What a world! In just the last few months, businesses across the globe have been shaken by a series of unprecedented events, many of which reverberated to the bottom line. For corporate risk managers, whose job is to identify the value-killer risks to their organizations' operations, financial soundness, people and strategy, discerning such events and devising ways to soften the blows is tantamount to predicting next month's weather in Florida.
Indeed, few risk managers anticipated the extent of the tragic events in Japan that are sure to disrupt their organizations in ways that only now are beginning to be understood. The same applies to spreading political instability in the Middle East. Earthquakes in Haiti, Chile and New Zealand; huge snowstorms in the Northeastern United States; a massive oil spill in the Gulf of Mexico; a global financial crisis and consequent recession; swine flu pandemic; and a horde of recent hackings against major companies are just a few of the other out-of-the-blue events ripping carefully prepared strategic plans in half. Add widespread fears of reputational disasters caused by WikiLeaks-type revelations, rising inflation in China and India, and the numbing effect of regulation-after-regulation-after-regulation, and the job of the risk manager becomes one for the more resilient among us.
Treasury & Risk reached out to several thick-skinned risk managers to determine what they see as their top five concerns in 2011. Surprisingly, there was more agreement about the top five than there was disagreement. While many readers may affirm their choices, others may dispute them, wondering why no one selected the risk of an asteroid hitting Wall Street. That said, we decided The Sky Is Falling made for a darn good headline anyway.
In no particular order, here is what the risk managers came up with as this year's top worries.
Sigh for Cyber Risk
First there was WikiLeaks and its embarrassing disclosures. Now it's corporate network break-ins by hacker-activists calling themselves Anonymous. Among the victims whose networks allegedly were penetrated are DuPont, General Electric, Johnson & Johnson, Morgan Stanley, Sony Corp. and other major companies. The attacks mirrored a similar hacking of Google last year by China-based perpetrators. Google acknowledged the loss of intellectual property assets as a result of the intrusion. No one yet knows the extent of the losses from the recent attacks.
Law enforcement officials in the United States have indicated that such attacks have increased in number and scope over the last few years--hence the selection of cyber risk as one of risk managers' top five concerns. "It's the 'WikiLeaks effect'--the cyber-theft of proprietary documents and personal information," says Wayne Salen, director of risk management at Labor Finders International, a large West Palm Beach, Fla.-based temporary staffing firm. "By having your secrets--competitive or otherwise--revealed to the public, you run the risk of diminished value. The impact on your brand can be such that it may even bring you down."
Hewlett-Packard's former CEO Mark Hurd, who lost his job in part because his computer was reportedly determined to contain soft-core pornographic videos of a marketing contractor, certainly can relate. But cyber crimes involve more than revelations of private behaviors.
"We all hear about the large attacks that occur, but the truth is there is a staggering number of hackings out there," says Nowell Seaman, director of risk management at the University of Saskatchewan and a member of the board of the Risk and Insurance Management Society (RIMS). "Much of this fortunately is repelled, but cyber risk is really a 'many-headed Hydra.'"
"We experience multiple attacks on our systems every day," says Pete Fahrenthold, managing director of risk management at United Airlines. "An airline has so much infrastructure tied to computer systems that can be disrupted. We also have access to a vast amount of consumer personal data that can be stolen."
The solution, if it can be called that, is the usual mix of anti-virus software, data encryption, intrusion detection systems, clear policies and procedures for workers handling personal data, and other risk prevention strategies. But as Seaman points out, "While you can design intrusion prevention systems and maintain a cutting edge program of data security, hackers are always trying to get one step ahead of the mousetrap."
When all else fails, at least victims can rely on cyber coverage, which transfers much of the risk to third-party insurers, including the costs of such headaches as notifying people that their personal data has been compromised. "We pursue state-of-the-art cyber-risk management and buy cyber insurance, which help us to reduce the exposure," Fahrenthold says. "Still, it's one risk that concerns me a great deal."
The devastating events in Japan are sure to disrupt global supply chains, given the great number of companies in the country that manufacture parts for consumer electronics devices like Apple's iPad and Toshiba's flat-screen TV. Japanese companies also make parts for automobiles and jet airliners, among others. Small wonder risk managers at companies that rely on overseas manufacturing and sales selected supply chain risk as a top concern. Indeed, there are myriad ways in which just-in-time manufacturing can become "when-it-arrives" manufacturing. As John Merkovsky, global leader of Marsh Risk Consulting, puts it, "There is a very large, complex series of interdependencies that drive a product from raw material to the finished goods. The issue is not supply chain risk, it's supply chain risks."
It's not just Mother Nature that can slow the delivery of a key component to a manufacturer. For example, the liquidity problems in the wake of the global financial crisis whipped up concerns over supplier solvency. If a vital sole-source supplier went belly up, its buyers would confront manufacturing delays affecting their relations with their own buyers. "Whether it's political instability in the Caribbean and the Middle East or an earthquake in New Zealand, there are supply chain repercussions," says Eric Andersen, CEO of Aon Risk Solutions U.S. "With the Chinese government getting very itchy about developments in Egypt, Tunisia and other countries--and so many U.S. and European manufacturers depending on goods from China--supply chain risks are heightened for many risk managers."
Such risks certainly have been elevated for Dave Hennes, director of risk management at the Toro Co., a Minneapolis-based manufacturer of lawn care products with $1.6 billion in annual revenue. "We have moved a fair amount of production into Juarez, Mexico, and have some key plants there," Hennes explains. "The problem is the much-reported violence there. We're concerned about the impact on our production of lawn care products, like Home Depot walk-power mowers, just as the spring selling season is beginning."
Juarez is the epicenter of drug cartel turf wars, with a reported 3,000 people killed in the city last year. "If the U.S. decided to disrupt trade with Mexico through some sort of intervention like a closing of the border between Juarez and Texas, it would have a significant impact," Hennes says. "We have people from our El Paso plants crossing the border to Juarez every day. While we could shift production to other plants, especially the ones in El Paso, the truth is that all our plants are pretty busy this time of year."
What can a risk manager do? "Imagine all scenarios and plot a mitigation strategy," Hennes says. "And stay tuned to all developments."
Politics as (Un)Usual
While cyber and supply chain risks have been migraines for some time, political risk is back in the spotlight following the jaw-dropping developments in the Middle East and Africa. No one could have predicted a people's putsch would bring down the government of Hosni Mubarak in Egypt, much less the government of Tunisia and possibly those of Yemen, Jordan and Libya. So it's a bit of a no-brainer that political risk made it in the top five. As Seaman says, "It's amazing that an event in an African country can have a significant effect on our operations here, driving costs sky high."
He's referring, of course, to the price of crude oil, which at this writing was $105 per barrel. Every company, no matter its industry, must cope with energy costs. When oil prices rise, it affects strategic plans, the cost of products, and resources earmarked for other purposes. If you're an airline, then the cost of fuel oil has a major impact. "We burn something on the order of 100 million barrels of fuel a year, and with the cost now at more than a $100 a barrel, this adds up to quite a bit of capital," says United Airlines' Fahrenthold.
In addition to passing on additional costs to customers, the veteran risk manager says the airline hedges fuel expenses. If prices continue on the upswing, "we may have to cut capacity or switch aircraft, taking out less fuel-efficient airplanes from the fleet," Fahrenthold explains. "Anything that disturbs the cost of fuel is a critical issue for us."
Janice Ochenkowski has another concern about political risk--people. "As a global real estate concern, we have employees on the ground in many countries where terrorism and political risks give us great pause about their safety and security," says the managing director of global risk management at Chicago-based Jones Lang LaSalle, which lists some 30,000 employees in 60 countries. "The cost of energy is another issue, given the trickle-down effect on the operation of office buildings and other client real estate investments." Ochenkowski is a former president of RIMS.
While political risk and terrorism risk insurance absorb a measure of the financial exposure, Andersen from Aon Risk Services notes a particular drawback to the policies: "Once a problem erupts in a country, it is quickly excluded from coverage. Insurers will give you political risk insurance for [operations in] Canada, but I'm not sure it will be available in Libya any day soon."
Ever see the Federal Register? At 80,000 pages and counting, this official registry of federal laws and regulations is about the size and weight of a small Buick. By the end of this year, it might be mistaken for an SUV, thanks to the regulation-loving Obama administration. Complying with the sheer number and variety of the rules has pushed regulatory risks into the top five. "It's a big one," says Merkovsky from Marsh Risk Consulting. "Everyone I talk to is worried about it--viscerally, in some cases."
Two pieces of recent legislation causing much distress are healthcare reform and the Dodd-Frank financial services reform acts, both subject to change now that Republican lawmakers have a more solid footing in Congress. The problem for risk managers like Carmelo Casella at Bank of New York Mellon is interpreting the impact of all the new rules. "We just don't know what restrictions will be put in place or their effect on things like capital requirements," says Casella, the bank's longtime manager of corporate insurance. "Whatever impositions arise may affect the types and amount of insurance policies we buy."
Merkovsky shares his frustration. "There are already more regulatory requirements and constraints for financial institutions than anywhere else, and the prospect of more is unsettling," he says.
Salen bemoans the toll that regulations are taking at Labor Finders International. "We've been subject to an increase in [Immigration and Customs Enforcement] audits, which the Obama administration fostered," he says. "It's getting to the point of ridiculousness. On any given day, we have about 100,000 workers out there in more than 30 states. The government wants to root out illegal immigrants, but they put pressure on employers to invest enormous time and resources to assist them. They drive you nuts with their requests for documents and discussions, at a time when we're all trying to dig out of the recession with fewer resources and people."
Salen adds that he's also coping with ever-increasing legal regulations regarding hiring discrimination. "We comply with all of this because we don't want to break the rules or be written up in the newspaper as not complying," he adds.
Merkovsky is concerned that the restrictive regulatory milieu might drive U.S. companies abroad, to parts of the world that don't have Buick-sized books of regulations. As for a solution to the dilemma, he doesn't have much to offer. "You can't buy insurance to transfer the risk," Merkovsky says. "You just have to hope for no unintended consequences."
As we were assembling our list of top five risk manager concerns, we realized that many of them fell into the same bucket--each fit the definition of a highly improbable yet extremely consequential event known as a Black Swan. Lately, such events seem to be spinning at companies faster than a Natalie Portman pirouette. As Aon's Andersen says, "The sense of what is possible today for risk managers is a lot different than it was two years ago."
Two years ago, an ash cloud spewing out of a volcano in Iceland, grounding planes across the world, would not have been on the radar of risk managers. It is now, as are other Black Swans swooping in from the blue yonder. Take, for example, soaring inflation in China and India. "With 20% wage inflation, will it affect decisions to continue outsourcing to these countries, now that the labor cost differential may not be as significant?" Merkovsky asks.
The problem is that Black Swans fly in darkness, making it difficult to see them coming. Seaman, though, offers this advice: "Prior to the financial crisis of 2008, we had implemented an [enterprise risk management] program that called for identifying key strategic risks and then posing a series of 'What if?' scenario-type questions regarding the exposure, such as the effect of lower interest rates or lower stock prices on our pension funds and endowments."
This way the university was better prepared when the swans came hurtling out of the sky. As for an asteroid, well, maybe next year's top five.
For more on the impact of popular uprisings overseas, see Winds of Political Risk.