BreachExchange mailing list archives
Change How You Think About Risk. Your Company May Depend on It
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 21 Aug 2018 22:24:10 -0500
https://www.inc.com/leigh-buchanan/how-to-protect-yourself-from-very-bad-things.html Entrepreneurs know they face a high likelihood of failure. What they're not prepared for is being knocked violently from the playing field by some catastrophic event: floods that destroy their operations, hurricanes that wipe out key suppliers, financial meltdowns that obliterate demand. While large corporations front-burner risk management, smaller companies are too busy putting out metaphorical fires to worry about real ones. That's a mistake, say Wharton professors Howard Kunreuther and Michael Useem, authors of the new book Mastering Catastrophic Risk: How Companies Are Coping with Disruption. "Disruptive events are not only here to stay but their intensity is growing," Useem says. "If you think about really major disruptions, such as the Japanese earthquake and the resulting tsunami, they affected supply chains all over the world. These events are consequential for just about everybody." Small companies are especially vulnerable. A vast majority of small businesses are either un- or under-insured, according to research from Insureon and Manta. JPMorgan Chase reports that only half have sufficient cash cushions to survive 27 days of typical outlays. And few possess the resources required to build redundant supply chains or the clout to require vendors to bolster their own resilience. The menace of myopia The authors say that small-company leaders are prone to mental biases that prevent them from taking steps to limit their vulnerability. Chief among them is myopia. Low on resources, leaders of small and new businesses generally favor investments that provide a near-term payoff. Convincing them to spend on protections against some future that may never arrive is a tough sell. Leaders believe low-probability events like hurricanes, earthquakes, and floods are beneath their level of concern, Kunreuther says. That leads to complacency. "But if you tell them that over the next 25 years there is a greater than one in five chance that at least one of those disasters will occur to you," he says, "they start to pay attention." Kunreuther urges leaders to approach risk-mitigation as a value creator, even if nothing bad ever happens. For example, it may make financial sense to reduce inventory levels, a step that also limits your exposure if a tornado flattens your warehouse. And he would like to see financial institutions--particularly lenders and insurers--incentivize small business leaders to invest in risk mitigation. "If you do something to make your factory safer, then that investment doesn't just vanish. It benefits you over the life of the building," Kunreuther says. It can happen to you Excessive optimism and overconfidence can also skew leaders' perception of risk. Entrepreneurs believe against all reason that they'll succeed, and often possess an unrealistic view of their control over outcomes. "If you are optimistic with low-probability events then you are in big trouble, because you say, 'It is not going to happen to me,'" Useem says. "And it may very well." A more realistic, data-based understanding of risk can help. Data on low-probability events can be hard to come by, and predictive algorithms used by large companies have their limits. Kunreuther and Useem recommend compiling a list of possible future disasters--not just extreme weather but also things like cyberattacks, a deadly product malfunction, or imposition of regulations that cut the company's feet from under it. Then "stress test" the business by calculating its ability to withstand such assaults, and for how long. Getting risk under control Catastrophic, low-probability events are, by definition, unpredictable. Like the Coast Guard, leaders must become semper paratus (always ready) by baking risk mitigation into every level of the business. That requires a risk-management culture, Useem says, in which "everyone is asked by top executives to be mindful on a regular basis of potential disruptive risks that can lead to a sudden downdraft in demand or cash." Of course, all businesses--and entrepreneurial businesses in particular--must take risks to grow. It is up to the CEO to determine the company's level of risk appetite and risk tolerance. Most leaders are pretty clear about their companies' risk appetites, the amount of risk they're willing to assume to achieve their goals. But they may not have specified or even considered their risk tolerance, the willingness to accept loss and disruption. "And it's not just how much loss I will accept this year but also over the next few years if they want to stay in business for a while," Kunreuther says. Chief risk officers are standard issue at large companies but virtually nonexistent at small ones. CEOs instead should make a top executive--perhaps their No. 2 or No. 3--responsible for getting up to speed on risk, the authors suggest. That person consults with everyone, including functional peers, front-line employees, and board members whose expertise and experience in other industries is particularly valuable. The question: What are the two or three most likely downside risks in the next 12 months, and how can we mitigate them? Starting with cyber Cyberattacks are one category of catastrophic event that has lately breached small companies' perimeters of concern. For years, entrepreneurial leaders considered their relatively diminutive businesses uninteresting to hackers seeking vast stores of data or hefty ransoms to restore blocked access. But with more small businesses targeted--almost a quarter of companies with 250 employees or fewer have been attacked, according to the Better Business Bureau--leaders no longer see hacking as a black swan. In response, small companies have begun girding their digital loins. They should take the opportunity to extend their newfound risk awareness to other parts of the business. "Address this tangible threat and then say, 'OK, now that we have protected our digital records, what other potential vulnerabilities should we be thinking about?'" Useem says. "We have got to start somewhere, and that is about as good a place as any." _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Change How You Think About Risk. Your Company May Depend on It Destry Winant (Aug 22)