Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity
Twelve Books, 2018, 336 pp., $30
Mastering Catastrophic Risk: How Companies Are Coping with Disruption
Oxford University Press, 2018, 248 pp., $29.95
The quest to conquer chance of loss, injury, or failure to secure a reward has been an abiding primum mobile of Western civilization. So, anyway, argued Peter Bernstein in his seminal 1996 book, Against the Gods: The Remarkable Story of Risk. Bernstein claimed that understanding risk, measuring it, and weighing its consequences has been one of the prime catalysts driving modern Western society.
It could be. As societies became more complex, new and more complex risks arose, necessitating the development of ever more complex risk management tools. Better measurement of risk allowed for a more rational process of risk-taking than that furnished by a vague conviction of fate or destiny. Risk management now guides us in making a wide range of decisions—whether at the personal level (buying life insurance, wearing a seatbelt), at the corporate level (making capital investments, developing new products and services), and at the national level (developing defense and disaster management strategies). To the extent that risks are becoming more complex and, in an increasingly connected world, more integrated, there is arguably a greater chance of catastrophic failures, with consequences extending well beyond the bounds of the narrow field in which they originated.
Writing about risk requires one not just to know mathematics and statistics, but also psychology, economics, politics, and history. In different ways, two new books on the topic recognize the fundamental shift taking place in both the nature of the risks corporations now face and how they prepare (or fail to prepare) for them.
Political Risk arose from a course that Condoleezza Rice and Amy Zegart have taught to Stanford MBA students. Their book shares what they have learned from their extensive experience in government and the private sector; from interviews with investors, CEOs, and risk managers; and from their academic research in psychology, organization theory, and political science into the reasons for the decisions individuals and organizations make about political risk. Their stated hope is that the book “will expand our classroom and help business leaders at all levels, in all industries” to better manage political risks.
The authors range well beyond the business world to draw from an eclectic array of risk management successes and failures: nuclear force posture, aircraft carrier operations, the Space Shuttle program, evidence-based medicine, and football. Their framework is meant to be “simple yet powerful”: “Understand → Analyze → Mitigate → Respond.”
Twenty-first century political risk is defined in “the most elementary terms” as the “probability that a political action could significantly affect a company’s business.” This exceptionally broad definition supposedly encompasses no less than ten types of political risk: geopolitics; internal conflict; laws, regulations, and policies; breaches of contract; corruption; extraterritorial reach; natural resource manipulation; social activism; terrorism; and cyberthreats. Rice and Zegart acknowledge that these risks originate from a wide variety of actors, not just national governments but also transnational groups, individuals, interest groups, and even international organizations.
The ambitious scope of the book as laid out in its first 50 pages doesn’t leave enough room in the remaining 200 pages for in-depth coverage of all ten topics. But an easy and engaging writing style, interesting vignettes, and many useful illustrations and insights make up for the less-than-comprehensive treatment.
After identifying the important mega-trends (globalization, supply-chain innovations, connective technologies, and social activism), in their third chapter the authors address key trends in post-Cold War politics. To cover all of these topics (and the growth of populism and protectionism) in a mere 20 pages requires one to paint with a very broad brush. After reviewing these complex phenomena—and their interaction—the authors offer the reasonable (albeit banal) observation that understanding and managing political risk is a notoriously difficult task for companies.
This chapter segues into a useful discussion of why many firms find managing risk, widely recognized as an essential task, so hard to master. The section dealing with “The Five Hards” of political risk management (hard to reward, to understand, to measure, to update, and to communicate) is particularly original. Drawing on both academic research and their own experiences, this section highlights some of the significant barriers to developing effective risk assessment and management. Succeeding chapters explore how these hard barriers might be overcome; key takeaways conclude each section. While some are not particularly original (“Prepare for the Unexpected”), others, especially those related to the importance of both tailoring and institutionalizing risk assessment/management functions within the firm, are well argued and quite insightful.
The middle chapters of the book flesh out the aforementioned framework. Appropriately, they start by stressing the importance of knowing your firm and its risk appetite. Here the key is the extent to which the firm as a whole shares an understanding of risk and knows its blind spots. In a chapter imaginatively entitled “Thinking Like a Physicist,” the authors address several key questions: “How can we get good information about the risks we face?”; and “How can we ensure rigorous analysis and integrate the results into our business decisions?” The chapter includes a short but useful discussion of the benefits of scenario planning.
The authors then turn to addressing ways to mitigate risk. Firms are advised: to know what assets are most valuable and most vulnerable; to know how to reduce exposure of those assets to loss; to have protocols and a system for timely warning and action; to limit damage when something bad happens; and to develop contingency plans. Illustrative vignettes from FedEx, Walmart, the Defense Department, and other organizations are deployed to describe different aspects of various risk mitigation efforts. But alas, this section seems to overlook the old adage that knowing what to do is not the same as knowing how or when to do it.
The last component of the framework is responding to crises. Using wide-ranging vignettes from Marriott Hotels/Indonesia, Apple’s launch of the iPhone 4, the Challenger disaster, BP’s Deepwater Horizon disaster, the Tylenol tampering episode, and Jim Harbaugh’s football coaching prowess, the authors outline rules for effective crisis response. Not the least of these is the importance of continuous learning and implementation of proven best practices.
Political Risk’s stated purpose “to expand our classroom and help business leaders at all levels, in all industries” is at least partially fulfilled. Graduate students at schools beyond Rice and Zegart’s Stanford will likely benefit from reading it. Indeed, I have added it to the syllabus of a course I’ve taught since 1984, “International Political Risk Assessment and Management.” That said, its prospective utility to an international business executive is not so clear.
A serious challenge faced by all authors trying to communicate to a business audience is the heterogeneity of the international business community. Seeking to address “business leaders at all levels in all industries” is a daunting task, as is relating wisdom about political and social phenomena in a state of continuous change. Presuming that North American, Asian, European, and Latin American business executives are all concerned with the same “political” risks may be a convenient stance for an author but not for every potential reader. Moreover, aside from geographic and national differences, there are enormous industry differences as well.
There are several more challenges involved in communicating to a business audience. The first is that you must have great empathy for the wide variety of risks that senior corporate officials need to address these days. Executives are managing complex organizations with heterogeneous resources and capabilities, operating in multiple economic, political, and legal environments, buffeted by many global political, economic, and financial changes, and faced with making time-limited decisions with less than perfect information about and understanding of the complex environments in which they operate.
It is particularly challenging for many senior corporate officials to understand political and social phenomena. Many of them ascended to senior corporate positions because of their technical or entrepreneurial competence in finance, engineering, business, law, medicine, science, or software development. Understanding such phenomena was often a peripheral concern throughout their careers. They may be aware of how important such things are, but being aware of these things isn’t the same as having deep experience with them or knowing how to integrate that knowledge into a corporate context.
The most serious shortcoming of the Rice/Zegart book is the relative dearth of attention to political risk management (which is not the same as “preparedness”). In the immense risk literature, risk is usually defined either in relation to its probability or to its degree of uncertainty, but the word “uncertainty” does not even appear in the index to this book. “Uncertainty” and “risk,” of course, are far from being synonyms. Risk is a stochastic concept having to do with assessing probabilities of known variables; uncertainty is a structural concept describing situations in which one cannot account for all relevant variables. Woe to the executive who doesn’t know the difference. Thus for Rice and Zegart, evidently, “risk” means either too much, or too little.
The book is replete with anecdotes about failures and successes in political risk assessment, but there is a dearth of discussion of political risk management. Consider the following metaphor: Imagine a well-written book on the risk of loss due to fire. The book examines in detail the causes, types, and varieties of fires (both accidental and non-accidental) and also covers prospective management actions, preparedness efforts, and education of staff. Such a book can be valuable, but it would be thought a serious oversight if it left out even a mention of the existence of fire insurance.
Rice and Zegart’s failure to acknowledge that insurance is available to help mitigate some of the financial impacts of the ten “political risks” is thus regrettable. For example, the Wall Street Journal reported in 2018 that many businesses and municipalities have bought insurance against cyberattacks, and that the majority of the 25 largest U.S. cities had or are looking into buying cyber insurance. It would have been useful to explore the advantages and the shortcomings of such coverage.
Indeed, the authors might have considered using insurance terminology and referring to the “ten political risks” as hazards—namely, things that may cause injury, loss, or destruction. Risk can then be defined as the probability that one’s exposure to a hazard will lead to negative consequences of a certain type or magnitude. A hazard poses no risk if there is no exposure to that hazard. One can only discuss probabilities in a classical fashion when there is a measured risk.
And further, with respect to the political risks of expropriation, currency convertibility and transfer, breach of contract, war, revolution, terrorism, and insurrection, Political Risk completely disregards the large and vibrant insurance market covering these risks. Multiple private, public, and multilateral insurers have been providing billions of dollars of coverage against these risks for decades. The book’s index contains no entries for Lloyd’s, AIG, the Overseas Private Investment Corporation (or its national counterparts in 20 other countries), the World Bank’s Multilateral Investment Guarantee Corporation, or other political risk investment insurers. Indeed, the very word “insurance” is nowhere to be found in the book’s index. This would ill serve any business executive looking for a comprehensive treatment of political risk management. In a similar vein, the authors are silent on a whole host of financial guarantees available from many private, national, and multilateral entities that can effectively deter (or mitigate) certain political risks from materializing and causing actual loss to a corporation.
Nonetheless, Rice and Zegart’s book is well-written, engaging, and insightful for a variety of educational purposes and for broadening the knowledge of junior corporate officials. For directors and senior corporate officials, however, it is perhaps most useful as a reminder of the ever-shifting range of non-traditional risk challenges and might best be read in conjunction with Kunreuther and Useem’s book, Mastering Catastrophic Risk.
Kunreuther and Useem are two senior Wharton professors who have extensively researched and written about business management of catastrophic risk, insurance, and risk management. Klaus Schwab has referred to them as “two of the world’s most influential risk and strategy luminaries.” Five years in the making, with a research team of 12 persons who conducted scores of interviews with senior executives of more than 100 firms on the S&P 500, overseen by an 11-member senior external advisory board, and financed by generous grants from several insurance companies, Mastering Catastrophic Risk is a “heavy” book. It is fundamentally an inductive work that seeks to capture what firms have done, are doing, and hope to do about managing catastrophic risk. In scope, terminology, and conceptual structure, it is designed for corporate directors, senior corporate executives, insurers, and financiers. It is certainly not for light bedtime or beach reading.
Kunreuther and Useem’s book focuses on the catastrophic risks—whether physical, financial, reputational, political, or business—that threaten a firm’s performance, or even its existence. The authors’ aim is to prepare senior executives for massive disruptions. They argue that firms can strengthen their ability to manage such risks by learning from others’ successes and failures in dealing with catastrophe.
In some respects this book is broader than Rice and Zegart’s in that it covers a wider range of risks (including natural risks), but in other respects it is narrower in that it is not concerned with many risks of lesser impact. Both books draw on recent work from the social sciences to better understand the importance of preparing for the long run even in the face of short-term pressures.
Mastering Catastrophic Risk is logically organized. Part One explores the new risk environment in which firms now operate. Part Two presents a framework for how firms make decisions for managing low-probability/high-impact events by highlighting how companies can recognize their own systematic biases and behave more deliberatively in assessing and managing risks. Part Three contains accounts of U.S. and German companies that have dealt with catastrophes. Part Four deals with how companies’ management of catastrophic risks affects their stakeholders, both internal and external. Finally, the book concludes with a checklist for managing potentially disruptive events before they occur to mitigate their impacts and facilitate recovery.
Early on, the book takes up four linked questions:
- WHY is preparing for disruption an essential element of corporate management today—and what are the major drivers leading firms to take action?
- WHAT are directors and executives doing about potentially catastrophic risk, and how can they learn from their past failures and successes as well as those of others?
- WHEN do other interested parties become involved after a firm has been disrupted by an adverse event?
- HOW can firms improve their mastery of adverse events by being better prepared for them and better managing them when they occur?
Primarily using interviews with senior corporate officials, Kunreuther and Useem take up these questions in detail, finding that these officials are now devoting much more attention to these matters. Officials report being much more likely to be held responsible—and much more likely to take responsibility—for ensuring that their firms are ready to survive and recover from such catastrophes. The authors note that disasters like Hurricane Katrina, the 2008 financial crisis, and the Japanese earthquake of 2011 often prompt firms to ratchet up their risk-appraisal and risk-management capabilities.
Kunreuther and Useem then describe a risk analysis cycle that has emerged from the experience of many enterprises. Building on a shared understanding, executives identify and assess the potential risks faced by the firm, determine the firm’s risk appetite and tolerance for such hazards, and develop the firm’s risk management strategy—and then bring it to life. Considerable attention is paid to specific methodologies, both quantitative and qualitative, that have been developed for risk appraisal. The authors report that virtually all of the companies that they interviewed have moved toward more comprehensive and systematic analysis.
As companies have added enterprise risk management to their operations over the past decade, they have developed several specific practices. These include systematic learning from near misses, sophisticated risk modeling and advanced analytics (for example, reinsurance of natural disaster risks), systematically reducing exposure to certain risks, improving internal communications about a firm’s risk management practices, strengthening suppliers against hazards, networking with competitors, business continuity planning, and exercises imagining the next major disruption. The authors illustrate these practices with several examples from recent years.
Part Three of the book focuses on what firms, including Lufthansa and Deutsche Bank, have actually done when coping with major setbacks. There is extensive discussion of how corporate boards have moved from primarily reactive to proactive risk management strategies, helping their firms to define risk appetite, tolerance, and readiness. The growth of board risk management committees is a leading indicator of this change.
In an insightful chapter, the authors also cover how businesses have increasingly used their own catastrophic risk management capabilities to assist others dealing with calamities. The authors note that, by one estimation, the fraction of the largest 500 U.S. corporations engaged in some form of disaster giving worldwide has risen from less than 20 percent in 1990 to more than 95 percent by 2014. Corporate capabilities for delivering assistance (FedEx, UPS), emergency communications (AT&T, Vodafone), transportation (airlines), and food (Walmart) are increasingly being utilized. For example, in anticipation of Hurricane Katrina, Walmart mobilized more than 60 staff members from its emergency operations center to pre-position more than $5 million of supplies in the affected area. Working with local authorities, they delivered 1,500 truckloads of products and 100,000 free meals at a time when government provisions were scarce.
Part Four, the capstone of the book, categorizes the eight pitfalls one encounters when dealing with catastrophic risk, 15 steps to master catastrophic risk, and a ten-item mission critical checklist. They write that firms need to:
- recognize that the potential for catastrophic losses is rising;
- identify and appraise the risks they face;
- define your firm’s risk appetite and risk tolerance;
- invest now in taking protective measures;
- learn from your own adverse events and those of others;
- involve personnel at all levels in designing risk management and crisis-response strategies;
- recognize your firm’s behavioral biases and weaknesses;
- strategize for recovery after the loss occurs;
- protect against extremes through risk transfer (such as insurance); and
- prepare the next generation of the firm’s risk managers.
If the greatest strength of Rice and Zegart’s book is risk identification, Kunreuther and Useem’s greatest strength is in risk management practices. Although their approaches vary, the resulting analyses are complementary, which serves to enhance the credibility of both works.
Both sets of authors have sought to capture the dynamism of the mega-risks that have arisen in the past decade. Within firms, the need to learn to manage such risks, to become more resilient if not perfectly secure, never ends. Tomorrow will bring new and probably even more complex challenges. Albeit in different ways, both books will help firms cope with the enterprise risk challenges they face today, and those they will face tomorrow as well.
* * *
On Risk and Uncertainty
In 1921, Frank Knight made a classical and useful distinction between risk and uncertainty in his famous book, Risk, Uncertainty and Profit. Risk, he argued, can be priced in financial markets because it depends on known distributions of events to which investors can assign probabilities, and thus price things accordingly. Uncertainty can’t be priced—it relates to structural possibilities that cannot be predicted, measured, or modeled.
To better appreciate the value of Knight’s distinction, there is an insightful metaphor about a man playing Russian roulette. He takes a standard revolver with room for six bullets, puts one in the chamber, spins it, places it next to his head, and pulls the trigger. He understands the risk and knows that he has a one in six chance of blowing his brains out. He can make an informed decision about whether to play.
Imagine, however, the game played by a man given a mystery gun prepared by someone else. The gun could have no bullets in it, six dummy bullets, or anywhere from one to six real bullets or blanks. That is uncertainty; he has no idea how to assess the risk of shooting himself.
Even partial information, however, can serve to reduce uncertainty and improve his ability to assess risk. If he knows for a fact that one of the chambers is empty and two of the bullets are blanks, then he is in a different position: He knows there is at least a 50 percent chance of surviving. While uncertainty still exists, it is reduced. He can now make a partially informed decision.
Why is this distinction between risk and uncertainty important? Whether in politics, economics, or business, the gathering and analysis of relevant information can serve both to reduce uncertainty and to improve the estimation of risk. Better estimation of risk, in turn, allows for better management of that risk.
High uncertainty tends to paralyze decision-making. Hence the incentive to reduce uncertainty and better estimate the risk is a constant in many human endeavors. Although the terminology changes over time (“the known, the unknown, and the unknown unknowns,” for example), what has not changed since Frank Knight’s time is that conflating risk and uncertainty and using the terms interchangeably is evidence of muddled thinking.