Assessing a company’s vulnerability to risk makes otherwise theoretical discussions of strategy more real.
In the decade since the global financial crisis, financial companies have honed their ability to measure risk in a way that nonfinancial companies have not. Granted, nonfinancial executives hadn’t faced the same existential crisis. And they’ve seldom come under the same kinds of investor and regulatory pressure. But the result is that they haven’t absorbed many of the lessons on risk management learned by the financial sector.
We believe that nonfinancial companies, too, would benefit from a more aggressive look at the risks they face. Among the most important steps they could take, for example, would be to quantify risks in the context of broader scenarios, and not just as discrete sensitivities. They should calculate the effect of more extreme one-off events, such as a cybersecurity attack, in addition to continuous risks, like GDP. They should model risk-mitigation strategies as well as the risks themselves. And they should sustain a conversation about risk that is explicitly tied to strategic planning, capital allocation, and other business decisions.
We recently tested our thinking qualitatively in interviews with the CFOs, company secretaries, and controllers of 11 leading nonfinancial companies in the United Kingdom. Having just completed their first full reporting year under a new policy requiring companies to assess their longer-term viability, these nonfinancial company executives offered insight into the value a structured risk-measurement exercise can bring to a company’s decision making. As one UK executive reflected, seeing what certain risks could really mean for the value of their operations gives the whole intellectual exercise more currency.
Gauge scenarios, not just individual sensitivities
Companies often maintain a list of the main risks that managers believe they face, which they report as their “risk register” in annual reports. These include discrete operational events, such as major industrial accidents, cyberattacks, or employee malfeasance. If they take the next step to quantify those risks, many simply turn to that list and model them, often for the first time, onto their financial outlook. That’s a good start, and a step many companies don’t take, as it gives managers some insight into how sensitive the company’s financial health is to changes around individual risks. But measuring individual risks discretely does little to illuminate a more complex landscape of interrelated risks that often move together in the real world. That requires the further step of coherently clustering risks together into scenarios.
Scenarios are more appropriate because they help managers consider the effects of a variety of severe but plausible situations without being farfetched. They can also accommodate interaction effects among sensitivities. One manufacturer in our group reported modeling 18 different scenarios, after eliminating many more that they felt did not meet the plausibility criteria. The comprehensiveness of the exercise equipped the board with a clear perspective on the company’s resilience and a number of management actions in time for the Brexit referendum months later. And finally, integrated scenarios also ensure that companies do not miss or underestimate the correlations between their different business activities and individual risk types, thereby underestimating group-level vulnerability.
Consider extreme and one-off events, not just everyday risks
We frequently encounter companies willing to model broader, everyday market variables, such as GDP or inflation, or more specific variables, such as the rate of formation of new companies. But we seldom find companies willing to model more extreme variables or one-off events, such as a cyberattack or a natural disaster. The data to measure the effects of the former are fairly easy to come by, some argue, while reliable data on the latter are not. Others believe that their employees would sufficiently rally together to counter such events. As one UK executive told us, “We did not try to model events of nature and operational issues. All hands would be to the pump in the organization anyway, to deal with that particular situation, given its gravity. The complete random nature of seeking to put in a number—we think that is too difficult.”
One-off events can also be more correlated with market downturns than companies expect. For example, the pressure on income after a recession can translate into aggressive business practices that lead to one-off risk events—by undermining product or employee safety or leading to ethics violations. Governments may add to the pressure with a more aggressive tax and regulatory stance. Many companies will model the economic downturn, but they often don’t model one-off events like changes in tax policy.
Some companies do find ways around the challenge of quantifying one-off events—often turning to the lessons of history to drive the analysis. One IT company, for example, used the experience of other companies that suffered a cyberattack to quantify the potential impact on its business. Press and financial reports often provide the kinds of relevant details needed, such as an increase in customer churn rates or declines in revenues.
A materials company used a proportionate measure of the impact of the 2007–08 financial crisis on its business to stress test its current financial outlook. Managers then used the data to inform a strategy discussion with the board. In so doing, these companies gained a deeper appreciation for the magnitude these catastrophic shocks could have on their business and could allocate resources to prepare for them more effectively.
Model mitigation strategies as well as risks
Even nonfinancial companies that undertake a regular measurement of risks often neglect also to measure the effects of their plans to mitigate the fallout of a downside scenario. Steps like reducing dividend payouts, cutting capex, or selling assets come with their own risks over the long term—and we believe risk-savvy managers should model both.
However, among our UK interviewees, several worried that modeling mitigations on top of the initial scenario or sensitivity amounted to piling assumptions on top of assumptions. Indeed, there was also some debate as to the right perspective from which to comment on risk. Viability is one, but metrics such as the risk of a dividend being cut might be another—or, for companies that have promised a progressive dividend, the risk that the rate of growth might slow.
Whichever metric is used, companies and their boards would benefit from understanding which mitigations exist, when they should be triggered, and what rough magnitude of impact they could deliver. One approach to understanding mitigation steps that we’ve observed elsewhere immerses executives in a war-game-like exercise. Teams representing different interests, such as competitors, suppliers, and regulators, debate a risk scenario and then run their respective reactions through the risk model to measure the effects. This has the benefit of ensuring that mitigation efforts are plausible and of showing how they might affect viability or dividends, for example. It also gives management confidence in their approach when an actual crisis comes to pass.
Broaden the conversation
The usefulness of risk-measurement exercises can be limited if they aren’t dynamically linked to strategic planning, capital allocation, and other business decisions. That means such exercises need to include more than just a CFO or a board audit committee, or they amount—as one UK interviewee put it—to little more than a “tick-box exercise” that fails to change behaviors in the business.
Yet in cases where internal engagement is more comprehensive, we’ve seen risk-measurement exercises provoke a systematic review of a company’s risk profile, risk-management approach, and strategic posture—even if it can take some time before the consequences become evident. One UK retailer we met with described holding workshops with the company’s executive team to reconsider its risk register and define plausible downside scenarios. Its board audit committee also spends significant time discussing the appropriate modeling methodology to arrive at robust and meaningful results. As with many of the companies we spoke with, it’s too early to see concrete impact—we didn’t hear of anyone who had made a major change in the business as a result. But several told us that a better understanding of risk was valuable input and wanted to deepen the process.
Indeed, several of our UK interviewees acknowledged that they’d previously had a limited understanding of their risk exposure. As a consequence, for example, they had no systematic understanding of how much capital they actually needed to absorb risk in current operations. Again, none reported after undergoing the risk-measurement exercise that they felt the need to raise or conserve more capital for such risks, though a few did report finding they were much more resilient to downside risks than they had expected. We also found broad recognition of the value of a more structured, analysis-enriched conversation with key decision makers about risks, and many companies were keen to improve on their approach going forward. As the lessons from the viability-statement exercise are embedded and companies’ approaches evolve, the intent is summed up by one interviewee as, “you start with the risk process and it develops and becomes richer in time.”
For nonfinancial companies, a more structured approach to risk measurement can lead to a more nuanced and insightful appreciation of true risk levels, and eventually a better-informed strategic posture.
About the author(s)
Conor Kehoe and Cindy Levy are senior partners in McKinsey’s London office, where Matt Stone is a consultant.
The authors wish to thank Emma Gibbs and Sven Heiligtag for their contributions to this article.