Actionable Information

Performance Secrets of Effective Boards

Sunday, June 20, 2010

Asymmetric Risk Hunting with the Board and CEO

This post is about using the hunt for asymmetric risks, primarily "black swans" and "ugly ducklings," as one tactic or tool in risk oversight and governance.

1. There is no shortage of advice, literature, regulations and consulting services concerning the board's role in risk oversight. See, for example, this recent excellent post from Marty Lipton, the NACD's publication and KPMG Advisory's risk methodology, not to mention current SEC proxy statement requirements.

2. Asymmetric risk, however, is underappreciated. Current regulation and advice on risk management would probably identify an asymmetric risk only if it already happened to be associated with excessive compensatory inducement, or if it coincidentally ranked among the top business risks identified at the company for the CEO and Board through such methods as red, yellow and green color coding.

3. Asymmetric risk is risk that is catastrophically and collaterally disproportionate to its catalyst. 9/11 was caused by a handful of militant extremists; the current economic collapse was initiated by handfuls of non-C-suite individuals; the Putnam meltdown, by one employee broker; and the BP disaster, apparently by operational-level decisions (e.g. reportedly deploying only one blind shear ram in the blowout preventer rather than two, under-designing the well, omitting a cement quality test, and not installing appropriate capping devices at the top of the well).

4. The "black swan" type of asymmetric risk gets its name from the pre-Darwin era in Europe, where the only swans known were white. Black swans were not known until Australia was explored. Black swan asymmetric risks are driven by inadequate information or poor data quality.

5. The "ugly duckling" type of asymmetric risk derives from the famous childhood story of seeing what appears to be an ugly baby duck only to have it develop into a gorgeous swan. Ugly duckling asymmetric risks are driven by bad judgment. It is a cygnet misjudged as an ugly duckling.

6. Asymmetric risks are particularly difficult to identify because (1) they are caused by people or events beyond the board's (and often management's) visibility, (2) detection requires time for attention and reflection from employees, management and directors -- all of whom are pressed for time and for whom issue prioritization is an ongoing challenge, (3) comprehending the threat's import requires a shift in the frame of reference to a "stop, look, listen and visualize-outside-the-norm" mentality and (4) the employees most likely to know the most about these risks are typically beyond management and the board's normal visibility.

7. There are two reasons for the Board and CEO to pay special attention to asymmetric risks. First, the potential for massive company, constituent and collateral damage is life-threatening to the company and its many publics. Second, asymmetric risk hunting should result in a good indication of the quality of the company's risk management program.

8. Here are five areas of questions the CEO-Board team could explore to contribute to minimizing asymmetric risks and to testing the quality of the risk management program:

A. Highlight the Risk Class. Ask that all asymmetric risks be separately identified and added as items to be covered in the risk management program, including giving them line item treatment in management's risk reports and by adding them to the list of the Board's topics overseen, about which specific questions will be asked.

B. Seek the Overlooked Data. Seek and ask for the outliers, dissenting reports and "contrary" information in connection with these reports and presentations. For example, a report last year to Transocean indicated that single blind shear rams on blowout preventers were 99% reliable and that having two increased reliability only to 99.3%; there have been only 62 failures out of almost 90,000 government-designed tests; and two thirds of the rigs in the Gulf today have only one shear ram in their blowout preventers. On the other hand, numerous reports have called out the "single-point failure" vulnerability of the ram's hydraulic shuttle valves; another study reported that of 11 real-life cases where crews had lost control of their wells, the blowout preventers failed 45% of the time; in 2003 a BP crew faced a situation where they decided to activate both blind shear rams in the blowout preventer to prevent a disaster such as the Deepwater Horizon's loss of control over the Macondo well; and (last, but not least) one or more employees at BP have been sufficiently concerned about this issue to equip the blowout preventers on 11 of BP's 14 Gulf rigs with two shear rams. Instead, the Board's SEC filings show that the Safety Committee was focused on refinery safety rather than drilling safety (and, in another PR misstep, that the Board obtained "Deeds of Indemnity" shortly after the explosion occurred).

C. Insist on Responsible Judgment. Ask that the risk reports and presentations include a discussion of risks, issues and areas where poor judgment calls at all levels of the company might be made and the nature of what those potential poor judgment calls might be. Ask whether the tone at the top and the company's culture support responsible judgment.

D. Stand in the Field of 600 Dead. Ask yourselves and the members of the company's risk management team to form a "fresh" frame of mind to understand the significance of what is being detected and communicated in those efforts, reports and presentations. The late Rick Rescorla (the hero of Morgan Stanley who, as its head of security, saved 2700 employees on September 11 because of his individual foresight and persistence in training them for emergency evacuation) warned the Port Authority officials BEFORE THE FIRST GARAGE BOMBING of the Twin Towers and again LONG BEFORE THE PLANES STRUCK. He also tried, to no avail, to persuade Morgan Stanley to move out of the World Trade Center because he had thought about and understood the asymmetric risk. No one at the top listened. No one created that special attentiveness or had the life experience or took the time to "scenario think" to understand and give proper weight to what Rick was saying. Rick (who fought in some of the bloodiest battles in Viet Nam) has often been quoted as having said "They never stood in a field of 600 dead people and thought about what men could do to each other."

E. Find the "One." Identify the key employees who truly "know" -- who are the company's Rick Rescorla -- and discuss the advisability of having a presentation from, or conversation with, them.

I wish you "good hunting."