one

Introducing the Risk Hurricane

This book presents an extended analogy, holding two dissimilar things in parallel so that similarities and differences can provide new insights. Starting from the meteorological phenomenon of the hurricane, we’ll explore key characteristics of extreme risk exposure in business, explaining how it arises, how it can be predicted, how its effects can be mitigated or managed, and how an organization can recover after an extreme risk event.

This chapter sets the scene with some definitions and context for what follows.

THE HURRICANE AS ANALOGY

In 1805 Commander Francis Beaufort of the British Royal Navy developed a scale to describe the range of wind conditions that might be encountered by shipping. The Beaufort Wind Force Scale has since been adapted and extended, and it has become a de facto standard, with its terms and definitions universally accepted and used. The key elements of the Beaufort Wind Force Scale are summarized in Table 1.1, defining each level in terms of wind speed and wave height. The full scale also includes descriptions of conditions on land and at sea for each level.

Within the structure of the Beaufort scale, the hurricane represents the most severe level of storm that might be encountered. Even then, meteorologists felt the need for more granularity at the top end, and the Beaufort scale has been extended to describe different categories of hurricane. This is discussed in more detail in Chapter 3.

Given their unique position as the top-ranking type of storm system and their potential to wreak havoc on those communities unfortunate enough to experience one, it’s not surprising that hurricanes receive a lot of attention from professional meteorologists, academics, the media, and the public. This has led to increased appreciation of how they form, what drives their intensity, how they might be predicted, how to respond when one is heading your way, and how to recover afterward. This level of detailed understanding makes the natural hurricane eminently suitable as the starting point for an analogy.

DEFINING THE RISK HURRICANE

With the natural hurricane as the illustrative half of our analogy, what is the matching half for which we hope to gain a new perspective and new insights?

Today’s business world is characterized by volatility, uncertainty, complexity, and ambiguity (embodied in the VUCA acronym), with high rates of change and the emergence of disruptive new players and business models:

• V. Markets vary widely in times of stress and uncertainty, as measured by the VIX (Volatility Index), but volatility is also found widely elsewhere in the business environment, including raw material prices, labor market availability, and customer demand.

• U. Uncertainty is essentially driven by lack of predictability, where causal factors are unclear.

• C. Increased interdependence, interconnectedness, and hidden linkages characterize situations of rising complexity, where future behavior of systems is difficult or impossible to analyze from past performance.

• A. The explosion in data and information results in high levels of ambiguity, making it increasingly challenging to know what’s going on with any degree of accuracy.

Each VUCA element alone can create problems for businesses, but for many organizations, the combination of VUCA factors working together generates an unprecedented level of strategic risk exposure that presents an existential challenge. Businesses that are unable to handle such extreme risk exposure will go under, while those that survive will necessarily demonstrate a high degree of flexibility and resilience, giving them competitive advantage and the ability to thrive where others fail.

Many organizations rely on standard risk management processes to protect them from extreme existential risk exposure. But perhaps this confidence is misplaced?

Risk management has become a standard part of the strategic toolkit in recent years, providing senior leaders with a forward-looking radar to scan the future and give early warning of approaching threats and opportunities. Risk has entered the language of the boardroom and is no longer limited to subsidiary levels such as technical, safety, reputation, insurance, business continuity, projects, or operations. Leading organizations have become adept at risk-based decision-making, understanding and expressing their strategic risk appetite through measurable risk thresholds that drive the risk-taking activities of the whole enterprise (Hillson & Murray-Webster, 2012; Murray-Webster & Hillson, 2021).

However, even these best-in-class organizations can falter in the face of extreme risk exposure that is beyond anything they’ve previously experienced. This intense degree of uncertainty doesn’t happen every day, and routine risk management approaches aren’t designed to deal with it. Special circumstances demand special responses, and extreme risk exposure requires very careful handling.

This is where the concept of the Risk Hurricane comes in. The Risk Hurricane describes circumstances of extreme risk exposure in business that lead to major disruption. It is caused largely by predictable factors but characterized by sustained unpredictability and severe impact once it develops. If we can learn to predict a Risk Hurricane, to prepare for it effectively, and to survive its effects, then our organizations will be well placed to address the challenge of extreme risk exposure, if/when we are unfortunate enough to face it. While traditional risk management processes can form part of the response to a Risk Hurricane, they are insufficient on their own. The chapters that follow provide additional techniques and approaches that are better suited to addressing extreme risk exposure, complementing more routine risk management techniques, and providing the required level of robust protection.

RISK BASICS

The “hurricane” part of the Risk Hurricane is the basis for the analogy used throughout this book. But what about the “risk” part? In many ways, this element is more important, as it defines the area of interest about which we want to draw inferences and insights. There are many circumstances that can cause major disruption to businesses, but the Risk Hurricane is distinguished by its focus on circumstances of extreme risk exposure.

To understand the nature of the Risk Hurricane, we first have to understand the nature of risk. Risk is not the same as uncertainty. There are innumerable uncertainties in the world, but we do not count them all as risks. All risks are uncertain, but not all uncertainties are risks. Risk is therefore a subset of uncertainty. We need a filter to determine which uncertainties must be understood and managed as risks. This filter is embodied in a simple proto-definition: “Risk is uncertainty that matters.” The vast majority of uncertainties do not matter, and we can safely ignore them.

What matters is defined by our objectives; these describe what is “at risk.” We can therefore expand our proto-definition of risk to be a little more specific: “Risk is uncertainty that, if it occurs, would affect objectives.” This most basic definition of risk is reflected in all current risk management standards and guidelines, from the international ISO 31000:2018 Risk management—Guidelines (International Organization for Standardization, 2018) to national and sector-specific examples. The level of objective determines the type of risk: strategic risk would affect strategic objectives; operational risk would affect operational objectives; personal risk would affect personal objectives; and so on.

One more basic principle of risk must be stated here, as it is directly relevant to the Risk Hurricane. “Risk is uncertainty that, if it occurs, would affect objectives,” but that effect could be either negative, or positive, or both. The concept of risk incudes threat (uncertainty with negative impact), opportunity (uncertainty with positive impact), variability (uncertainty with uncertain impact), and ambiguity (uncertainty with unknown impact).

This means that risk includes uncertain future events that can be foreseen with some degree of accuracy, allowing you to predict them and prepare for them. But risk also covers uncertainties that are harder to anticipate, whose impact is often unclear, which makes them much more difficult to address proactively in advance (though not impossible). Risk management must cover predictable risks (known-unknowns and knowable-unknowns) as well as emergent risks (unknown-unknowns and unknowable-unknowns), dealing with uncertainty wherever and however it arises.

As a consequence, risk exposure describes the totality of the effects that uncertainty might have on our ability to achieve our objectives. The “extreme risk exposure” associated with the Risk Hurricane reflects a degree of uncertainty that could have an existential impact on the business. Of course, the definition of “extreme” will differ from one organization to another, and it is vital for the leaders of each business to have a clear view of “how much risk is too much risk,” embodied in their strategic risk capacity.

Once we know what we mean by risk and what level of risk exposure counts as “extreme” to our business, we can proceed to find and manage those uncertainties that matter to us. Simple principles underpin the risk management process, which in essence requires us to ask and answer eight basic questions:

1. What are we trying to achieve? (strategic objective-setting)

2. What might affect our ability to achieve these objectives? (risk identification)

3. Which of those are most important? (risk assessment and prioritization)

4. What can we do about them? (risk response planning)

5. Having done what we planned, did it work? (risk response implementation, risk review)

6. Whom should we tell? (risk communication and reporting)

7. What’s changed? (risk updates)

8. What should we do differently next time? (learning risk-related lessons)

Most organizations will be familiar with this process, and you’re probably already implementing some form of it within your business. The level of implementation will vary widely from one company to another, depending on the size and nature of the business. Some may have a full enterprise-wide risk management (ERM) approach, perhaps following an established framework such as COSO (Committee of Sponsoring Organizations of the Treadway Commission, 2017), where others may have a more informal approach (for example Chapman, 2011; Taylor, 2014). The form of your process matters less than the fact that you’ve adopted a structured approach to managing the risks faced by your business and that you’re implementing that consistently across all levels of the organization.

Armed with a firm understanding of the importance of risk to your business, as well as a sense of where the limits of acceptable risk exposure lie, you’ll be better equipped to spot an approaching Risk Hurricane and deal with it effectively.

BOOK OUTLINE

Throughout the following chapters, we use known facts about natural hurricanes to generate new insights about the Risk Hurricane, as outlined in Table 1.2. Each of Chapters 2 through 7 unpacks one aspect of the hurricane analogy, starting with a brief description of the characteristics of a natural hurricane, leading into an exploration of comparable factors relevant to the effects of extreme risk exposure on business. These chapters also each include a short case study to illustrate one aspect of the Risk Hurricane, drawing on well-known examples of extreme risk exposure from the public domain.

The book closes with a final chapter summarizing lessons to be learned by any business that wants or needs to prepare to face extreme risk exposure, with a call to action outlining the practical and strategic steps that must be taken to tame the Risk Hurricane.

Table 1.2: The Risk Hurricane analogy

TERMINOLOGY FOOTNOTE

The term “hurricane” is only used for storms that occur in the North Atlantic and Northeast Pacific Oceans. The same type of storm in the Northwest Pacific Ocean is known as a “typhoon,” and in the South Pacific and Indian Oceans it’s a “cyclone.” For simplicity, in this book we only talk about hurricanes, but the same principles apply to typhoons and cyclones. We hope readers from these other regions of the world will understand and accept this simplification. The Risk Typhoon and Risk Cyclone are equally relevant analogies, and what we say about the Risk Hurricane is just as relevant wherever you are in the world.