Risks are unavoidable, but, by anticipating disasters and their consequences, the damage to business can be mitigated. Nigel Ash speaks to W Lee Howell of the World Economic Forum about black swan events and how to see clearly when you get blindsided.
Immediately after the Fukushima nuclear incident, text messages flew around Beijing advising people to buy salt to protect themselves against clouds of radiation blown from Japan toward China.
W Lee Howell, MD of the Risk Response Network at the World Economic Forum (WEF), who was in an office in the Chinese capital when the texts started appearing on workers' mobiles, says it was a fascinating example of the power of instant communication to get things wrong. Iodised salt bore no relation to the iodine used as a preliminary treatment for radiation exposure. And in any event, the prevailing winds blew from China to Japan. Hawaii and California had reason to be concerned, but there was no risk to the people of Beijing.
The London Olympics, says Howell, will be the first ever Games when instant communication tools such as Twitter and Facebook will play key roles in disseminating rumour, gossip and information about the event. The risk, however, is that they will also spread misinformation in the form of messages that the authorities will have no chance to control or influence.
Seeds of dystopia
In the seventh edition of their 'Global Risks' report, Howell and his colleagues at the Risk Response Network re-examine five basic hazard categories facing organisations in the coming decade and identify 50 related risks, each of which could have a knock-on impact in terms of adjacent perils. From the five risk categories - economic, environmental, geopolitical, societal and technological - three principal concerns arise.
The first is characterised as 'Seeds of Dystopia' whereby a constellation of fiscal, demographic and societal risks could produce the very opposite of a Utopian world for much of humanity. In parts of the globe, large youth populations could face high levels of unemployment while in countries such as Japan and Italy, aging populations will become fiscal burdens for already heavily indebted governments.
"The multiple of people over the age of 65 vs those under the age of 16 that we are now seeing in certain countries is a demographic that has never appeared in human history," says Howell. "We have never experienced that inverted pyramid at any period in any civilisation."
The challenge of compliance
The second core risk the report identifies is the robustness of global safeguards in an increasingly complex and interdependent world. Are these safeguards really safe? Because they are largely still managed at a national level, the regulation of emerging technologies, resource depletion and climate change is still weak and brittle. Since 2008, the major regulatory issue has been the financial sector, the collapse of which has plunged much of the world into recession.
Financial institutions face an ever-increasing regulatory burden. As a consequence, says Howell, the bigger an organisation's global footprint, the more challenging the issues surrounding compliance in every country in which it operates.
"The regulatory regimes are complex," he continues. "They tend to evolve as more problems occur. The standard reaction is not to simplify the regulatory environment, but to actually try to adapt it to those new contingencies. This makes it very complicated to comply, but it can also mean that at times you are not going to be able to comply precisely because it is so complex."
Howell's team characterises the third most significant risk as 'The Dark Side of Connectivity'. With five billion mobile phones in circulation worldwide, internet connectivity and the rapid emergence of cloud computing, daily life is ever more vulnerable to cyber threats and disruptions to digital services, either through systems failure or power loss.
Nothing, says Howell, can make an organisation risk-free. The complex nature of global risk is also systemic. "In terms of corporate governance, a company is obviously looking at operational risk and the other classic forms of risk; for instance, if they invest in a new country, with political or financial risk. Yet how often do they look at systemic risk? This is interesting, because many of these corporations depend on systems, yet they do not feel that they are the people responsible for the maintenance of those systems. Indeed they say in particular that that is the domain of the public sector."
Yet how, asks Howell, can organisations work on that premise when the systems are so critical to them? He believes that not enough businesses ask themselves about the real health of the systems on which they rely, be they internet, telephony, power or transport, where GPS signals play an increasingly important role.
"People say, 'We don't own the system, we rely on our national regulators to make sure that the systems are working worldwide and that they are robust, but ultimately it is not our responsibility.' That is very dangerous," he says.
Organisations need to have a way to evaluate and calibrate their own vulnerability to a systems failure and formulate a 'Plan B'. However, if no such fall-back is possible, a business needs to know what impact the failure of something as fundamental as the GPS satellite system will have on operations.
The importance of flexibility
Within the 'Global Risks 2012' report, there is a section that looks at the resilience of businesses that were impacted by the Japanese tsunami and subsequent nuclear emergency. This demonstrates a difference between rules-based and principles-based organisations. The former, tending toward management hierarchies, had a more challenging time responding to the disruptions, particularly in relation to supply chains, than did the latter, which were generally networked operations with distributed leadership and higher degrees of local management independence and initiative.
"Let's be clear, though," says Howell. "Most organisations are a little bit of both. But the bottom line we came out with is that if an organisation is policy and procedure-driven and black swan events happen, it will be very hard to be adaptive. You will look to see if it is a problem that has arisen in the past. If it is, then you'll have the solution for it, and you will execute as trained.
"However," he continues, "if it is a totally novel problem, a scenario that you have not encountered, then you will do one of two things; either you'll apply the solution that you have been trained for, even though it's not effective or might even exacerbate the problem, or you will freeze because you don't know what to do, whereas the networked organisation is guided by flexible rules. In that situation you are much more adaptive and if it is indeed a novel problem, it is likely that there will be scope for a novel solution."
Looking at the schematics in the 'Global Risks 2012' report, the world is clearly a very dangerous place. Howell takes the view that it's not possible to predict and foresee, then manage and mitigate even half of future risks. Nevertheless, the best risk analysis should be coupled with the creation of resilient organisations, adaptable and flexible enough to cope with and survive the effects of disaster.
Globally, the tendency to regulate retrospectively needs to be resisted, because it will result in complacency about problems that have already arisen, not new risks ahead. But risk, says Howell, has to be viewed as part of business. "Any society that is risk-averse will not advance," he states. The trick will always be to understand those risks, the 'known unknowns', while building organisations and systems that will respond successfully to the 'unknown unknowns', the black swans.