Clem Sunter

Risk management: why the flags matter

2015-10-11 15:55

If anything has shown why risk management should be one of the premier disciplines in any business, the VW saga stands out as probably the most powerful example in recent years.

Manipulating official interest rates and coping with the consequences of an accidental oil spill cost the companies involved huge sums of money; but deliberately fiddling with exhaust emissions in laboratory tests may go down as the single most expensive transgression in corporate history.

Estimates of the ensuing penalties reach as high as €35 billion, but that is only the financial cost. Until the news came out, VW was regarded as one of the best-managed companies on this planet. Now it has to rebuild its reputation piece by piece. Then there are the retrenchments which have already been announced in VW’s own plants and the knock-on effect of this scandal on the dealerships.

Recalling all the models involved and modifying them to comply with the law will be an enormous task. Simultaneously, convincing existing drivers and new customers that the problems have been satisfactorily resolved will need a public relations campaign extending to every corner of the globe.

So, could this commercial catastrophe have been avoided? My view is that the proper implementation of the basic principles of risk management would have had a good chance of averting the disaster.

First let me explain the three critical steps involved in risk management. The initial step is to identify the current threats to the business. The second step is to assess the impact and probability of each threat. The final step is to determine the best option to cope with each individual threat based on its potential impact and probability.

The range of options available to a company is to eliminate the threat altogether; to determine the most cost-effective way of reducing it to an acceptable level; to share the consequences of the threat by, for example, insuring against it; or to live with the threat because it has a sufficiently low probability of occurrence or an impact within tolerable limits, or both.

While the procedure looks simple, risk management in practice requires a degree of foresight, data collection and judgement of the facts that eludes all but the best practitioners in the field. Many companies mention the discipline in their protocol of corporate governance and go through the motions by parking it in their internal audit departments. However, they do not commit the resources to make it happen in a way that adds real value to the strategy and wellbeing of the overall operation.

Consider the first step. To identify the risks, you have to understand how the context within which you are doing business is changing. In my terminology, you need to make a list of all the flags that are changing the game. For your continued existence, the external environment matters as much as the integrity of your internal production processes. The flags can be clockwork-like trends ticking away in the background or cloudy uncertainties creating various scenarios for the future of your industry. Whichever kind they are, they have to be figured into the evaluation of the threats which could bring down your organisation.

To begin with, a flag may be slow in its ascent up the flagpole to the extent that its subtle influence on the game is hard to detect. Then all hell breaks loose with one incident. The widespread hacking of phones by journalists in the UK suddenly became a massive liability for several newspapers after the murder of British teenager Milly Dowler in 2002. Her voicemail had been hacked and the News of the World closed down.

VW failed to see or underestimated the significance of two flags. Both are featured in a book I am publishing in mid-November entitled Flagwatching. The first one is the green flag and the fact that pollution caused by carbon dioxide and other noxious gases is now being taken much more seriously by political leaders like Barack Obama, as well as the public at large. Thus, the downside of any measure to disguise the real environmental impact of a product has gone up exponentially in the past five years.

The second one is the anti-establishment flag. This has risen as a result of general cynicism concerning the behaviour of celebrities, politicians and big business. The gap between the image you portray and your actual conduct is now under a more searching microscope. For instance, tax avoidance and tax evasion are now regarded as one and the same thing. Consequently dishonesty, when it is revealed, carries the possibility of life-threatening retribution. Ask any celebrity who has been named and shamed in this regard.

These flags when combined have not only introduced additional risks into the business world. They have also added strength to each other in terms of severity of impact, the appraisal of which forms an essential element of the second step. Hence, the interconnection between risks has to be understood together with the velocity with which they can manifest themselves as actual crises. The Institute of Risk Management South Africa completely endorses these last two points.

But that is not where it ends. Many of the categories of risk in the surveys undertaken internally by a company are simply too broad to constitute an effective screening mechanism. You get the feeling that boxes are being ticked under appropriate headings so that the board of directors can move on to more important items on the agenda.

Yet some of the most lethal risks are, by their very nature, granular and buried deep in the organisation. At the very least you need a fully operational whistle-blowing system to expose them. Better still, you need expert sleuths to pay regular visits to the factory floor and pick up any scent of actions which contravene the flags.

In VW’s case, could they ever have imagined that a tiny bit of software would have repercussions more harmful than any other event in the history of the company? I doubt it, especially when the offending algorithm was not directly related to the safety of the vehicle. But there lies the rub. If they had pursued risk management in as dedicated a fashion as they do in designing a new car, they might have averted the nightmare.

I do not want to appear vindictive in this article because I am well aware that what happened to VW has happened and will continue to happen to a host of other companies. Nevertheless, I hope the VW experience has put everybody on their toes. Indeed, it is a flag which should indicate to every CEO in charge of a business anywhere in the world that the corporate game has changed for good - in all senses of the word “good”.

In short, get your risk managers to construct a dashboard and watch it continuously for warning lights. When one of them blinks, take action to prevent a calamity.


News24 encourages freedom of speech and the expression of diverse views. The views of columnists published on News24 are therefore their own and do not necessarily represent the views of News24.


