McKinsey’s recent promotional piece, “Risk: Seeing around the corners,” is a perfect example of why enterprise risk management is so ineffective (answering a question posed by Norman Marks). Citing a handful of well-worn cases of supply chain and distribution channel failures, its advice for seeing around corners might be better expressed as driving while gazing into the rear-view mirror.
The article opens with the claim that risk-assessment processes expose only the most direct threats and neglect indirect ones. It finds “indirect” hazards (those one step removed from harmful business impact) to be elusive. The hazards it cites, however, would flow immediately from a proper engineering-style hazard assessment; they are far from indirect. Omitting environment-caused damage to a facility, and the supply-chain interruption that follows, from a risk assessment is a greenhorn move at best.
McKinsey has cultivated this strain of risk-management hype for a decade, periodically fertilized, as is the case here, with the implication that no means of real analysis exists. Presumably, the desired yield is customers’ conclusion that McKinsey’s risk practice can nevertheless lead us through the uncharted terrain of risk. The blurry advice of this article, while perhaps raising risk awareness, does the disservice of further mystifying risk management.
McKinsey cites environmental impact on a supply chain as an example of a particularly covert risk, as if vendor failure from environmental hazards were somehow unforeseeable:
“At first glance, for instance, a thunderstorm in a distant place wouldn’t seem like cause for alarm. Yet in 2000, when a lightning strike from such a storm set off a fire at a microchip plant in New Mexico, it damaged millions of chips slated for use in mobile phones from a number of manufacturers.”
In fact, the Business Continuity Institute’s data shows tier-1 supplier problems due to weather and environment to be the second-largest source of high-impact supply chain interruptions in 2015.
McKinsey includes a type of infographic it uses liberally. It has concentric circles and lots of arrows, and seems intent on fogging rather than clarifying (portion shown below for commentary and criticism purposes). More importantly, it reveals a fundamental problem with ERM’s conception of risk modeling – that enterprise risk should be modeled bottom-up – that is, from causes to effects. The text of the article implies the same, for example, the distant thunderstorm in the above quote.
Trying to list – as a risk-analysis starting point – all the possible root causes propagating up to impact on a business’s cost structure, financing, productivity, and product performance is indeed very difficult. And it is a task for which McKinsey can have no privileged insight.
This is a bottom-up (cause-first) approach. It is equivalent to examining the failure modes of every component of an aircraft, and every conceivable pilot error, to determine which can cause a catastrophic accident. There are billions of combinations of component failures and an infinite number of pilot errors to enumerate. This is not a productive route for modeling high-impact problems.
Deriving the relevant low-level causes of harmful business impacts through a systematic top-down process is more productive. This is the role of business impact analysis (BIA) in the form of Functional Hazard Assessment (FHA) and Fault Tree Analysis (FTA). None of these terms, according to Google, ever appear in McKinsey’s published materials. But they are how we, in my firm, do risk analyses – an approach validated by half a century of incontestable success in aviation and other high-risk areas.
An FHA view of the problem with which McKinsey fumbles would first identify the primary functions necessary for success of the business operation. Depending on specifics of the business these might include things like:
- Manufacturing complex widgets
- Distributing widgets
- Marketing widgets
- Selling product in the competitive widget space
- Complying with environmental regulation
- Issuing stock in compliance with SEC regulations
A functional hazard assessment would then look at each primary function and quantify some level of non-function the firm would consider catastrophic, and a level it would consider survivable but dangerous. It might name three or four such levels, knowing that the boundaries between them are somewhat arbitrary; the analysis accommodates this.
For example, an inability to manufacture product at 50% of the target production rate of one million pieces per month for a period exceeding two months might reasonably be judged to result in bankruptcy. Another level of production interruption might be deemed hazardous but survivable.
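To make this concrete, here is a minimal sketch of how such hazard classes might be encoded. The thresholds below are illustrative assumptions, not figures from any actual FHA; a real assessment would set them from the business’s own financials.

```python
def classify_production_hazard(rate_fraction: float, duration_months: float) -> str:
    """Map a production shortfall to a hazard class.

    rate_fraction: achieved output as a fraction of the target rate.
    duration_months: how long the shortfall persists.
    Thresholds are hypothetical, for illustration only.
    """
    if rate_fraction <= 0.5 and duration_months > 2:
        return "catastrophic"   # e.g., judged to result in bankruptcy
    if rate_fraction <= 0.75 and duration_months > 1:
        return "hazardous"      # survivable but dangerous
    if rate_fraction < 1.0:
        return "minor"
    return "none"

# The shortfall described above: 50% of target rate for three months.
print(classify_production_hazard(0.5, 3))  # → catastrophic
```

The point is not the particular numbers but that each class boundary is explicit and quantified, so the analysis can accommodate the admitted arbitrariness of the boundaries rather than hide it.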
An FHA would include similar definitions of hazard classes (note I’m using the term “hazard” to mean any unwanted outcome, not just those involving unwanted energy transfers like explosions and lightning) for all primary functions of the business.
Once we have a list of top-level functional hazards – not the same thing as risk registers in popular risk frameworks – we can then determine, given implementation details of the business functions, what specific failures, errors, and external events could give rise to failure of each function.
For example, when we ask what might cause manufacturing output to fall, some causes come quickly to mind: labor problems, supply chain disruption, regulatory action, loss of electrical power, and floods. Some factors impacting production are simple (though not necessarily easy) to model. Floods, for example, have only a few possible sources. Others might need to be modeled systematically, covering many combinations of contributory events with tools like a qualitative or quantitative fault tree.
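A quantitative fault tree combines such contributory events through AND and OR gates. Here is a tiny sketch, assuming independent basic events with made-up annual probabilities (the event names and figures are mine, purely for illustration):

```python
from functools import reduce

def p_or(*ps):
    # OR gate: the output occurs if any input occurs
    # (complement of the probability that all inputs fail to occur).
    return 1 - reduce(lambda acc, p: acc * (1 - p), ps, 1.0)

def p_and(*ps):
    # AND gate: the output occurs only if all inputs occur.
    return reduce(lambda acc, p: acc * p, ps, 1.0)

# Hypothetical annual probabilities of basic events.
flood         = 0.01
grid_outage   = 0.05
backup_fails  = 0.10   # backup generator fails on demand
supplier_halt = 0.02

# The plant loses power only if the grid fails AND the backup fails.
loss_of_power = p_and(grid_outage, backup_fails)

# Manufacturing halts if any of these intermediate events occurs.
manufacturing_halt = p_or(flood, loss_of_power, supplier_halt)
print(round(manufacturing_halt, 4))
```

Even this toy tree shows the top-down payoff: the AND gate captures the fact that a grid outage alone is survivable, something a flat list of causes cannot express.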
Looking specifically at loss of manufacturing capability due to supply chain interruption, we naturally ask what the proximate causes are. Subject-matter experts or a literature search would quickly list failures like:
- IT/communications downtime
- Cyber attack
- Fire, earthquake, lightning, flood
- Flu epidemic
- Credit problem
- Supplier labor dispute
- Transportation labor dispute
- Utility failure
- Supplier ethics event
- Regulatory change or citation
We would then assess the probability of these events as they contribute to the above top-level hazards, for which severity values have been assigned. At that point we have a risk assessment with some intellectual heft and actionable content.
Note that in that last step we are assigning probability values to the failures, either by using observed frequencies, in the case of floods, lightning, and power outages, or with periodically updated estimates from subject-matter experts, in the case of terrorism and labor disputes. In no case are we assigning ranks or scores to the probability of failures, as many risk frameworks dictate. Probability ranking of this sort (ranks of 1 through 5, or high, medium, low) has been the fatal flaw of many past risk-analysis failures. In reality, all important failure modes have low probability, especially when one-per-thousand and one-per-billion are both counted as low, as is often the case. I’ve discussed the problem of subjective probability assignment in earlier posts.
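The information a rank discards is easy to demonstrate. In the sketch below (event names, probabilities, and a severity figure are all invented for illustration), two events that would share the same “low” bucket on a typical scoring matrix differ in expected annual loss by a factor of a million:

```python
# Hypothetical events, both "low" probability on a 1-to-5 scoring matrix.
events = {
    "plant flood":   {"p": 1e-3, "severity_usd": 50e6},
    "meteor strike": {"p": 1e-9, "severity_usd": 50e6},
}

for name, e in events.items():
    expected_loss = e["p"] * e["severity_usd"]  # probability times severity
    print(f"{name}: expected annual loss ${expected_loss:,.2f}")
```

One event justifies a $50,000-per-year mitigation budget; the other justifies a nickel. A rank of “low” for both makes that decision invisible.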
McKinsey’s article confuses uncertainty about event frequency with unforeseeability, implying that McKinsey holds special arcane knowledge about the future.
Further, as with many ERM writings, it advances a vague hierarchy of risk triggers and types of risk, including “hazard risk,” insurable risk, performance risk, cyber risk, environmental risk, etc. These complex taxonomies of risk reveal ontological flaws in their conception of risk. Positing kinds of risk leads to bewilderment and stasis. The need to do this dissolves if you embrace causality in your risk models. Things happen for reasons, and when bad things might happen, we call it risk. Unlike risk frameworks, we model risk by tracing effects back to causes systematically. And this is profoundly different from trying to pull causes from thin air as a starting point, and viewing different causes as different kinds of risk.
The approach I’m advocating here isn’t rocket science, nor is it even jet science. It is nothing new, but it seems unknown within ERM. It is exactly the approach we used in my 1977 college co-op job to evaluate economic viability, along with safety, environmental, and project risk, for a potential expansion of Goodyear Atomic’s uranium enrichment facility. That was back when CAPM and the Efficient Market Hypothesis were thought to be good financial models, when McKinsey was an accounting firm, and before ERM was a thing.
McKinsey concludes by stating that unknown and unforeseeable risks will always be with us, but that “thinking about your risk cascades is a concrete approach” to gaining needed insights. We view this as sloppy thinking – not concrete, but vague. Technically speaking, risks do not cascade; events and causes do. A concrete approach uses functional hazard assessments and related systematic, analytic tools.
The purpose of risk management is not to contemplate and ponder. It is to model risk by anticipating future unwanted events, to assess their likelihood and severity, and to make good decisions about their avoidance, mitigation, transfer or retention.
Leave a comment or reach me via the About link above to discuss how this can work in your specific risk arena.
– – –
In the San Francisco Bay area?
If so, consider joining us in a newly formed Risk Management meetup group.
Risk assessment, risk analysis, and risk management have evolved nearly independently in a number of industries. This group aims to cross-pollinate, compare and contrast the methods and concepts of diverse areas of risk including enterprise risk (ERM), project risk, safety, product reliability, aerospace and nuclear, financial and credit risk, market, data and reputation risk, etc.
This meetup will build community among risk professionals – internal auditors and practitioners, external consultants, job seekers, and students – by providing forums and events that showcase leading-edge trends, case studies, and best practices in our profession, with a focus on practical application and advancing the state of the art.
If you are in the bay area, please join us, and let us know your preferences for meeting times.