Roads to ruin: A study of major risk events

This major research report, produced by Cass for Airmic (the Association of Insurance and Risk Managers in Industry and Commerce), investigates the origins and impact of over twenty major corporate crises of the last decade.

The crises examined involved substantial, well-known organisations such as Coca-Cola, Firestone, Shell, BP, Airbus, Société Générale, Cadbury Schweppes, Northern Rock, AIG, Independent Insurance, Enron, Arthur Andersen, Railtrack, the UK Passport Agency and also some smaller firms. Several did not survive and most of the rest suffered severe damage.

The aims of the research were to trace the deeper causes of the crises, to assess the post-event resilience of the companies involved and to consider the implications for the risk management of companies in general.

The report is built around eighteen detailed case studies which analyse the impact of critical events both on the enterprises most directly affected and, in many cases, on other associated firms. There are references to around forty organisations in total.

The case studies provide a rich source of lessons about risk, risk analysis and risk management, in the context of critical events of many different types, ranging from fires and explosions, product-related and supply chain crises to fraud and IT failures. The report details over one hundred specific 'lessons about risk' which emerge from the case studies.

Much broader lessons have also been distilled from the case studies. Several of the firms studied were destroyed by the crises that struck them. While others survived, they often did so with their reputations in tatters, and faced an uphill task in rebuilding their businesses. The research concluded that the firms most badly affected had underlying weaknesses which made them especially prone both to crises and to the escalation of a crisis into a disaster.

These weaknesses were found to arise from seven key risk areas that are potentially inherent in all organisations and which can pose an existential threat to any firm, however substantial, which fails to recognise and manage them. These risk areas are beyond the scope of insurance and mainly beyond the reach of traditional risk analysis and management techniques as they have evolved so far. In our view, they should be drawn into the risk management process. They are as follows:

A. Board skill and NED control risks - limitations on board competence and the ability of the Non-Executive Directors (NEDs) effectively to monitor and, if necessary, control the Executives.
B. Board risk blindness - the failure of boards to engage with important risks, including risks to reputation and 'licence to operate', to the same degree that they engage with reward and opportunity.
C. Poor leadership on ethos and culture
D. Defective communication - risks arising from the defective flow of important information within the organisation, including to board-equivalent levels.
E. Risks arising from excessive complexity.
F. Risks arising from inappropriate incentives - whether explicit or implicit.
G. Risk 'Glass Ceilings' - arising from the inability of risk management and internal audit teams to report on risks originating from higher levels of their organisation's hierarchy.

The report concludes that a number of developments are necessary to deal with these risks.

  • The scope, purpose and practicalities of risk management will need to be re-thought from board level downwards in order to capture these and other risks that are not identified by current techniques.
  • The education of risk professionals will need to be extended so that they feel competent to identify and analyse risks emerging from their organisation's ethos, culture and strategy, and from their leaders' activities and behaviour.
  • The role and status of risk professionals will need to change so that they can confidently report all that they find on these subjects to board level.

The full article can be downloaded from Airmic's website.