By Bill Rossi, CEO, Metabiota
If your company doesn’t have a chief risk officer (CRO) today, it will soon. Given the multitude of risks facing today’s global business, it’s become a critical “C” level role in any organisation. While the specific role of the CRO varies from company to company, the essence of the job is the same. CROs and their organisations are tasked to manage and mitigate risk. What does this mean? It means being prepared for the unknown. How would you like that in your job description?
The Evolution of the CRO
For the CRO of Southwest Airlines in 2007, it meant preserving the company’s low fare business model during a period of highly volatile fuel prices. When oil prices spiked to over US$150 a barrel, Southwest successfully hedged its jet fuel purchases, allowing it to keep fares low and maintain profitability. Other airlines didn’t fare so well (no pun intended) and were forced to match Southwest’s prices and absorb the hit to their bottom line.
I cut my teeth in the telecommunications industry and witnessed the rise of the CIO (chief information officer). Though they didn’t have “risk” in their title, their job certainly looked a lot like today’s CRO. The CIO’s job was to bring their company into the digital age and navigate the choppy waters of the newly emerging internet economy. If you were the CIO of Blockbuster or Walmart, the challenges you faced were immense. You had a booming business, but a cloudy horizon with small upstarts like Netflix and Amazon promoting disruptive business models. What do you do? Build more brick and mortar stores or begin to hedge your strategy? Enter the CRO, whose role it is to understand the timing, likelihood and potential impact of a specified risk and mitigate it.
The insurance industry learned about the importance of properly assessing risk the hard way. In the wake of Hurricane Andrew in 1992, the industry did not heed warnings by weather experts that predicted heavy rainfall and large storms and as a result, several insurers went bankrupt covering claims in the region.
In the technology industry, supply chain risk is growing rapidly. With “Big Tech” manufacturing operations consolidated in Asia, and high demand for commodities (like cobalt) mined in third-world countries, supply chain risk is now among the top concerns cited by CROs in this sector. As part of our CRO research, we spoke with the head of risk at Seagate, the largest manufacturer of hard disk drives in the world, as he shared some of the risks his company faces and what he worries about most in the future.
Seagate supplies over 100m disk drives a year and accounts for nearly 40% of worldwide production. With most of its facilities and supply chain located in Southeast Asia, the company knows first-hand the impact a catastrophic event can have on a business. In 2011, its largest competitor almost got wiped out by a series of floods that hit Thailand, while Seagate saw its profits soar. Seagate understood the risk of flood and chose to locate its Thailand factory on high ground, a decision that kept its factory humming while its main competitor had to slash production by 50%.
While fires, floods and tsunamis are still risks that rank at the top of the list for their potential impact on a business, Seagate’s CRO acknowledges the next big disaster can start with a simple sniffle. Infectious disease outbreaks affect a company's own staff, as well as suppliers, consumers and beyond.
While SARS and MERS (in 2003 and 2012 respectively) turned out to be less deadly than initially feared, they terrorised the tourism industry. People didn’t travel, and hotel occupancy rates plummeted. In these times, operating a hotel or casino in hot zones or regions that could be impacted by an infectious disease is like running a business without fire insurance. You can take your chances, but the risk of your operation going up in smoke (again, no pun intended), and your job with it, isn’t worth it.
What’s Ahead for the CRO
Bill Gates and other thought leaders think the likelihood of a pandemic like the one we experienced one hundred years ago with the Spanish Flu is quite high, and the magnitude of a similar event would cause a trillion-dollar impact to our economy. Some industries, like the tourism and hospitality industry, can’t afford not to protect themselves, but as we know, the risk of an epidemic doesn’t stop there.
It can affect supply chains in Southeast Asia and mining operations for rare earth minerals in Africa. It can impact worldwide consumer demand for just about any good or service, it can overwhelm our public health infrastructure and prevent people from getting necessary medical attention, and it can throw financial institutions into panic and cause dramatic swings in the stock market impacting our economy.
CROs are tasked to prepare for the unknowable and what makes their job particularly difficult is prioritising and allocating mindshare and budget among specific threats. The risk of infectious disease is rising with climate change, population growth, global transportation networks, emerging superbugs and declining research for universal flu vaccines. It’s time for CROs to protect their organisations by understanding the potential of this risk and mitigating it.
Here are a few key takeaways about the role of the CRO and its potential impact for corporations:
- Think beyond 1-5 years: While timing is often an unknown, CROs would be wise to focus on risks where the likelihood of occurrence is high and potential impact ruinous. This includes risks with high probability events in the next 5-25 years. It’s why earthquake insurance is typically a must if you operate a business in San Francisco and epidemic insurance should be if you have facilities in China, Southeast Asia, Africa and other hot zones.
- Utilise analytics: Industries are getting much smarter about preparing for risk by using advanced technology, modelling and risk management strategies. The smart insurers have incorporated smart systems into their daily operations and will be more prepared to optimise the role of CRO for global businesses today.
- Constantly adjust your risk portfolio: Reviewing and prioritising your threats each year like you’re analysing a stock portfolio makes sense. New risks emerge and current risks evolve to require specific action. Smart CROs take a fresh look at risk each year to make sure they are managing the most critical ones for their business.
- Stay current on threats: Understanding the drivers of your business and mitigating the risk of disruption is job number one for the CRO. For a hotel chain, consumer sentiment and spending habits drive occupancy rates. Whether it’s a financial virus or the biological kind, if it’s fear that’s spreading, it can impact your business. Staying current on new and evolving threats and how they can impact your key business drivers is playing offence, not defence.
- Embrace technology: Technology is rapidly changing the face of how to manage and mitigate risks. Powerful computing now makes it feasible and cost-effective to run simulations of various risk events that were once impossible. Machine learning and AI are making these systems smarter and more capable. Today’s CRO has to be a full-time risk manager and part-time technologist.
In addition to the above, Aon found that organizations that rate high on their risk maturity index have greater transparency of risk communication, stronger risk identification of existing and emerging risks, a more formal process of gathering risk information, as well as sophisticated methods of risk analysis.
Unfortunately, the choppy waters of today’s business environment are unlikely to calm, but effective CROs can educate themselves and their organizations on the risks posing the greatest threat to their business and implement strategies to prevent them from sinking the corporate ship.