factory is built on a fault line or in a flood plain. Getting visibility into the operations of those providers is fairly straightforward.
That approach is no longer sufficient. In the era of the instant trending tweet, we need to classify risk as a truly complex problem. It's often unstructured, adaptive, cross-disciplined, data oriented, hard to control, unpredictable, unbounded and fraught with ethical considerations.
Companies need to have a worldview that looks at the suppliers' suppliers and their suppliers. And not only them, but also customers. And not just the impact of natural disasters, but other kinds of challenges: how consumers perceive the supplier's working conditions; how secure its data privacy practices and policies are; how well it responds to complaints on social media.
The Three Cs of Risk Identification
I've created an approach for identifying risk in new ways that I call the "three Cs":
- Complexity; and
Like eyeglasses designed as all-in-one for multiple, specific purposes (reading, computer work, bright sunlight), the three Cs provide different perspectives for considering project risks outside of the typical areas of scheduling, budgeting, and resources.
Connectivity addresses both loose and tight connections among people, companies and other entities, each posing what could turn out to be a weak link in the various chains binding the project. When examining projects seek out connections that are beyond those that are obvious which could prove important.
During a 1994 construction project at Heathrow Airport to lay a tunnel for an express line, the tunnel collapsed. Nobody was hurt; but the recovery effort took two years and added £150 million to the project. The culprit, according to an investigation by the Health & Safety Executive, was "poor design and planning, a lack of quality during construction, a lack of engineering control...and a lack of safety management." The project was using an innovative form of concrete spraying or "shotcrete” technique which -- done properly -- is a fine technique. The shotcrete was also being used on a tunnel project to extend the Jubilee Line. As a result of the collapse, the Jubilee line project -- completely unconnected with Heathrow -- was suspended for a year at great additional expense. Guilt by association or common mode failure, can be a powerful risk area that isn't easily identified.
Complexity refers to granularity: How much is one object affected when another is touched? Connectivity and complexity go together.
A famous example profiled in Charles Fine's 1998 book, Clockspeed, involved Chrysler and its highly-profitable Jeep Grand Cherokee line. The company's procurement and supply organization decided in the early 1990s to "map out" its extended enterprise in order to understand just how vulnerable its supply chain was. The team started with the engine, a V-8 made in one of its plants. From there, it looked at the "roller lifter valve -- a small but critical component in the engine." That vital piece was made by a large global automotive supplier from raw metal castings that came from a nearby "small" provider. The clay that made those castings came from another supplier that "had for some time lost money in its business." Without informing anybody else, the owner of that latter company had decided to get out of the "unprofitable" business and redirect the clay resource to the production of another product for which the clay was well suited: kitty litter. In other words, this near-invisible supplier single-handedly could have brought manufacturing of an important line for a major automaker to a halt.
Conflict helps flesh out the types of connections that surface in projects. Those connections may be adversarial or positive. They could involve stakeholders or non-participants who still want to influence the outcome. They may draw political impact.
During my work at Railtrack many years ago as a business risk manager I found myself immersed in an interesting state of affairs. The company was building a car park in a town north of London where Railtrack's chief executive happened to live. When an issue with the project surfaced, opponents of the project put great pressure on him as a resident of the area to change the outcome. The situation became a major political concern, all because we never considered the importance of that kind of loose personal connection.
Extended Enterprise 2014
On the 9th October, as part of a one-day conference to be held at Cass Business School in London, the Institute of Risk Management will be publishing an extensive report that examines the extended enterprise and how to manage risk in complex 21st century organizations. One chapter in that report offers "questions for the board," such as "How extended is our enterprise?" and "What risks will be exacerbated by a change in the business model?" (such as doing a joint venture). Each of these encompasses additional questions to drill down into the topic. I encourage you to read the complete work and to attend the event.
So What's a Board Member to Do?
No company can plan for every eventuality. Chances are, the scenarios worked out by even the best risk managers will not be the ones that happen. The organization has to build up its muscles for the ability to react. And that work begins with the board.
It is the board's responsibility to ask the right questions in order to understand the nature of the risks the company faces today, in a hyper-link-paced culture, and to make decisions regarding responses to those risks based on its risk appetite.
Many boards are composed of people who may not be fully tuned into the wildfire aspects of social media. That means they need to reach further into the organization to open new channels of communication, find people willing to provide honest, informed feedback and then make a greater effort to listen and understand what these individuals are telling them about appropriate ways to respond to given situations.
One technique -- instead of asking what the risks are -- is to pose the question this way: For you to be successful, what assumptions do you need to be true? Then test how sensitive the company is to those assumptions: If that assumption turns out not to be so, what impact will that have on the organization? Will it knock you out or could you easily manage your way through it? From that, you can prioritize significant risks.
The tentacles of risk go off in all directions now. Risks will surface in your organization that you didn't even realize you were connected to. If you ignore the reach of the extended enterprise, it's a fair bet that you're going to miss something critical, creating an outcome that could quickly be heard around the world.