Managing Risks: A New
by Robert S. Kaplan and Anette Mikes
Editors’ Note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are
highlighted in this article, revealed significant trading losses at one of its units. The authors provide
their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing
Risky Behavior.
When Tony Hayward became CEO of BP, in 2007, he vowed to make safety his top
priority. Among the new rules he instituted were the requirements that all
employees use lids on coffee cups while walking and refrain from texting while
driving. Three years later, on Hayward’s watch, the Deepwater Horizon oil rig exploded in the Gulf
of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission
attributed the disaster to management failures that crippled “the ability of individuals involved to
identify the risks they faced and to properly evaluate, communicate, and address them.” Hayward’s
story reflects a common problem. Despite all the rhetoric and money invested in it, risk
management is too often treated as a compliance issue that can be solved by drawing up lots of rules
and making sure that all employees follow them. Many such rules, of course, are sensible and do
reduce some risks that could severely damage a company. But rules-based risk management will not
diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did
not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
In this article, we present a new categorization of risk that allows executives to tell which risks can
be managed through a rules-based model and which require alternative approaches. We examine
the individual and organizational challenges inherent in generating open, constructive discussions
about managing the risks related to strategic choices and argue that companies need to anchor these
discussions in their strategy formulation and implementation processes. We conclude by looking at
how organizations can identify and prepare for nonpreventable risks that arise externally to their
strategy and operations.
Managing Risk: Rules or Dialogue?
The first step in creating an effective risk-management system is to understand the qualitative
distinctions among the types of risks that organizations face. Our field research shows that risks fall
into one of three categories. Risk events from any category can be fatal to a company’s strategy and
even to its survival.
Category I: Preventable risks.
These are internal risks, arising from within the organization, that are controllable and ought to be
eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal,
unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational
processes. To be sure, companies should have a zone of tolerance for defects or errors that would
not cause severe damage to the enterprise and for which achieving complete avoidance would be
too costly. But in general, companies should seek to eliminate these risks since they get no strategic
benefits from taking them on. A rogue trader or an employee bribing a local official may produce
some short-term profits for the firm, but over time such actions will diminish the company’s value.
This risk category is best managed through active prevention: monitoring operational processes and
guiding people’s behaviors and decisions toward desired norms. Since considerable literature
already exists on the rules-based compliance approach, we refer interested readers to the sidebar
“Identifying and Managing Preventable Risks” in lieu of a full discussion of best practices here.
Sidebar: Identifying and Managing Preventable Risks
Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter. Thus, the first line of defense against preventable risk events is to provide guidelines clarifying the company’s goals and values.
The Mission
A well-crafted mission statement articulates the organization’s fundamental purpose, serving as a “true north” for all employees to follow. The first sentence of Johnson & Johnson’s renowned credo, for instance, states, “We believe our first responsibility is to the doctors, nurses and patients, to mothers and fathers, and all others who use our products and services,” making clear to all employees whose interests should take precedence in any situation. Mission statements should be communicated to and understood by all employees.
The Values
Companies should articulate the values that guide employee behavior toward principal stakeholders, including customers, suppliers, fellow employees, communities, and shareholders. Clear value statements help employees avoid violating the company’s standards and putting its reputation and assets at risk.
The Boundaries
A strong corporate culture clarifies what is not allowed. An explicit definition of boundaries is an effective way to control actions. Consider that nine of the Ten Commandments and nine of the first 10 amendments to the U.S. Constitution (commonly known as the Bill of Rights) are written in negative terms. Companies need corporate codes of business conduct that prescribe behaviors relating to conflicts of interest, antitrust issues, trade secrets and confidential information, bribery, discrimination, and harassment.
Of course, clearly articulated statements of mission, values, and boundaries don’t in themselves ensure good behavior. To counter the day-to-day pressures of organizational life, top managers must serve as role models and demonstrate that they mean what they say. Companies must institute strong internal control systems, such as the segregation of duties and an active whistle-blowing program, to reduce not only misbehavior but also temptation. A capable and independent internal audit department tasked with continually checking employees’ compliance with internal controls and standard operating processes also will deter employees from violating company procedures and policies and can detect violations when they do occur.
See also Robert Simons’s article on managing preventable risks, “How Risky Is Your Company?” (HBR May 1999), and his book Levers of Control (Harvard Business School Press, 1995).
Category II: Strategy risks.
A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development
Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. BP accepted the high risks of drilling several miles below the surface of the Gulf of Mexico because of the high value of the oil and gas it hoped to extract.
Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.
Category III: External risks.
Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.
Companies should tailor their risk-management
processes to these different categories. While a
compliance-based approach is effective for
managing preventable risks, it is wholly
inadequate for strategy risks or external risks,
which require a fundamentally different approach
based on open and explicit risk discussions. That,
however, is easier said than done; extensive
behavioral and organizational research has shown
that individuals have strong cognitive biases that
discourage them from thinking about and
discussing risk until it’s too late.
Why Risk Is Hard to Talk About
Multiple studies have found that people
overestimate their ability to influence events that,
in fact, are heavily determined by chance. We
tend to be overconfident about the accuracy of our
forecasts and risk assessments and far too narrow
in our assessment of the range of outcomes that
may occur.
We also anchor our estimates to readily available evidence despite the known danger of making
linear extrapolations from recent history to a highly uncertain and variable future. We often
compound this problem with a confirmation bias, which drives us to favor information that supports
our positions (typically successes) and suppress information that contradicts them (typically
failures). When events depart from our expectations, we tend to escalate commitment, irrationally
directing even more resources to our failed course of action—throwing good money after bad.
Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing
uncertain conditions often engage in groupthink: Once a course of action has gathered support
within a group, those not yet on board tend to suppress their objections—however valid—and fall in
line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager
who wants to minimize conflict, delay, and challenges to his or her authority.
Collectively, these individual and organizational biases explain why so many companies overlook or
misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the
normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat
early warning signals as false alarms rather than alerts to imminent danger.
Effective risk-management processes must counteract those biases. “Risk mitigation is painful, not
a natural act for humans to perform,” says Gentry Lee, the chief systems engineer at Jet Propulsion
Laboratory (JPL), a division of the U.S. National Aeronautics and Space Administration. The rocket
scientists on JPL project teams are top graduates from elite universities, many of whom have never
experienced failure at school or work. Lee’s biggest challenge in establishing a new risk culture at
JPL was to get project teams to feel comfortable thinking and talking about what could go wrong
with their excellent designs.
Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite
effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy
risks and external risks requires very different approaches. We start by examining how to identify
and mitigate strategy risks.
Managing Strategy Risks
Over the past 10 years of study, we’ve come across three distinct approaches to managing strategy
risks. Which model is appropriate for a given firm depends largely on the context in which an
organization operates. Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and
debate risk information. Our finding that “one size does not fit all” runs counter to the efforts of
regulatory authorities and professional associations to standardize the function.
Independent experts.
Some organizations—particularly those like JPL that push the envelope of technological innovation
—face high intrinsic risk as they pursue long, complex, and expensive product-development
projects. But since much of the risk arises from coping with known laws of nature, the risk changes
slowly over time. For these organizations, risk management can be handled at the project level.
JPL, for example, has established a risk review board made up of independent technical experts
whose role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions.
The experts ensure that evaluations of risk take place periodically throughout the product-development cycle. Because the risks are relatively unchanging, the review board needs to meet
only once or twice a year, with the project leader and the head of the review board meeting
The risk review board meetings are intense, creating what Gentry Lee calls “a culture of intellectual
confrontation.” As board member Chris Lewicki says, “We tear each other apart, throwing stones
and giving very critical commentary about everything that’s going on.” In the process, project
engineers see their work from another perspective. “It lifts their noses away from the grindstone,”
Lewicki adds.
The meetings, both constructive and confrontational, are not intended to inhibit the project team
from pursuing highly ambitious missions and designs. But they force engineers to think in advance
about how they will describe and defend their design decisions and whether they have sufficiently
considered likely failures and defects. The board members, acting as devil’s advocates,
counterbalance the engineers’ natural overconfidence, helping to avoid escalation of commitment
to projects with unacceptable levels of risk.
At JPL, the risk review board not only promotes vigorous debate about project risks but also has
authority over budgets. The board establishes cost and time reserves to be set aside for each project
component according to its degree of innovativeness. A simple extension from a prior mission
would require a 10% to 20% financial reserve, for instance, whereas an entirely new component that
had yet to work on Earth—much less on an unexplored planet—could require a 50% to 75%
contingency. The reserves ensure that when problems inevitably arise, the project team has access
to the money and time needed to resolve them without jeopardizing the launch date. JPL takes the
estimates seriously; projects have been deferred or canceled if funds were insufficient to cover
recommended reserves.
Many organizations, such as traditional energy and water utilities, operate in stable technological
and market environments, with relatively predictable customer demand. In these situations risks
stem largely from seemingly unrelated operational choices across a complex organization that
accumulate gradually and can remain hidden for a long time.
Since no single staff group has the knowledge to perform operational-level risk management across
diverse functions, firms may deploy a relatively small central risk-management group that collects
information from operating managers. This increases managers’ awareness of the risks that have
been taken on across the organization and provides decision makers with a full picture of the
company’s risk profile.
We observed this model in action at Hydro One, the Canadian electricity company. Chief risk officer
John Fraser, with the explicit backing of the CEO, runs dozens of workshops each year at which
employees from all levels and functions identify and rank the principal risks they see to the
company’s strategic objectives. Employees use an anonymous voting technology to rate each risk,
on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing
controls. The rankings are discussed in the workshops, and employees are empowered to voice and
debate their risk perceptions. The group ultimately develops a consensus view that gets recorded on
a visual risk map, recommends action plans, and designates an “owner” for each major risk.
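The workshop scoring described above (anonymous 1-to-5 votes on impact, likelihood, and strength of existing controls, a consensus view on a risk map, and an owner per major risk) can be turned into a small risk register. The block below is an added example, not Hydro One's tooling or the authors' code. The votes and owner list are constructed, and the aggregation rule is an assumption chosen for illustration: the median vote per dimension, a residual score of impact x likelihood discounted by control strength, and a 2x2 map split at the midpoint of the scale.

```python
"""Aggregate anonymous risk-workshop votes into a ranked risk register.

Constructed example; the scoring rule below is an assumption, not the
method used by the company described in the article.
"""
from collections import defaultdict
from statistics import median

# Constructed sample votes: (risk, impact, likelihood, control_strength), each 1-5.
VOTES = [
    ("Unpatched control-system hosts", 5, 4, 2),
    ("Unpatched control-system hosts", 4, 4, 2),
    ("Unpatched control-system hosts", 5, 3, 1),
    ("Vendor remote-access misuse", 4, 3, 3),
    ("Vendor remote-access misuse", 3, 3, 4),
    ("Vendor remote-access misuse", 4, 2, 3),
    ("Ice-storm outage", 5, 2, 4),
    ("Ice-storm outage", 4, 2, 5),
    ("Ice-storm outage", 5, 3, 4),
]

# Constructed owner assignments; a risk missing here is flagged in the register.
OWNERS = {
    "Unpatched control-system hosts": "Head of OT Security",
    "Ice-storm outage": "VP Grid Operations",
}


def aggregate(votes):
    """Return {risk: {"impact": m, "likelihood": m, "control": m}}.

    The median is used so one outlier vote cannot dominate the group view,
    which matches the anonymous-voting intent. Votes outside 1-5 are rejected.
    """
    by_risk = defaultdict(lambda: {"impact": [], "likelihood": [], "control": []})
    for risk, impact, likelihood, control in votes:
        for value in (impact, likelihood, control):
            if not 1 <= value <= 5:
                raise ValueError(f"vote out of range for {risk!r}: {value}")
        by_risk[risk]["impact"].append(impact)
        by_risk[risk]["likelihood"].append(likelihood)
        by_risk[risk]["control"].append(control)
    return {r: {k: median(v) for k, v in dims.items()} for r, dims in by_risk.items()}


def residual_score(impact, likelihood, control):
    """Assumed formula: inherent score (impact x likelihood, max 25) discounted
    by control strength. Control 1 keeps 100% of the inherent score, control 5
    keeps 20%, so strong controls pull a risk down the ranking but never to zero.
    """
    return impact * likelihood * (6 - control) / 5


def zone(impact, likelihood):
    """Quadrant on a 2x2 risk map, splitting the 1-5 scale at 3 (assumption)."""
    high_impact, high_likelihood = impact >= 3, likelihood >= 3
    if high_impact and high_likelihood:
        return "top-right (act now)"
    if high_impact:
        return "top-left (plan contingency)"
    if high_likelihood:
        return "bottom-right (reduce frequency)"
    return "bottom-left (monitor)"


def build_register(votes, owners):
    """Rank risks by residual score and attach map zone and owner.

    An unassigned owner is surfaced as 'UNASSIGNED' rather than silently
    dropped, because a major risk with no owner is itself a finding.
    """
    rows = []
    for risk, m in aggregate(votes).items():
        rows.append({
            "risk": risk,
            "impact": m["impact"],
            "likelihood": m["likelihood"],
            "control": m["control"],
            "residual": residual_score(m["impact"], m["likelihood"], m["control"]),
            "zone": zone(m["impact"], m["likelihood"]),
            "owner": owners.get(risk, "UNASSIGNED"),
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in build_register(VOTES, OWNERS):
        print(f"{row['residual']:5.1f}  {row['zone']:32}  {row['owner']:20}  {row['risk']}")
```

With the constructed votes the register ranks the unpatched hosts first (residual 16.0, top-right), the vendor-access risk second (7.2, top-right, no owner), and the ice-storm outage last (4.0, top-left): a high-impact but well-controlled event that still needs a contingency plan rather than a prevention budget.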
Hydro One strengthens accountability by linking capital allocation and budgeting decisions to
identified risks. The corporate-level capital-planning process allocates hundreds of millions of
dollars, principally to projects that reduce risk effectively and efficiently. The risk group draws upon
technical experts to challenge line engineers’ investment plans and risk assessments and to provide
independent expert oversight to the resource allocation process. At the annual capital allocation
meeting, line managers have to defend their proposals in front of their peers and top executives.
Managers want their projects to attract funding in the risk-based capital planning process, so they
learn to overcome their bias to hide or minimize the risks in their areas of accountability.
Embedded experts.
The financial services industry poses a unique challenge because of the volatile dynamics of asset
markets and the potential impact of decisions made by decentralized traders and investment
managers. An investment bank’s risk profile can change dramatically with a single deal or major
market movement. For such companies, risk management requires embedded experts within the
organization to continuously monitor and influence the business’s risk profile, working side by side
with the line managers whose activities are generating new ideas, innovation, and risks—and, if all
goes well, profits.
JP Morgan Private Bank adopted this model in 2007, at the onset of the global financial crisis. Risk
managers, embedded within the line organization, report to both line executives and a centralized,
independent risk-management function. The face-to-face contact with line managers enables the
market-savvy risk managers to continually ask “what if” questions, challenging the assumptions of
portfolio managers and forcing them to look at different scenarios. Risk managers assess how
proposed trades affect the risk of the entire investment portfolio, not only under normal
circumstances but also under times of extreme stress, when the correlations of returns across
different asset classes escalate. “Portfolio managers come to me with three trades, and the [risk]
model may say that all three are adding to the same type of risk,” explains Gregoriy Zhikarev, a risk
manager at JP Morgan. “Nine times out of 10 a manager will say, ‘No, that’s not what I want to do.’
Then we can sit down and redesign the trades.”
The chief danger from embedding risk managers within the line organization is that they “go
native,” aligning themselves with the inner circle of the business unit’s leadership team—becoming
deal makers rather than deal questioners. Preventing this is the responsibility of the company’s
senior risk officer and—ultimately—the CEO, who sets the tone for a company’s risk culture.
Avoiding the Function Trap
Even if managers have a system that promotes rich discussions about risk, a second cognitive-behavioral trap awaits them. Because many strategy risks (and some external risks) are quite
predictable—even familiar—companies tend to label and compartmentalize them, especially along
business function lines. Banks often manage what they label “credit risk,” “market risk,” and
“operational risk” in separate groups. Other companies compartmentalize the management of
“brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial
Such organiza …
