Embed Size (px)
Citation preview
Corporate Strategies
for Managing Catastrophic Risks in the S&P 500:
Linking Intuitive and Deliberative Thinking
Howard Kunreuther, Erwann Michel-Kerjan, and Michael Useem
The Wharton School, University of Pennsylvania
Interim Report – Preliminary – Do Not Quote
November 22, 2013
i
Table of Contents
Foreword: Riding the Wave .............................................................................................................iii
Section 1. Setting the Scene: A More Risky World for Corporations ........................................... 1
Section 2. A Framework for Understanding and Managing Catastrophic Risks by Key
Decision Makers in Firms ................................................................................................................. 5
Section 3. Twelve Preliminary Findings from the Interviews...................................................... 21
Section 4. Preliminary Findings from our Analysis of 10K Risk Sections ................................. 29
Section 5. Preliminary Findings from our Analysis of S&P 500 Stock Prices ........................... 35
Section 6. Overcoming Challenges through the Development of Long-term Strategies ........... 47
Section 7. Open Questions for the Next Phase of the Project ...................................................... 50
Appendix 1. Statistics on the 100 Firms Interviewed ................................................................... 52
Appendix 2A. 10K Risk Factor Mentions across Industry Sectors ............................................. 54
Appendix 2B. Percentage of the 10Ks Discussing Specific Risks (across sectors) ..................... 57
Appendix 3. Methodology for Analyzing Stock Price Changes ................................................... 59
Appendix 4. Leadership and Governance Lessons from Three Case Studies ............................ 61
Study Directors ……….…………………………………………………………………………77
ii
Acknowledgements
The study on Effective Corporate Leadership and Governance Practices in Catastrophe Risk Management
started in 2011 and will continue through 2015. It is being undertaken under the direction of Howard
Kunreuther, Erwann Michel-Kerjan and Mike Useem of the Wharton School of the University of
Pennsylvania.
The research team includes Karen Campbell, Preston Cline, Rebecca Henderson, Matthew Hill (who
served as project manager), Richard Hong, Carol Heller and Ann Miller and Greg Nini. Sourav Bose,
Laura Boudreau, Danbi Hwang, Nicole Kwok, Shaun Lee, Wing Li, Joy McKenzie and Sean Niznik
provided excellent research assistance.
We would like to thank all the experienced managers, executives and directors of the over 100 firms
we interviewed for taking the time to talk to us about their firm’s practices, lessons learned from past
experiences with severe events, and the way they foresee the future of (catastrophe) risk management.
A dedicated advisory board had provided us with strategic guidance on several aspects of the project.
The board is chaired by Jay Fishman, Chairman and CEO of The Travelers Companies; other
members of the Board are, in alphabetical order: Paul C. Curnin (Simpson Thacher & Bartlett LLP),
Luis G. Custodio (IBM Corporation), William J. Egan (Bank of America - Merrill Lynch), Peter
Kellogg (Merck & Co., Inc.), Joe Morton (IBM Corporation), Stephen Propper (Merck & Co., Inc.),
Tom Ridge, (former Governor of Pennsylvania and U.S. Secretary of Homeland Security), Paul
Slovic, (President, Decision Research) and J. Eric Smith (Swiss Re America),
This ongoing initiative benefited from the financial support of the Travelers Foundation through the
Travelers-Wharton Partnership for Risk Management and Leadership Fund, the Wharton Risk
Management and Decision Processes Center and the Wharton Center for Leadership and Change
Management.
iii
Foreword: Riding the Wave
Many of Morgan Stanley’s more than 4,000 employees had already started their work day at the
World Trade Center on twenty floors of the South Tower on Tuesday, September 11, 2001, when
American Airlines flight 11 slammed into the North Tower at 8:46 am. Morgan Stanley’s director of
security, Richard Rescorla, called the Port Authority, the center’s landlord, for guidance, and then
called the company chief executive, Philip J. Purcell.
The World Trade Center’s owner recommended against evacuating the South Tower, but Rescorla
nonetheless urged his CEO to approve immediate evacuation of all employees. Rescorla had lived
through the 1993 truck bombing of the World Trade Center that had killed six people; that experience
led him to institute quarterly evacuation drills ever since. Now, he started an evacuation for real. He
and his staff managed to move virtually all of their on-site employees out of the South Tower before
it was hit at 9:03 am and then collapsed at 9:59 am. Just six staff members were lost -- among them
were Rescorla himself and three deputies who had returned to make sure no one remained in the
building. In reflecting on Rescorla’s preparations and Morgan Stanley’s remarkably swift and nearly
complete evacuation on 9/11, chief operating officer Robert Scott later offered, “If you wait for a
crisis to begin to lead, it’s too late.”1
By contrast, when Lehman failed on September 15, 2008, the leadership of insurance giant AIG
proved woefully ill-prepared to avert its own collapse that resulted from the actions of one small part
of its entire organization. The board, the chief executive, and the managing director for its Financial
Products subsidiary (AIGFP) – which at the time had only 400 employees – had not anticipated that
the company’s credit rating would be downgraded, requiring that it post tens of billions of dollars of
collateral to back the insurance policies that it had written against defaults on debt, including massive
amounts of subprime mortgage debt. But in the wake of Lehman’s failure, rating agencies turned to
see if AIG held large amounts of the same toxic subprime mortgages that had pushed Lehman over
the edge. AIG-Financial Products did, and a major rating agency downgraded the parent to A-. Due
to industry convention of requiring collateral if an insurer is not top-rated, the drop instigated
collateral calls from AIG’s customers. By the end of the month, AIG had lost $32 billion, and by the
end of the year, $61 billion, the largest annual shortfall in corporate history. The U.S. federal
government injected more than $182 billion to save the company from complete collapse and took
control of it.2 Remarkably, the firm is back on track today: it paid all its debt to the government, with
interest: a total $205 billion, for a profit of $23 billion to the U.S. federal government. To do so, it
had to go through a very significant restructuring of its leadership and of its portfolio of activities.
Morgan Stanley’s experience in 1993 created a readiness to save itself in 2001. By contrast, AIG’s
years of success might have ill-prepared it to save itself in 2008. The firm is now reinventing itself;
something that would have certainly been hard to do before the financial crisis.
iv
Examples such as these abound across industry sectors. We often learn as much from setbacks as
successes, often even more, and with unflinching study of our stumbles, we believe, companies can
become better prepared for the hazards ahead.3
This is partly why Cisco Systems’ John Chambers had been one of the longest surviving chief
executives in Silicon Valley. Chambers took the Cisco helm in 1995 and rode the Internet wave in
the late 1990s to make his company one of the world’s most valued entities, with a market
capitalization soaring above $500 billion. But when the Internet bubble burst at the end of that decade,
Cisco flipped from extraordinary growth to stunning contraction. Chambers and Cisco survived the
collapse, and he attributed much of the company’s success in the decade that followed to what he
learned when it felt as if he were touching the void.4
Until one undergoes a rare but wrenching experience, there is little natural impetus for preparing for
catastrophic risk. But we believe that executives and directors of large, publicly-traded companies
need not – and indeed should not – have to wait for such an experience before building their own
company’s capacity to avert or overcome low-probability but high-consequence events. They can
learn from one another and from other’s disasters without having to live it themselves. How they can
do so is the focus of the findings of this Wharton initiative.
In the pages ahead, we speak to those who are responsible for company enterprise, their managers,
executives, and directors. We try to better understand how risk management has evolved over time
and how it is conducted in large publicly traded companies today. Leadership of these enterprises
calls for thinking deliberatively, imaging the unimaginable, and acting strategically; recognizing the
shortcomings of human behavior; and preparing for the long-term even when short-term pressures
prevail. Company leaders can and should move their firm to a state of readiness for extreme events,
and we draw upon their experience to offer guidance on doing so well before a disaster strikes.
1
Section 1. Setting the Scene: A More Risky World for Corporations
1.1. Introduction
In today’s world, as a senior manager, executive or director of a large company, you cannot afford to
ignore the necessity of having an effective catastrophe risk management strategy in place. What
constitutes a catastrophic risk depends on your company and industry sector.
Given the unprecedented series of extreme events and crises that have occurred in recent years, it is
becoming clear to many more top decision makers in firms that we have indeed entered a new era of
catastrophes, with disasters, accidents and crises occurring at a more frequent rate and having greater
ripple effects across continents than in the past.5
Natural disasters such as hurricanes, floods and earthquakes have increased in intensity and
frequency, leading to historic records of economic losses given increased numbers residing in hazard-
prone areas. Also of concern are technological disasters such as large-scale chemical and nuclear
power plant accidents, environmental disasters such as oil spills, and externally caused events such
as terrorist attacks. These events could also be considered catastrophic: legal or reputational issues,
fraud, losing key personnel, stringent regulations that change the firm’s business model, and strategic
errors and competition that has a severe impact on market share.
All of these have caused firms to pay more attention to taking steps in advance of the next catastrophe
rather than treating them below their threshold level of concern. Firms have also learned the hard
way that global financial crises, intercontinental pandemics and cyber-attacks can have systemic
impacts.6 Some firms have been successful in addressing situations that could or have had severe
negative impacts on their bottom line.
In a recent survey of over 1,300 CEOs worldwide, the majority considered that “increasing
accountability in risk management” (62%) and “increasing resources devoted to risk management”
(53%) were two statements that “appropriately described their approach to managing their
organization in a complex and changing competitive environment.”7 This is a sea change compared
to where the corporate world was just a decade ago.
1.2. The Wharton S&P 500 Initiative
The Wharton Risk Management and Decision Processes Center and the Wharton Center for
Leadership and Change Management recently teamed up on a multi-year research initiative supported
by the Travelers Foundation to more fully understand how Standard & Poor’s (S&P hereafter) 500
firms approach catastrophe risk management today.
We define catastrophic risk broadly as events that can have severe physical, financial or
reputational impacts on the conduct of the firm’s activities. These can be internal or external to
the firm and typically require the involvement of top management and their Board of Directors.
2
We have now interviewed over 100 CEOs, Chief Risk Officers, other executives and Board members
concerned with these issues to address the following questions:
What extreme events have those firms experienced?
What insights have they gained from them?
Why is the risk management function playing a more central role in these firms?
What processes were in place in those firms, from risk identification, risk prioritization, and
risk assessment, to risk and crisis management?
What can we learn from leaders in the C-suite and at the Board level as to how they have
interacted with others in the organization on these issues in recent years?
How is the risk management function organized internally?
Has the Board become more active and if so, in what ways?
The distribution of the nearly 100 S&P 500 firms we interviewed during the past 18 months is highly
representative of the entire S&P 500 group (Figure 1). They differ in size, industry sector and their
risk management practices. Their annual revenues range from $1 billion to over $400 billion (median:
$12 billion; average: $29 billion); their human capital base ranges from 2,100 to over two million
employees (median: 20,000; average: 70,000). (See Appendix 1 for more details on the distribution
of firms in our sample compared to the full S&P 500 group of firms.)
Almost all the leading executives and risk managers we interviewed confirmed that risk management
has assumed a much more important role in their firm’s activities as well as having a higher profile
on their Board’s agenda. To a large extent this is due to recent experiences they have had in dealing
with events affecting their balance sheet and/or impacting on their long-term operations due to
changes in the business environment. The companies also provided us with lessons they have learned
from these events and steps they have taken to reduce the future likelihood and resulting
consequences of these events.
3
FIGURE 1.1: DISTRIBUTION OF THE INTERVIEWED FIRMS VERSUS FULL S&P 500
Interviewed Firms
Full S&P 500
Consumer
Discretionary
18%
Consumer
Staples
7%
Energy
7%
Financials
25%
Health Care
11%
Industrials
7%
Information
Technology
15%
Materials
4%
Telecommunication
Services
1%
Utilities
5%
Consumer
Discretionary
16%
Consumer
Staples
8%
Energy
9%
Financials
17%Health Care
10%
Industrials
11%
Information
Technology
15%
Materials
6%
Telecommunication
Services
2%
Utilities
6%
4
Organization of the Interim Report
This interim report is organized as follows. Section 2 develops a framework for understanding how
firms have dealt with risks that, if they were to materialize, could have a serious negative impact on
the firm, the changing role that catastrophic risk is playing in their organizations and how to manage
these risks in a more proactive manner. We propose themes and findings that can be tested both
quantitatively and qualitatively. In Section 3 these findings are illustrated with comments from our
interviewees. The names will remain confidential, but the lessons that can be gleaned from their
experiences will be highlighted so others can learn from them.
The data from these interviews were complemented by analyzing risks officially disclosed in the risk
section of these firms’ 10K annual reports, the results of which are provided in Section 4. We
were able to compare how risk disclosure practices have evolved over time, across industry sectors
and risk types. The majority of the firms have significantly expanded their discussion of risks they
have faced or dealt with than they did just five or six years ago. The top risk for almost all these
firms is Government.
We also conducted a series of analyses of the stock prices of the entire S&P 500 (as of 2011) over
time. Our goal was to examine cases where the stock price of a firm dropped significantly over a short
period of time compared to its competitors in the same industry sector and to understand factors that
may have led to significant drops. We also analyze the resilience of these firms (i.e., how long did it
take for the stock to bounce back to a pre-drop level). Section 5 focuses on the lessons learned from
the stock price analysis.
Section 6 provides guidelines for improving the effectiveness of risk management strategies for
decision-makers. Section 7 raises questions for your consideration as we update and revise this report.
The Appendices provide statistics on the firms interviewed (Appendix 1); complementary analyses
of the 10Ks (Appendix 2); stock price changes at a more granular level than presented in the body of
the report, and the methodology for analyzing the stock price changes (Appendix 3). We also present
three detailed case studies of firms that went through specific crises and highlight the key governance
and leadership lessons learned from each case (Appendix 4).
5
Section 2. A Framework for Understanding and Managing Catastrophic
Risks by Key Decision Makers in Firms
In dealing with issues associated with events that have the potential to have a severe adverse impact
on the firm, key decision makers are concerned with ways to reduce the likelihood of potential losses
in the future and how to deal with these extreme events should they occur. We first specify some of
the key decision makers internal to the firm and then delineate the following two key features that
characterize a framework for determining what actions these individuals or groups should take for
understanding and managing catastrophic risks in firms and in guiding a firm’s strategy:
Their risk analysis and management process
Their intuitive and deliberative thinking process
2.1. Key Internal Decision Makers
There are a number of different stakeholders within the firm itself who play a role in firms’ decision
making with respect to catastrophic events.
Board of Directors The board of directors acts as an independent, third party entity that oversees
the management of risk by a firm’s top executives. The Sarbanes Oxley Act (2002) furthered the
independence of the corporate boards of listed companies by requiring that a majority of board
members must be independent, and that certain committees (e.g., audit and compensation) must be
comprised of entirely independent directors. Board members are often current or former Chief
Executive Officers (CEOs) who bring a wealth of experience and connections with them from other
industries. Today, boards are hearing about risk management practices more often than in the past,
and hence are becoming more informed about risks facing the firm. In our interviews, the majority of
risk management leaders who discussed board involvement said that they reported to the full board
or to a board committee more than twice a year.
As we will discuss in more detail below, risk management is indeed now entering the board room in
an unprecedented way. Boards are often responsible for helping to define the risk appetite for the firm
in consultation with senior management company and are ultimately responsible for the risks that
face the firm. Board members leverage their knowledge to help set broad risk goals for the firm,
provide a governance function by overseeing the risk-related activities of the firms and provide
guidance as to how the firm can strengthen their risk mitigation efforts. Firms also use board
members as thought partners to test their ideas, to make connections with other industry leaders as a
means of benchmarking their operations, and to receive advice and feedback on enterprise risk
management (ERM) initiatives. While boards may help decide which risks companies should focus,
they are rarely involved in the everyday decision making as to how to deal with these risks. The CEO
of a firm in the travel services industry responded to a question on the role of the Board by saying
that its primary role was to ask tough questions such as whether the firm is prepared for future adverse
events, and to oversee how the company will deal with the situations, should they occur.
6
Senior Management Senior managers play a critical role in enterprise management by both setting
the tone and promoting a risk culture throughout the organization. This culture extends both upwards
to the board and downwards through the ranks of the organization. More firms have developed
enterprise-wide risk management functions and processes, even though the nature of it varies widely
from one firm to another. As the ERM director of an oil exploration and production company said:
Top management sets the tone, the war tone at the top, if you will. They are influencers of
doing the right thing. Senior management needed to set an example, by encouraging open
discussions around risk as well as honesty, forthrightness, clarity, and crispness rather than
letting concerns about risk be buried deep in the organization.
Chief Risk Officers (CROs) and their management teams play an important, executive-level role in
managing the risks related to a business and its various units. For instance, the CRO of an information
technology (IT) software products company pointed out that he works with the board, senior
management and the various divisions of the company to identify the company’s most significant
risks and their likelihood and potential impacts to set the tone for how the company deals with extreme
events. We also heard this message from the CRO of a North American bank, who noted that top
management plays a critical role in the success or failure of a financial institution.
CROs carry out this role by putting into place processes and procedures to facilitate risk management
across the firm. Through our interview process it becomes clear that, while many companies do not
have a CRO, the functions and responsibilities of this position are often assumed by the chief financial
officer (CFO) or the General Counsel and their teams.
Front Line Managers and Employees Almost all of those interviewed view frontline managers as
critical players in the risk management process because they are more in tune with specific risks that
an organization might face in a particular division, business unit or country. This is particularly true
for multi-national corporations operating in a large number of countries around the world, where
crises can be local. As previously noted, CROs (or those who assume similar functions) attempt to
harvest the local knowledge about specific risks by putting processes into place that help managers
communicate this information up the chain of command. The most proactive companies cast a wide
net, querying frontline managers through formal processes that take place on a regular basis.
7
2.2. Risk Analysis and Management Process
The risk analysis and management process in most firms that we interviewed typically follows the
steps depicted in Figure 2.1.
FIGURE 2.1: EIGHT STEPS OF THE RISK ANALYSIS AND MANAGEMENT PROCESS
Step 1: Identify the risks. Understand the risks the organization faces (likelihood, magnitude, and
cascading effect). Typically this process can identify a number of risks that need to be considered.
Step 2: Prioritize the risks. Determine several key risks that have been judged critical for the
organization and should be considered more seriously.
Step 3: Undertake risk assessment. Collecting data to quantify the risk can be time-consuming so
one needs to consider the purposes of undertaking such an analysis and what information end users
with require. For example, engineers will require a different type of risk assessment than financiers,
emergency planners or lawyers.
Step 4: Identify risk management options. The risk culture of an organization will set the tone for
managing the risks that firms face. This process involves determining options to consider in advance
of a severe event to reduce potential physical, economic and reputational losses and their likelihood
of occurrence as well as well as actions required following such events to limit further losses.
Step 5: Design a risk management strategy. After risk management options are developed, a strategy
needs to be implemented to reduce potential losses from adverse events and facilitate the recovery
process should a catastrophe occur.
4. Identify Risk
Management Options
5. Design Risk
Management Strategy
7. Implementation
8. Monitor Progress and
Update the Strategy.
1. Identify Risks
2. Prioritize Top Risks
3. Undertake Risk
Assessment
6. Design Crisis
Management Strategy
8
Step 6: Design a crisis management strategy. It is important for firms to clearly define roles and
communication procedures to make decisions and take actions for dealing with a crisis when it occurs.
The strategy often includes plans for dealing with the emergency, preserving business continuity and
informing top management and directors as to what actions are required to deal with the crisis and
over what time period.
Step 7: Implement the strategy. Depending on the priorities of top management and the board,
implementing a risk and crisis management strategy can be achieved over several years. It is
important to obtain tangible results early, to demonstrate that progress is occurring. As for any
project, it is also important to establish deadlines and adhere to a timeline.
Step 8: Monitor progress and update the strategy. This last step involves monitoring progress toward
achieving goals of risk and crisis management in light of changes in the risk environment and the
firm’s strategy.
Below we discuss what we have learned as to how S&P 500 firms approach different aspects of the
risk analysis process. We provide paraphrased comments from some of our interviews to highlight
these points.
Risk Identification and Prioritization
More than three-quarters of the firms we interviewed noted the importance of risk identification and
prioritization. The process is usually formalized; some firms have more ad-hoc procedures, but most
of them are moving to a more systematic process.
FIGURE 2.2: WHO IS INVOLVED IN RISK IDENTIFICATION AND PRIORITIZATION
Enterprise Risk
Management
(ERM)
Heads of Division,
Business UnitsFrontline
Employees
Managers
Consultants
Board
Audit/Risk
Committee
Executives
Executive
Committee Internal
Audit
Others
9
The process often begins with front-line employees, managers and heads of divisions or business
units playing a key role, as depicted in Figure 2.2. The CEO and CRO often play a role as does the
board through specific committees such as internal audit/risk. Consultants are rarely used to identify
risks, as there is a sense by most firms that nobody knows your business like you know your business.
The risk identification process normally involves characterizing risks from the bottom-up through
required reporting systems and meetings or workshops that bring cross-functional teams together to
review and assess potential risks and then recommend how best to manage them. Those involved in
developing Enterprise Risk Management (ERM) strategies play a key role by synthesizing the data,
and presenting a report to the executives, the Board and their committees on the important risks facing
the firm. This process can lead to a large number of risks being considered, in some cases over one
hundred.
Top executives, often in consultation with the Board, make final decisions on the three or four risks
that have top priority because of negative impact they would have on the firm’s operations and
balance sheet should they occur. Figure 2.3 indicates the frequency of mentions of different risk
identification and prioritization processes by firms that we interviewed.
FIGURE 2.3: HOW ARE RISKS IDENTIFIED AND PRIORITIZED
Checkpoints or Self-
Audits
Interviews
Meetings
& Workshops
Reporting
Listing/Matrix
Synthesis of
Findings by ERM
team
Event Specific
Auditing points of
failure
Research
Software
10
Risk Assessment
By risk assessment we mean the process by which firms characterize and rank key risks on which to
focus attention based on selected criteria. Risk assessment is normally distinct from risk
identification, requiring a much more specialized set of skills on the part of its ERM professionals.
For some firms, it is also part of the process by which the senior leadership and the board of directors
define the firm’s willingness to assume certain risks. Figure 2.4 characterizes parts of the organization
that are involved in risk assessment.
FIGURE 2.4: WHO IS INVOLVED IN RISK ASSESSMENT?
The ERM team or risk management personnel generally play a supportive role by presenting the most
important risks to the Board, and helping them determine priorities by specifying metrics that should
be monitored. For example, the General Counsel in a real-estate firm classified its leverage ratio
(i.e., debt/equity) as dry, damp or wet. If it is in the damp range, you need to indicate how you are
going to get it back to dry. You never want your leverage ratio to be so high that it is in the wet zone.
The director of corporate risk management in a healthcare industry firm classified its risks into 21
different categories and indicated that those that should get the most scrutiny by the Board, as those
are the ones that are likely to make the most significant difference in the performance of the
organization. They are often ones requiring more effort and investment to manage so they need to be
discussed at a strategic level by the top management and the Board.
Board
ERM
Executive
Internal Audit
Others
Senior Management
11
The risk assessment process was nearly always highly formalized and conducted regularly and
systematically in firms as shown in Figure 2.5, with 45% of firms meeting annually on risk
management issues, 37% either bi-annually, quarterly or monthly, and 8% on a continuous basis.
Only 4 percent of firms undertake risk assessments less frequently than annually basis. As noted by
the director of risk management of a beverage distributor, “We want to meet quarterly with the audit
committee of the Board to assess the potential impacts of the five critical risks of facing the firm,
mitigation measures currently in place to reduce the likelihood and impact of specific events.”
FIGURE 2.5: FREQUENCY OF RISK ASSESSMENT
Annually
Bi-Annually
ContinuouslyLess than anually
Monthly
Quarterly
12
Firms use a variety of methods for assessing risk ranging from quantitative methodologies such as
scenario analysis, stress tests and ranking/scoring metrics to prioritizing key risks on a qualitative
basis. The CRO of a firm in the financial sector indicated that they stressed their system such that
they would be prepared for any type of extreme or tail risk. Many firms go through this process more
quantitatively, through the examination of metrics in meetings and discussions — an important
distinction we discuss below. Figure 2.6 depicts how often each of the different risk assessment
approaches was mentioned by firms that we interviewed.
FIGURE 2.6: HOW RISK IS ASSESSED
With respect to scenario analysis, the CRO of an insurance firm noted that one has to fully test the
spectrum of scenarios in identifying and quantifying the key risk factors that are at the core of
preventing tail events. The risk manager of a retail store that uses ranking and scoring methods
indicated that the firm defined risk families based on their similarity with respect to implications,
ramifications, outcomes and damage. One bank noted that it utilized stress tests with respect to their
contingent capital plans by examining whether there is a scenario where it would have insufficient
capital. Another firm wanted to stress their system to ensure that it can take care of the tails and
extreme events that could occur.
A mapping approach involves categorizing risk into the frequency and their potential severity. An
industrial firm noted that it has to do a lot of work in identifying some of the tails or extreme risks to
make sure that it has stressed their system to be able to take care of decisions to reduce the risk if
either its frequency and/or severity were classified as high. After it imposed appropriate controls,
most of these risks shift down to low frequency, and especially low severity.
Mapping
Meeting or
Discussion
Ranking, scoring or
metrics
Scenerio Analysis or
Modeling
Stress Test
13
Many interviewees commented on the relative merits and use of quantitative or qualitative methods
for the full risk assessment process. The majority of firms we interviewed relied upon numbers to
conduct risk assessments, others undertook qualitative analyses and some utilized both approaches.
Figure 2.7 indicates the distribution of firms that specifically noted the type of approach they were
utilizing in the process.
FIGURE 2.7: NATURE OF RISK ASSESSMENT PROCESS
The arguments supporting a qualitative approach focused on the inaccuracy of numbers, and noted
that firms relying on them were often blindsided, especially when they tried to quantify probability.
We introduce the distinction between “intuitive” and “deliberative” thinking in the following
subsection to highlight the need for a combination of qualitative and quantitative risk assessments.
For example, the risk manager of a large bank noted that there is an element of judgment regarding
the likelihood of particular events occurring that make them difficult to quantify. The more
quantitatively oriented firms in the interviews we conducted tend to be in the financial and insurance
industry. One bank models its portfolio and balance sheet by constructing many different scenarios
and developing a loss distribution through a Monte Carlo simulation process. It then specifies the
amount of capital needed to withstand a 1 in 10,000 year shock. An insurer looks at the probability
and potential impact that low-probability events may have on the enterprise and revise these estimates
on an annual basis.
Quantitative
Qualitative
14
Risk Management
By risk management we mean the activities that firms select to modify their exposure to internal or
external events that could critically impact the firm’s operations and functions (i.e., steps 4 and 5
depicted in Figure 2.1). The types of strategies undertaken will be guided by the firm’s risk appetite
to reflect the level of risk that an organization is prepared to accept to achieve its objectives such as
profitability and safety goals. The degree of risk taking or risk aversion exhibited by a firm reflects
the tradeoffs between the potential benefits of a specific business decision and the possible negative
impacts to the firm.
Firms we interviewed dedicate a great deal of attention to the risk management process; 90 of our
interviews discussed concrete measures they deploy to mitigate risks they face and to facilitate the
recovery process following a disaster. There were over 500 mentions of risk management strategies.
A larger group of interviewees (82) discussed activities focused on reducing the risk of a catastrophic
event ex ante, while a smaller group (56) described measures to facilitate the recovery process
following a negative event. Many firms discussed both types of measures. They are partly determined
by the risk appetite of the firm and include the following strategies that are discussed below.
Mitigation measures are steps taken by firms to reduce losses from adverse events. For example, a
health care firm designed a plant in Japan to withstand an earthquake of 7.0 magnitude and protect
their employees. Following a fire at one of their warehouses, a distributor created underground
channels, so any materials that were ignited could be extinguished due to lack of oxygen so as to
prevent the fire from spreading to other buildings. A chemical manufacturing firm designed a facility
that was resistant to flooding, and a supplier designed a building that has a communications center
that is capable of withstanding a Category 5 hurricane.
Accountability measures provide organizational or behavioral controls that are put in place by the
firm to limit unauthorized risk taking. Sometimes these measures are implemented after an adverse
event creates a problem for the firm from external sources. For example, an investment management
and services company began auditing its third party suppliers when it discovered after 9/11 that the
backup communication line that it had purchased was rerouted by its supplier to the same location as
its primary line, resulting in a total communications failure. Similarly, an IT company started to audit
the risk management practices of one of its suppliers after a fire severely impacted its operations.
Internally, firms hire third parties to determine how effective they are at mitigating risks once they
have been identified. Some use evaluations and financial incentives to discourage employees from
taking unnecessary risks. In this regard, a real estate firm implemented a system where local
construction managers are held accountable for identifying and taking responsibility for risks
associated with building projects.
Supply chain diversification refers to the process of maintaining alternative sources of raw materials,
supplies and suppliers to maintain business continuity. A health care services company relies on two
suppliers so that if one is not functional, they can turn to the other to pick up the slack. A distributor
that requires a four month lead time to purchase copper now has a large supply on hand in the event
15
of a crisis with its supplier. A computer firm maintains an excess inventory of finished products and
supplies to hedge against sudden fluctuations in the availability of materials and the prices to purchase
them. And a chemical company maintains a global warehouse and works closely with its suppliers to
ensure that there are continuity plans in place in the event of a catastrophe.
Avoiding less profitable risks by discontinuing or reducing the activity that gives rise to the risk, or
by shedding risks that do not reflect a significant driver of profits is especially common among firms
that are too small to take on large risks. For example, one firm in the oil and gas industry decided to
sell their deep water exploration division even before the 2010 Deepwater Horizon accident; they
determined that it comprised a small percentage of their overall business mix and was not worth the
risk. Another firm in the same industry decided to avoid partnering with companies it considers too
small to cover the cost of the indemnities for a drilling disaster in the wake of the 2010 Deepwater
Horizon accident, out of fear that they might be left holding the bag. A chemical manufacturing firm
decided that it was too small to take on the risk of having its products used in medical devices
implanted in the human body, so it chose to avoid that market.
Transferring the risk by buying liability, property and/or business interruption insurance or hedging
its risk by sharing it with another party is an approach utilized by many firms that we interviewed.
To illustrate, a biotech company purchases insurance to cover risks related to product liability and
business interruption, and has started its own captive insurance company to cover some of its own
risks internally. This is a common practice in many industry sectors. A firm in the financial industry
prices credit risk in its derivative transactions so that it can generate funds for purchasing insurance
to protect itself against problems created by the insolvency of a lower quality counterparty.
Retaining the risk by setting aside sufficient reserves to cover the cost of a catastrophic loss is a
strategy that can be used by firms that recognize that it would be too costly to transfer the risk through
insurance, as was the case for a food processing company after it experienced an explosion in one of
its storage facilities and then saw the price of insurance spike, as is often the case after a disaster.
Retaining the risk is often a good strategy when the firm assesses the risk as being low probability
and has started implementing a more rigorous risk management strategy to make sure such events do
not happen. Sometimes risk retention is not by choice. For instance, an IT firm could not transfer its
risks in emerging markets because the company was unable to find an insurer who would offer
coverage for protection against adverse events occurring in these markets.
Early warning systems alert firms to the likely occurrence of a natural disaster, political crisis,
financial downturn, or severe cyber-attack so that steps can be taken to prepare and effectively
respond to the event should they be affected by it. A retail firm with numerous stores in the United
States has a storm-tracking team that does satellite checks for threat of potential hurricanes off the
coast of Africa, giving one to two weeks to prepare before it crosses the Atlantic. Within 72 hours of
a storm likely to hit the U.S., the team issues regular bulletins to senior management, store operations
and distribution-center operations and those on the catastrophic response team to let them know it is
closely monitoring the event.
16
Simulations and tabletop exercises on a regular (often annual) basis provide the firm an opportunity
to discover gaps in existing crisis plans and weaknesses in its continuity plans. One investment bank
undertakes a triage approach to test its plans by which it suddenly makes certain critical staff
unavailable, and then has the remaining employees try to run their continuity plans. While a number
of firms we interviewed indicated they undertook these exercises, the level of involvement from the
top management and line employees varies widely. Some exercises were conducted by small team in
a crisis room for several hours; others involved a large number of employees, including the top
management of the organization for a full day- or two-day-long exercise; significant brainstorming
occurred afterwards to capture lessons learned and integrate them into the firm’s risk management
strategy.
Back-up sites provide continuity should a severe adverse event occur. Measures include establishing
alternative worksites or manufacturing facilities, diversifying sites so that no single event impacts all
of them and facilitating the ability for employees to work remotely. A parts distributor created an
offsite back-up location for their IT systems since their main headquarters was located in an
earthquake-prone area. A bank in the financial services sector diversifies the location of its business
groups so that if two are out of commission, a third can continue to perform functions that are critical
to the firm’s financial infrastructure. Another bank maintains sites throughout the world where the
business can be quickly moved in the event of a crisis elsewhere. A health care company maintains
two mobile satellite ground stations that enable it to set up call centers with voice and data in the
event of a telecommunications outage.
Crisis Management
Most firms we interviewed highlighted the importance of preparing for a crisis in advance and have
clearly defined structure of roles during a crisis for all parts of the company. This allows the firm to
practice emergency procedures in advance to improve their thinking when a crisis occurs.
To know who the key leaders are in a crisis, firms need procedures to define the relevant decision
makers. The leader is normally someone who has specific knowledge of the crisis and hence may not
be the CEO. There was a general consensus among our interviewees that as a crisis grows more
serious, the situation must be brought to the attention of top management. Following the 2011 Japan
earthquake, one firm in the financial industry with significant operations in Japan held a series of
crisis management team meetings where the most senior level of the business actively engaged in
designing a strategy for going forward.
An important finding from our interviews is that top management feels it cannot be too involved in
crisis management, so that it has to define the roles that others in the firm will play should an extreme
event occur. This is especially true for multi-national corporations operating in many countries
around the world where the number of crises the firm has to manage on a yearly basis is large. In
these cases, the local business leader needs to be the senior management line of defense before the
crisis management process is escalated to worldwide headquarters. Several firms we talked to
17
expressed mixed feelings by the CEO about not wanting to be the person managing the crisis given
that he or she might not be the most qualified person to do so. Clearly defining when the CEO will
be informed of the crisis, and what his or her role will be depending on its nature, are two key elements
in developing a crisis management strategy. While some local crises are unlikely to require the CEO’s
involvement, other crises will require him or her to play an active role.
The most common crisis management strategy on the operational side is business continuity planning
(BCP). It refers to a variety of organizational capabilities, pre-approved by senior management, to
continue operations at a pre-defined level during and after a catastrophe occurs. BCP was mentioned
more than twice as often as other strategies such as preventing losses (i.e., insuring, hedging,
retaining, or shedding specific risks), internal and external communication measures or accountability
measures. The interview data suggests that continuity planning consists of three different types of
activities:
Past event specific plans are designed so the firm has the strategic capability to respond to
specific adverse events that the firm has previously experienced. The plans incorporate
lessons that the firm has learned from dealing with the situation in the past. Firms in the
consumer discretionary, utilities and energy sectors (e.g., hotels, retail outlets, energy
companies, etc.) show the greatest reliance on these types of plans as they face continuous
exposure to predictable types of risks either due to geography (for example, retail chains with
business concentration in hurricane prone areas) or the nature of their business (for example,
energy companies maintaining large power grids).
Could happen scenarios plans are used for the types of events the firm has not yet
experienced, but that could potentially happen in the future. These plans are designed for
events where it is difficult to quantify the probability of occurrence so the firm can respond
to them. These unanticipated, high-risk event perils arise in environments characterized by
interdependencies, complexity, and rapid change such as financial crises, political unrest,
supply chain disruptions and terrorism. Our interviews revealed that firms in the financial
sector demonstrate the largest reliance on such scenario planning since they face exposure to
risks that are not easily foreseen on the basis of past experience.
General crisis plans manage a variety of events that could impact any key operation. They
focus on general resilience by creating redundancies so that the firm can continue operating
in spite of the loss of mission critical processes. Key features of these plans include
determining which operations are critical to maintain in the event of a crisis, and developing
predefined strategies for a variety of different crisis situations. Financial, health care and
information technology firms are the ones most likely to develop general crisis plans,
presumably because their industries have faced severe risks in recent years (e.g., the financial
crisis, pandemics, cyber risks).
18
Overall, the firms we interviewed are actively developing their risk analysis and risk management
strategies. The level of detail, sophistication and involvement of the senior management varies across
firms, as one would expect. Still, the strategies we discussed above can often be replicated across
industry sectors and produce significant benefits. Some policies are more technical in nature while
others build on leadership at the top and rely on altering the ways that risk management is perceived
by the organization.
2.3. Approaching Risk Analysis and Management via Intuitive and Deliberative Thinking
Our preliminary analyses reveal that while many firms use quantitative tools to assess and manage
their risks, there is a large range of situations where it is difficult to determine the likelihood of
extreme events that could adversely affect the activities of the firm. While many interviewees
recognized the need for a systematic approach to catastrophe risk management, almost all of them
shared situations with us describing instances when very important risk management decisions were
made without carefully thinking through their long-term impacts on the firm. It soon became clear to
us from comments made during the interviews that the psychology of catastrophic risk management
was a critical dimension we needed to integrate into the analysis.
A large body of cognitive psychology and behavioral decision research conducted during the past 30
years has indeed revealed that individuals, small groups and organizations often make decisions under
risk and uncertainty by undertaking processes that can be characterized as intuitive thinking which
can be distinguished from deliberative thinking. These are two different systems of collecting and
processing information that have been labelled System 1 and System 2, respectively, in the literature.
In his thought provoking recent book Thinking, Fast and Slow, Nobel Laureate Daniel Kahneman has
characterized the differences between these two systems of thinking as summarized in Box 2.18.
NOTE: In developing risk management strategies, it is important to link intuitive and
deliberative thinking.
BOX 2.1. INTUITIVE AND DELIBERATIVE DECISION MAKING
Intuitive Thinking, System 1:
- Operates automatically and quickly, with little or no effort and no voluntary control.
- Uses simple and concrete associations, including emotional reactions or simple rules of conduct
that have been acquired by personal experience with events and their consequences.
Deliberative Thinking, System 2:
- Initiates and executes effortful and intentional abstract cognitive operations when needed.
- Cognitive operations include complex computations and formal logic.
19
Decisions made intuitively are often characterized by emotional reactions and opinions based on
personal experience. There is a tendency to misjudge probability, focus on short time horizons, utilize
simplified rules in choosing between alternatives, and selectively attend to subsets of goals and
objectives. Intuitive thinking works well when decision makers have extensive data on the outcomes
of different decisions and when recent experience is a meaningful guide for the future. These
processes are problematic for low-probability, high-consequence events where the decision maker
has limited experience and/or circumstances have significantly changed. Reliance on intuitive
processes will often lead to maintaining the status quo—that is, a decision to do nothing differently.
The negative consequences of changing current behavior are weighted much more heavily than the
potential gains, often leading the decision maker not to take action, referred to as the status quo bias.9
Deliberative thinking often involves the use of formal methods and decision aids to evaluate
alternative options and make choices in a systematic manner even when probabilities are difficult to
characterize and/or outcomes are uncertain. These methodologies often focus attention to potential
short- and long-term consequences and evaluate a wide range of options in an even manner rather
than deciding to maintain the status quo. The relevance of these methodologies and decision aids for
making more informed choices depends on how the problem is formulated and framed, the nature of
the institutional arrangements and the interactions between the relevant interested parties involved in
the risk management process.
Catastrophic risk management offers many examples where decision makers focus their attention on
the consequences of a recent disaster without considering the likelihood of a similar event occurring
again. A large retailer reacted to the H5N1 (avian flu) outbreak by preparing for another outbreak of
an H5 type virus. But when the next influenza outbreak hit a couple of years later, it took the form of
the H1 strain, so the H5 plan wasn’t applicable. As a top executive from this firm says:
A lesson coming out of that was that, number one, you can spend a lot of time building out
intricate plans for different scenarios, but the odds are what you’re actually going to face is
not going to be exact. So your planning, to some sense, while it can be specific, also has to
have more of generic elements to it that you can then modify and tailor to the specific event.
More broadly, the General Counsel of a large real estate investment firm highlighted the challenges
he faces in dealing with low-probability, high-consequences events:
The thing that worries me the most is a large-style, BP-style casualty. I mean, we build high-
rises over subway stations, and what if a building were to crash down and the people die and
the subway station is shut for a year and it’s just a mess? You’ve never had a casualty so you
don’t do anything about the situation. You think you’re so brilliant, and some terrible
casualty happens and when you peel back the onion you find you weren’t as smart as you
thought you were. That’s the thing that I worry about.
Firms also face problems of interdependencies since the risks they manage depend not only on their
own choices but also on those of others. One weak link in the supply chain network can undermine
the risk mitigation actions of all others in the system. Making global supply chains less vulnerable
20
may require coordination across the network. To deal with these interdependencies, some firms have
designed options to more effectively cope with disasters both before and after they occur in the spirit
of deliberative thinking. For example, as noted earlier, some firms maintain a diversified supply chain
and an extra stock of critical supplies in the event of a crisis. Another example is a pharmaceutical
company that makes contractual agreements with their customers to maintain continuity because they
feel they have a moral obligation to provide products to critically ill customers.
Deliberative thinking focuses attention on both short- and long-term events and their likelihood of
occurrence. It normally leads to a more even-handed evaluation of options under consideration rather
than relying on recent past experience or assuming that the disaster will not happen to them. As a
senior executive in a large energy company put it:
So, the chances of that actually happening again are fairly low, but the consequences are very
high. Even though this may be classified as a black swan event, we are willing to assess the
risk and try to mitigate the risk as far as it makes sense to take these steps. The one thing that
we’ve learned over the years is those high-consequence, low-likelihood events will happen,
and therefore people absolutely have to plan for them. They have to practice on how they’re
going to deal with those kinds of events
Today, many of the firms we interviewed are engaging in more deliberative thinking when
developing risk management strategies so that they reduce the potential damage from these low-
probability, high-consequence events and are better prepared for dealing with crises should they
occur. The CRO of a financial institution highlighted the role that deliberative thinking plays in its
current risk management process with the following comment:
We have discovered that the models that are retrospective in nature don’t always accurately
predict the future. What we were missing was a component that asks what if something
changes from the past. By adding stress testing and scenario analysis to our models, we ask
questions such as what bad things could happen this calamity occurs or if this economic
scenario happens to take place.
There are many risks for which determining the exact probability of occurrence could be extremely
difficult. Rather than doing nothing about these risks, firms should focus on “what if” scenarios first,
then try to evaluate the relative likelihood of these events and be able to continuously monitor those
risks so when the business environment changes one can trigger the alarm. As the chief risk officer
of a large insurance company says:
Sometimes I find probabilities very difficult to quantify. Severities are much easier to quantify
in my mind. I can tell you how much equity linked exposure I have and I can tell you what
happens if the equity market fell to 0, if it fell by 90, 80, 70, 60, 50, 40, 30, 20, 10. It’s very
hard to predict obviously what the probability of the S&P reaching those levels is precisely,
or validating it. And so for a CRO, thinking of all the key risks, worrying about severity first,
worrying about perfectly assessing the severity first and then perfectly assessing the
probability is how I would approach the order of operations because, as I said, it’s very easy
psychologically to be convinced that various things are okay, things are fine, the probability
of that event is remote. And so getting that balance right is the key part of my job.
We now turn to the preliminary findings from our interviews.
21
Section 3. Twelve Preliminary Findings from the Interviews
This section highlights findings that have emerged from the 100 interviews from the S&P 500 firms
that relate to the framework for understanding and managing catastrophic risks in firms. The findings
also reveal the nature of intuitive thinking by some firms prior to a disaster and how more deliberative
thinking following a catastrophic event has improved their performance in the wake of these events.
These findings will be examined more carefully in a later phase of the study, the using quantitative
and qualitative data from 10Ks, stock prices and other sources of information to supplement the
interview data we have collected.
3.1. Findings Related to Risk Identification
Under- and Over-Reacting to Catastrophes
Individuals have a tendency to focus on the recent past in making decisions with respect to extreme
events. People’s intuitive assessment of the likelihood of an uncertain event is often based on the ease
with which instances of its occurrence can be brought to mind, a mechanism called availability.10
Availability is influenced by recent personal experience and can lead to an underestimation of the
likelihood of a disaster before it occurs. After a catastrophic event, availability causes an
overestimation of likelihood of similar events, often triggered by emotions such as fear and anxiety.
In line with the availability bias, prior to experiencing a disaster there is a tendency for firms to focus
on the low probability of its occurrence and treat the possibility of a catastrophic loss as below their
threshold level of concern that put it in the category of “It will not happen to us.” Following a
catastrophe, there is a tendency to focus on the consequences of the event and take steps to reduce
the likelihood and outcomes from future disasters of this type. This behavior that reflects intuitive
thinking can be illustrated by the following findings:
Finding 1: Prior to a catastrophic event, firms often focus on the low-probability of its
occurrence. This estimate tends to be below the threshold of concern for many executives and
directors.
Finding 2: Following a catastrophic event, firms focus on worst-case scenarios of a repeat of
the event, but ignore the low likelihood of their occurrence in the future.
Comments from many of the interviews we conducted with S&P 500 firms provide support for these
two findings. A CRO from a financial firm highlighted the process he felt most firms in his industry
exhibited when he noted that prior to the financial crisis very few financial institutions had a defined
risk appetite, which is like sailing in the Atlantic Ocean without a rudder. “Unless you have a rudder
to direct you, you never know where you’re going to wind up until it’s too late. The CRO from an
insurance firm noted that a lot of people are anchored to scenarios and events that have occurred
and not the ones that they haven’t personally experienced. He felt it was important to take the position
that you can never know what will happen and need to think that way in developing risk management
strategies.
22
An enterprise risk manager from an energy firm explicitly noted the role that threshold models play
a role in the firm’s decision-making process. More specifically, senior management defines certain
thresholds above which risks are elevated for review. So for example, a $100 million loss event is
one that typically is elevated to regional leadership. Anything that could, we believe, plausibly result
in a fatality has to be explicitly elevated to the overall leadership team.
The senior vice president from an IT firm noted that it took a disaster for them to pay attention to the
design of their plants. The firm could not imagine more than one or two production lines going down
in an earthquake so didn’t plan for what actually happened—all seven production lines in the plant
not functioning. After the Japanese earthquake/tsunami, the firm invested $400 million in specialized
equipment in their manufacturing plants in Japan, and did structural design work so that the plants
could withstand higher shocks.
It took the 9/11 disaster for the CRO of an investment bank to highlight the importance of undertaking
deliberative thinking by taking “black swan” events far more seriously than before. The head of
operational risks indicated that before the terrorist attacks there was a sense that things happen in
places like Nigeria, but they don't happen in places like New York City. In the same spirit, another
investment bank indicated that one should not chop off the tails of the probability distribution because
of a perception that gold markets spiking, or liquidity dissipating will not occur in your lifetime. You
are doomed if you think this way because you know that these events could happen to you.
Avoiding the Next Disaster
An organization can often benefit from its past history by considering near misses (for example,
planes that almost crashed) as object lessons and learning experiences. In an article with the thought-
provoking title, Learning from Samples of One or Fewer, March, Sproull, and Tamuz provide
examples as to how historical events that are sufficiently similar to the hazard in question provide
insight as to how the firm can reduce their risks in the future.11
Some organizations might ignore the data and interpret past successes as evidence of its competence
rather than carefully examining whether it was just fortunate that some adverse event did not happen.
The case of the Challenger accident illustrates this point. Considerable evidence from previous flights
indicated that the O-rings presented potential problems. NASA and Thiokol personnel ignored the
evidence because no failure had occurred.12 This behavior suggests the following finding:
Finding 3. Firms that learn from near misses and catastrophic losses by doing post-mortems
are likely to be proactive in managing catastrophe risks.
The following comments from our interviews show that firms that have learned from previous
disasters and near misses are likely to be better prepared for the next one. A risk control manager
from an energy company indicated that the mistakes they made during Hurricane Rita in 2005 helped
them to prepare for Hurricane Ike in 2008. The firm inadvertently sent all of the repair crews to one
area during Rita, resulting in a bottleneck, which made it look to the media like they were doing
nothing. Following the Japan earthquake of 2011, the CEO of a retailer that experienced severe
23
damage to its facilities buildings had every building inspected structurally to make sure each one was
earthquake proof.
Hurricane Katrina was a wake-up call for several firms we interviewed. One firm that lost a number
of its stores in the disaster due to a lack of preparation took several steps to get their stores up and
running more quickly than the competition after a hurricane by working out a special arrangement
with their insurance carrier that allows them to adjust their own claims, rather than waiting for an
adjustor to come out to evaluate the damage. A chemical company that did a post-mortem after
Katrina can now obtain supplies and equipment much more quickly by working with local authorities
to get trucks through police barricades in the event of a natural-disaster.
A manufacturer that has plants throughout the world indicated that they learned from the Telecom
Crash of 2002 not to combine financial risk with operating risk. After the 2008 financial crisis, the
CRO of an investment bank created a formal process to define the firm’s risk appetite, and made
changes in risk governance. The vice president for corporate strategy of an auto parts supplier
indicated that watching what happened at Enron and WorldCom, they decided to look at enterprise
risk management in a different way.
Sometimes, however, actions taken in response to one disaster may not enable the firm to deal with
a catastrophe that takes a different form. The visceral memories of their building in downtown
Bangkok being burnt to the ground in the context of political unrest in Thailand, led a firm in the
service industry to build a contingency office near the airport, and provide their workers with laptops
so that they could work remotely. But when the 2011 Thailand floods occurred they couldn’t use their
office and their workers’ homes were underwater, so they had to house them in hotels with free
bandwidth.
3.2. Findings Related to Risk Assessment
Analyzing Catastrophic Risk in a Systematic Manner
The availability bias also suggests that paying attention to the outcomes of events will focus people’s
attention on what steps to take to reduce the likelihood of the reoccurrence of the event in the future.
One can first examine the impacts of a catastrophe and then focus on the likelihood of these events
occurring. This implies the following two findings:
Finding 4: Creating worst-case scenarios helps senior management and employees focus on
ways to manage catastrophic risks before they occur.
Finding 5: While some firms use quantitative tools for estimating the likelihood of specific
scenarios, some firms simply focus on the severity of the scenario and what to do about it,
disregarding the probability of it happening.
24
Supporting these two findings, we learned that some firms have teams from each of their divisions
undertaking risk assessments while others do a strategic risk assessment of their top risks.
One publishing firm exposes senior management to different worst-case scenarios each quarter so it
can determine what changes are required. The vice president of safety and environment in an energy
firm highlighted the importance of undertaking more systematic risk assessments by noting that they
have learned over the years that high-consequence, low-likelihood events will happen, and therefore
the firm has to plan for them.
Prioritizing Risks
Given the number of potentially severe adverse events that can impact a firm, it is important for the
firm to prioritize their risks so that they can devote attention to those that really matter. Decision
makers that undertake this type of activity in a systematic manner are likely to be prepared for the
relevant risks that their organization faces in the future. This behavior implies the following finding:
Finding 6: If the firm’s management can prioritize the risks that they face and develop plans
that are modular so they can triage their activities, they will be better prepared for the next
catastrophe than decision makers who do not follow this procedure.
Several firms indicated the importance of prioritizing their risks to see where they are vulnerable.
The CEO of a retailer indicated his firm picked 15 or 20 items that are really important and made
sure that everybody is involved and understands their role in controlling the risk. An investment bank
makes plans modular for dealing with a disaster. Should the crisis occur, the management team can
either rearrange the modules or pick and choose within the modules.
3.3. Findings Related to Risk Management
Learning from Others
The literature on organizational behavior points out the importance of gaining insight from other
firms with respect to developing strategies for improving performance. By developing formal and
informal channels of communication with competitors facing similar challenges, there is an
opportunity to learn about other approaches for taking steps to reduce the likelihood and
consequences of the next disaster and develop recovery plans should the event occur.
In the uncertain or ambiguous climate that characterizes the management of catastrophic risks, firms
frequently look to their competitors to provide guidance for their own behavior and to help determine
their core competencies. There is also a tendency to imitate what others have done well by
transporting these concepts to their own organizations and avoiding actions that could be costly.
Where there is substantial commonality in experience, such influence has been labeled mimetic
behavior.13 Such learning is a major mechanism for diffusion of information across firms.14
25
As an illustration of this behavior, executives in a chemical firm stated that one reason for selling one
of their businesses was that current industry practice is to produce the raw materials and the finished
goods at the same location. This approach obviates having to ship potentially dangerous materials,
even if the chance of a transportation accident is estimated to be extremely low. The firm sold the
business to a competitor that followed this practice.15 This behavior implies the following finding:
Finding 7: Firms that systematically learn from the catastrophic losses of others are likely to
improve their own operations.
Here are some actions that firms have taken in this regard that suggest they will improve their risk
management strategy: One firm in the energy industry looked to investment banks following the
financial crisis of 2008 to understand how they view risk and determine whether their firm has some
blind spots. The BP oil spill caused many firms to think a lot more about operational risk. Following
the Japan earthquake, a publishing firm began thinking about what could happen to the nearby nuclear
power plant if an earthquake occurred. The firm recognized that the probability of having an
earthquake at this location was less than 1 in 10,000, but felt it was something that could happen. As
one senior executive noted, after any catastrophe the firm needs to take a look and ask, Am I okay
with the status quo? Do I know what’s happening? How can I determine what I should do differently?
Comprehensive Management of Catastrophic Risk
Firms are now striving to manage catastrophic risk in a more comprehensive fashion by focusing on
enterprise risk management rather than decentralizing their analysis by divisions or departments. In
firms that effectively manage catastrophic risk using ERM, a chief risk officer normally reports to
the board on a range of activities for dealing with extreme events. The organization has transparent
metrics in place to measure investment in catastrophic risk management and output. It interacts with
a range of outside agencies and organizations on issues of catastrophic risk. This behavior implies
the following finding:
Finding 8: Firms that have had active dialogue among their board of directors, company
leaders, and government officials about managing exceptionally adverse risks are likely to be
more aware of the diverse risks that can impact them. They prepare for these adverse events
more systematically than companies without such dialogues and interactions.
Those proactive firms recognize that there are risks they will not be able to handle by themselves
should they occur. Establishing an open dialogue across the organization and with other firms is a
key step to creating trust, an essential element during a crisis. The following comments from our
interviews provide qualitative support for this finding. A firm in the financial industry utilizes their
committees to make people in their company more aware of how they are currently and should be
making decisions. Another firm in the same industry indicated that it needed to have a very strong
line of communication both within the company as well as with their customers. The head of
corporate and information security in an energy company emphasized the importance of interacting
with the public sector, indicating that one cannot develop a plan if one doesn’t know where the threat
26
vectors are. This means having good liaisons with the federal, state and local government and law
enforcement. The CRO of an information technology company noted that his firm has developed a
methodology for identifying top risks by establishing a risk infrastructure and governance structure
within the company in collaboration with the board of directors and other members of executive
management so that there is a well-defined risk universe shared with everyone in the organization.
Dealing with Interdependencies
Firms face challenges in dealing with a catastrophic events if others in their network have not taken
steps to reduce the risks they face. Following the Fukushima, Japan earthquake of 2011 there were
supply chain interruptions that caused shutdowns of plants in other parts of the world. To illustrate
this point, car manufacturers in Detroit utilized automotive microcontroller chips from Renesas, a
company north of Tokyo that was heavily damaged by the earthquake. With no alternative suppliers
of these chips, car production temporarily shut down.16 This behavior implies the following finding:
Finding 9: Firms are now recognizing that they must better appreciate risk interdependencies
as part of their overall risk management strategy. These interdependencies can emerge across
the world, across industry sectors, across divisions within the firm and may only become
apparent over time.
An executive from an investment bank that operates internationally commented that contagion across
borders and across businesses is much higher and faster than it used to be. Several firms noted that
the loss of a facility in the global supply chain would be catastrophic for them.
3.4. Findings Related to Crisis Management
Firms must make sure that when they are thinking and acting fast, they are doing so with deliberative
and systematic activity in advance of the crisis. They must develop well-articulated plans, designate
the structure for managing the crisis and specify information-gathering techniques to avoid falling
into intuitive traps. Firms emphasized that during a crisis, it is important to ensure that fast thinking
is high quality thinking. In order to make good decisions, in the moment, many firms we interviewed
indicated that they needed to have a concrete plan that included clearly defined roles and
communication procedures, such as emergency plans and business continuity. This behavior implies
the following finding:
Finding 10: Firms that have invested time, human resources and money into preparing for
catastrophic situations are likely to bounce back quickly and enhance their reputations.
Firms, particularly those in banking and in the retail/service industries emphasized the importance of
identifying the most crucial roles during the crisis and focusing on individuals within the company
having these responsibilities. One bank ranked critical areas by tiers, recognizing the importance of
making sure their core operations units were functional as soon as possible. Another consumer
services firm felt their customer agents had to be up and running within an hour.
27
3.5. Findings Related to the Role of the Board
The board of directors can provide input to the firm from a neutral but concerned perspective with
respect to dealing with catastrophic risks. The increase in extreme events in recent years has put
catastrophic risk management high on their agendas. This behavior implies the following finding:
Finding 11: Many more boards of directors are becoming proactive at overseeing risk management
activities. This trend is fairly recent and the level of involvement still varies widely.
An overwhelming majority of those we interviewed reported increase in involvement over the past
ten years by the board of directors; firm’s risk management activities are depicted in Figure 3.1. Some
firms cited specific events such as the financial crisis, 9/11, Hurricane Katrina as instigating board
changes. Risk managers noted that board members may serve on multiple boards, and thus have
often experienced a crisis first-hand in some capacity. However, they also cautioned that board
members who do not have risk management expertise may engage in primarily intuitive thinking,
such as focusing unduly on recent events, rather than thinking deliberately about possible long-term
challenges that firms face. They pointed out that it is the job of the risk managers to guide the board
towards more deliberative thinking.
FIGURE 3.1: HOW MANY YEARS AGO DID THE BOARD BECOME MORE INVOLVED IN RISK
MANAGEMENT IN YOUR FIRM?
0 to 3 years
(30%)
4 to 7 years
(35%)
8+ years
(35%)
28
There seems to be a continuum of levels of board involvement, rather than discrete categories.
Different boards participate in the process to different levels, based not only on the company but also
on characteristics of the industry and background of board members. Over time board involvement
in catastrophe and crisis management seems to have increased from simply relying on the audit
committee to set broad risk management goals to overseeing and being involved in in the decision
making process of the firm with respect to taking steps in advance to reduce the risks of future adverse
events.
An insurance firm indicated that there is a part of the Board that focuses on risk management where
in the past it was part of an audit committee. It took the BP oil spill in 2010 for another firm in the
oil industry to spend time with their Board running through all of their risk-management practices for
both upstream, downstream and company reputational risk to make sure that they were comfortable
with what they were doing.
Finding 12. More senior executives in top management want the Board to work with them in
defining the risk appetite of the firm by sharing information and responsibility for their actions
in this regard.
As the risk landscape is widening and more companies expand their activities outside of the U.S. the
top management often expects directors to support a specific risk appetite and to be aware of the
catastrophe risks that could seriously impact the firm. This is a way for senior management to more
systematically include directors in risk taking decisions and also to share responsibility when a crisis
occurs.
We now turn to our analysis of the 10K risk section of the annual reports of the firms that we have
interviewed. These reports reflect key risks these firms consider today and show how they have
evolved over time.
29
Section 4. Preliminary Findings from our Analysis of 10K Risk Sections
4.1. Methodology and Data
Another source of data we used as part of our analysis is the risk factor disclosure section of firm’s
Form 10K annual reports. Firms are required to disclose risks that could negatively impact their
activities. One can observe how the ranking of the top risks evolved over time in firms’ 10Ks and
across the ten S&P 500 industry sectors specified in Table 4.1.
TABLE 4.1: TEN S&P 500 INDUSTRY SECTORS (ALPHABETICAL ORDER)
We selected 21 risk categories building on previous work in the field,17 to facilitate comparisons of
risk factor disclosures across industry sectors. Our research team coded the sample set of 10Ks of the
firms we interviewed by utilizing these risk categories. (In this context, “coding” means reading and
manually tagging the text relevant to a specific risk factor based on a set of definitions and keywords
for each of the risk factors listed in Table 4.2.)
Given that the sample of interviewed firms is representative of the entire S&P 500 we feel that the
results discussed below apply more generally. To capture variation in the risk factors over time and
between industry sectors, we coded the 10Ks these firms submitted in 2007 and in 2011 using the
qualitative data analysis software program NVIVO, a relational database developed by QSR
International. After completing the coding, we calculated the industry-wide variation in coverage of
each risk factor. Risk coverage was identified for both (a) the number of risk factor mentions; and (b)
percentage distribution of text dedicated to the discussion of a particular risk factor in a given 10K
risk factor section.
Industry
Consumer Discretionary
Consumer Staples
Energy
Financials
Healthcare
Industrials
Information Technology
Materials
Telecommunications
Utilities
30
TABLE 4.2. DEFINITION OF KEY RISK FACTORS; ILLUSTRATIVE EXAMPLES AND KEYWORDS
Risk Factor Definition Example Keywords
Accounting Change in accounting regulations that can
affect the financial standing of the company.
We must comply with generally accepted accounting principles
established by the Financial Accounting Standards Board
Accounting, accounting practices, books,
auditor, audit, accounting irregularities,
financial statements, disclose
Acquisition Risk associated with all phases of acquisition
(pre, during, post) that may result in business
value loss (e.g., unmet synergy, operational
disruption, changes in management).
The integration of firm A and other acquired businesses may
present significant challenges to us.
Acquisitions, acquire, divest, sell unit,
sale, merger, merger agreement, joint
venture, synergies, spin off, split,
buyout, alliance, offer, bid, restructuring,
hostile takeover
Capital
Expenditure
Investment in a company’s business
requiring substantial funds for items such as
facilities, equipment, fixed assets, R&D or
new product development
We are developing new products that complement our traditional
memory products or leverage their underlying design or process
technology.
Debt, cash position, credit rating,
covenants, highly levered, refinancing,
interest rates, commercial paper, lines of
credit, credit line, junk status, equity, financing, equity offering, dilute shares,
share dilution, lenders, buyback, raise
capital, bonds, loan
Capital
Structure
The debt to equity ratio on a firm's balance
sheet. The debt/equity ratio affects the firm's
stock price
“We are subject to the risks associated with debt financing,
including the risk that our cash flow will be insufficient to meet
required payments of principal and interest.”
Plant expenditures, plant expansion,
capital investment, plant closing costs,
capital-spending expenses.
Catastrophes Environmental conditions/terrorist activities/acts of wars/pandemics. Cyber risk
is also coded in this category.
“Extreme weather conditions in the areas in which the Company's stores are located could adversely affect the Company's business.”
oil spill, terrorism, September 11, hurricane, weather, war, disaster,
catastrophe, storms, tornado, tsunami,
tropical storm
Competition Potential disadvantage in the market as a
direct result of the competitors’ activity or a
business’s strategic mishap.
Increased competition could result in fewer submissions, lower
premium rates and less favorable policy terms and conditions,
which could reduce our margins.
Competition, competitor, competing
product, decreased market share,
increased market share, strategic
advantage
Credit Risk Risk's related to not receiving payment for
delivered goods or services; the risk of
companies defaulting on payments
“EME's operations are exposed to the risk that counterparties will
not perform their obligations.”
Credit risk (this one is extremely similar
to "capital structure" and all of the terms
are nearly identical)
Customer
Concentration
Growth in specific customer segments (by
geography, industry, large-players) that
creates an over-reliance on a small group of
clients, posing business risks.
Since we depend on a few brokers for a large portion of our
revenues, loss of business provided by any one of them could
adversely affect us.
Reliance on a small number of firms
Distribution Changes or unforeseen events during the
passing of goods from a business to its
external B2B or B2C customers.
In the event that commercial transportation is curtailed or
substantially delayed, our business may be adversely impacted, as
we may have difficulty shipping merchandise to our distribution
centers and stores.
Distribution, distribution channels
Government Governmental acts and regulations that
affect the way a company conducts its
business.
We are subject to extensive government regulation and
supervision, including regulation and supervision in non-U.S.
jurisdictions, which may limit our ability to pay dividends or
make other capital distributions and violations of which could
have a material adverse effect on our business, financial condition and results of operations.
Government, Congress, Supreme Court,
regulation, SEC, Securities and
Exchange Commission, President,
Obamacare, healthcare plan, government
contract, economic stimulus, bailout, troubled asset relief program, TARP,
US Treasury, Regulation, oversight.
31
Industry Industry risks not only affect the company,
but also other players in the industry.
“The payments industry is highly competitive and includes, in
addition to credit card networks, evolving alternative payment
mechanisms and systems.”
Industry risks
Intellectual
Property
Risk associated with security of or changes
to the sustained advantage from the
business’s intellectual property. Any threats
to IP.
With respect to patents and patent applications we have licensed-
in, there can be no assurance that additional patents will be issued
to any of the third parties from whom we have licensed patent
rights
Patents
International Currency fluctuations in a company’s
international business operations. Any risks
associated with operations abroad
(government/legal).
“The enactment of provincial legislation or regulations in Canada
to lower pharmaceutical product pricing and service fees may
adversely affect our pharmaceutical distribution business in
Canada, including the profitability of that business.”
Foreign currencies, foreign currency
changes, exchange rate, currency
translations, strong US dollar,
international economies
Investments Pension/retirement benefits and any capital
put into other firms.
“Our pension plans are underfunded, and may require significant
future contributions, which could have an adverse impact on our
business.”
Pension liability, pension liabilities,
investment
Key
Personnel
The loss of potential key executives in the
company that may result in adverse effects.
Reliance of a company’s success on key
executives.
There is substantial competition for qualified personnel in the real
estate industry, and the loss of several of our key personnel could
adversely affect the Company.”
resigned, fired, CEO, COO, CFO, board
member; deaths; injured
Labor Recruiting and retaining employees, errors
that employees may incur.
“Our businesses require the retention and recruitment of a skilled
workforce and the loss of employees could result in the failure to
implement our business plans.”
Legal The possibility that legal action will be taken
because of a corporation's actions, inactions,
products, services or other events.
Potential/ongoing lawsuits that will affect
the company adversely.
“We are involved in numerous legal proceedings arising out of the
conduct of our business, including litigation with customers,
employment-related lawsuits, class actions, purported class
actions, and actions brought by governmental authorities.”
Lawsuit, legal proceedings, court, sued,
suing, damages, litigation, ruling, judge,
penalties, hearing, appeal, evidence,
legal costs, liability, allegations,
defendant, plaintiff, lawyers, trial, federal panel, jurisdiction
Macro Activities happening in the aggregate
economy that affect the operations of the company; demand for its products/services.
Demand contraction; low economic
growth
Marketing Any risks related to the firm’s brand,
reputation, image, product pricing, and
market share.
“The success of our branded products relies in large part on the
favorable image they enjoy with consumers.”
Marketing, reputation, market share,
market expansion, customer focus,
segmenting, brand, image, product mix,
pricing
Operations Risk associated with mismanaged or
unforeseen activities in the internal operation
of a business, e.g., production,
manufacturing, etc.
The size and complexity of our computer systems make them
potentially vulnerable to breakdown, malicious intrusion and
random attack.
Quality control, product quality, product
launch (this one is too broad/requires a
lot of human intuition to determine
whether an event falls under it)
Suppliers Variations in the supply delivery processes
that pose business risks; and changes in the
bargaining power of suppliers driven by
supply availability.
In order to sustain and grow its business, the Company must
successfully replace the crude oil and natural gas it produces with
additional reserves.
Suppliers, supplies, input costs, raw
material costs, high oil prices, high fuel
costs, fuel expenses, smaller margin
Sources: Authors
32
4.2. Number of Risk Factor Mentions in the 2007 and 2011 10Ks of the Interviewed Firms
Figure 4.1 compares the number of risk factor mentions between 2007 and 2011 across the 21 risk
factors we studied for the 100 firms we interviewed. “Risk factor mentions” refers to the number of
times one of the risk factors described above is discussed in the firms’ annual reports.
FIGURE 4.1: NUMBER OF 10K RISK MENTIONS ACROSS INDUSTRY SECTORS
Several interesting results emerge from the analysis:
Finding 13: There is an increase in the number of risk factor mentions in the 10K sections
between 2007 and 2011.
This confirms the finding from our interviews that firms are more concerned about a large number of
risks today and provide much more detail in the way a specific risk category can affect its operation
and its shareholders. The top risks in 2007 remain the same in 2011: government-related risks (e.g.,
a new regulation that may adversely affect future firm revenue), legal risks, marketing and
international markets.
We found that four out of five firms have increased the number of risk mentions in their 2011 annual
reports compared to 2007. This trend is not specific to any industry sector. At one extreme, a firm
which is not a financial institution, increased the number of risk factor mentions tenfold between
2007 (4 mentions) and 2011 (40 mentions). The highest number of risk factor mentions across all
firms that we interviewed was 92.
0
100
200
300
400
500
600
700
800
2007 2011
33
Finding 14: According to the 10Ks, Government is perceived as the most critical risk to almost
all firms and industry sectors.
While government was already ranked top risk in 2007 (354 risk factor mentions across all firms we
interviewed), the number of mentions in the risk section of the 10K reports has risen sharply in 2011,
with 674 mentions.
The fact that firms in the financial sector consider risks related to government decisions as one of the
key risks they face in the aftermath of the financial crisis and the new regulations that have emerged
is not surprising. However, our analysis reveals that this is not just a concern of the financial
sector. Government is the top risk in all the industry sectors (except for consumer staples where
it ranks second, and telecommunications where it ranks third). (See Appendix 2A for the distribution
of the top risks for each of the ten industry sectors in the S&P 500).
We also coded the portion of each 10K risk section devoted to a discussion of a specific risk factor.
Figure 4.2 depicts this distribution over all 21 risk factors by aggregating all 10Ks (in 2007 and 2011)
of the 100 firms we have interviewed in the S&P 500.
FIGURE 4.2: PERCENTAGE OF THE 10K RISK SECTION DEVOTED TO A SPECIFIC RISK FACTOR; 2007 & 2011
Sources: Authors - Based on the S&P 500 firms interviewed by the research team
0%
5%
10%
15%
20%
25%
30%
35%
2007 2011
34
Note here again the prevalence of government-related risk actions: one-third of the discussion of risk
in the 10K reports was devoted to this risk factor in 2011. Legal issues were ranked second with 13%
of the 10K report devoted to this risk factor, followed by risks related to international operations (e.g.,
currency risks). Across all firms, only 3% of the 10K reports are devoted to catastrophes such as
terrorism, natural disasters and technological accidents, perhaps because most firms feel they have
the appropriate risk management practices in place to deal with these risks and/or are not highly
exposed to them.
The analysis of the 10K reveals that firms need to manage a large number of risks to avoid future
crises and the possibility of losing market share to their competitor in a fast changing environment
where government actions such as new regulations are becoming the number one concern of the
business community. We now turn to our analysis of the stock market prices of those publicly-traded
companies that confirms this finding more quantitatively.
35
Section 5. Preliminary Findings from our Analysis of S&P 500 Stock Prices
The earlier part of this report focuses on what we learned from the interviews of the 100 firms
conducted by the research team and our studies of their 10Ks. In both cases the firms provided the
information and data for us to undertake these analyses.
We also wanted to have a more neutral view of the impact of risks with potential catastrophic
consequences on their performance and, at the same time, enlarge our sample to the entire S&P 500.
While many indicators could be examined, we decided to first look at the stock price of these firms
over time. Since the overall study focuses on catastrophe risks we were interested in testing whether
events that are traditionally seen as catastrophic (natural disasters, terrorist attacks, pandemics; cyber-
attacks, etc.) triggered significant stock price declines and if so, how large they were and for what
firm/industry. We were also interested in evaluating how these events compared to other factors that
may have been responsible for significant drops in stock prices.
To this end, we built a dedicated algorithm that determined 20% changes in stock price for individual
companies over a 10-day period relative to changes in the industry average. As an example, if the
industry average price dropped 5% during a 10-day period, then any firm in the industry whose stock
price dropped 25% or more during the same period would be put in this category. For any publicly-
traded company, losing 20% of its market value relative to its competitors over such a short period
of time would be considered a serious event. (See Appendix 3 for the methodology.)
During the period 2000-2011 there were more than fifteen hundred such events of interest. We could
then determine the sensitivity of each industry sector to specific types of events and measure the
resilience of firms to price declines by determining how long it took for the stock to recover to its
pre-drop level. As shown below, firms in some industry sectors are much more likely to bounce back
in a few months while others may take several years.
NOTE: This first phase is descriptive in nature and does not analyze the specific characteristics
of the S&P 500 firms that may have been partially responsible for causing the stock price
changes. We know that two firms of similar size can manage the crisis and recovery from an
exogenous shock very differently due to their financial situation (e.g., their debt ratio) and their
leadership in the C-suite and at the Board level. The second phase of the project (2014-2015)
will examine these elements in more details. The findings discussed here are a starting point for
this type of analysis.
The section is organized as follows. Section 5.1 introduces the data and methodology. Section 5.2
presents the findings on the significant event analysis focusing on significant drops: What types of
events triggered a large drop among the entire S&P 500 over the 11 years covered by our analysis?
What types of events are more likely to do so in your industry sector? What industry sectors have
been more affected by a given type of risk?
36
In section 5.3 we discuss the issue of resilience to shocks by examining how long it took for a firm’s
stock to return to the level it was before dropping at least 20% over 10 days compared to its industry
competitors. Are specific industry sectors more likely to bounce back more quickly than others? Are
specific risk categories more likely to trigger a longer recovery time across industry sectors, or just
for specific ones?
5.1. Data
We used daily trading stock returns for all firms in the S&P 500 over the period January 1, 2000 to
December 31, 2011; we focused on the S&P 500 group of firms as of December 31, 2011 and also
included a few other firms of interest (e.g., BP, given the 2010 oil spill). In total, we studied 503
firms. Stock price data came from the Center for Research in Security Prices (CRSP) to which
Wharton has a subscription access.18 We then split all companies into their corresponding industries
(as defined by Standard & Poor’s) (Table 5.1).
TABLE 5.1. DISTRIBUTION OF THE FIRMS COVERED BY THE STUDY ACROSS INDUSTRIES
Industry # of Companies
Consumer Discretionary 84
Financials 82
Information Technology 71
Industrials 61
Healthcare 53
Energy 41
Consumer Staples 40
Utilities 35
Materials 29
Telecommunications 7
Sources: Standard and Poor’s
We then used the same 21 risk factor categories introduced in the previous section on our 10K
analysis. Table 5.2 provides a summary of keywords and illustrative examples for the stock analysis.
A number of stock price drops were related to the announcement of quarterly or annual earnings
without necessarily be linked explicitly to a given risk factor. We thus created a new category called
“earnings” as well. The methodology for undertaking our analysis is detailed in Appendix 3.
37
TABLE 5.2. DEFINITION OF THE RISK FACTOR CATEGORIES USED IN THE STOCK ANALYSIS
Category Definition Keywords Example
Accounting/Release
of Quarterly results
Change in accounting regulations that can affect
financial standing of the company, anything related
to accounting
accounting control, accounting standards,
accounting fraud; accounting errors;
Company Y was involved in an accounting fraud
case
Acquisition Management, financial or accounting risks related
to two companies becoming one
acquisitions, cost savings, joint ventures,
merger benefits, restructuring
Company X acquired one of its main competitors
in a deal many perceived as a very risky decision.
Catastrophes Natural disasters, terrorism or war, and calamities natural disasters, terrorism / war, weather,
fatalities
Hurricane X has hit the oil refinery of Company Y.
Capital Expenditure
Investment in the company’s business – facilities,
equipment, fixed assets, R&D
capital expenditures, R&D Company X has invested $30 million into a key
R&D project, which is in its 4th stage of approval
from USDA and this was denied.
Capital Structure
Debt to equity ratio – how companies are financed, which affects stock price
assets: liens, capital availability, credit rating, debt: additional, debt: covenants,
debt: highly levered, debt: refinancing,
interest rates, restructuring charges
Company X was not able to refinance its debts given a recent downgrade of its bond rating by
rating agencies
Competition
Competitive gain or loss of market share to a
specific competitor
competition, competition: lower prices,
substitute products
Company X recently posted their market share
report, indicting a drop of 30% of their electronic
products – mostly to their rival Company ABC.
Credit Risk Not receiving payment for delivered goods or
services
credit risk, cash flow Company X was not able to receive payments from
Company Y which filed for bankruptcy.
Customer
Concentration
Firm revenue is dependent on a few large
customers or a high concentration of customers
within a region
customer concentration, regional
dependency
Company X’s recent quarterly report indicates a
drop in their sales due to low demands in the
southwest region of the US
Distribution
Outward flow of goods or services from the
company to the customer through different channels (online, in-store)
distribution channels, transportation,
supply chain, distribution partners
80% of all department stores have stopped selling
Company X’s products due to pricing conflicts.
Earnings earnings, estimated earnings, sales
subscriptions that explicitly affect earnings
Company X recently released their quarterly
earnings – a 40% decrease in sales.
Government
Actions taken by government, external to the firm,
which have an influence on the operations of the
firm
regulation, law, government oversight Government’s recent scrutiny on hiring practices
of Company X has triggered a change of
management.
Industry
Broad shifts in an industry-specific environment
which impacts how all players act
industry changes, industry condition, trend
change
Company X and four of its competitors have
suffered from customers’ switch to a new type of
technology
Intellectual Property
Threat to the security or value of intellectual
property and costs associated with protecting and
maintaining it
IP, legal defense, value, patents, copyright Company X lost a lawsuit concerning their
product’s design and how it closely resembled one
of their rival’s products.
International
Any risk associated with the challenge of doing
business in non-domestic settings
currency / exchange rates, international
(non-US) risk, international markets (challenges)
Company X’s huge investment in Country ABC
and the country’s recent announcement of inflation has triggered a spike in Company X’s cost of
operations.
Investments
Pension/retirement benefits and any capital put into
other firms, capital withdrawn from other firms,
named individuals that buy or sell shares en masse
(usually triggered by specific company event or
trend)
liquidity / investments, pension /
retirement benefits
Company X’s bankruptcy claim affects its parent
company, Company ABC who invested 300 MM
into the company 10 years ago.
Key Personnel Recruitment and retention of essential management
positions; references to specific names or positions
key personnel, key personnel: insurance,
new management
Company X’s CEO Joe Smith has recently been
arrested for insider trading and fraud.
Labor
The workforce required to maintain daily
operations in terms of quantity and quality
unions / labor, salary, hiring trend Company X’s labor union has gone on strike, and
the company’s inability to hire new employees in time adversely affects their operations.
Legal Liability, litigation and legal proceedings legal, lawsuit Company X recently lost their lawsuit against
Company Y.
Macro Uncontrollable or unpredictable changes in the
aggregate market
recession, trend, global trend Company X’s large did not allow it to survive the
recession.
Marketing
Firm’s reputation, image, pricing, and presence in
the market;
brand, brand concentration, consumer
preferences, market acceptance, market
share, marketing effectiveness, pricing,
reputation, scandal, analyst
recommendations
Company X’s series of product recall due to death-
related accidents have made the company’s brand
equity drop 30% and its perception plummet
among consumers.
Operations
Uncertainty and challenges associated with
production, development and implementation for
goods and services
leases, manufacturing / technical, new
products, new stores, operating risk,
product quality, production delay, single product, technological change, technology:
unproven, working capital
A firm did not make the necessary investments to
move to a new technology and was outpaced by its
competitors
Suppliers
The rise in costs or scarcity of necessary materials
for production of goods or services either for the
company or companies to which the company
supplies materials
energy prices, raw materials availability,
raw materials prices, suppliers:
concentration, suppliers: promotions,
supply chain, supply chain: foreign
Recently failing to reach a deal with the
government of Country A, Company X was unable
to monopolize the manufacturing capacity of
electronic equipment, and was outcompeted by its
rival, Company Z, in the supply chain.
38
5.2. Results
The research team then undertook a large-scale study to identify the most likely drivers of the 2,119
events through public documents searches on the Internet, Factiva and LexisNexis.i Firms
announcing negative news on earnings were by far the largest source of significant drops of the stock
price over a short period of time, with a total of 599 events (or 28% of all negative events) in this
category. We now consider the distribution of the 21 risk factors when one excludes these earnings-
related events over the 1,520 drops (Table 5.3).
TABLE 5.3. SUMMARY OF SIGNIFICANT PRICE DROPS ACROSS 21 RISK FACTOR CATEGORIES
2000-2011 – FULL S&P 500
Risk Factors Total Percentage
Marketing 192 12.6%
Operations 186 12.2%
Acquisition 150 9.9%
Legal 119 7.8%
Industry 108 7.1%
Key Personnel 102 6.7%
Capital Structure 100 6.6%
Macro 97 6.4%
Government 80 5.3%
Labor 66 4.3%
Competition 64 4.2%
Credit Risk 60 3.9%
Capital Expenditure 56 3.7%
International 38 2.5%
Investments 30 2.0%
Catastrophes 19 1.3%
Suppliers 14 0.9%
Accounting 13 0.9%
Distribution 12 0.8%
Intellectual Property 10 0.7%
Customer Concentration 4 0.3% Note: N= 1,520
i Some events have multiple drivers behind a stock price changes, and can be categorized with more than one risk category. Note also
that in several cases it was not necessarily clear whether an event had been driven by a specific risk factor.
39
Finding 15: The top risk factors that have led to the highest number of significant negative
stock price drops in the S&P 500 over the period 2000-2011 are Marketing (12.6%), Operations
(12.2%), and Acquisitions (9.9%) (See Definitions in Table 5.2).
We are also interested in seeing what risk factors drove more stock drops in recent years. Since our
analysis of the 10K used 2007 as a first reference point, we re-did the analysis for the entire S&P 500
firms by looking at two time periods: [2000-2006] and [2007-2011]. Table 5.4 shows for each risk
factor the number of negative drops across the full S&P 500 for each of the two periods and the
percentage change over time.
TABLE 5.4. SIGNIFICANT PRICE DROPS RELATED TO 21 RISK FACTOR CATEGORIES. FULL S&P 500
Risk Factors 01/2000-
12/2006
01/ 2007-
12/2011 Total Drops
Percentage change between
2001-2006 and 2007-2011
Credit Risk 22 38 60 73%
Macro 38 59 97 55%
Capital Structure 42 58 100 38%
Government 34 46 80 35%
Labor 31 35 66 13%
Suppliers 7 7 14 0%
Industry 56 52 108 -7%
Catastrophes 11 8 19 -27%
Distribution 7 5 12 -29%
Operations 110 76 186 -31%
Acquisition 89 61 150 -31%
International 23 15 38 -35%
Key Personnel 62 40 102 -35%
Legal 75 44 119 -41%
Investments 19 11 30 -42%
Marketing 126 66 192 -48%
Capital Expenditure 39 17 56 -56%
Competition 46 18 64 -61%
Accounting 11 2 13 -82%
Customer Concentration 4 0 4 -100%
Intellectual Property 10 0 10 -100% Note: Total events: 1,520. Percentage numbers are rounded. Significant price drop is defined as a 20% change or more in stock
price for individual companies over a 10-day period relative to changes in the industry average.
Not surprisingly, Credit Risk has the greatest increase in stock price drops between the two periods
(+72%) reflecting the financial crisis. The percentage increase in Macro (+55%) reflects the negative
impact of the economic recession on a number of firms. The percentage increase in Government
(+33%) confirms what we learned from the 10K risk section analysis in Section 4 of this report. It
appears that many firms rank this factor as their top risk in their annual reports to shareholders not
40
only because more stringent regulatory systems negatively impact their business, but also as a
reflection as to how they feel government actions can impact on their stock prices.
To gain more insight into the impact of the government risk factor on stock price drops, we undertook
a similar stock analysis on the sample of firms that took part of our interview process. We analyzed
their 10K risk reports where there was a significant increase in risk factor mentions of government
between 2007 and 2011. As Figure 5.1 reveals, this increasing concern about government seems
understandable if one looks at the significant percentage increase (367%) stock price drops that can
be attributed to government activities over the [2007-2011] period compared to [2000-2006] for the
100 firms that we interviewed.
FIGURE 5.1. PERCENTAGE INCREASE IN SIGNIFICANT STOCK PRICE DROPS.
2007-2011 VERSUS 2000-2006 FOR 100 S&P 500 FIRMS INTERVIEWED
Finding 16: For the publicly-traded firms we interviewed, the most significant percentage change
in the number of stock price drops in 2007-2011 compared to 2000-2006 was Government
(+367%), followed by Credit Risk (+200%) and Capital Structure (+190%).
5.3. Focus on Sudden Catastrophe Events as Drivers of Significant Stock Price Drops
The stock analysis shows that events that often come to mind when thinking of catastrophes (e.g.,
natural disasters, terrorist attacks, war, fatalities) represent only a very small portion of the risks that
have led to significant stock price drops (that is, a drop of at least 20% over a period of 10 trading
days, compared to the industry average).
-100%
-50%
0%
50%
100%
150%
200%
250%
300%
350%
400%
41
In fact we find that the Catastrophes risk factor (defined as including natural disasters, terrorist
attacks, technological accidents) ranked only 16th out of 21 risk factors in the number of severe stock
price drops over the period 2000-2011 in the entire S&P 500 (Table 5.1).
There are examples where the stock of the firm dropped at least 20% in the wake of a catastrophe as
reported in these media articles:
“In the wake of 9/11 transportation shares were hit hardest and Firm X in the transportation
part business was no exception. On this day, more than 80 percent of all stocks lost ground,
but transportation-related companies fared the worst among Northwest companies. The steep
declines on the first day of trading since terrorist attacks closed the markets a week prior
showed how nervous investors felt about companies that depend on travel or consumer
spending.” (September, 2001; trigger: 9/11 terrorist attacks)
“Analysts speculated that the financial devastation that hit the airline industry following the 9-
11 terrorist attacks the week prior would envelop Firm X, an online booking company. An
analyst lowered the company’s projected profit from 22 cents a share pre-attack to 10 cents a
share. X’s business involves customers bidding on airline tickets, but since the attacks, the
nation’s leading airlines had lost $1 billion due to diminished demand of nervous travelers, a
costly two-day shutdown of the airways, and higher security expenses. Analysts said X’s other
problem was that travelers who were skittish about flying would not know the airline or routing
details of their flight such as time of day they will fly when they buy the tickets online until
their bid was accepted and the transaction completed, which did not make the process feel any
more secure.” (September 2001; trigger: 9/11 terrorist attacks)
“Firm X settled asbestos injury claims for $2.7 billion and took a charge against earnings of
about $500 million. The manufacturing company and at least three-dozen insurers paid the
settlement over the next 21 years. X’s chief executive officer said most of the asbestos claims
were the result of the company's 50 percent ownership position in firm X, a company that
made asbestos pipe insulation before it filed for Chapter 11 bankruptcy protection in April
2000.” (2002; trigger: the asbestos crisis)
“Firm Z announced the alert it declared at the Susquehanna nuclear power plant in
Pennsylvania due to low oxygen levels in a pump room did not pose any danger to the public.
The alert was triggered when plant personnel working on a pipe that required the monitoring
of oxygen levels, detected low oxygen levels and immediately left the area. Operators
declared an alert as a matter of procedure.” (2008; trigger: perception of a possible nuclear
incident)
42
“On this day, the food company X pulled fresh ground beef from all of its stores in the second
E. coli outbreak linked to Nebraska Beef in as many months. The meat X recalled came from
Y, which unbeknownst to X had processed it at Nebraska Beef of Omaha. One of the nation's
largest meatpackers, Nebraska Beef has a history of food-safety and other violations” (2008;
trigger: product recall due to food disease)
“On this day, shares of Bank A plummeted and traded at more than 17-year lows after a report
that the firm will need a fresh cash infusion – up to $20 billion – from the federal government
to keep going after its acquisition of Y. The news came amidst growing popular concern over
the health of the banking sector, after a slew of other government bailouts.” (2009; trigger:
2008-2009 financial crisis)
“Firm X and Y Corporation, with a combined 90 percent stake in a ruptured Gulf of Mexico
oil well, could handle up to $35 billion in costs from the spill, independent research service
CreditSights said on this day. X and its partners Y and Z will be responsible for spill clean-
up costs and related damages, according to their leasing contract with the U.S. Minerals
Management Service and a drilling contract with K, the analysts said.” (2010: trigger: oil
spill in the Gulf of Mexico)
It is worth noting that of none of the stock price drops appears to have been triggered by a natural
disaster. Maybe it is because S&P 500 firms tend to be fairly diversified geographically, so even
though some of their operations were affected by a hurricane or earthquake for a short period of time,
the market did not view this disruption as a long term threat to the performance of the firm. We also
learned from our interviews that many more firms had prepared themselves to deal with natural
disasters through asset reallocation, protective measures, business continuity plan, insurance
(property and business interruption) in recent years.ii As such, investors in the financial markets
could expect these companies to bounce back fairly rapidly even following a severe natural disaster
such as Hurricane Katrina and the Japan earthquake of 2011.
Note that a stock price drop model with different parameters (e.g., 10% rather than 20% drop; 4 weeks
rather than 10 days) might yield different findings regarding events associated with the change in
price. For example, a large insurance company which did not drop 20% in the 10 day period
immediately after Katrina still lost 10.6% of its market cap within a month after the disaster. It took
that firm an entire year for its stock to recover to a pre-Katrina level.
A company in the energy sector saw its stock first increase 5% (as oil prices rose) but then its stock
dropped 13.1% during the month of October 2005. In our interview with the firm, it indicated that
return to normal operations following damage caused by Hurricane Katrina at our Louisiana facility
ii It might also be the case that a firm’s stock does not drop more than 20%, compared to their industry peers, in just 10 days, and thus
do not appear in the algorithm we have created.
43
was more complex and time consuming than anticipated. It took this firm nine months for its stock
to bounce back. In these two instances the financial impact was severe but those two events would
have not been captured by our algorithm. These two events had obviously serious economic impact
on those firms.
5.4. Bouncing Back: A Measure of Stock Price’s Resilience
Important questions to address with respect to the resilience of a firm to adverse events are:
What happens to the stock of these firms once the price drops significantly?
How long does it take to bounce back to the level it was before the price drop?
How does this resilience factor vary across industry sectors?
Are specific types of events more likely to require longer recovery time?
To answer these questions we looked at all the events that led to at least a 20% drop over a 10-day
period (including some related to earnings reports) across the entire S&P 500 over the period 2000
to 2011. The algorithm is continuously looped until the stock price returns to where it was just before
the 20% price drop. The difference between the “ending” date and the “starting” date is measured in
weeks, and classified as duration. It is then possible to calculate the mean, standard deviation and
min/max of this time period across industry sectors and risk type events.
Table 5.5 shows for each industry sector the mean recovery time in weeks over the 1,520 events of
interest. The Materials and Financial sectors had the shortest durations (mean of 34 and 61 weeks,
respectively). The longest recovery time is in the IT sector with 132 weeks duration (over 2½ years)
on average, followed by Utilities (131 weeks) and Healthcare (102 weeks). As one can see in Table
5.5, some recoveries have been fairly quick in all sectors (the minimum being two weeks) while
others have been extremely long, up to nearly ten years.
TABLE 5.5. STOCK PRICE RECOVERY TIME OF FIRMS ACROSS INDUSTRY SECTORS
AFTER A 20% DROP RELATIVE TO INDUSTRY
Industry
Number
of
Firms
Number
of Firms
Impacted
Number
of
Events
Mean
Recovery
Time (weeks)
Standard
Deviation
(weeks)
Max
(weeks)
Min
(weeks)
Information Technology 71 63 494 132 200 598 2
Utilities 35 13 54 131 148 581 2
Healthcare 53 38 143 102 171 596 2
Consumer Staples 40 18 53 84 105 500 4
Industrials 61 32 79 83 124 599 3
Energy 41 21 77 74 115 505 2
Consumer Discretionary 84 63 329 73 128 596 2
Telecommunications 7 2 13 66 81 230 2
Financials 82 68 264 61 89 564 2
Materials 29 20 47 34 41 169 2
44
Finding 17: The mean stock price recovery time for companies across the full S&P 500 after
the stock dropped 20% over a 10-day period compared to its industry peers is more than one
year for firms in all industry sectors except Materials.
Table 5.6 looks at the data in a different way by focusing on event types. As one would expect,
changes in Industry trends and Competition lead to the longest recovery time, indicating a shift in
investors’ view of the firm and of its capacity to produce as much value as before the price change.
Interestingly, the mean recovery time related to Government events is over one year (61 weeks),
confirming the importance for firms to integrate this external factor into their risk identification and
prioritization process as part of their risk analysis and management process described in Section 2 of
this report. In the 19 instances where the stock of a firm dropped more than 20% as a result of a
Catastrophe, the mean recovery time was just over one year (58 weeks). TABLE 5.6. STOCK PRICE RECOVERY TIME ACROSS RISK FACTORS
AFTER A 20% DROP RELATIVE TO INDUSTRY
Risk Factor Number of
Events
Mean
Recovery
Time (weeks)
Standard
Deviation
(weeks)
Max
(weeks)
Min
(weeks)
Competition 62 162 210 598 2
Industry 105 137 204 589 2
Acquisition 135 121 181 599 2
Investments 29 117 141 489 2
Operations 162 102 167 590 2
Macro 97 99 160 589 2
Legal 110 94 156 596 2
Earnings 546 93 147 589 2
Labor 62 90 162 569 2
Accounting 13 90 113 326 2
Marketing 164 80 144 596 2
Credit Risk 55 79 108 364 2
Capital Expenditure 49 78 128 584 2
Key Personnel 92 72 141 575 2
Distribution 9 66 79 215 2
Government 74 61 133 584 2
Capital Structure 84 61 107 584 2
Catastrophes 19 58 77 238 2
Suppliers 13 55 42 128 3
Customer Concentrations 4 54 61 159 12
International 34 46 106 588 2
Intellectual Property 10 22 22 83 2
Finding 18: The longest recovery time is for events related to significant changes in Competition
(162 weeks), Industry trends (137) and (bad) Acquisitions (121 weeks). Drops related to the
Government risk factor and Catastrophes have a mean recovery time of 61 and 58 weeks, respectively.
45
We then analyzed how the mean recovery time in weeks varies across industry sectors and risk
factors. Table 5.7 shows that not all risk factors event types affect firms in a given industry sector in
the same way. We will explore reasons why this is the case in the next phase of the research project.
TABLE 5.7. MEAN RECOVERY TIME ACROSS RISK FACTORS AND INDUSTRY SECTOR (IN WEEKS)
C
on
sum
er
Dis
cret
ion
ary
Fin
an
cia
ls
Tel
eco
mm
un
i
cati
on
s
Info
rma
tio
n
Tec
hn
olo
gy
Co
nsu
mer
Sta
ple
s
En
erg
y
Hea
lth
care
Ma
teria
ls
Uti
liti
es
Ind
ust
ria
ls
Av
era
ge
Accounting 28 - - 6 - - - 169 178 16 90
Acquisition 56 81 - 182 27 46 165 47 75 230 121
Catastrophes 8 109 - 75 51 20 - - 109 110 58
Capital Expenditure 48 41 - 145 - 18 100 - 66 126 78
Capital Structure 31 45 - 144 77 60 76 2 154 31 61
Competition 154 178 67 203 88 - 126 71 14 - 162
Credit Risk 48 77 - 5 - 6 4 20 188 18 79
Customer
Concentration 23 - - 12 - - - - 159 - 54
Distribution 5 2 - 96 41 - - - 215 - 66
Earnings 61 52 121 132 105 84 122 39 67 85 93
Government 23 31 23 172 - 22 25 31 51 13 61
Industry 56 47 114 217 7 21 99 5 303 16 137
Intellectual Property 8 - - 30 - - 15 - - - 22
International 49 17 - 58 28 - 82 14 87 34 46
Investments 255 99 - 10 5 74 84 - 329 - 117
Key Personnel 85 64 - 73 88 178 15 33 - 8 72
Labor 50 17 2 177 185 20 36 9 59 19 90
Legal 89 60 10 103 28 89 104 9 291 47 94
Macro 60 67 120 190 88 45 - 32 219 31 99
Marketing 82 65 73 93 56 - 59 56 - 45 80
Operations 74 38 4 141 55 123 88 20 219 57 102
Suppliers 30 - - 3 88 71 - 39 - - 55
Average 73 61 66 132 84 74 102 34 131 83
46
5.5. Conclusions of the Preliminary Stock Price Analysis
This quantitative analysis of how events of different natures can negatively impact the stock prices
of S&P 500 firms sheds new light on events that have led to massive drop in stock prices. There are
several lessons that can be gleaned from our findings.
While one often thinks of catastrophes as those triggered by sudden events such as natural disasters,
terrorism or industrial accidents, many other types of events were associated a firm’s stock price
drops of 20% or more over a 10-day period compared to its competitors. In the sample of firms we’ve
interviewed, the Government risk factor was by far the one that triggered the largest percentage
increase in the number of severe stock price drops over the period 2007-2011 relative to 2000-2006.
This may explain why so many of these firms are so concerned about government risk in their recent
10K reports.
Certain industry sectors are much more volatile in their stock price drops than others (and take longer
to recovery to bounce back to their pre-drop level. The mean recovery time for all industry sectors
(except Materials) is greater than one year. The recovery time will also vary with the risk factor
triggering the stock price decline.
In the next phase of our analysis of these data, we will consider factors that make firms more resilient
to adverse events, such as their financial characteristics (e.g. revenue, debt level, liquidity level) as
well as the adoption of good risk management practices and leadership. In this regard we will also
consider differences in how firms assess and communicate their risks internally and to the outside
world. The classification given by rating agencies may also be an indicator of a firm’s resilience after
its stock price declines significantly.
47
Section 6. Overcoming Challenges through the Development of Long-term Strategies
This section provides guidelines for firms to develop long-term strategies for managing crises and
catastrophic risks. As a starting point, firms should have a clear understanding of the nature of the
risk and uncertainties associated with events that could have a significant impact on their activities
and profitability in the short- and long-term. Given the importance of intuitive thinking in guiding
firms’ decision making processes, it is important to consider the relevant biases and heuristics that
managers make in designing their current programs for dealing with catastrophic risks. They also
need to take into account the role that government is likely to play in monitoring and controlling their
activities. Below we focus on a set of risk management strategies that link intuitive and deliberative
thinking processes so as to increase their acceptability by the relevant stakeholders and hence their
implementation.
Reframing the Time Horizon
One way to encourage firms to be better prepared to manage catastrophic risk is to reframe the
likelihood of a disaster so that it is above the key decision makers’ threshold level of concern.
Research shows that simply adjusting the time frame can have a significant impact on individuals’
perception of the risk. For example, people were more willing to buckle their seatbelts when they are
told they had a one-in-three chance of an accident over a 50-year lifetime of driving, rather than a
.00001 chance each trip.19 Similarly, a firm which has its facilities in a hurricane-prone area is far
more likely to take the risks of storm-surge and wind damage to its property more seriously if instead
of being told the chance of a flood is 1 in 100 in any given year, they are told that it has a greater than
one-in-five chance of happening in the next 25 years.20
Similarly, if directors and C-suite executives were provided with data on the likelihood of a severe
event over the next 10 years rather than focusing on the annual probability, or what could happen the
next quarter, they would be more likely to consider taking steps now to reduce these risks. Extending
this time horizon is also important for risks where it is difficult to estimate a probability
mathematically, as is the case for a number of risks we consider in this report. For instance, while a
firm might think that the probability of suffering from a cyber-attack will be extremely low in the
coming six months, it is likely to be significant in the coming 5 to 10 years given recent trends that
show an increasing number of attacks across many different types of firms.
Spreading Upfront Costs over Time
Extending the time horizon is also important to evaluate the return on investment of specific risk
reduction measures when the upfront cost is offset by losses avoided over a long period of time. To
take a simple example, the cost of installing air bags in an automobile would not be justified by
calculating the expected loss on a daily or weekly basis but is likely to be cost-effective in reducing
the consequences of severe injuries from an accident to the driver and passengers over the normal
length of time that families keeps their cars.
48
Firms operate on an annual cycle when it comes to bonuses, budgeting and financial statements. For
this reason it is understandable that decision makers are likely to focus on short-term horizons when
making their decisions, particularly if it involves large expenditures. To encourage managers to invest
in protective measures to reduce the likelihood and/or consequences of future catastrophic losses it
would be useful to spread the costs of these measures over time with short-term benefits to encourage
firms to adopt them.
One way to address this issue would be to amortize the upfront costs of the measure over a number
of years so the annual costs that appear on the firm’s balance sheet is relatively low. The firm may
be able to negotiate a lower annual insurance premium with the provider of coverage to reflect the
reduction in expected losses from a future catastrophe. If cost effective, the expected annual benefits
from a reduction in the price of insurance will then be higher than the annual cost of the investment
in reducing catastrophic risk.
Focusing on Salient Events
Calling attention to the benefits of investing in protective measures by focusing on the reduction in
losses from a specific storm, such as Sandy or Katrina, is likely to attract more concern than a general
message framed in terms of reducing damage from future hurricanes. Focusing on a well-known
scenario is also more likely to trigger attention by the firm. The data from the interviews highlighted
the importance of specific crises in getting firms to pay attention. Controlled experiments undertaken
before 9/11 revealed that consumers in the United States were willing to pay more for insurance
against a plane crash caused by terrorists than for flight insurance due to any cause, a finding that is
counterintuitive since, by definition, “any cause” includes a terrorist attack.21
Establishing a Level Playing Field
Well-enforced government regulations and standards may help establish a level playing field across
firms and lead them to take steps to reduce the risks of extreme events in future years. The Sarbanes–
Oxley Act of 2002 set new or enhanced standards for all U.S. boards of directors, management and
public accounting firms following the corporate scandals involving Enron, WorldCom and other
companies. Similarly the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
brought the most significant changes to financial regulation in the United States since the regulatory
reform that followed the Great Depression of the 1930s. It involves all federal financial regulatory
agencies and has affected the nation's financial services industry.
In one interview, a CRO from a financial institution made the following comments regarding the role
of regulatory agencies in guiding firm behavior regarding catastrophic risks:
The regulators have really been pushing to raise the bar on risk governance and made many
mistakes themselves just like the industry did. In the process, they are doing some things that
are really good and other things that are really bad. They are trying to feel their way through
this and have a very important role to play in governance of the industry.
49
In another of our interviews, a CEO from a retail firm made the following positive comments
regarding the role that Sarbanes-Oxley has played in the firm’s operations: of regulatory agencies in
guiding firm behavior regarding catastrophic risks:
Like most people in business, I shuddered when Sarbanes-Oxley came out. But I have to tell
you that in the final analysis it has made us a better company. It forced us to think about those
items that were on the border of becoming a material weakness or, if they weren’t now, might
be in two or three years. It made us a much better company and made us all much more aware
of risk. As much of a critic as I was about Sarbanes-Oxley, I think the essential parts of it
probably made us better as a company.
When we asked the treasurer of a parts distributor: Are there any risks that keep you up at night? he
responded by saying:
Compliance. Just making sure we are crossing our ‘T’s and dotting the ‘I’s. In today’s
Sarbanes-Oxley world, it compliance is such a big deal. Just keeping everyone informed of
everything that could possibly be going on is a major challenge.
The enterprise risk officer of an IT company we interviewed was very concerned with the impact that
unexpected legislation would have on its operations as highlighted by the following comments:
The bill was designed to introduce new competition contrary to the way we’d been running the
business to date and to hamstring us on many of our competitive advantages. Regulators had
been given the authority to implement the law, which had many ambiguities and contradictions.
So we organized an effort to educate them, hoping they would adopt reasonable approaches
that would minimize the impact on our business. We thought that would be better policy. There
was also a lobbying effort to delay the implementation of the rules, which failed. For the last
year we’ve been engaged in a strategic exercise to figure out how to compete effectively in this
completely revamped business environment. And out of that exercise has fallen a lot of different
technology and processing and other marketing and contract projects.
Regulators are subject to the same behavioral biases as other decision makers; government agencies
and legislators often overreact following a crisis or catastrophic event. New regulations may have a
significant impact on an entire industry in ways that do not take into account the companies that have
invested heavily in risk management strategies and have much lower risk than the firm(s) responsible
for the catastrophe or crisis.
We should also note that for most of the events discussed in this report that could trigger catastrophic
consequences, firms are not always in a position to manage these impacts on their own. Partnering
with other companies and public sector organizations, leading research institutions and the public
sector to better assess and manage risks and crisis is also a critical element in designing and
implementing effective long-term catastrophic risk management strategies.
50
Section 7. Open Questions for the Next Phase of the Project
As we move into the next phase of this research project, we propose a few questions for readers to
reflect and comment on after reading this report:
Is the proposed framework an appropriate one for structuring our analysis of firm behavior with
respect to catastrophic risk? Are there other elements that should be incorporated in the
framework?
What data are available from publications and public documents to determine how firms’ roles
have changed over time and the factors that have influenced this process? Are there internal
documents and data from your own organization that you could share with us under a confidential
agreement?
What type of data analyses can we undertake to examine factors that may impact on catastrophe
risk management so we can specify additional findings? How can we test in a rigorous manner
the degree to which these findings are confirmed with available data from public documents and
interviews and other sources?
Are there specific case studies that we might undertake for a more in-depth analysis as to how
certain firms deal with catastrophic risks that could complement the interviews, reports and public
data that we are utilizing in this study?
What criteria would you propose for specifying benchmarks for providing guidelines to improve
firms’ catastrophe risk management?
What suggestions do you have for incorporating the role that public sector can play to encourage
firms to undertake protective measures prior to future crises to reduce their losses and those of
others?
What positive roles can the public sector play in making the recovery following a disaster a more
equitable and efficient process than it is currently?
51
Appendices
52
Appendix 1. Statistics on the 100 Firms Interviewed
As discussed in the introduction of the report, the distributions of the 100 firms we’ve interviewed
across industry sectors is fairly representative of the entire S&P 500. Below we also provide a
comparison on an annual revenue basis and number of employees, which confirm that the sample is
representative of the full S&P 500 group.
Number of Employees
1 to 5,000
16%
5,000 to 10,000
18%
10,000 to
20,000
19%
20,000 to
100,000
35%
>100,000
12%
S&P 500
1 to 5,000
11%
5,000 to 10,000
15%
10,000 to
20,000
23%
20,000 to
100,000
39%
>100,000
12%
Interviewed Companies
53
Annual Revenue (2010)
$1-to-$5 Billion
35%
$5-to-$10 Billion
23%
$10-to-$20
Billion
19%
$20-to-$100
Billion
20%
> $100 Billion
3%
S&P 500
$1-to-$5 Billion
28%
$5-to-$10 Billion
18%
$10-to-$20 Billion
18%
$20 –to-$100
Billion
33%
> $100 Billion
3%
Interviewed Companies
54
Appendix 2A. 10K Risk Factor Mentions across Industry Sectors
It is also interesting to compare Risk Factor mentions for each industry sector individually; that
analysis reveals important heterogeneity as one would expect.iii
FIGURE 2A. COMPARISON RISK FACTOR MENTIONS IN 10K OF SP500 INTERVIEWED FIRMS BY SECTOR
iii The number of interviewed firms varies by industry sector: consumer discretionary (17), consumer staples (6), energy
(7), financials (22), health care (11), industrials (6) information technology (14), materials (4), telecommunications (1)
and utilities (5).
55
0
10
20
30
40
50
Industrials
2007
2011
56
0
20
40
60
80
100
Information Technology
2007
2011
0
2
4
6
8
10
12
14
16
Materials
2007
2011
0
1
2
3
4
5
6
7
8
Telecommunications
2007
2011
0
5
10
15
20
25
Utilities
2007
2011
57
Appendix 2B. Percentage of the 10Ks Discussing Specific Risks (across sectors)
We combined the 2007 and 2011 10Ks and generated the ranking of the top 10 risk factors discussed
by firms for each industry sector.
FIGURE 2B. TOP TEN RISKS (AS PROPORTION OF THE 10K DISCUSSING THAT RISK FACTOR)
(2007 AND 2011 COMBINED)
58
59
Appendix 3. Methodology for Analyzing Stock Price Changes
Given our broader interest in events that lead to a significant change in stock return, we did not only
look at how stocks evolved one day to the next (since the market can overreact to a sudden event but
come back rapidly in just a few days) but developed an algorithm covering periods of 10-trading
days.
Let us consider the following example. Firm A had the following daily stock return for the period
October 27-November 7:
On a given day we can calculate the 10-day (forward) adjusted stock return. Let’s say the stock is X
on October 26. The 10-day return (for October 27 to November 5) is 32.6% in this example (X*1.05
* 0.92 * 1.02 * 1.03 * 1.08 * 1.09 * 1.07 * 0.98 * 1.08 * 0.98). The 10-day adjusted return for the
stock of firm A for October 28 is 30.2% (i.e. X*0.92 * 1.02 * 1.03 * 1.08 * 1.09 * 1.07 * 0.98% *
1.08 * 0.98 * 1.03), etc. This is then done for each one of the firms for all 251 trading days in a given
year (total of 2,761 trading days). In total we thus looked at 1.4 million trading-days/firm datapoints.
Adjusted 10-day Stock Return (10-day model)
5% -8% 2% 3% 8% 9% 7% -2% 8% -2% 3% 5%
10/27 10/28 10/29 10/30 10/31 11/1 11/2 11/3 11/4 11/5 11/6 11/7
10/27 10/28 10/29 10/30
32.6% 30.1% ? ?
60
We then control for industry-effects by calculating the difference between the 10-day adjusted stock
return for a specific firm and the industry average 10-day adjusted stockiv over the same 10-day
period. The algorithm then generates “events of interest” where this difference is higher than 20%
(up or down).
As a hypothetical illustration, let’s consider the month of October 2009 and four firms which compose
a given industry (or sub-category of that industry). For four consecutive trading days we calculate
the 10-day adjusted stock return for those firms (e.g., -19% for Firm A on October 27) and compare
it to the industry average, Δ measuring this difference. The algorithm then determines firmi/trading-
dayt where Δ is higher than 20 percentage points.
Illustrative example of event selection. 10-day adjusted stock return for firms and industry average.
Firm A Firm B Firm C Firm D Industry Average
10/27 -19% (Δ=-6.5) -22% (Δ=-9.5) -18% (Δ=-5.5) 9% (Δ=+21.5) -12.5%
10/26 3% (Δ=+1.75) 2% (Δ=+0.75) -4% (Δ=-5.25) 4% (Δ=+2.75) 1.25%
10/25 4% (Δ=-0.25) 6% (Δ=+1.75) 3% (Δ=-1.25) 4% (Δ=+0.25) 4.25%
10/24 10% (Δ=+8.5) 8% (Δ=+6.5) -20% (Δ=-21.5) 8% (Δ=+6.5) 1.5%
In this simple example, two events of interest would be selected: one “gain” for Firm D and one
“loss” for Firm C.
There were approximately 23,000 such events of interest that were picked up by the algorithm. Of
course since we look at a 10-day window it is likely that drop or gain events are related to the same
driver around this 10-day window. Another algorithm was thus built that clumps such events together:
If an event was less than 3 days away from the other events of interest, then it is clumped together as
one single event. We ended up with a total of 5,800 events that have moved the stock price of a given
company more than 20% than its competitors.
We then regrouped these events into a predefined set of categories called risk factors. The goal was
to better appreciate whether these events were mainly driven by specific risk factors, whether there
were noticeable patterns across industries in the S&P 500 and finally, whether firms were more likely
to bounce back after having seen their stock drop more than 20% in 10 trading days if this drop was
driven by specific types of risk. In other words, certain risk drivers might have more enduring effect
on the stock of these firms. In total there were 1,520 events of interest where the stock of a firm
dropped more than 20%. We analyze those 1,520 events in Section 5 of this report.
iv Industry average was calculated by averaging each 10-day number of all the companies in the industry.
61
Appendix 4. Leadership and Governance Lessons from Three Case Studies
As we conclude this preliminary report we would like to illustrate some key concepts with three concrete and
detailed cases of lessons of leadership at the top of organizations that had to go through significant crises in
recent years. Deutsche Bank—a German Bank operating worldwide—managed the 2011 Japan earthquake,
tsunami and nuclear accident. This case was written in collaboration with Deutsche Bank’s senior management
who gave us permission to include number of details and names. The other two cases are based on interactions
with firms we interviewed as part of our S&P 500 study. For this reason no names of individuals or the
companies are mentioned.
CASE A1. Deutsche Bank: An Unprecedented Disaster on the Other Side of the Planet
On Friday, March 11, 2011, the largest earthquake in Japanese history shook much of the country at 2:46 p.m.
Tokyo time. At 9.0 magnitude on the Richter scale, the Tōhoku earthquake was the fourth largest earthquake
to occur anywhere on Earth within the past century. By contrast, the Haiti earthquake on January 12, 2010,
which killed an estimated 300,000 people and injured another 300,000, registered only 7.0 magnitude.22
During the 6-minute Tōhoku earthquake, more than 200 miles of the Japanese coastline dropped 2 feet, Japan
moved 7.9 feet closer to North America, the Earth shifted its axis by 10 inches, and the globe’s rotation slowed
by 1.8 microseconds. Building damage was extensive, despite Japan’s tough earthquake-resistant building
codes. But, far more devastating – what indeed would prove catastrophic – was the earthquake’s after-effect
felt approximately 15 to 20 minutes later.
Just 45 miles off the peninsula of Tōhoku, a 10-foot upward thrust of the sea floor created an enormous outflow
of water in all directions. The resulting tsunami rose 30 feet above normal sea level in many coastal regions,
sweeping inland as much as 6 miles along Japan’s northeast shoreline, destroying almost everything in its path.
The Japanese government estimated that more than 15,000 people perished in the earthquake and resulting
tsunami and approximately 9,300 people were missing or injured, almost all in the country’s northeast.
Deutsche Bank AG, one of the world’s largest banks with offices in countries spanning the globe, had a
significant presence in Japan, concentrated mainly in Tokyo where most of its 1,500 staff was located when
the disaster struck. Within 24 hours of the event, Victor Meyer, the bank’s global head of Corporate Security
and Business Continuity (CSBC), confirmed that all of the bank’s employees were safe and secure. Though a
great relief in itself, this would provide only momentary respite for Meyer and the firm.
Minutes after the earthquake, an enormous wall of water swept down along the northeast coast of Japan toward
the Fukushima Daiichi nuclear power plant, one of the world’s 15 largest atomic power complexes with 6
nuclear reactors at the water’s edge. Japan is a famously active seismic area and protection from hazards
associated with seismic events had been engineered into the Fukushima plant. Under government regulatory
oversight, Tokyo Electric Power Company Incorporated (TEPCO), the plant’s owner/operator, had constructed
a water barrier to defend against a tsunami resulting from an 8.0-magnitude earthquake. But, the Japanese
earthquake, at 9.0-magnitude, was approximately 30 times more powerful. The Tōhoku earthquake sent a 45-
foot wave crashing over the plant’s 20-foot barrier, flooding a set of backup generators that were programmed
to kick in if the plant’s power supply was interrupted and if several hours of reserve battery power were also
exhausted. The tsunami cut off external power to the plant, and although the reserve batteries worked as
62
designed, they quickly reached their designed time limit, and without the backup generators, the plant’s main
water pumps were soon without power to cool the reactors’ cores and spent fuel rods nearby.23
In the ensuing days, three of the Fukushima plant’s reactor cores melted, three sets of spent fuel rods exploded,
and blasts ripped off two of the reactors’ outer containment structures, resulting in the spewing of significant
amounts of radiation into the air and water that would linger for weeks. The government first ordered
evacuation of all residents within 12 miles of the reactors and then expanded the evacuation zone out to 18
miles. As the crisis continued and seemed to worsen, a voluntary or even mandatory evacuation seemed
conceivable for a much larger region. An evacuation could have been extended to Tokyo, just 140 miles to the
southwest, with a regional concentration of approximately 35 million residents who had so far escaped the
effects of the tsunami.24
Victor Meyer started preparing for the worst-case scenario.
Global Director of Corporate Security and Business Continuity
Deutsche Bank was a full-service provider with offices in more than 70 countries around the world. The largest
financial institution incorporated in Europe, the bank employed more than 100,000 people, and, in 2010,
generated US$43 billion in annual revenue, ranking just behind Citigroup and ahead of HSBC Holdings. The
Tokyo operation served customers in Japan, the world’s third largest economy after the U.S. and the People’s
Republic of China.25 It also served as the franchise hub in northern Asia, managing everything from corporate
credit lines to private banking for wealthy customers throughout the region.
When Meyer joined Deutsche Bank in 2004 as head of Corporate Security and Business Continuity, he was
already familiar with dire threats and large-scale disasters. A graduate of the U.S. Naval Academy, he had
served for more than 15 years as a U.S. Navy SEAL before attending business school. He was responsible for
security in the recovery of the USS Cole in Aden, Yemen, in 2000 and had risen to be chief of Counter-
Terrorism & Contingency Plans for the U.S. Navy for the European and African regions. Just prior to joining
the bank, he had served on a task force to track and seize terrorist finances.
Crisis Management Training and Capabilities
Well before the events of March in Japan, Meyer and his staff had built an extensive crisis management training
program which inculcated response actions into the firm’s DNA, not only for operational events like natural
disasters, but for financial risks as well. They focused on countries where the sovereign risk rating was weakest,
natural disasters most frequent, or headcount largest. The way in which the exercises were incorporated into
the Risk Division’s flagship development program for managing directors, the International Center for Risk
Management, was particularly distinctive.26 Its crisis management exercise component was designed to assess
candidates’ ability to make decisions under pressure and with incomplete information. Candidates participated
in a two-day crisis simulation formulating a response to major crises, such as a pandemic or hurricane passing
in close proximity to a major city. Senior observers from external companies and service providers were added
to enhance realism.
To prioritize delivery of the crisis management exercises by location, the company created a three-tier training
regimen. Tier 1, the most critical, consisted of operations whose annual revenue exceeded €500 million, the
workforce numbered more than 1,000 full-time-equivalent employees, and its country risk rating was high or
63
extreme. Tier 1 operations were required to undergo an annual crisis management exercise and train their most
critical employees in catastrophic risk response. Tier 2 operations were required to conduct the exercise every
other year and train critical employees. Operations in Tier 3, the least critical, did not conduct the simulation
but were required, nonetheless, to provide the training. Even with intensive exercises limited to Tier 1, Meyer
and his staff mounted 26 major crisis management exercises worldwide in 2011, with simulations entailing
responses to crises such as financial collapse, cyber-attack, flu pandemic, fiber optic break, and terrorist
assault.
Meyer built the company’s crisis management training program on several premises that had emerged from
recent company experience: specific plans will be of less use than an ability to develop an impromptu plan;
partnerships are essential for intelligence and resources, but partners will be pulled back by their own biases
and constraints in a crisis; and, while catastrophic risks are increasingly global by virtue of greater degrees of
interconnectedness, local response is also vital.
Though working in banking might appear to be a far more sedate existence than that of combating terrorism,
Meyer’s years at Deutsche Bank had proven anything but routine. The financial meltdown of 2008 through
2009 and a series of major disruptive events, from the Mumbai terror attacks in 2008 to the threatened H1N1
flu pandemic in 2009, had dramatically increased the importance of good crisis management across all risk
disciplines.
Deutsche Bank’s disciplined approach to risk management, built up over many years under the leadership of
Chief Risk Officer Hugo Banziger, had served the bank well, particularly when compared to most peers.27 But
now Meyer faced still another seemingly once-in-a-lifetime event, his third black swan in three years, a
potentially catastrophic event, the real implications of which were just beginning to emerge.28 It appeared
increasingly probable that the events they were witnessing constituted a trifecta in which an earthquake, a
tsunami, and a meltdown would cascade to create a severe disruptive threat to the bank’s operations in Japan.
Preparing for the Worst
Meyer was in Hong Kong on the afternoon of Friday, March 11, when he learned of the terrible events
unfolding in northeast Japan. He watched in horror as CNN repeatedly showed video clips of the tsunami
sweeping inland. Within three hours, he had confirmed that the earthquake and tsunami had not, so far,
destabilized the financial markets or damaged company networks. Furthermore, there were no reported missing
or injured employees. He anticipated modest aftershocks, but as he boarded a flight to London, it appeared
that, overall, there would be minimal impact on the bank and little danger to business as usual for the Monday
opening. For the global bank, it seemed that the events would constitute little more than a local disruption; the
most critical problem was to ensure that all stranded employees reached their homes safely. The bank had thus
far been fortunate.
By the time Meyer landed in London, reports from Japan had turned ominous, and he began to reassess the
enormity of the earthquake’s aftermath. Colleagues in Asia were evaluating the impact in a more
comprehensive way. He had received e-mail messages from them that pointed to potential future problems.
They warned, for example, of rolling blackouts that could disrupt the power supply to the bank’s data centers.
Meyer realized that he could not yet quantify the risks, but he understood intuitively the disruptive potential
of the crisis. Meyer devoted his time in preparing for the possibility that the earthquake’s aftermath could have
a serious longer-term impact on the bank’s staff and business. The damage directly related to the tsunami on
64
the northeast coast was devastating. Reports of thousands of deaths and thousands of missing people with
scenes of destruction from floods and fires raging out of control had been broadcast across the nation. Whole
seaside villages had been swept away. Yet, it did not appear that these effects, though widespread, could
cascade in a way that would disrupt a broader area, including the capital city.
By contrast, the loss of generating capacity from the Fukushima plant was already disrupting Japan’s electrical
grid, with some reports suggesting that there could be some form of meltdown and release of nuclear material.
If radioactive debris spread to Tokyo, the bank could conceivably be confronted with the prospect of a sudden
evacuation of its staff. At the least, it could cause the inability of much of the bank’s staff to access its main
premises and support its most vital operations in Tokyo, such as its main data center. Meyer had no real-time
information on the rapidly worsening condition in the Fukushima plant’s reactors, but the situation seemed to
be, at best, highly uncertain, and he began to compare it to one of the worst disasters in history: What if the
overheating nuclear complex degenerated into a situation similar to the Chernobyl disaster?29 He worked
nonstop to prepare for the worst, and he initiated a daily briefing of Deutsche Bank’s chief executive Josef
Ackermann and chief risk officer Hug Banziger.30
By March 17, six days after the earthquake, the Japanese government had ordered 200,000 people who resided
within 12 miles of the Fukushima plant to evacuate and the U.S. Department of Defense authorized family
members of military personnel who were stationed in Honshu – Japan’s largest island, the mainland where the
damaged power plants were located – to evacuate the entire island. The U.S. Department of Defense also
suspended travel of families of military personnel into Honshu.31
Meyer learned that CNN – which routinely reported on the ground from critical places worldwide – was pulling
out of Tokyo. It was rumored that Lufthansa Airlines flight crews were balking at landing in Tokyo. The
government of France recommended that its nationals leave Tokyo, and as Meyer noted to his colleagues, “The
French know a thing or two about nuclear reactors.” He began to wonder if they knew something he didn’t.
As daily reports from Tokyo offered increasingly apocalyptic scenarios for the nuclear power plants whose
cooling had now been completely compromised, Meyer considered what his immediate priorities should be,
in addition to the people with whom he should communicate as well as the method of communication he should
utilize. Because of the highly uncertain and possibly rapidly deteriorating conditions, Meyer escalated
management response to the highest level – Deutsche Bank’s Management Board. Meyer began briefing the
Board every day at 11 a.m. Eastern Standard Time. In London and Frankfurt, where most of the senior
executives operated, the daily briefing was held at 4 p.m. and 5 p.m. in local time. It was the first incident
since he had joined the bank that Meyer had confronted a disaster serious enough that it required daily crisis
briefings with the Board. Meyer also had to consider whether his team was ready for what was shaping up to
be a high-intensity, multiday crisis. And perhaps the most uncertain factor was whether the nuclear crisis would
spiral out of control, necessitating the rapid relocation of Deutsche Bank’s employees and their families at a
time when greater Tokyo’s some 35 million residents would all be trying to do the same thing. Meyer asked
himself, “Was he ready to order an evacuation, what should be the final trigger, and did he have a realistic,
executable plan?”
The Evacuation Decision
Six concerns dominated Meyer’s report to the Board on the sixth day after the earthquake. First, he paid close
attention to the announcements made by the Japanese government, and, at the moment, the government was
65
not recommending a widespread evacuation. As a supplement, Meyer also monitored what the U.S. Nuclear
Regulatory Commission (NRC) disclosed. It was initially reassuring that Japanese regulators were stressing
business as usual, but as NRC administrators and Japanese reporters began to suggest that the situation was
continuing to deteriorate, the government’s reticence became increasingly concerning.
Second, Meyer monitored activity on the Tokyo Stock Exchange since he was concerned that it might suddenly
be shut down, though authorities were, thus far, silent about this possibility. Third, he considered a scenario
where power and other critical infrastructure in Tokyo would be disrupted, severely affecting the bank’s ability
to operate. Fourth, he tracked the status of the compromised Fukushima plant’s containment vessels and
monitored the weather, as the direction of the winds could potentially send any radioactive release toward
Tokyo. Fifth, he was concerned that the German media would confront the Board about the bank’s actions to
protect its employees in Japan, especially as the crisis appeared to worsen by the hour.
And, sixth, while the German media was likely to focus on the bank’s 38 German nationals in Tokyo, the
Japanese media would be concerned about the bank’s locally hired staff. Meyer believed that the bank’s
expatriates and locals would have to be supported equitably, but also distinctly, particularly because their needs
differed. The bank knew that local staff would be reluctant to leave extended family members behind if it
offered relocation options and the expatriate staff would likely be eager to leave.
After conferring with the bank’s regional management in Tokyo, the Board decided to authorize temporary
relocation of any expatriate families who opted to evacuate. It also authorized the Tokyo office to book hotel
rooms in southern Japan for local employees in the event of a mass evacuation. Meanwhile, as a precaution,
the bank was already moving staff members and their families who were critical to the management of the
firm’s risk positions abroad, dispersing the bank’s Tokyo traders to Singapore, Hong Kong, Mumbai, Sydney,
and London, and its operations staff to Manila.
All of these actions required moving quickly within a network of constraints. Visas were required for many to
work elsewhere, as well as regulatory approval to trade in new jurisdictions. And, bringing emergency supplies
into Japan – food, batteries, sleeping bags, and satellite phones – created their own time-consuming hurdles.
At the time, Japan did not allow the import of food with preservatives or batteries, and customs officials and
other regulators did not ease these rules in the face of the unprecedented conditions.
Some contingency planning proved expensive. Deutsche Bank rented 600 hotel rooms in various cities in
southern Japan. Fukuoka, one of the largest Japanese cities most distant from Tokyo, was the destination
preferred by planners at several companies, and Deutsche Bank found itself competing not only with other
firms but also with a local sport tournament. Even when it offered US$100,000 to one hotel for the option of
reserving all its rooms over the next 20 days, the request was denied. Chartering a Boeing 747 aircraft to fly
employees and their families from Tokyo to Hong Kong would have cost approximately US$1.3 million per
trip – a price that fluctuated daily, and sometimes hourly, as both charter companies and potential buyers
monitored the media coverage.
Loss of Trading
Given the high volume of the bank’s Japan-based sales and trading, Meyer knew that the business flow could
not be interrupted without dire consequences. “If we lose a trading floor for an extended time,” Meyer said,
“we are in a worst-case scenario that requires activation of our secondary trading floor, redeployment of staff,
and dynamic management of open risk positions.” Worldwide, the company executed more than one million
66
transactions per day and cleared more than US$1 trillion in euro/dollar exchanges, the lifeblood of the bank.
A Japanese regulatory authority had deemed Deutsche Bank to be one of the most systemically important
banks in the world. If its Tokyo operations were suspended, it could disrupt sales and trading in Hong Kong,
Seoul, and other capital centers.
Deutsche Bank’s primary trading floor was adjacent to the Imperial Palace in Tokyo, and Meyer reasoned that
it was least likely to suffer blackouts if power supplies fluctuated or were compromised altogether. But other
centers did not enjoy the same protective geography. Meyer concluded, “We may have to move some trading
and operations activities out of Japan,” and he and his staff had to be ready to brief the decision makers in the
various business lines about this contingency.
As Meyer and his colleagues were escalating their crisis management activities, by the second week of the
crisis at the Fukushima plant, they had concluded that they had to raise decision making up to the highest level
in the risk hierarchy. This required making an independent appraisal of whether the disaster at the Fukushima
plant complex could spin further out of control as the core meltdowns deteriorated. Though it was a highly
technical issue, Meyer had become skeptical of appraisals coming from TEPCO. He began to draw upon his
own indicators: Were the crews battling to stabilize the stricken plant on-site or had they been evacuated due
to excessive radiation levels? How low were the water levels in the reactors and over the fuel rods? What were
the forecasts by independent experts? Could a fire in one of the damaged reactors waft radioactive isotopes
into the atmosphere? Which way were winds likely to prevail in the days ahead? When would electrical power
be established to the cooling pumps, and how badly had they been damaged by the tsunami? The unreliability
and variability of reports from external sources forced Meyer and his team to quickly gather primary
information from a network of experts in nuclear safety and management of nuclear accidents and then to draw
their own conclusions on which to base risk management decisions.
Key Risk Indicators
Meyer established a set of key risk indicators (KRIs) which he and his team carefully monitored for any
movement. “When we put these KRIs in place,” he said, “we would start every morning by going through our
intelligence, culling that information, going risk by risk, and talking about each. Is it getting better? Is it getting
worse? Is there no change?” Then, when he briefed the Board later in the day, he relied on his own trend data.
He began the briefing with what had occurred the night before. “This is what happened overnight,” he
explained. “This indicator is trending up, this indicator is trending down. This is why we take this view, this
is what we don’t know, and here are the gaps in our information.”
Information provided by competitors was one source that proved especially valuable. Meyer participated in
regular conference calls with his counterparts at rival banks where he learned that their public declarations
were not always in accord with their private actions. While some banks were publicly asserting that they were
operating as business as usual, Meyer learned that they were covertly evacuating employees out of Tokyo and
had booked hotel rooms in southern Japan.
Because of the bank’s global footprint, Meyer sustained his intelligence gathering around the clock. As night
fell in Japan, the process continued in Singapore, then Frankfurt, and then New York. In the morning, Meyer
received a summary of the night’s developments which he used for his daily briefing. In one of these briefings,
he reported great uncertainty and complexity: the Fukushima plant had suffered explosions resulting in
radiation leakage and the evacuation of nearby residents; the Japanese government had urged companies to
stay while the German government had recommended the opposite.
67
Global Strategy and Local Action
Though the bank was headquartered in Frankfurt, Meyer had decided to devolve as much of the crisis decision
making as possible to management in the local region. He depended heavily on the local CEO and COO, who
held formal roles as crisis managers in the bank’s Crisis Management organization. A chief of security,
Operational Risk/Business Continuity Management for the region, reporting to Meyer, was based in Tokyo.32
Meyer had built a risk team around him in Japan, including a corps of first responders who could render aid
and stage a rescue within one hour if necessary. This local network made sense because local managers were
better positioned to appraise the risks on the ground. It was their own operations that would be affected, as
well as their own health and safety. They had the greatest stake in making optimal decisions. Since this was a
crisis with global consequences for the company, strategic oversight from headquarters was required, but
Meyer ran the tactical-level crisis management from Tokyo.
Despite the evident advantages of a local approach, Meyer was aware that the crisis managers on the scene
would need help and that they would be heavily influenced by the local situation. As fatigue set in, their
decisions would require independent oversight. The Japanese government appeared to be downplaying the
crisis and its direction, suggesting that the power plants were under control while other factors suggested the
contrary. Meyer wondered if local managers were being affected by calls for patriotic stoicism and thus not
accurately assessing the situation. Local managers were also eager to get back to business as usual. Since the
company policy was to apply most of the costs of the crisis to the budgets of the affected local business units,
a less severe crisis would entail fewer costs for these units. Accordingly, Meyer warned the local risk managers,
“not to go native, succumb to groupthink, or give in to stress and fatigue.”
The German government recommended that companies evacuate their German staff from Tokyo, and the
German reporters asked the chief risk officer and regional managers whether they would do so. Meyer and his
team decided to respond in a limited way: three expatriate German managers were evacuated; non-German
expatriate staff were given the option to move their families out of Japan; and 30 foreign employees who had
been in Japan on business travel were extricated. In all, 100 bank employees were moved offshore.
For the bank employees who remained in the country, all Japanese nationals, Meyer considered the
contingencies: If a mass evacuation of Tokyo were desirable, or even required, could the company obtain the
aircraft, the supplies, and the hotel rooms that would be required at a time when millions of others might be
vying for the same resources?
Epilogue
By the end of March, TEPCO was gradually gaining control over the leakage of the Fukushima plant’s reactors,
and though modest levels of radiation continued to spread across the region and into the food chain, it became
evident to Meyer that a mass evacuation and business closure in Tokyo was unlikely. The company had
suffered from rolling blackouts at some of its facilities and fear-fueled distraction had been widespread among
both employees and customers. Meyer estimated that productivity at its nadir was down to about one-third of
what was considered normal, but was now climbing back to pre-crisis levels.
Meyer suspended the daily briefings with the Board, and the company dispatched a Board member to visit the
Japanese operations, signifying that inbound traffic was once again safe enough to authorize. “We’re
committed to the franchise,” Meyer paraphrased the Board’s message to the Tokyo staff. “This has been a
traumatic event, but it’s time to look forward. The best way to put this behind us is to get out there and generate
more business.”
68
Crisis Preparedness
There was much to be learned from these events. Not even a week into the unfolding calamity, Meyer began
taking mental notes for future reference. The Risk Division’s planning for catastrophe had proven effective for
managing the unexpected. Meyer’s daily briefings with the Board had proved to be invaluable, mainly for the
two-way exchange of information, though far less useful for directives from the Board or requests from
himself.
After these events, Meyer knew he had to more aggressively prepare for the worst-case scenario in the future.
“If anybody had told us to anticipate the collapse of the [World Trade Center’s] Twin Towers or a meltdown
of four reactors,” he said, “I would not have worried about it before, but now I do.” He had no catastrophic
plans to execute. If he had wanted to prepare blueprints before these events, Meyer felt that his supervisors
would have responded with, in Meyer’s words, “You’re out of your mind.” After the events of March 2011 in
Japan, Meyer knew that he would have to prepare for the most extreme crises.
He also better appreciated how difficult it could be to obtain reliable and actionable information in the middle
of a crisis. Much of the essential real-time technical data on the evolving conditions at the Fukushima plant
was either not released to the public or was altered to appear less disastrous. Securing the kind of information
that was vital for the biggest decision that he faced – whether to evacuate all bank employees and their families
from Tokyo – was difficult, and the information he had obtained depended on preexisting relationships. The
media had overstated the risks and provoked anxieties while the information released by the government
downplayed the risks. Both elicited distrust. Meyer learned that it was critical for managers to provide informed
and accurate appraisals of their own. And, anticipating and responding to employees’ fears and concerns were
an important part of risk management.
Meyer also knew that, for future crisis leadership, he had to factor that Deutsche Bank, like most financial
institutions, was sensitive to market and regulatory perceptions and conscious of the interests and concerns of
policy makers. Taking actions that suggested that the government of Japan was being less than forthcoming in
its reporting on the crisis could only be conducted covertly.
A final lesson of the Fukushima plant experience for Meyer was the importance of global dependency; though
the bank was headquartered in Germany, an earthquake on the other side of the globe had sent Meyer, his
team, and senior management into crisis mode for more than one month. He knew that intercontinental
dependency was likely to become even more prominent in the future. The bank’s footprint would be more
extended, including more offshore staff and satellite operations that would be more vulnerable to disruption.
Even before the Japanese crisis of March 2011, Deutsche Bank had been moving toward greater catastrophic
risk preparedness. In the wake of the Indian Ocean tsunami of 2004, the 2010 Haiti and Chile earthquakes, and
the 2010 Pakistan floods, the company, in the words of an internal planning document, “became convinced of
the need to better clarify the bank’s response to catastrophic events in locations with a presence and/or
travelers.” The agenda, the company stated, was to, “better define the bank’s legal, reputational, operational,
and ethical responsibilities during a large-scale catastrophic event.” This meant emphasizing the firm’s
commitment to each of its country operations; constructing a command and control system all the way from
front-line managers to Board members; placing a priority on the security of employees; ensuring uninterrupted
clearing, settlement, and payment services; adjusting liquidity; and creating a global coordination group that
had the ability to make well-informed decisions during a crisis.
69
Looking Ahead for Leadership during the Next Crisis
The Tōhoku trifecta served as a real-life stress test of the catastrophic risk management system that Meyer and
his staff had built. Like all such trials, it reinforced current practices, such as training simulations for extreme
risks, and defined new ones, such as creating a means for better intelligence gathering during a crisis. It also
reinforced Meyer’s long-standing emphasis on strategic planning and tactical flexibility that allowed him to,
as he stated, “make decisions very, very quickly.”
While catastrophic risk management at Deutsche Bank was arguably stronger for having been put to a real
test, the tsunami’s calamitous breaching of the barriers at the Fukushima plant complex forced Meyer to look
back on the past month of crisis management and wonder what he could have done differently with the benefit
of hindsight: Had he sufficiently engaged the CEO and the Board? What else should he have put in place to
react rationally to the evolving disaster? Did the company have the mindset, the leadership, and the governance
in place to successfully handle the next low-probability, high-impact event? What were the most important
leadership and governance lessons from his experience during the crisis in Japan?
In answer to the last question – at the center of this study – we can extract several lessons from Deutsche
Bank’s experience in the wake of the earthquake and tsunami. They will certainly not be of universal value,
but we believe that they can usefully guide the leadership and governance of other large companies. Box A1
provides an extrapolated summary of the emergent leadership and governance principles from both Deutsche
Bank and Morgan Stanley.
70
Box A1. Leadership and Governance Principles from Deutsche Bank in Japan
Leadership
L1.1. Prepare for the worst-case scenario, as Victor Meyer did in the wake of initial indications that the
Fukushima meltdown could lead to a mass evacuation of the Tokyo region.
L1.2. Build a comprehensive crisis management training program well before a disaster strikes – as seen in
at Deutsche Bank’s International Center for Risk Management – that includes general managers, hands-on
simulations, and an appreciation for what can unexpectedly go wrong in management during a crisis, such as
tactical responses and biased decisions.
L1.3. Think deliberatively and act strategically, as evident in the bank’s cautious approach to evacuating
Tokyo when it appreciated the enduring damage that a precipitous exit could cause in its long-term relations
with the national government.
L1.4. Gather detailed real-time data on a prospective catastrophe from independent and reliable sources, as
Deutsche Bank did in asking nuclear experts and competitor banks for their reading on the power-plant
meltdown.
L1.5. Prepare for worst-case scenarios, and when it appeared that a Tokyo evacuation may be necessary, the
bank began dispersing key staff members abroad and arranged for hotel rooms in southern Japan, charter
flights to secure destinations, and possible disruptions in trading.
L1.6. Delegate decisions to local operations and first responders most affected by the crisis, but work
centrally to prevent local decisions biases that can stem from fatigue, stoicism, and group think, as seen in
Victor Meyer’s work with the Tokyo office.
L1.7. Create a company capacity for fast decisions that are both strategic in concept and tactically flexible,
as Victor Meyer had appreciated were essential from both this and prior experiences.
L1.8. Use each crisis moment to strengthen the next encounter, encoding past experience into active risk
management going forward. When Deutsche Bank’s New York operations were battered by Hurricane
Sandy in 2011, the principles in this box, now strengthened by their more salient understanding from the
Japanese experience, informed the bank’s response to Sandy, just as Morgan Stanley had learned from the
1993 World Trade Center bombing.
Governance
G1. When it appears that a mild crisis could escalate into a catastrophic event, take the issues and decisions
up to top management and even the board of directors – as Victor Meyer did in the wake of CNN’s
withdrawal from Tokyo and flight crews’ unwillingness to land in Tokyo.
G2. Define, monitor, and repeatedly communicate key risk indicators to executives and directors, as
Deutsche Bank’s management did as the problems with Fukushima escalated.
G3. Disengage executives and directors at the crisis subsides, as seen in Victor Meyer’s de-escalation of
their involvement once TEPCO brought the nuclear crisis under better control.
G4. Develop metrics of global interdependency that can alert risk managers, company executives, and board
directors about local and regional developments that can place the firm’s operations at risk, as seen in
Deutsche Bank before and during the Japanese crisis.
G5. Institute a crisis command-and-control system from front-line employees to the board of directors for
reacting to catastrophic risks before they emerge, as Deutsche Bank had come to stress.
71
CASE A2. Disaster Salience at a Major Retailer
In completing our interviews with managers, executives, and directors of companies included in the Standard
and Poor’s 500 – America’s 500 largest firms by market capital – we have identified a number of firms that
had adopted a range of practices that we believe will enhance a readiness for catastrophic risks. Many of their
practices are evident in what we have already seen at Deutsche Bank, but they are not identical, and by looking
at these companies, we see still additional leadership and governance principles in action. We have also
identified several firms whose practices are more limited. To appreciate the difference, we first offer a brief
account of one of the firms with an extensive set of catastrophic practices – and then by contrast a firm with
less risk readiness.
The first enterprise is a major retailer with 37,000 employees and 2012 revenue of more than $8 billion.
Founded more than 30 years ago, it operates more than 5,000 stores, almost entirely in the U.S. The company
had not faced a catastrophic threat of the scale that confronted Deutsche Bank in Japan, but it has encountered
a number of significant threats, topped by the impact of Hurricane Katina on a number of outlets in the New
Orleans region. The loss was less than $15 million altogether, little more than rounding error for an $8-billion
firm, but the storm affected so many stores that a number of senior managers became exercised about the losses
and more committed to building resilience before the next super-storm.
Though still without a personally-experienced catastrophic experience to learn from, the company had
nonetheless created a host of risk defenses, including:
Insertion of risk recognition and mitigation into all management functions and levels.
Continuous refinement of the risk-protection devices from on-going experience.
Pinpointing responsibility for risk in the company the audit function and the board’s audit committee
– but as the same time holding all managers responsible for risk in their own arena.
Periodic reporting of top company risks to the board of directors.
As described by a senior manager at the company, “from our perspective everybody in this corporation has
responsibility for risk mitigation – identifying and mitigating that risk.” That’s a “broad statement,” said the
executive, “but it’s really true here.” The internal audit committee took the lead, compiling data on the 50
greatest risks to the company – some major, most minor – and reporting the ten gravest to the board every
quarter. But management of the risks was not confined to that office. The firm mandated hazard identification
and mitigation all the way down from divisional vice presidents down to front-line employees.
The retailer insisted that store managers play an inductive role in foreseeing emergent threats. A company
task force annually worked to identify ways of cutting costs, for example, and it deemed major risks a
significant source of loss. The task force reached down to store managers for what they saw, and then
aggregated their front-line experiences up the chain. The executive characterized the process as “bottoms up,”
with every front-line unit required to identify its risks and ways of reducing them. The company initiated the
annual “bubble-up process” in the fall and brought it to a head by February.
By way of one example, the company learned that a competitor had been hit by significant legal losses from
its misallocation and misuse of vendor funds. Aware that the same could happen in the decentralized
operations of this company, internal audit instituted a set of procedures to guard against what it had not
previously anticipated but now feared. The auditors would likely not have seen this from their functional
72
perch, but lower levels in marketing and merchandising brought it up to their attention. In response, the
company created a training program to ensure that the risks here did not become material.
By way of a second example, mid-level employees came to worry about a loss of the company’s information
backbone. The primary location for its hardware happened to be in an earthquake-prone region, and
management as a result set up an expensive backup system in case the main system was lost. Human factors
mattered as much as their machines. To avoid disruption of the information system failed, the firm instituted
an incident command system in which responsible parties were pre-identified and solution protocols pre-
approved.
Besides extending down to the front-lines, the audit function reached upward as well, with staff annually
interviewing at least the top three layers of senior management about what they saw as the firm’s greatest
threats. The company then targeted two or three of the year’s greatest hazards for reduction. To build risk
into woodwork, the company also required that every division’s annual operating plan address the major risks
that it faced.
The directors jumped into the issue matrix as well. The board for instance, became worried about the firm’s
aging inventory, potentially tying up or destroying its capital as customers bypassed older products for newer
items.
The governing board explicitly came to make management responsible for executing its risk mandates. Board
materials came to carry a summary of risk-reduction actions that management had taken as of the prior meeting,
and new actions since then. In the summary words of one executive who worked with the board, directors are
“very active and preemptive in everything,” constantly raising “what-if” scenarios with the executive team.
At one board meeting, for instance, the directors asked about terrorist threats to the company’s distribution
centers whose disruption could result in huge losses to the company. If one of the company’s half-dozen
shipping centers were closed by a bomb or fire, its just-in-time resupply systems could force a closing of
dozens of stores, the lifeblood of the company. In response to the board’s anxiety, management created a
protocol for creation of a temporary distribution center if need be. And it took the more tangible step of
building still another distribution center, not yet dictated by business needs but wise to have for buffering risk.
The new center would bring some savings in logistics, but it was also seen, reported the executive, as an
“offset” to “what we felt was a material risk if something were to happen.”
Directors pressed executives both to better understand the likelihood and target of terrorist threats and what
the company should be doing to prevent such threats. They have been “very preemptive about making sure
that [executives] understand that risk,” reported the executive. They are “not here just to collect a board of
directors check. They really want to perform a really good corporate governance role for us.”
As the center of the directors and executives’ engagement – and wiring that center together – were the
company’s top executives. Without their consistent insistence that catastrophic risk be center stage, it would
have been. At the very top, reported the company’s former chief executive, “getting it on the agenda has to
come from a leader, and it either has to come from a concerned board member or a CEO or somebody at that
level.” A lower-level manager, as senior as she or he might be in the firm, could never garner the attention
required. “Unless it’s inherently believed-in,” warned the ex-CEO, by “the very top, as a CFO, the CEO, or a
couple of key board members, it will be ignored.” It must be “a never-ending commitment” by the top ranks.
One reason for the importance of that senior commitment was the ceaseless daily demand that all managers
feel to reach quarterly goals and deliver annual results. That goes with the territory, but this company
73
recognized that it could also push the cat-risk agenda aside. One executive warned, as a result, “the fact that
you get so focused on day-to-day business” meant that “you find a year or a year-and-a-half goes by and you
haven’t had the conversation about risks.” You “tend to be involved in your sales, the trends, and your expense
trends, and your profitability trends, and the short-term, and you get so wrapped up in that, that frankly, the
issue of catastrophic risks or risks in general, business risks, does not come up enough at the board level” or
even the business level without high-level prodding to make it evident.
By way of one example of visibility, mindful of the extra risks that expansion in foreign markets can bring,
the directors and executives built on their one foray outside the U.S. by requiring extremely high hurdles for
entering still another off-shore market. On-shore stores achieved close to a 10-percent average rate of return,
but the company would require investments in its newest foreign market to deliver a 15-percent rate of return.
The firm, affirmed the executive “is a very risk adverse company that goes extremely slowly and wants to
prove things first.”
Box A2 provides an extrapolated summary of the emergent leadership and governance principles from both
this large retail company.
Box A2. Leadership and Governance Principles from a Large Retailer
Leadership
L2.1. Insert risk recognition and mitigation into all management functions and levels.
L2.2. Refine risk-protection devices from on-going experience.
L2.3. Pinpoint responsibility for catastrophic risk but hold all managers responsible for risk in their own
arena.
L2.4. Ask both senior managers and front-line employees to identify emergent risks through direct
interviews.
L2.5. Establish an incident command system that fixes responsible parties and response protocols before
disaster strikes.
L2.6. Institutionalize risk concern by requiring operating divisions to annual identify their gravest threats.
L2.7. Top management – including the chief executive and other officers – force a focus on low-probability
but high-impact hazards to overcome management focus on quarterly and annual business results.
Governance
G2.1. Recurrently report gravest risks to the company to the board – and what management has done to
reduce those risks since the prior board meeting.
G2.2. Directors make management responsible for executing the board’s risk mandates.
G2.3. Directors take an active and preemptive role in referencing catastrophic risk management.
74
CASE A3. Not All Firms Have Developed the Same Risk Management Capability – The Case
of a Media Enterprise
Company vary greatly in not only the methods they use for catastrophic-risk management but also in the
extensiveness of their methods. We have learned much from Deutsche Bank, the major retailer, and host of
other major companies in our study at the upper end of the extensiveness spectrum. Yet can also be equally
instructive to study companies at the lower end. What is arguably missing in their case can suggest what
should be present in the best case.
Our second enterprise lacks many of the features in boxes 1 and 2 above, despite its more than 200-year history.
With more than 15,000 employees, $5 billion in annual revenue, it had become one of America’s premier
media properties, but it had incorporated few of the leadership or governance principles so evident at the other
enterprises.
An executive reported that the company had faced no catastrophic event in its very long history, though like
so many other firms in our sample, the cataclysm of 9/11 had deeply affected its operations. The firm prepared
to anticipate the prospect of further terrorist attacks, instituting emergency evacuation protocols, and
stockpiling emergency kits for those who might be stranded or obligated to remain on duty.
Only recently had the company explicitly turned to enterprise risk management, focusing mainly on business
continuity, and even then it remained little concerned with extreme risks. It had neither assigned nor hired
individuals with risk management in their job description or personal expertise. In fact, the company had come
into it sideways, building a disaster-recovery capacity for its information technology – no surprise given IT’s
centrality to an essentially information company – and then working to migrate that capacity into other parts
of the enterprise.
Still, the firm had finally hired a full-time manager to consolidate its business-continuity planning. The new
manager ran a risk-management simulation with top executives and set about identifying where the greatest
management gaps remained. But changes were still coming in “bite-size chunks,” in the words of the newly-
appointed manager, one modest step at a time. With other companies having focused on catastrophic risks for
years, producing complex multi-faceted methods, this firm stood in stark contrast – thought to seek to have
many of the rudiments in place within several years.
Even then, it would be uphill, in part because of the absence of any top-level support for the initiative that was
so evident at Deutsche Bank and the major retailer. Leadership principle L2.7 captured what was missing
here: “Top management – including the chief executive and other officers – force a focus on low-probability
but high-impact hazards to overcome management focus on quarterly and annual business results.” The media-
company’s manager found himself campaigning for what should have been coming from the top echelon.
“We need this,” he pressed, yet he found that many were still wondering what exactly “this” was. The manager
argued for acceptance of more comprehensive practices but also found he was carrying the flame largely on
his own.
Given the absence of any top-down direction, it is unsurprising that overarching responsibility for risk had not
been assigned or delegated. This stands in stark contrast to the L2.3 directive for pinpointing responsibility
75
and holding all managers responsible for risk in their own arena. The risk manager and top executive occupied
offices in the same building, but otherwise found little common ground. One person had been tasked with
continuity and risk issues, and his only leverage came through volunteers.
Little was taken up to the governing board, nor did much come down from the directors. The disconnect
proved disconcerting and even disheartening. “You cannot have a business continuity plan unless it's driven
from the top,” the risk manager warned. “I can't drive this at my level. You have to drive [business continuity]
from the very top: Say it’s important, mean it, and demonstrate that it's important by doing the testing, doing
the communication, and making sure that the company knows this is an important part of our risk
management.” You “have to have buy-in at the very top,” the manager concluded, “or it doesn’t work.” He
had previously worked at an organization that had gone under during the financial crisis that came with
Lehman’s failure, and he noted that the absence of top management commitment to risk management had
proven fatal there. “You did a piece of paper” outlining big risks facing that company, he recalled, but you
“struck it up on your cabinet and nobody looked at it.”
Box A3 draws on this experience to identify several additional leadership and governance principles, only
these have been derived from what the company had largely not done. And the company’s fate would prove
un-providential for a host of reasons unrelated to extreme risk management but possibly a product of not having
appreciated the growing hazards of the digital era. After struggling with declining income for a number of
years because of the rise of the Internet, the owners sold a major portion of the company to another firm not
long after our interview with the company was concluded.
Box A3. Leadership and Governance Principles from a Media Enterprise
Leadership
L3.1. Build a dedicated staff for facilitating the identification of major hazards from throughout the firm and
construct a company-wide capacity to surmount them.
L3.2. Institute an extensive set of extreme-risk practices.
L3.3. Secure the backing of top management, not just that of those dedicated to business continuity, in the
face of dis-continuity threats.
Governance
G3.1. Prompt the board chair or lead director to move the directors into active engagement with and
preemptive guidance of high-risk issues at the company.
76
NOTES 1 “Leadership on 9/11: Morgan Stanley’s Challenge,” http://hbswk.hbs.edu/archive/2690.html; James B. Stewart, Heart of a Soldier;
Amanda Ripley, Unthinkable: Who Survives When Disaster Strikes—and Why.
2 Michael Useem, “Developing Leadership to Avert and Mitigate Disasters,” in Learning from Catastrophes: Strategies for Reaction
and Response, Howard Kunreuther and Michael Useem, eds., Wharton Publishing-Pearson, 2010.
3 See, for instance, Cynthia D. McCauley, D. Scott DeRue, Paul R. Yost , and Sylvester Taylor, Experience-Driven Leader
Development: Models, Tools, Best Practices, and Advice for On-the-Job Development, Jossey-Bass, 2013.
4 Michael Useem, “John Chambers: Whether Up or Down, Always Innovating,” U.S. News and World Report, November, 2009.
5 See for instance, Erwann Michel-Kerjan and Paul Slovic. The Irrational Economist. Making Decisions in a Dangerous World (2010;
Public Affairs); Howard Kunreuther and Mike Useem. Learning from Catastrophes (2011; Wharton School Publishing-Pearson).
6 See Howard Kunreuther and Erwann Michel-Kerjan. At War With the Weather. Managing Large-Scale Risks in A New Era of
Catastrophes (2011; MIT Press).
7 PwC 2013 CEO survey.
8 Daniel Kahneman. Thinking Fast and Slow (2011; Farrar, Straus and Giroux).
9 Samuelson, William and Richard Zeckhauser (1988). Status quo bias in decision making. Journal of Risk and Uncertainty, 1.1, 7-59.
10 Amos Tversky and Daniel. Kahneman (1973). Availability: A heuristic for judging frequency and probability. Cognitive Psychology 5, 207–232.
11 James March, L.S. Sproull, and M.T. Tamuz (1991), "Learning from Samples of One or Fewer," Organization Science, 2, 1-13.
12 William Starbuck and F. J. Milliken (1988), “Challenger: Fine Tuning the Odds Until Something Breaks,” Journal of Management
Studies, 24, 319-340.
13 Paul J. DiMaggio and Walter W. Powell (1983), "The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in
Organizational Fields," American Sociological Review, 48, pp. 117-160.
14 Barbara Levitt and James March (1988), “Organizational Learning,” American Review of Sociology, 14, 319-340.
15 Howard Kunreuther and Edward Bowman (1997) “A Dynamic Model Of Organizational Decision Making: Chemco Revisited Six
Years After Bhopal” Organization Science 8 (4): 404–413.
16 World Economic Forum. Global Risk Report 2012.
17 Mirakhur et al. (2011) originally developed a list of 29 categories based on the Item 1A filings for a random sample of 122 firms,
resulting in an initial list of 116, relatively specific, categories (e.g. supplier concentration, supplier promotions, etc.). We reduced
this to 21 risk factors.
18 The reason we used daily stock return rates instead of the actual raw stock prices is that stock splits caused too much disruption in
our model. Our model had no way of recognizing whether a huge drop in the stock price (e.g., $60 to $30) was because of an actual
catastrophic event or a stock split. By using the daily stock return rates – which eliminated the stock split problem, we were able to
create two models, a 10-day model and the regular model (both of them are explained in later sections).
19 Paul Slovic, Baruch Fischhoff, and Sarah Lichtenstein, S. (1978) “Accident Probabilities and Seat Belt Usage: A Psychological
Perspective” Accident Analysis and Prevention 10: 281:285.
20 Neil Weinstein, Kolb, K., and Goldstein, B. (1996) “Using Time intervals Between Expected Events to Communicate Risk
Magnitudes” Risk Analysis 16:305-308.
21 Eric Johnson, John Hershey, Jacqueline Meszaros and Howard Kunreuther (1992) “Framing, probability distortions and insurance
decisions” Journal of Risk and Uncertainty 7:35-51.
22 This section draws on Michael Useem and Herman (Dutch) B. Leonard Jr., Catastrophic Risk Management at Deutsche Bank,
Wharton School, University of Pennsylvania, 2012.
23 For information on nuclear reactor fuel rods, see Joe Palca, National Public Radio, “Explainer: What are Spent Fuel Rods?” March 15, 2011.
24 Population Census, “Preliminary Counts of the 2010 Population Census of Japan released,” May 11, 2011.
25 The World Bank Group, World Development Indicators, 2012.
26 Berlin Partner GmbH, “Berlin Business News,” March 2011.
27 Deutsche Bank AG, “Management,” 2012.
28 Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable, Random House, 2010.
29 The accident that occurred on April 26, 1986 at the Chernobyl Nuclear Power Plant in Ukrainian SSR included an explosion and fire
that released large quantities of radioactive contamination that spread over western USSR and Europe.
30 Deutsche Bank AG, “Management,” 2012.
31 Chris Lawrence, Cable News Network, “Pentagon Clears Exit of Some Military Family Members from Japan,” March 17, 2011.
32 Deutsche Bank AG, “Deutsche Bank Careers: Operational Risk/Business Continuity Management Framework Specialist (m/f)
Frankfurt am Main,” January 5, 2012.
77
Study Directors
Howard Kunreuther is James G. Dinan Professor of Decision Sciences and Public Policy, and
Co-Director, Center for Risk Management and Decision Processes, Wharton School, University of
Pennsylvania, USA. He has a longstanding interest in ways that society can better manage low-probability,
high-consequence events related to technological and natural hazards. He is a Coordinating Lead Author on
the Intergovernmental Panel on Climate Change (AR5), a member of the OECD’s High Level Advisory Board
on Financial Management of Large-Scale Catastrophes, a fellow of the American Association for the
Advancement of Science (AAAS), and distinguished fellow of the Society for Risk Analysis, receiving the
Society’s Distinguished Achievement Award in 2001. He is the recipient of the Elizur Wright Award for the
publication that makes the most significant contribution to the literature of insurance.
See https://opimweb.wharton.upenn.edu/profile/37.
Erwann O. Michel-Kerjan is Managing Director of the Wharton School's Center for Risk
Management and Decision Processes, and teaches in Wharton School's graduate and executive programs. He
is also Chairman of the OECD Secretary-General Board on Financial Management of Catastrophes, which
advises its thirty-four OECD member countries on these issues. Dr. Michel-Kerjan was named a Young Global
Leader (YGL) by the World Economic Forum (Davos), an honor bestowed to recognize and acknowledge the
most extraordinary leaders of the world under the age of 40. He has worked extensively on improving corporate
strategy to extreme events and how to strengthen resilience. He has testified before the U.S. Congress on these
issues, recently addressed the G20 and currently advises several corporations, foundations and heads of state.
Dr. Michel-Kerjan is the author of several acclaimed books, including, most recently, The Irrational
Economist (PublicAffairs Books, with P. Slovic) and At War with the Weather (MIT Press, with H. Kunreuther)
which received the prestigious Kulp-Wright award for the most influential book on risk management. He is a
regular contributor in the media and has given over 150 public speeches. He studied at Ecole Polytechnique
(France), McGill and Harvard. See http://opim.wharton.upenn.edu/risk/faculty/michel-kerjan.htm.
Michael Useem is William and Jaclyn Egan Professor of Management and Director of the Center
for Leadership and Change Management at the Wharton School of the University of Pennsylvania, USA. His
university teaching includes MBA and executive-MBA courses on leadership and change, and he offers
programs on leadership, governance, and decision making for managers in the United States, Asia, Europe,
and Latin America. He also works on leadership development and governance with many companies and
organizations in the private, public, and non-profit sectors. He is the author of The Leadership Moment,
Investor Capitalism, The Go Point, and The Leader’s Checklist. He is also co-author and co-editor and co-
editor with Howard Kunreuther of Learning from Catastrophes, and co-author of The India Way and Boards
That Lead. See http://leadership.wharton.upenn.edu/l_change/Useem_Bíosketch.shtml.
78
For three decades, the Wharton Risk Management and Decision Processes Center
has been at the forefront of basic and applied research to promote effective corporate
and public policies for low-probability events with potentially catastrophic consequences,
integrating risk assessment and risk perception with risk management strategies under
various regulatory and market conditions. Providing expertise and a neutral environment
for discussion, the Center is also concerned with training decision makers and
promoting a dialogue among industry, government, interest groups and academics
through its research, publications and forums.
Wharton’s Center for Leadership and Change Management stimulates basic
research and practical application in the area of leadership and change, and fosters an
understanding of how to develop organizational leadership. The intensifying competition
for resources and demand for high performance are pressing firms to become more
flexible, more results-focused, and more fast-acting. Companies are finding that such
initiatives require able leadership; the challenge is to help build effective leadership
both in the next generation of managers and throughout the organization today. The
Center Leadership and Change Management was created to support these efforts.
The joint project, Effective Corporate Leadership and Governance Practices in Catastrophic Risk
Management examines the practices of large, publicly-traded companies to determine effective
strategies for detecting, preparing for and coping with catastrophic events.
Wharton Risk Management and Decision Processes Center www.wharton.upenn.edu/riskcenter
Wharton Center for Leadership and Change Management
http://wlp.wharton.upenn.edu
3730 Walnut Street, Jon M. Huntsman Hall Wharton School, University of Pennsylvania
Philadelphia, PA 19104
