Since time immemorial we have been dealing with uncertainty and risks. Power, money and fame were driving forces even in ancient times, led to wars and divided peoples. The whims of nature struck mercilessly, with droughts, famines or floods. Earthquakes and volcanic eruptions reduced whole cities to ruins.
But while the people of past eras often had to deal with individual dangers and disasters at local, national and intergovernmental levels, the risks in our modern and closely interlinked world are many times greater and more complex. It is above all the mobile and at the same time digital path that is bringing us closer together.
This creates advantages and opportunities. People can travel from A to B at tremendous speed, exchange information and data in milliseconds, network with each other and find new ways of cooperation and communication. The digital quantum leap has accelerated the momentum of modernization in many parts of the world.
At the same time, with the increasing networking, digitalization and disruption of business models, risks are moving closer to us and are increasingly determining our everyday lives. For with the all-encompassing professional, social and societal interdependence, not only opportunities are being networked, but also the risks.
Uncertainty is the new certainty
We are living in a "world risk society" and are surrounded by "systemic risks". Uncertainty has become a constant. Indeed, financial market risks, hacker attacks, natural disasters or war and terror have an impact on all continents, nations and people. The result is weakened economies and large corporations, which can trigger a chain reaction on the international financial markets. Earthquakes and tsunamis reach our apparently so safe economic areas and the export of weapons to all conflict areas of the world, force the spiral of violence and catch up with us again with terror and conflicts on our own doorstep.
In these uncertain times, only one thing is certain: the diversity and interdependence of potential dangers makes the profession of risk manager indispensable on the one hand and shows on the other hand that the tasks have become incomparably more difficult and demanding.
Knowledge and foresighted action in dealing with risks and opportunities was and is the core task of a good risk manager in stormy and uncertain times ("Uncertainty is the new certainty").
Functional sub-cultures without added value
But what about the acceptance of risk managers in practice? In many cases, they are seen as object of concern and only very rarely heard as sparring partners at the decision-making level. Is that surprising? A look at practice very often presents risk management systems without any methodological foundation and without any reference to the strategy of the company. While the management board has to deal with disruptive developments in the business model and the turbulence on the markets, the risk manager sets up excessive control systems and overly bureaucratic risk management systems. The major potential surprises that a company may encounter on its exciting strategy journey are systematically hidden.
In this way, functional sub-cultures in the area of compliance and risk management are created in companies, the added value of which is a matter of debate. In quite a few cases, such over-bureaucratized systems tend to weaken the corporate culture. This can be observed especially in large corporations for years. An empirical study would confirm that the majority of risk management systems in large corporations are not effective and have a low level of maturity. In addition, there are various risk management systems in these sub-cultures that are rarely coordinated in terms of methods or reporting. While quality managers often work with a Failure Mode and Effects Analysis (FMEA), a Fault Tree Analysis or other analytical methods, compliance risk managers often work with "simple" collection methods (risk control matrix, checklists, etc.) and risk managers in the area of information security and corporate security work with other methods from the toolbox of collection methods, analytical methods or creativity methods [see Romeike 2018 and Romeike/Hager 2020 for more details]. There is often no coordination - especially with regard to the actual risk owners, the process owners in the operational areas. This means that the operating units are bothered with widely differing methods for identifying and assessing risks.
Armin Sorg, who was head of the Economic Policy Department at Siemens AG until 2008, had already warned many years ago against the "risks and side effects" of escalating control and risk management systems on the corporate organism [see Sorg 2009]. "With the spread of a compliance (in)culture, managers are deprived of their direct and unlimited responsibility for the legality and coherence of their actions. What a contradiction to the insight that emerged in the 1990s that 'empowerment' is necessary, that individuals are given and can assume responsibility. An open-minded rather than a distrustful attitude was seen as the key to greater motivation and higher productivity. Many companies owe progress in innovation, quality and productivity to this change of attitude in leadership," Armin Sorg says in his analysis.
In recent years, over-bureaucratized compliance systems, in whose wake many risk management systems were and are still operating, have given us a complex control apparatus without measurable added value and without any effectiveness. While on the one hand compliance-driven and over-bureaucratized risk management systems are being introduced into companies, on the other hand agility and a living just culture is demanded. But the result of over-exuberant and ineffective risk management systems is often a culture of mistrust and paperwork. At this point, Publius Cornelius Tacitus, the Roman historian and senator, is quoted as saying: "Corruptissima res publica plurimae leges. (The most corrupt state has the most laws). This can be applied equally to companies.
Many risk management systems are blind to the relevant risks
Why are many risk management systems blind to the really relevant risks? One reason lies in massive methodological deficits, a just culture / risk culture that is not lived, and another reason is the lack of a link between risk management and corporate strategy and strategic goals. Risks are often "collected" and documented completely detached from the actual success factors of the company. This is why the lifetime of companies is surprisingly short, and in the long-term trend it continues to decline. According to a Creditreform analysis, on average less than two percent of all companies reach an age of 100 years or more. Companies in Germany reach an average age of eight to twelve years before they become insolvent. In the USA, since 2000, a good half of the Fortune 500 companies have quietly and secretly disappeared. The cause? The digital revolution is eating up companies. And all these companies had ineffective risk management systems that - based on a "green traffic light culture" - produced beautiful risk maps and fairytale risk management reports.
While the digital revolution continues to eat away at the encrusted corporate world, many risk managers remain blind to the disruptive and truly relevant risks. About five years ago, during a risk assessment I asked managers of a large corporation what they would actually do if their largest customer with a turnover dependency of about 20 percent decided that this service was part of their business model and would do it themselves in the future. The answer could not have been more arrogant: "They couldn't have done that. Only we can do it!" It was only to take a year for the "still customer" to realize that this service is an essential part of his core competence and that he could provide it better, faster and more cost-effectively on his own.
Blind to strategic misjudgments
Companies die early because their managers (and by this I do not mean executives) focus exclusively on the production of goods and services and forget that the organization should be an agile system that is constantly changing [see Romeike/Hager 2020].
A study by Swiss scientists Probst/Raisch shows that corporate insolvencies follow a uniform logic of decline. The scientists investigated why companies that have been among the most successful and respected for years (see Kodak, Nokia, Quelle for an example) often get into difficulties. For their analysis, the scientists have analyzed the 100 biggest corporate crises of the past five years. An initial analysis showed that more than half of the companies studied had been extremely successful by the time they went out of business. They were market leaders in their respective industries and had been highly profitable for years.
All the insolvencies examined showed that, in all cases, the crash was "home-made" and anything but inevitable. Early warning signals would have signalled to companies that they were on the wrong track. The scientists were able to distinguish between two different manifestations of this logic [see Probst/Raisch 2004, pp. 37-45]:
Burn-Out syndrome: In 70 percent of the companies investigated, the decline can be attributed to this. This syndrome is characterized by four drivers. 1. A decline often follows a phase of extreme expansion. 2. High growth sooner or later leads to saturation of the original market. In order to continue to grow, many companies diversify into new markets and products/services. This often leads to increased complexity and unrest in the organization. Expected synergies often cannot be realized. As a consequence, the core business often suffers and the company ultimately loses its identity. 3 The first two drivers are often linked to dominant, almost autocratically ruling, CEOs who act and change gears at their "discretion". The fourth driver is an excessive culture of success. "In summary, the four factors described can be classified as symptoms of the same disease we have called Burn-Out syndrome (or fatigue syndrome). An over-ambitious CEO overburdens the organization in the long run through excessive growth and incessant change to such an extent that it simply burns out. Weakened by high debt, growing complexity and persistent uncertainty, the system can, in extreme cases, collapse." [see Probst/Raisch 2004, pp. 39-40].
Premature-Aging syndrome: This syndrome explains the decline of the remaining 30 percent. 1 These companies are characterized by stagnating sales (see Kodak, Nokia, Quelle). The decline of the analyzed companies is essentially due to a rigid adherence to an increasingly outdated formula for success. Strong forces within the company block any changes (see Kodak). Decision-makers are struggling with the situation that a large share of sales is generated in the traditional business segment (e.g. analogue films), although the market segment is being substituted. This is astonishing as companies are developing innovations in parallel and management is still focusing on the traditional core business. 2 Another driver is the management style. Often there is a CEO at the top, who - confirmed by past successes - increasingly rigidly sticks to his habits ("We've always done it this way!"; as Kodak's former CEO George M. C. Fisher said in 1997: "Digital photography will not displace film!) 3. The companies are characterized by a pleasant corporate culture based on loyalty and trust. But there is a dark side to such a culture: management avoids necessary cuts in personnel. "In summary, we can observe a premature aging of the second group of companies - due to the lack of growth and change - which we call the Premature-Aging Syndrome. Management increasingly ignores change until the company is in a state of imbalance." [Probst/Raisch 2004, p. 42].
The scientists point out that an effective early warning system would have detected weak signals and prevented the imbalance or insolvency of many companies.
Weak signals (see Fig. 01) exist in the organization and need only be recognized and correctly interpreted and, above all, must be followed up by measures.
Why do some companies live longer?
Long-lived and successful companies can be described by "agility and ability to change". They always manage to reinvent themselves. Here the US-American company IBM should be mentioned as a positive example. The company has successfully completed many transformations since its foundation by the German emigrant Herman Hollerith in 1896. Starting with punch cards, IBM later developed electric typewriters, mainframes, PCs and laptops and later mutated into a consulting and service provider and currently a pioneer in the field of quantum computing and artificial intelligence. Two Nobel Prizes for Physics have emerged from the Zürcher IBM research laboratory. Gerd Binnig and Heinrich Rohrer invented the scanning tunneling microscope there. And IBM currently holds 8290 patents in the field of Artificial Intelligence, putting it ahead of all other companies.
Another success factor is that companies allow their employees freedom and also allow exotic experiments outside the core business, as long as these do not endanger their existence. Successful companies also pursue a conservative financing and spending policy with little dependence on banks or investors. Successful companies are characterized by the transparency of their values and a strong identification of all employees with them.
Instead of setting up overly bureaucratic and ineffective risk management systems, managers and risk managers should learn to listen to the organisation and recognise weak early warning signals. And they should learn to listen actively and with concentration. And here, above all, they should listen to their own employees and less to omniscient strategy consultants.
A few years ago, for example, Bosch CEO Volkmar Denner set up so-called "Disruption Discovery Teams" and asked associates to identify disruptive risks that could affect their own business model. The result: In just six days, 1800 applications were returned. The teams were released for eight weeks, and were given the opportunity to think creatively in an inspiring work environment and to work out risks for the existing Bosch business model. They worked on "blind spots" in their own business and were asked above all to develop innovative solutions for risk prevention. This is exactly how risk management should work. Many risk managers have forgotten how to listen to the organization and take the early warning signals from the operating units seriously and interpret them correctly.
They limit themselves to collecting risks and nonsensical questions about the probability of occurrence and the severity of damage. And are supported in this by industry-specific and international as well as national standards. The majority of risk managers work with boring collection methods (risk identification matrix, checklists etc.) or analytical methods. Very few risk managers work with creativity methods, such as the "reverse thinking" method or scenario analysis. Very few risk managers are able to show the organization the added value of their activities. They collect risks and then visualize them in the form of a risk map. What is the added value of such risk management if a risk manager is not concerned with the really important issues and, above all, cannot go beyond pure risk documentation due to a lack of methodological competence?
What causes a management or an employee to lose sleep?
The headstand technique (also known as flip-flop or reverse thinking) serves to identify risks by reversing the actual core question. The method goes back to the English physician and cognitive scientist Edward de Bono (* 1933) (who, by the way, also developed the six-hats method, a tool for group discussions and individual thinking based on six different colored hats).
By reversing the question, the participants are provoked and should be creatively stimulated.
For example, instead of asking about risks, one of the following questions is asked:
- "What must we as a company do to fail and become insolvent?"
- "What must we do so that our defined risk-bearing capacity is completely used up by the occurrence of risks?"
- "What must a disruptor do to destroy our business model? What can we learn from this?"
Risk managers should listen into the organization and simply ask managers and employees what potential scenarios are causing them "sleepless nights" (this is why I call this method "nightmare assessment"). You will be surprised what honest answers and critical scenarios you will get described. You should listen and then have the scenarios evaluated using a scenario-oriented assessment approach (worst case, realistic case, best case). In this way, risk managers mutate from risk managers to real sparring partners who support the operating units and also the management in anticipating the really critical surprises and taking appropriate countermeasures. Risk management is the art of professionally anticipating risks and opportunities together with other people and of navigating the stormy seas safely!
The Chinese philosopher Lǎozǐ already knew this: "Deal with things before they happen. Get them in order before they get confused. Because the difficult things in the world always start simple, and the great things always start small."
- Beck, U. (1986): Risk Society. On the way to another modernity, Suhrkamp Verlag, Frankfurt am Main 1986.
- Beck, U. (1991): Politics in the risk society. Essays and analyses, Suhrkamp Verlag, Frankfurt am Main 1991.
- Kempf, A./Romeike, F (2017): The success of "disruptive innovations" remains uncertain, in: FIRM Yearbook 2017, Frankfurt/Main 2017, S. 144-147.
- Probst, G./Raisch, S. (2004): The logic of decline, in: Harvard Business Manager, March 2004 edition, pp. 37-45.
- Romeike, F. (2018): Risk Management, Springer Verlag, Wiesbaden 2018.
- Romeike, F./Hager, P. (2020): Success Factor Risk Management 4.0: Methods, Process, Organisation and Risk Culture, 4th completely revised edition, Springer Verlag, Wiesbaden 2020.
- Sorg, A. (2009): Compliance - Bureaucracy the American Way, in: Managerism, Issue 2/2009, Internet: https://www.managerismus.com/
Frank Romeike is founder and managing partner of RiskNET GmbH. Previously, he was Chief Risk Officer at IBM, where he helped build IBM's international risk/pportunity management system.
[This article was first published in FMEAplus Magazin]