The Risk Watch Column: Risk myths and delusions

BY DR ALAN WARING

Many large organisations are terribly naïve when it comes to recognising their significant risk exposures. Two independent cases exemplify just how unrealistic some companies can be about their vulnerabilities. What lessons can be learned?

Case 1: “Security Threats Start Next Year”
The first case concerns a major project in the Far East in the hotels & leisure sector. A huge integrated resort was being built at an investment cost of US$ billions, including hotels, cinemas, sports facilities, restaurants, conference centres and gaming halls. Thousands of people would be using the showpiece resort daily, including foreign dignitaries and other VIPs. The design & build phase took several years. Various technical security features had been designed into the site but overall there had never been a proper examination of the security threats and requirements on a life-cycle basis, from design through construction, snagging and testing, handover, operation, maintenance and repair, development and disposal. With another year to go before completion and handover, the owner’s senior management position was that security issues begin with the operational phase from handover onwards. Therefore, there was no need to examine the security requirements until then!
Pointing out to them the blindingly obvious fact that the construction phase was the most vulnerable because of the myriad of contractors on site who had access to plans, premises, software, etc., cut no ice. They just did not want to accept that organised criminals who wanted to plant electronic surveillance and other devices to be activated once the site, and especially the casinos, became operational would have already infiltrated the contractors. Computer files would have been hacked into and copies of plans, wiring diagrams and other intelligence were just a bribe away. And we haven’t even mentioned potential terrorist infiltration yet in a region with an uncomfortable record of terrorist attacks on the hotels & leisure sector such as the bombings in Jakarta, Bali and Mumbai. Criminals and terrorists do not conveniently switch off their activities and mark time just to suit the timetables and fanciful security delusions of their targets.

Case 2: “Risks Don’t Exist Unless Customers Are Worried”
The second case is remarkably similar in that it was a commercial property development and had never had a proper security evaluation on a life-cycle basis. The premises would be a prestige city-centre development, including hotel, conference centre and leased offices. Mid-build, the owners started to sell the commercial leases and were rather surprised to receive some sharp questioning from potential tenants on security, fire and other risk issues and what the provisions were. Some would-be tenants would have a regular flow of foreign ministers and other VIPs – what were the security arrangements provided by the landlord? Some would-be tenants held lots of critically important data and hosted top secret negotiations – what electronic data firewalls, counter-eavesdropping and other counter-measures were in place for the building?
The owner-developers had simply swallowed the assurances of the principal architects and contractors that security measures would be built in. In fact, this amounted to little more than CCTV cameras and electronic swipe key access and certainly nowhere near adequate as ‘the security strategy’.
The owners were clearly worried that they would lose these two prime clients unless they could demonstrate that they were on top of the security issue. However, when the two potential tenants who had raised the issue decided not to proceed, the owners concluded quite wrongly that therefore there was obviously no need to upgrade their security provisions! In addition, the likelihood that other prospective tenants would also raise similar concerns and back away never entered their tiny minds.

Naïve Beliefs Cloud Corporate Judgement
There is a range of staggeringly naïve beliefs about risk that are all too common in boardrooms and among corporate executives. Such myths and delusions are not confined to particular sectors or to particular risk exposures. For example:
• Business growth is inevitable; we are immune to economic recession.
• The market will bear whatever prices we ask for, regardless of economic or market conditions.
• Life’s a gamble, so why treat business any differently? We don’t need to apply any discipline or methods to risk management, just use our experience.
• We are making good profits so we must be managing our risks OK. As we have never had anything bad happen, isn’t that good enough evidence we are invincible?
• Lost foreign buyers, tourists, etc. will return soon; we don’t have to do anything significant to get them back.
• Bonuses as the main performance criterion and goal of individuals will ensure good risk-free corporate performance.
• Insurance will do the trick and is sufficient to manage all our risk exposures; no active risk management is required.
• Enterprise Risk Management is only about finance and accounting standards and internal audit; ERM and Business Risk Management are only what accountants say they are; ISO 31000? Never heard of it!
• Superficial risk checks will be enough for corporate Due Diligence.
• If customers don’t demand risk management from us then it doesn’t need attention.
Some of the above may seem embarrassingly familiar to readers in Cyprus but they are also depressingly common around the world. They lead to a lack of any disciplined, well-informed framework in companies for managing their risk exposures. To use an analogy, most of these myths and delusions are rather like the attitude of a person who imagines that he or she will never fall ill and so does not need to do anything to prevent ill-health. The “I-feel-as-fit-as-a-fiddle” deluded soul who every day smokes 40 cigarettes, interspersed with Monster Burgers plus souvlaki-and-chips all washed down with a bottle of Scotch, does no exercise, is a workaholic and thinks he will live to 100 without so much as the need of an aspirin. I’m sorry, my friend, but the odds are overwhelmingly stacked against you. Your life expectancy will be cut short drastically – think more in terms of 65 if you are lucky, not 100. And, before reaching that final demise, you will probably suffer years of debilitating ill-health. You certainly will not be functioning well and will be pretty miserable.
Now, apply the analogy to running a company.
Frankly, those who choose to take such a cavalier approach to managing corporate risks deserve to lose the shirt off their backs as a result of their own stupidity. But of course, the fall-out of mismanaged corporate risks unfortunately also damages many other people – shareholders, investors, employees, customers, suppliers. Just look at the thousands damaged by BCCI, MGN, Enron, Stanford, Madoff, Soc Gen, RBS, and the mismanagement of the banks and finance sector alone, quite apart from ‘basket cases’ in other sectors. Does any director or executive have the right to gamble so recklessly with other people’s money and lives? In corporate governance terms, certainly not. In first-world countries, the penalties of reputation damage and public humiliation vie with prosecutions, disqualification as a director, fines and possible jail time. In some countries, however, top people get the death penalty for gross mismanagement of risk exposures.

Conclusion
Wacky beliefs about risks and delusions about risk exposures and controls often go hand-in-hand. They lead to a naïve reliance on luck or miracles as a strategy for managing risks instead of having proper systems in place. This represents a huge gamble. Managing a business is not the same as gambling in the casino, where the odds are always stacked against the gambler. Active risk management changes the odds in the company’s favour.

Dr Alan Waring is an international risk management consultant with extensive experience in Europe, Asia and the Middle East with industrial, commercial and governmental clients.

©2010 Alan Waring