When you consider all the bad things that happen to good plans, it's not surprising how often CEOs blame poor performance on poor luck. Product launches flop when customer demand is weaker than expected. A brilliantly conceived merger becomes a value-destroying menace when integration fails. Plans to expand overseas stumble over regulatory issues.
But risk-management and planning experts say such failures are usually predictable, and frequently preventable. The problem is that most planners don't think hard enough about what might go wrong before putting an idea in motion. "There's a natural tendency for executives to focus on the positives of a plan and deemphasize the risks," says Rick Funston, national practice leader for the governance and oversight group at Deloitte & Touche LLP in New York. "It's like saying, 'Let's climb Mt. Everest this weekend because it will be great fun,' without stopping to think that this will probably get you killed."
A number of companies think they have found a way to create better-examined plans — by formally linking risk management and strategic planning, something risk managers have long advocated. Indeed, a stronger bond between risk and planning was one of the goals of enterprise risk management, introduced in the 1990s. But few companies adopted ERM, and when they did, the result was often better integration of some risks — such as credit and market risk — without a real connection to strategy.
Two things have sparked renewed interest in ERM: the terrorist attacks on September 11, 2001, and the new governance rules enacted after the corporate scandals. "There is no question that this is the hottest time for ERM since we started working on it in 1991," says Michael Chagares, senior vice president at Marsh Inc. "Boards want to know if management has a corporate risk profile and a continuous view of the company's risks. And they're finding that the best way to look at risk from a corporate perspective is to integrate it into the planning process."
As a result, the new ERM programs aim to create such integration from the start. "Our main focus over the past 18 months has been building a risk culture and linking it to the business-planning process," says Kathryn W. Dindo, vice president and chief risk officer at FirstEnergy Services Corp., an Akron-based utility holding company that has implemented an enterprise risk program at the urging of its chairman.
A Gap in the Plan
There's nothing new about considering risk when making plans, of course. In fact, most companies already have some way of doing this, and some do it very well. This is usually SWOT (strengths, weaknesses, opportunities, and threats) analysis, a venerable planning method still taught in business schools. The issue is that executives tend to focus on the strengths and opportunities, but gloss over the weaknesses and threats. "Where strategic planning falls down is that there's not enough thought given to the barriers to execution — the risks," comments Rick Machold, a former business consultant and currently chief risk officer at Certegy Inc., a financial transaction processing firm in Alpharetta, Georgia. "The idea is to choose the highest-impact opportunities with the greatest likelihood of success. Companies do a good job with the first half of that logic, but not the second."
Randy Nornes, managing director of Aon Risk Services in Chicago, agrees. "Many planners don't have a great feel for the details of their risks," he says. "The result can be a great plan with poor execution, or a single event that spirals out of control."
Ford Motor's disastrous experience with its Explorer SUV several years ago illustrates what can happen when the connection between risk and planning isn't strong enough. What started as a technical problem with the Explorer's tires became a safety problem when the SUVs began flipping over on highways. This turned into a public-relations nightmare, a government-relations issue, and a source of bitter conflict with Ford's tire supplier Bridgestone/Firestone Inc. "The whole thing started to explode on them," says Funston. Arguably, if Ford's planners had thought through the cascading effects of a technical failure, they could have taken steps to prevent it or at least prepare a coordinated response with their suppliers.
Risk and Reward
To prevent such oversights from creeping into their own plans, companies are connecting planning and risk management in two ways. The first, and most common, is to vet plans and capital expenditures with the risk management department after the plans have been drafted. The other is to conduct a formal risk assessment during the actual formulation of the plans.
Genentech Inc., a South San Francisco-based biotechnology firm, is pursuing the first approach. "As strategic plans are put in place, we look at them and ask, 'If we're going to meet these goals, what must we do operationally? And what are the risks to these plans?' " says Genentech treasurer Thomas T. Thomas. Before any plan is implemented, his team works with the business to document the risks, measure them, and devise mitigation plans. "For example," he says, "if we're going to meet our five-year plan, we need to make sure that our production capacity will come online at the right time, in the right configuration, and in the right place, so that when drugs come out of the pipeline, we're ready to produce them. The supply-chain people have the functional knowledge, but the risk people can ask the questions to make sure we structure our facilities in a way that lowers the risk to the company."
The second approach — which complements the first — is to involve risk management earlier. The hope is that a skeptical voice in the planning session can influence the shape of a plan. Capital One Financial Corp. in McLean, Virginia, has a method for doing this, according to chief enterprise risk officer Laura Olle. In addition to a review of annual business plans, Capital One involves risk managers in all major decisions. The risk professionals work with planners to think through a structured set of questions when developing a plan. If a unit is thinking about expanding to Germany, for instance, does the company need to buy new technology? What are the privacy laws in that country? Is the company prepared to comply? "Our goal is to help the business understand what things could go wrong before they make the bet," says Scott Davenport, vice president of enterprise risk management.
This can happen without a formal ERM program. Ellen Vinck, vice president of risk management at U.S. Marine Repair Inc., which is based in Norfolk, Virginia, says she has participated in planning meetings for at least 15 years, something she admits is uncommon among risk managers. "Truthfully, I think this is what every risk manager should be doing," she says. Vinck provides an example of her role: during one meeting, someone proposed expanding repair operations to bridge work. Vinck pointed out that the risks involved in working under a 200-foot-high bridge aren't the same as those of working in a shipyard, and that the company's insurance wouldn't cover such risks. "If a risk manager hadn't been there, we might have gone ahead and created a huge exposure for the company," she says.
The danger in all this is that companies could cultivate a risk-averse culture — one in which good ideas get shot down by risk managers. It shouldn't, according to the advocates of better integration of risk and planning. "Our company is in the business of taking risks, but taking risks in an understood, assessed, and managed way," says Davenport. Arguably, the effort to link risk to strategy is a way of returning companies to their roots. For a young, small company, there is no division between planning and doing — they are typically done by the same people. "A good entrepreneur always thinks about what will go wrong," says Davenport. By closing the gap between strategy and execution, companies may start to see more things go right.
Don Durfee is research editor at CFO.