The COVID-19 crisis is dramatically highlighting the potential impact of high-consequence, low-likelihood risks. Low but never zero: that is the probability of risks such as a viral epidemic ballooning into a pandemic that costs millions of lives and shuts down economies across the globe. The chances of an extraordinary regional catastrophe, whether naturally occurring or human-caused, are similar, as are the disastrous effects. A severe earthquake, a massive oil spill, or a nuclear accident can result in heavy loss of life, ecological damage, and financial loss for countries and companies.
The relative improbability of such events well illustrates the decision makers’ dilemma: which of them should their organizations plan for? The danger of a pandemic was not unknown. Health organizations and policy makers discussed the danger on the global stage. Many organizations accounted for it in their enterprise-risk-management (ERM) frameworks as a high-consequence, low-likelihood event. Some organizations, especially in the healthcare and travel sectors, even had firsthand experience with the SARS pandemic in 2003. Nonetheless, companies were by and large unprepared for COVID-19. More than 50 billion-dollar companies have filed for bankruptcy in 2020 in the United States alone. As Exhibit 1 shows, furthermore, the pandemic’s adverse economic effects have varied widely by industry sector.
Some high-consequence, low-likelihood risks have to do with business strategy, such as those posed by the digital disruption; operational risks are another category and include serious quality-control failures in manufacturing. Missed opportunities are another equal source of extraordinary risk. Opportunities to adopt disruptive innovation can bring companies to crucial moments of truth, when movers gain significant market advantage over hesitant peers. Amazon, for example, moved to help third parties build e-commerce sites, leading to Amazon Web Services (AWS). Now, through AWS, Amazon has around 30 percent of the cloud-computing market.1 Our work on resilient corporations demonstrated that those able to do more than just hunker down in an economic crisis—retaining the wherewithal to invest in new opportunities—will emerge from it in a strengthened position.
Some organizations have even built business models around taking advantage of low-likelihood opportunities (such as those in pharmaceutical pipelines). The models allow for fast movement when a high-consequence risk or opportunity occurs. Missing a high-consequence opportunity can lead to ultimate demise just as ignoring a risk can.
A recent article in the McKinsey Quarterly described the decisions by boards or management teams to ignore or act on these high-consequence, low-likelihood risks as “big bets.” That characterization is based on the broad scope of a decision and the size of its impact. When it comes to extraordinary risks, the decisions are also governed by the unfamiliarity and infrequency of these risks. These consequential decisions are not highly visible parts of the CEO’s public agenda, unlike more familiar big bets such as mergers and acquisitions. For example, the decision by Nokia’s mobile-phone division to develop a response to potential supply-chain disruptions was not even discussed by investors. This decision allowed the telecommunications company to act fast to find alternative chips suppliers when a fire disrupted the normal supply. The move led to Nokia expanding its share of the global market and boosting profits significantly.2 The big bet in supply-chain resiliency doubly paid off in this high-consequence, low-likelihood event, as potential losses were averted and a large opportunity was captured.
Big risks that matter
The number of potential high-consequence, low-likelihood risks is far too great for corporate decision makers to plan for all of them. Indeed, the abundance of possibilities is one reason why some companies don’t plan for any of them. The first strategic requirement that is often missing when addressing these risks, therefore, is the identification of the risks that matter. This action, known as risk ID, is an important part of robust ERM. It means differentiating risks that could hurt the business from risks that could damage or destroy the company.
Some organizations have concluded that such existential risks are unknowable. This is an error, in our view. By far, most existential crises that companies have faced in recent years were identified in advance by experts—from oil spills to chemical disasters to nuclear accidents.
The threats behind these high-profile incidents were known and recognized in advance by industry and government specialists. They were “predictable surprises,” as Michael Watkins and Max Bazerman described in an eponymous article in the Harvard Business Review.3 Predictable surprises meet three criteria: first, they are the result of risks decision makers know are possible, even if unlikely—such as a 500-year flood. Second, leaders feel confident that if the risk materializes, the event will have a big impact on the whole organization. Third, predictable surprises require organizations to respond.
Sometimes, but not always, these risks are identified in ERM frameworks, where they are categorized as high consequence, low likelihood. The predictable surprises found here can include epidemics, pandemics, cyberattacks, hurricanes, floods, financial fraud, economic recessions, oil spills, and other catastrophes, whether natural or human-caused. Decision makers should prioritize these potential threats, making big bets on those that would precipitate an existential crisis for their organization.
Understanding the potential impact of such events is the first step for decision makers in reducing the chance that a particular event results in an existential crisis. The likelihood does not matter for these risks—they are all unlikely, according to traditional ERM programs. Once scored by ERM, they all land in the same low-likelihood corner. However, the impact on the organization does matter. Not all the risks are equal: some would create an existential crisis while others would not. Thus decision makers need a way to distinguish among these high-consequence, low-likelihood risks.
Identifying the most important risks
To identify and define the most important risks, we recommend using a two-by-two risk grid (Exhibit 2). In this plan, the potential impact of an event on the whole company is situated along the vertical axis and the decision makers’ level of certainty about the impact is situated on the horizontal axis. High placement on the vertical axis means that the company’s existence would be threatened if this risk occurred—or the company would miss a massive opportunity. Low vertical axis placement means that the impact or opportunity would be limited or isolated. The vertical axis allows senior decision makers to distinguish risks that require board- and CEO-level attention from those that can be managed at a lower level. These risks will vary significantly by company and industry sector. For example, the impact of COVID-19 is varied according to a company’s ability to conduct operations and serve customers with employees working remotely.
A risk placed to the right on the horizontal axis means that decision makers are relatively certain of its scope and intensity; leftward placement signals doubt about the risk’s reach and impact. Using the horizontal axis, decision makers recognize the differences between familiar risks with known impact and risks that they are still investigating. The placement of low-certainty risks will shift as decision makers learn more about the potential risk.
Potential risks are ranked in relation to each other, rather than on an absolute scale. This approach allows decision makers to separate into distinguishing categories risks that are traditionally grouped together in ERM frameworks. The technique could be used by an insurer, for example, to create differentiated products by applying deeper segmentation to populations formerly categorized as high risk.
Risks placed in the upper-right corner are the high-consequence, low-likelihood risks that everyone agrees would pose an existential threat to the company. These can then be addressed with the big bets and they might move lower down on the vertical axis as a result. Big bets to address these types of risks can take many forms—financial, operational, or strategic. Energy providers, for example, sometimes divide their organizations into several legal entities so that a catastrophic loss in one physical location would not result in a collapse of the entire enterprise.
Despite big-bet actions, the potential impact of certain risks may not diminish. As long as a process is in place for quickly identifying and addressing an emerging event, the company will survive and may also thrive (as Nokia did). Decision makers can also move risks up or down on the vertical axis as they learn more about potential impact. The same risk could have widely different impact on different companies (see sidebar, “Different companies, same risk, different impact).
Risks and the core of the organization
Decision makers locate potential risks, such as a pandemic, on their own grid after defining their core business and identity and understanding what impact a risk would have on this core. The core of the company could include products and services, the loyalty of a customer segment, public perception, brand identity, and legal requirements that must be met. For example, technical failure of a particular part can adversely affect the reputation of a manufacturer’s entire product line; high-profile fraud can damage a financial institution by undermining customer confidence. Reliable service provision could be at the core of a company, especially where customers have a switching option. Decision makers identify core elements by the essential role they play; without them, the business would disappear.
Once the core is established, decision makers can identify the high-consequence, low-likelihood risks that would adversely affect the core, locating the risks along the vertical axis of the grid. Risks that would not affect an organization’s core are less likely to create an existential crisis. By focusing on the core, decision makers are making their organization’s strategy crystal clear. Those organizations with clear strategies are nearly three times more likely than others to lead in their sector. Those that make good decisions faster, that is, are more likely to outperform industry peers.
In one category of existential risk are catastrophic operational failures, such as those caused by natural disasters, accidents, negligence, and cyberattacks. Reputational risk events can also set off existential crises; these may be the result of operational failures, cyberattacks, data breaches, or fraud and other forms of financial malfeasance. Decision makers can look along their ERM frameworks for the most common risk segments: health and safety, reputation, operations, strategy, compliance, and financial.
It is also important to consider other risk segmentations to avoid missing critical risks—internal risks arising from the business model, for example, versus external risks, such as those potentially arising from global economic conditions. Other useful risk pairs to consider are adversarial risks such as an activist investor or cyber- or terrorist attacks, versus nonadversarial risks such as natural or human-caused disasters and accidents. High-consequence, low-likelihood risks that could cause existential damage might be found in any of these categories. The impact will of course depend on the company’s established core and many other variables.
Organizations can sometimes survive existential crises, though with diminished value. But crises and missed opportunities can also cause an entire organization to fail. It is therefore important for decision makers to consider all types of high-consequence, low-likelihood risks. By measuring the impact on the core, they can differentiate among them, illuminating the particular issues that are of highest importance to the organization.
Conducting a ‘premortem’ for risk events
The premortem exercise is a technique decision makers can use to identify which predictable surprises would have serious consequences on their organization. It involves a thought exercise in which the core value proposition is assumed to have been damaged or destroyed. Decision makers then consider all the possibilities that could have led to this, with help from risks experts who have been warning about the potential for such events. Missed opportunities should also be considered. A diversity of perspectives and the quality of debate are essential conditions for making high-quality, big-bet decisions quickly. To obtain perspectives of sufficient diversity, especially for external risks, organizations sometimes need to bring in experts. For example, an insurance company might bring in hydrologists and climate-change scientists to consider how their exposure to flood risk might be evolving. Once these “whole-company risks” have been identified, decision makers can plot them on their risk grid based on the size and certainty of their impact on the company’s core value.
Avoiding bias in your risk grid
When identifying the risks of greatest consequence, decision makers need to avoid optimism bias—a view that tends to see more positive outcomes than the evidence warrants. Confirmation and anchoring bias also reduce predicted impact—through assumptions that future threats will recapitulate those of the past.
Biases can be partly neutralized by a healthy organizational culture in which people are rewarded for speaking up, sharing dissenting ideas, and listening to others’ voices. For such a culture to thrive, people must feel completely secure in sharing their views. Without that personal security, important risks might go undiscovered. Whistleblowers, furthermore, must be protected and their concerns investigated—especially when the risks in question are those that could cause physical harm—such as catastrophic accidents due to product-safety failures.
Impact measurement
The goal is to create a risk grid where the predictable surprises that could destroy the organization are measured according to impact. Their probability is not in question here, since all of these risks are considered low likelihood. However, an organization’s confidence in its impact assessments does matter. Once the risks are mapped on the vertical axis (severity of impact), decision makers must continue to probe them.
On the horizontal axis (certainty of impact), risks positioned to the left (low certainty) could shift position as more about them is learned. For those risks situated farther to the right on this axis, their higher certainty of impact signals to the board and the CEO that mitigating these risks will require investment (big bets).
Taking action
Starting with the high-consequence, low-likelihood risks of greatest impact—those in the upper-right hand corner of the grid—the organization must decide on what actions would reduce their potential impact to an acceptable level. What is acceptable will vary by board and management team, based on many factors, including inherent risk within their industry and availability of resources. Decision makers recognize that many of these risks—earthquakes, pandemics, recessions—are outside the organization’s control. With such risks, the objective is to reduce—below the existential threshold—their potential impact on the organization.
To identify and decide on the most effective actions, decision makers can assemble external and internal experts and cross-functional teams. A diverse perspective and sharp, high-level discussion are needed for this task. Lists of potential actions can be generated and pared down as the teams discuss them. In one approach to this step, participants create lists of choice actions that if taken today could reduce risk down the road. Then they fast-forward into six-month or one-year scenarios and identify a small decision that could have made a big difference in protecting the core value of the organization. Alternatively, experts develop potential actions, and a “red team” pressure-tests them; in another approach, leaders are chosen and assigned to explore these questions and monitor the organization for ideas. Whatever method an organization chooses, the outcome should be a range of potentially effective actions for decision makers to consider.
From the lists, leaders should identify actions that could reduce the impact of several risks at once. Those that would reduce harm significantly in the here and now can be taken as no-regrets moves; others can be designated as trigger-based decisions, to be taken when certain conditions occur.
No-regrets moves might include the creation of a more resilient supply chain by allowing single-source suppliers as an exception only. The introduction of multiple sources for a majority of items promotes resiliency while helping companies manage working-capital costs. This example aligns with a broader suite of resiliency solutions, such as adequate capitalization for rainy days, strong stakeholder relationships, a culture of people speaking up, and a crisis-response plan. Creating more resiliency could be a big-bet option that decision makers might consider because it strengthens an organization’s ability to withstand risk events.
Decision makers might also think about developing leading indicators for predictable surprises. This no-regrets move gives decision makers more time to respond to a threat, reducing its adverse impact. Leading indicators of financial fraud, for example, might be overly smooth profits or a rise in the use of nondisclosure agreements (NDAs). Other leading indicators can help detect significant arising opportunities.
Some actions are taken once the likelihood of a particular risk event reaches a certain threshold or trigger. A weather forecast, for example, with a reasonable amount of certainty that a company’s operations are in the path of an oncoming hurricane would trigger necessary countermeasures. Decision makers should develop the appropriate actions while ensuring that the triggers they choose provide enough of a window for the actions to be effective. The objective is to protect the company’s core value proposition. An example of an effective trigger and response would be a storm warning that sets in motion actions to stop production on an offshore rig to prevent an oil spill. Obviously, trigger-based decision making requires a monitoring process that alerts the organization when a trigger has occurred.
Protecting against extraordinarily rare events may seem counterintuitive. The risks are many and resources are finite. By defining the core value proposition, however, leaders can identify and mitigate the risks that would threaten the whole company.
High-consequence, low-likelihood events can fatally damage an organization. The investments organizations make to protect their value propositions—and not miss significant opportunities—can mean the difference between extinction and survival. More than that, however, these investments (big bets) can improve an organization’s overall resiliency.