Risk Management Leadership Lessons – Operations Are Improved when Leaders Welcome Bad News

As the Volkswagen case unravels before our eyes, it plays out a familiar and repeated lesson on dealing with risk. This lesson is that early warning signs were available, but ignored. It appears that Bosch warned VW of the illegal diesel emissions as early as 2007.[1] It is not entirely surprising that VW and its executives ignored the warning. In fact, many of the great risk-driven crises involve firms that ignored early warning signs. Often early warning signs come as disconfirming information – or bad news – information that suggests the prevailing outlook on things is flawed and that a negative outcome is looming.

Let’s look at some other big failures in risk management and how the ignoring of early warning signs played a dangerous role. Evidence shows that BP had many test results, indicating that the critical pressure levels on the doomed Deepwater Horizon well were questionable. Toyota had the benefit of many years of excessively large numbers of customer complaints about accelerators. GM knew of the ignition problems. And, even famously, the NASA leadership team knew of the vulnerability of rubber O-rings in low temperatures (it was below freezing at Cape Canaveral the night before the launch in January, 1986). In all cases, the organizations ignored the information and elected to interpret it in a different manner. Why?

The answer is tied to how we develop our outlooks or hypotheses for the things around us. In these spectacular failures, the organizations and their leaders had early warning signs. Yet the early warning signs were ignored. As humans, we are predisposed to confirmation bias when confronted with new and disconfirming information. That is to say, when we see data that suggests our outlook is wrong, we first interpret the data in a way that still fits our rose-colored outlook. We attempt to discredit the data, the messenger, or the meaning of the data before we question our outlook and theory.

For instance, it results in the following claims: The drivers are the problem with Toyota automobiles, not the accelerators. Inconclusive pressure tests are common in oil well tests, as noted by BP. There is no statistically shown relationship between O-ring failure and temperature, as asserted by NASA before the Challenger explosion. And at VW, our engines are better, in spite of the data and warnings.

Overcoming these challenges is fundamental to the management of risk and decision-making. It involves organizational refocus and a diligent examination of disconfirming information or bad news. For the leader, it means opening your personal and professional network to the upward flow of disconfirming information. That is not a one-time task, but a change in how you operate and do business.

How a firm operates and makes decisions is tied to how it manages internal decision-making processes. The management of such risk falls under Operational Risk Management. Operational Risk and self-inflicted damages are the cause of the greatest reputational harm. Through cases and simulations, we will explore all of these topics in the upcoming course Operational Risk Master Class: Measurement, Management, and Leadership.

Join us!

About Russell Walker, Ph.D.

Professor Russell Walker helps companies develop strategies to manage risk and harness value through analytics and Big Data. He is Clinical Associate Professor of Managerial Economics and Decision Sciences at the Kellogg School of Management of Northwestern University.

His most recent book, From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the text Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

He has advised many leading institutions on Operational and Reputational Risk Management, including: The World Bank, SEC, Genworth, Capital One Financial, Discover Financial, PNC, The Bank of England, and the US State Department, among others.

You can find him at @RussWalker1492 and russellwalkerphd.com

The Value of Trust: Operating for Success

In business and life, we grow to expect certain things. Namely, our society expects companies to produce products that are safe and reliable. We go to Yelp and rail against restaurants that do not meet our expectation for service. However, large firms, when caught red-handed often have gotten by with a mere slap on the hand. When we see a firm misbehave or use a controversial advertisement, we see boycotts initiated and apologies extracted. What about more severe damages? How a firm operates is important in its success and in forming trust with its customers.

In the last few weeks, we have seen a couple of major developments in how firms have cheated and thus lost trust. Stewart Parnell, the former CEO of Peanut Corporation of America, was sentenced to 28 years in prison for knowingly selling and distributing peanut products containing salmonella. At least nine people are known to have died from these contaminated peanut products. It is a striking case, because we now have the science to keep food safe. We now have the science to find what has killed us and identify the source of that contamination. Yet, a firm and its executives decided to operate in a reckless manner. It is the first severe penalty levied on a food company for selling contaminated food. In the trial, former employees of the Peanut Corporation of America testified that the CEO and firm prioritized profits over safe operating conditions. Of course, the tragic deaths cannot be reversed with prison time or fines. The damage to the Peanut Corporation of America was self-inflicted. No competitor or market force did that to them. No surprise in the capital markets or fear of peanuts by consumers brought them harm. When firms cheat and do harm, they ultimately hurt themselves. This fraud is of course a major risk to shareholders, customers, markets, and, in this case, the health of people.

The recent EPA disclosures about how Volkswagen has more or less gamed its diesel engine systems to perform well on emissions tests (and only during tests) showcase yet another case of internal fraud. Attorneys General across the US are already calling for billions in damages from Volkswagen. The firm created an image for “clean diesel,” sold it to well-educated and wealthy Americans, who wanted an environmentally palatable vehicle, and they profited handsomely from it. Now the lies have been revealed. The fraud, again, is internal and self-inflicted. No competitor, regulator, customer, or market force made Volkswagen do this. It is risk that now will harm shareholders, customers, the German economy, and the environment. And, let’s not forget about Toyota and its accelerator, GM and its ignition switches, and well… the list goes on and on. We lose trust in firms because of the harm they cause and because that is the result of internal risk taking and decision-making gone awry.

These two recent cases are largely about internal fraud. It is clear that the firms knew about their misdeeds and elected to operate in a reckless and harmful manner. We often think of internal fraud as a banker walking out of the vault with gold bars. Such fraud is far less likely to occur than that of an executive taking undue risk against the firm to meet short-term goals. With average CEO tenures on the order of 5 years, the pressure to perform is high and the window of opportunity is short. The threat of internal fraud is a risk that all firms must address.

The management of such risk falls under Operational Risk Management. Operational Risk and self-inflicted damages are the cause of the greatest reputational harm. Nobody forced BP, GM, Volkswagen, Toyota, or the Peanut Corporation of America to do what they did. Their executives elected to take risks (and dangerous ones). Trust requires operating successfully over many transactions and creating value for customers. Once that trust and reputation are damaged, the firm must work to change not only its image, but also its operation. The process of managing Operational Risk requires a treatment that addresses the organization, its culture, its management, and leadership. We will explore all of these topics in the upcoming course Operational Risk Master Class: Measurement, Management, and Leadership.

Join us!

About Russell Walker, Ph.D.

Professor Russell Walker helps companies develop strategies to manage risk and harness value through analytics and Big Data. He is Clinical Associate Professor of Managerial Economics and Decision Sciences at the Kellogg School of Management of Northwestern University. His most recent book, From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the text Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

He has advised many leading institutions on Operational and Reputational Risk Management, including: The World Bank, SEC, Genworth, Capital One Financial, Discover Financial, PNC, The Bank of England, and the US State Department, among others.

You can find him at @RussWalker1492 and russellwalkerphd.com

The World in 2050: Rapid Changes Ahead

Last week, I picked up a copy of the Wall Street Journal and was saddened and troubled to see the picture of a baby Syrian boy’s body being recovered from the sea. It was all the more ironic that I was preparing to give a talk on the World in 2050. It made me think that we are on the cusp of many rapid and dramatic changes. By 2050, we will have some 9.6 billion people on the planet, up from our current population of some 7.3 billion.[1] A big change facing the human race is the massive demographic shift that we will see in accordance with this population growth. Not all populations are growing equally. The sad events in Syria and elsewhere are part of this big shift. The world will have a super abundance of people in some places and a rapidly aging population in other places. As far as we can tell, the size, speed, and dramatic nature of the changes to our population are unprecedented in human history and will pose both challenges and opportunities.

India will Surpass China in Population (and Growth?)

We have grown comfortable with China being the population and economic growth engine for the world. Need another factory? China has been able to add manufacturing capacity in a low cost manner and find new workers to operate the factories. Due to the one-child policy and now the movement of many Chinese to urban areas, which typically results in the downsizing of family size, China will have a smaller and older population by 2050 (1.30 billion) than it does today (1.37 billion in 2015). It is somewhat hard to accept that China will soon be shrinking. The challenge here is that economically speaking, much of China’s growth has come from its ability to generate a labor supply and customer demand to fuel global markets. With concerns about China not meeting economic growth targets today and some 45% of the population already urbanized, one is forced to wonder if this slowing growth is a permanent change for the future and an earlier start to the inevitable slowdown than anticipated.

This brings us to India, which will by 2050 become the most populous nation in the history of the world with over 1.66 billion people, up from its current population of some 1.25 billion. India will add more people to its population in the next 35 years than we have in the U.S. today! India still has a great deal of growth potential with only some 30% of its population living in urban areas. India’s growth will require access to more and new food supplies and a low-cost supply of energy. The opening of Iran and the access of other large energy finds in recent decades are all positive factors to support the economic growth of India. There is a strong intellectual base and educational system in India. Conditions for economic hyper growth are very positive.

Africa will Surprise Us

The largest boom in population growth will come from West Africa. Nigeria, which has a landmass about the size of Texas, will grow from its current population of 180 million to about 400 million in 2050.

It will more than double its population in a landmass that is already feeling crowded. The following population pyramid growth for Nigeria shows that Nigeria will remain a growing population through the next century, too.[2]

Most forecasts suggest that Nigeria will about equal the U.S. in population by 2050. Some project even faster population growth for Nigeria such that Nigeria will top the U.S. by 2040. This growth in Nigeria will be similarly matched by other countries in West Africa, leading many industries to examine Africa as a source for talent, customer demand, and indeed overall growth!

The U.S. will become more Hispanic

The U.S., like most developed countries, is aging. We are all familiar with the Baby Boomer population. However, the delay in marriage, lower rate in the formation of families and the reduction of family sizes are new normals for millennials. The net is that America will see an aging population, but immigration and the higher birthrate of immigrants in the U.S. will have U.S. population grow from today’s level of approximately 325 million to some 395 million by 2050. It is a respectable growth, which will come almost entirely from the Hispanic population. The Pew Research Center estimates that 82% of the U.S. population growth will come from Hispanics and that by 2050, the Hispanic population will grow from a current 17% to nearly 30%.

Foreign-born Americans will make up nearly 20% of the population by 2050, up from today’s 12% (although these numbers are clearly hard to confirm owing to undocumented residents). The Asian population, which is now about 5%, will double to 10% by 2050; the African-American population will remain at about 13%, and Caucasians are expected to comprise less than 47% of the population by 2050, showing a dramatic decline.[3] As you can see from the above population pyramid for the US, we will have an abundance of older people and fewer young people, suggesting that population growth will slow into the next century in the absence of greater immigration. Of course, immigration pressure will exist for the US, suggesting an even richer ethnic composition after 2050!

The World Will Need More Women

The population explosion that is occurring in India comes with an unfortunate and troubling imbalance. Owing to cultural preferences and gender-specific infanticide, India produces more boys than girls, and this is a growing problem. This cultural preference has been at work for many decades now and the population imbalance of women is irreversible. Consider the population pyramids for India and China, showing this grave imbalance.

The United Nations predicts that in Asia, there will be some 80 million to 100 million men with no prospect of forming a family by 2050. We should expect that the imbalance will be concentrated in the poorest strata of society. As families form, the poorest women will have mobility upward and the poorest men will have the hardest time in having families. This will be a social challenge that will bring changes to the concept of families, communities, marriage, and happiness in many of the poorest parts of Asia. The world has not seen this level of imbalance before and how it will be resolved is a new challenge.

Some Thoughts and Observations on Growth

For companies and investors looking for growth in the world, I offer a few major trends. The world will have massive expansion in the warmest climates. Warm climates demand air conditioning and refrigeration, and such comforts go a long way in changing the satisfaction of the population. Only with rare exception do people ever give up such comfort. Also, the growth of these populations (especially in India) will correspond to higher per capita GDP. As people move out of the depths of poverty and into the so-called “global middle class” they adopt a richer diet that is based more on animal protein. This will require more soybean production for the raising of animals and put new pressures on sustainable animal husbandry as meat consumes not just soybeans, but large amounts of water and energy. These people will need transportation and communications. The development of low-cost automobiles and the expansion of mopeds will bring these growing populations access to combustion engines and the continued environmental challenges posed by them. On the flip side, the U.S., Europe, and Japan will need solutions for an aging population. Obviously healthcare is a focus. But these aging populations will consume services. Some of this can be met by immigration, but automation and even robots will answer, and already are answering, the call.

It is clear from the Syrian crisis that millions of people will need to move across borders in pursuit of peace and prosperity. This movement will continue to be amplified in the coming decades. Arguably, we are just seeing the beginning. Businesses and governments will need to change how they connect supply and demand globally. Workers are not just contributors but are also customers. Growth will come from matching supply and demand and bring peace and prosperity to the millions (actually billions) of people who are looking to improve their lives.

About Russell Walker, Ph.D.

Dr. Walker is Clinical Associate Professor of Managerial Economics and Decision Sciences at the Kellogg School of Management of Northwestern University.

Professor Walker has developed and taught executive programs on Enterprise Risk, Operational Risk, Corporate Governance, Analytics and Big Data, and Global Leadership. He founded and teaches the Analytical Consulting Lab, Risk Lab, Global Lab, and Digital Lab – all very popular experiential learning classes at the Kellogg School of Management, which bring Kellogg MBA students together with corporate opportunities focused on data and strategy. He also teaches courses in risk management, analytics, and on strategies in globalization.

His most recent book From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the book Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

He has also authored many business cases and published multiple Kellogg case studies through Harvard Business School Publishing. His cases have been highlighted by the Harvard Business School Publishing, the Aspen Institute, PRMIA, and the Bank of England for excellence in teaching risk management.

He serves on the Scientific and Technical Council for the Menus of Change, an initiative led by the Harvard School of Public Health and the Culinary Institute of America, to develop healthier and more environmentally friendly food choices. He was formerly on the board of the Education and Technology Committee to the Morton Arboretum. He was a board member of the Virginia Hispanic Chamber of Commerce, where he developed support programs for Hispanic entrepreneurs and worked with US senators on US Latino matters.

He is at @RussWalker1492 and russellwalkerphd.com.

[1] United Nations Population Projections, 2012.

[2] Population pyramid graphics are from the International Data Base, made available by the US Census Bureau.

[3] http://www.pewhispanic.org/2008/02/11/us-population-projections-2005-2050/

Practical Advice for MBAs & all Going to College: Get the Most from your Venture and Investment

Fall is already in the air here in Evanston, Illinois. In the coming weeks, we will welcome our new students to campus at Northwestern University. It is always an exciting time of the year. It is exciting to be part of the new journey that our students are all beginning. For me, I look forward to working with our new and talented MBA class at the Kellogg School of Management. Heading to college (or back to college in the case of our MBAs and graduate students) is an important venture and investment in one’s life. It is also a period that moves by much more quickly than anticipated. Reflecting on what worked for me and my students, I offer some points and reminders to help incoming and returning college students get the most out of their venture and investment.

Be Organized

Although some programs like pre-medicine are really trying to separate students, I find that most universities and professors want to see their students excel. And when students struggle, it is often self-inflicted and due to poor organization – not following directions on an assignment, not meeting deadlines, not doing the reading, not doing the simple stuff. Not all of college is simple, but there is no need to let the simple and small stuff trip you up. Get Organized! Make a list of to dos each day. Knock those out. Complete tasks early. Get up early – there is so much that can be done before lunch! Ask for help before the deadline. In many ways, college is preparing you for work and life management. Self organization is critical (and not necessarily that hard). Also, don’t expect others to organize things for you.

Challenge Yourself

Few college students will know upon entering college what career or job they will take. College is a place to learn and grow. However, you are not growing if you are not working and challenging yourself. Indeed, it should push you and even at times hurt a bit. Loading up on easy classes will make for an easy semester and result in a high GPA, but did it advance you? Did you grow? Probably not. Companies are looking for graduates, more than ever, that can handle complexity, and STEM careers are more attractive than ever for that reason. Take classes that allow you to contribute in these expanding markets. A wise man once told me upon my entry to college, “Work hard for the next 10 years and you can relax for the rest of your life. Relax for the next 10 years and you will work hard for the rest of life.” It still holds true today. The more you put in, the more you will get out.

Explore and Take Risks

The wonderful thing about a university is that it is full of great classes and professors. Many students come to me and ask my advice on which classes to take or if they should retake statistics or finance or something that they already know. My advice is always, take new things and things that allow you to explore. If you already know an area well, consider exploring it in greater depth or try a new topic. I greatly enjoyed my classes in history, art, architecture, and philosophy. Each has made my travels more enjoyable and brought richness to appreciating life. Each also has added an ability to work with and communicate with people from many cultures. So, take classes outside of your major, take those that you can use to explore genuine interests and enjoy that special opportunity!

Get to Know People…No Really!

The most troubling effect of our social media and mobile world is that many people have grown uncomfortable with in person communications. At Kellogg, professors invite their students to lunch for the sole purpose of building relationships with our students. It is the most enjoyable part of teaching – to get to know our students outside of the classroom and for them to get to know us. The skill and art in getting to know people is important in leadership roles of all forms. Consider college an opportunity to do that.

I teach many lab classes at Kellogg, in which student teams work on real-world projects. These popular classes are a great opportunity for our students. Realizing that many teams struggled to click, I now require all teams to meet over a meal and to swap personal stories. The impact has been highly positive on the team dynamics and many teams share with me that they continue to meet long after the class. Be that person that reaches out to get to know others. They will appreciate that in you and look to you as a leader.

The time spent in getting to know others will be greatly important in team work, as we conduct it in our MBA program at Kellogg, but also in overcoming challenges and difficulties in college and afterwards. You might even meet someone really special with whom you’d like to share your life!

Learn New Life Skills

A wise professor of mine at Cornell University offered me this same sage advice – Learn New Life Skills! College is not only about preparing for your first job or even your career, it is about preparing for life. Universities offer many great opportunities to develop new skills, for life. Take a class in music appreciation, learn a foreign language, learn a programming language, visit other countries, learn about science and the body, take a geology trip, take a cooking class, build something, grow something, and for MBAs, sell something or start something special. The ability to pick up such skills is much harder once work and family set in. Identify a few skills that you would like to develop and take classes to grow those skills.

Develop Great Presentation Skills

In recent years, it seems that less emphasis has been placed on critical presentation skills. Indeed every profession that I can imagine involves some level of important presentation. Doctors are expected to have good bedside manners. Business consultants are expected to make compelling presentations to their clients. And, the chance opportunity to meet with the CEO or a possible client is most likely to occur in person with little to no warning. An observation from my career is that those people most entrusted with working on top projects or with top clients are those who have the greatest presentation skills. Few firms will honestly state that, but the bias is inherent in how we view a good presentation as the sign of a better leader or more thoughtful person. Gain that advantage! Develop a natural and comfortable style presenting your ideas. Take classes in speech and speaking. Learn to write in the manner demanded of your career. For MBAs, learn to develop compelling presentations and pay close attention to formatting details. Volunteer to do this on behalf of your team. The team will thank you, and you will be the real beneficiary of the practice in presenting.

Be Frugal

Here is the hard and honest truth. With most Americans borrowing to go to college and with graduates (such as MBAs) borrowing even more, the cost of college is a drain on your future earnings. So, it is all the more important to make the most of it. Delayed gratification is really in order. If you are borrowing money to buy a $5 latte each day, that will cost you much more later. For a dollar borrowed at 6% (a common rate at least among graduate students) and paid out after college and at the end of a ten-year payback period, graduates will need to make over $3.45 for that dollar borrowed. That coffee and other expensive luxuries will really impede your lifestyle going forward. Consider alternatives. Can you live with less? Can you spend less? Prioritize those things that are most important. Consider a part-time job to offset costs or to pay for some luxury that you really want. Make a financial plan and stick to it.

Have Fun…by Getting Involved!

College can and should be fun and memorable. This is most likely the case when you are active and involved. Join clubs – but get involved! Start a new club. Help your student club with a new effort. Help your major or program. Meet your professors to learn about opportunities in your field (really, few people come to office hours anymore – you will have no wait). Work to bring special speakers to campus. Invite your friends and family to campus; show them what excites you about your venture and investment. Take classes that bring passion and excitement to your work and studies. Being involved and passionate will allow you to get the most from your time at college.

And if you (or your son or daughter) are coming to the Kellogg School of Management or Northwestern University, stop by and say hello! It would be great to meet you or them in person!

About Russell Walker, Ph.D.

Professor Russell Walker helps companies develop strategies to manage risk and harness value through analytics and Big Data. He is Clinical Associate Professor of Managerial Economics and Decision Sciences at the Kellogg School of Management of Northwestern University. His most recent book, From Big Data to Big Profits: Success with Data and Analytics is published by Oxford University Press (2015), which explores how firms can best monetize Big Data. He is the author of the text Winning with Risk Management (World Scientific Publishing, 2013), which examines the principles and practice of risk management through business case studies.

Professor Walker has developed and taught executive programs on Enterprise Risk, Operational Risk, Corporate Governance, Analytics and Big Data, and Global Leadership. Russell leads the Kellogg PRMIA Complete Course in Executive Education for Risk Management. He founded and teaches the Analytical Consulting Lab, Risk Lab, Global Lab, and Digital Lab, all very popular experiential learning classes at the Kellogg School of Management, which bring Kellogg MBA students together with corporate opportunities focused on data and strategy. He also teaches courses in risk management, analytics, and on strategies in globalization. He was awarded the Kellogg Impact award by Kellogg MBA students for excellence and impact in teaching Enterprise Risk Management in 2011.

He serves on the Scientific and Technical Council for the Menus of Change, an initiative led by the Harvard School of Public Health and the Culinary Institute of America, to develop healthier and more environmentally friendly food choices. He is a former member of the board of the Education and Technology Committee to the Morton Arboretum. He was a board member of the Virginia Hispanic Chamber of Commerce, where he developed support programs for Hispanic entrepreneurs and worked with US senators on US Latino matters.

You can find him at @RussWalker1492 and russellwalkerphd.com

He looks forward to the start of school each fall.

The Increasing Importance of Operational Risk in Enterprise Risk Management

Enterprise Risk Management, as a corporate undertaking, has its deepest roots in financial services. Historically, for banks and insurance firms, the focus within enterprise risk has largely been credit and market risk. The Great Recession of 2008 showed us that liquidity risk and the interplay between a firm and capital markets were also important to consider. Now that sufficient time has passed since the Great Recession, we see that credit and market risk were not the sole causes. Indeed, critical operations and processes at many lending institutions failed. Underwriting procedures, loan processing, and the like were subject to little if any confirmation and oversight, leading to larger and higher credit risk positions than anticipated. Operational risk had reared its ugly head. The wave of regulation that has overtaken the financial services industry since then is largely driven by concerns over processes and procedures that caused harm to customers. The impact of processes and policies has never been greater. There are drivers at work to suggest that operational risk is still increasing, and that in particular, firms should be mindful of certain risk drivers, in the context of enterprise risk management, such as Increasingly Complex Operations, Development of New and Untested Products, Automation and Digitization, Increasing Reputational Impact from Operational Risk, New Focus of Regulators on the Treatment of Customers as Victims, and lastly, Cyber Risk. The disturbing and uncomfortable reality is that operational risk is unintended and, in theory, should not happen, if critical processes are well designed. Operational risk is self-inflicted, or if not self-inflicted, it is the result of unexpected errors or mistakes, all proving to be much more costly and dangerous than initially anticipated. Therefore, this leads firms to pay specific focus on operational risk management as part of enterprise risk management.

Full article at:

http://www.ermjournal.org/index.php/erm

Managing Data Breaches and Cyber Risks

Data Breaches Impact Reputations and Customers

A data breach can lead to terrible consequences for you and your customers. In addition to devastating financial losses, the damage to your reputation and brand may be irreversible. Yet, despite the risks, some firms still view cyber crimes as random events. They take a “this will never happen to me” approach. On the contrary, it can happen to you and there are things you can do to prevent it.

For one, know that hackers don’t pull names out of a hat. They target firms for precise reasons. Either you have something they want or they’ve spotted a weakness in your system that makes you vulnerable. Consider TJX. In 2007, the retail giant reported the largest data breach in history. Out from under the company’s nose, cyber criminals made off with more than 45 million credit and debit card numbers. It turned out the crooks had been siphoning data for nearly two years before TJX detected the breach. How did the hackers do it? They intercepted insecure wireless payment information TJX was sending to its credit card authorizers and banks. TJX was using outmoded WEP encryption instead of the more secure WPA. The company elected to not install the latest encryption technology, figuring the risk of a breach was low. Sounds familiar. It was also at work in the Target and Home Depot cases. You might argue, TJX’s business was retail, not technology. What did its management know about cyber crime? Probably not as much as they do now. But had they taken the risks more seriously, the event likely would never have happened.

Employees present a risk, too

Sometimes cyber criminals get help from employees inside a company. In 2011, an RSA employee retrieved an email from his junk folder and opened it. The email contained malware that gave cyber thieves a foothold and allowed them to burrow into the company’s network. That one employee’s oversight ended up costing RSA and its parent company EMC $66 million. Other times, employees inside a company become the cyber criminals themselves. Booz Allen Hamilton gave its employee Edward Snowden access to classified information. Snowden, in turn, went against his employer’s client, the US government, by going public with that information. JP Morgan, Barings Bank and Société Générale are examples of other companies that also have experienced employee fraud or data breaches.

Tips for securing your data

We live in a data-driven society. Fortunately, you can do a few things to mitigate loss, and ensure your data is more secure.
1. Pay attention to the tiniest of details – As we rely increasingly on data automation to do our heavy lifting for us, we open ourselves up to the dangers of processing data inappropriately. Cloud storage and file sharing add to that risk. It’s best to take a detailed approach to examining data flows. Small holes easily can turn into flood gates.
2. Partner with best-in-class data firms – TJX lost money not because of a bad business model or even poor customer service. It lost money because of how it transferred credit card data, a task far outside of running a department store. Target, Home Depot, and many more are suffering the same. Be honest about what you do best and don’t be afraid to partner with experts in data risks and management.
3. Know your employees and their actions – A broad universe of tools (social networks, blogs, and intranet postings) is available for monitoring employee behavior. Many firms even deploy keystroke tracking software to comb messages and emails for legal issues. It is important to educate employees on how their actions can impact a company’s overall data security.
4. Customers expect more than the law – Laws exist that set clear direction on how companies need to process financial and health care data. But as more firms allow data sharing with web services and third-party apps, the risks become greater. Management needs to look to customer expectations regarding the treatment of data.

How to Win With Risk Management

A Q&A with Russell Walker about risk management

Many people think about risk management as a defensive strategy, a tool for minimizing exposure to economic crises or public-relations blowouts. But Russell Walker, a clinical associate professor of managerial economics and decision sciences at the Kellogg School of Management, argues that businesses should be thinking about risk management very differently. He has just written a book on the topic, Winning with Risk Management, published by World Scientific Press, which he kindly agreed to discuss with Kellogg Insight. Here is our conversation, lightly edited and condensed. (For a longer version of our conversation, listen to the accompanying podcast.)

Kellogg Insight: Your book argues that a company’s risk management strategy can actually bring it a competitive advantage. Can you start by explaining just what you mean?

Russell Walker: The world of business has taught us that companies develop competencies and use those to create advantages. Companies might, for instance, be excellent in operations, in marketing, pricing, branding, etc. So in the same way we would ask ourselves, “how do we compare against another firm on pricing?” or “how do we compare against a firm on branding?,” we could ask questions about risk management. How does the organization tie into knowledge networks, how is the organization exposed to global stresses, global shocks, shocks in supply chains, or even risk from regulation?

KI: You point out that operational risk in particular is often mismanaged—to a company’s peril. What do you mean by operational risk, and why is it important to manage it well?

Russell Walker: Operational risks are the negative outcomes associated with executing a strategy. It’s often the case that we remember the very catastrophic, image-driven, external events: explosions, hazards, tornados, what have you. But many organizations fail not because of outside stresses, but because of challenges internally. There may be technological challenges. And there may be organizational issues dealing with information that might suggest that risks are different. Operational risk mostly is the implicit risk that an organization has accepted by setting a strategy.

KI: So let’s move to a couple concrete examples. Your book takes us through the way two different cell phone companies, Nokia and Ericsson, both responded to the same crisis, a fire in a supplier’s factory that delayed production of a critical component. But the two companies’ responses to this crisis were night and day. What happened?

Russell Walker: Great question. The case is a famous one because it highlights how two companies were exposed to essentially the same risk. Both companies were using a single supplier—Philips in this case—which made a memory chip that was unique in the cell phone industry. Both Nokia and Ericsson found themselves dependent on this single supplier. When Philips was unable to produce chips because of a fire event at its factory, Nokia and Ericsson took drastically different approaches.

Ericsson was laissez-faire: “we’ll wait for more information on our supplier.” Nokia more proactively sought out information. And as you might guess, that more proactive approach by Nokia allowed them to secure the international supply of this memory chip, preventing Ericsson from acquiring any supply. Nokia was able to provide its competitor Ericsson a deathblow, and in doing so gained market share. They picked up 3% of the world’s market share and paid Ericsson nothing for that. The case has changed how technology companies in particular view their global supply chain and assess the risk of their suppliers.

KI: How so?

Russell Walker: We have found that many of the components used in technological devices like iPhones or iPads now accept one of many different components in the marketplace. Whereas in the case of Nokia and Ericsson, the phones were designed around one particular memory chip—only one, made by one supplier—now many of the devices have built in an engineering flexibility that allows them to receive one of many different components. We’ve also seen that Apple has changed its relationship with suppliers. It has a nearly exclusive relationship with Foxconn and develops very deep relationships with its partners. This case shows that both Ericsson and Nokia lacked that kind of deep relationship with a supplier.

KI: Would you say that there are any other ways that technology has shaped the risk landscape?

Russell Walker: Many ways. T.J. Maxx is a large retailer here in the U.S., and they’re not a company that you would expect to necessarily be competitive in the world of data security. But because they elected not to take particular actions to upgrade the security on their credit card transaction systems, they became the victim of a very sophisticated and targeted fraud scheme in which individuals stole credit card information from the satellite transfers from T.J. Maxx stores to their headquarters.

T.J. Maxx is a retailer. They compete on selling brands and clothes and all the things that we wish to wear, not on credit card security and in the technology necessary for that. But now even companies that run small e-commerce webpages are exposed. The case highlights—and it was the largest example of credit card fraud to date in the U.S.—the need for companies to stay abreast of technological risk.

KI: Time and again your book frames risk as this opportunity. I know you’ve touched on it briefly before. But why do you think that the more positive aspects of risk are ignored?

Russell Walker: They’re largely ignored because risk has been presented as a downside, not necessarily as an upside. What is fascinating about risk and understanding your competitive position against risk is that if your competitor is to falter—if you could assist your competitor in some demise—their assets (be they market share, factories, brands, etc.) get transferred. And in the context of risk, if we look at the examples of Nokia and Ericsson, and even Toyota and British Petroleum, we see that assets get transferred for nothing. What’s really exciting about competing on risk is that you could “buy” your competitor’s assets for free. That largely will define the winners and the losers in a marketplace.

KI: You said something really interesting in your book about CEO tenure, and how that might actually influence how companies think about risk. Do you mind sharing?

Russell Walker: Exact numbers are in the book, but I believe a typical CEO tenure is 4–7 years. But it’s not uncommon for it to even be less. This suggests that a CEO, given his or her reward package, may take risks or make investments that maximize short-term results, and potentially expose the firm to larger risks later down the road. We could look at family businesses as a comparison, where a family business has the goal of preserving the company over a very long period of time, in fact even transferring it to the next generation. And we find that they take different risks, risks more in the direction of, “how do I preserve this and grow this in a sustainable way?” versus “how do I grow revenue rapidly, quickly?”

KI: So it might not be a bad thing for us all to start thinking about public corporations more as family corporations.

Russell Walker: Well, in the sense that you own it and it’s yours, you think about it very differently. In fact it has been suggested that CEOs should be compensated entirely by stock, entirely by ownership.