Chapter 5

The Risk Index

TYPES OF ORGANIZATIONS WHERE THIS METRIC IS APPROPRIATE

Any large organization needs to measure risk. Even government organizations need to measure certain types of risks. Certainly military organizations need to measure risk, as do health care providers; high-risk industries like pharmaceuticals, airlines, energy companies, hospitals, and other organizations that provide critical goods and services.

HOW DOES THIS IMPACT PERFORMANCE?

Disasters of any type can put companies out of business. Both Pfizer and Merck have had to pay millions in damages due to side effects of their drugs. Both companies survived, but a big lawsuit or fine like this can ruin a company. Lawsuits relating to human resource violations can also be devastating. Discrimination lawsuits have also resulted in payment of huge damages. Natural disasters like floods, hurricanes, and earthquakes can destroy facilities, data, equipment, and employees. Many companies in the New York City area took weeks to recover from Hurricane Sandy, and New Orleans has not completely recovered from the flooding years ago during Katrina.

Financial disasters can also be devastating. Too many high-risk mortgages and bad investments put many mortgage companies out of business in the last few years. Big banks and insurance companies like AIG, Bank of America, and others had to be bailed out by the government to avoid bankruptcy.

Not taking risks can also be hurtful to an organization. Many big companies only reward risk taking when it is successful, and there is a culture of playing it safe. The majority of companies are not innovators but copycats. They wait for others to come up with the innovations and take the risks and then knock off the innovators’ products and services. Often by the time the copycat product or service gets to the market, the opportunity for sales may have dried up. Think of the companies that came up with knockoff versions of the iPhone or iPod. Taking intelligent risks is a huge part of the recipe for success for many organizations.

COST AND EFFORT TO MEASURE

The amount of effort and cost required to create a good risk analytic is medium. Most organizations have some financial risk metrics in place that can be used, as well as compliance metrics. However, most of their metrics are simply counts of plans, events, or training attendance. In other words, the metrics do not really provide an accurate view of the level of risk the organization is facing. Most organizations do not have decent risk metrics for:

• Supply chain risk
• Human resources risk
• Emergency preparedness and natural disasters risk
• Intellectual capital risk
• Competitive risk
• Product or service liability risk
• Legal risk
• Customer risk

This is where the cost and effort come in. Coming up with good metrics for these various factors will take time and possibly the expertise of outside consultants. Some risk assessments can be done for free or for relatively low cost, such as the Ready Rating system sponsored by the Red Cross that assesses emergency preparedness.

HOW DO I MEASURE IT?

Step 1 is to do an inventory of available data relating to risk and emergency preparedness to see what metrics you currently have. You might want to evaluate each one of those metrics based on the accuracy of the metric and the integrity of the data. For example, counting the number of fire drills conducted or attendance at emergency preparedness training are easy and objective metrics with good integrity, but they don’t really tell you anything about how well the organization is prepared for risks. People could take way too long to get out of the building during a drill, and sleep or do other work through the training, so just counting these activities does not tell you much.

Once you have identified all the metrics on which you currently have data, and assessed the usefulness of these data, Step 2 is to decide on the types of risks you want to include in your risk analytic. One client brainstormed about eight different types of risks like those in the previous bulleted list and had a team assess each dimension on a scale of 1 to 10 for probability and seriousness. A factor like supply chain risk may get a high score in both probability and seriousness if the organization relies on one supplier for a key raw material used to make their product and the supplier has had some quality problems in the past. Some of the major types of risks to consider include:

• Supply chain risk. Many organizations are heavily dependent upon suppliers to manufacture, deliver, sell, and service their products. Many hospitals rely on groups of doctors to treat patients, drug companies to supply medications, equipment manufacturers to provide good-quality equipment, and service suppliers to provide food service, laundry, cleaning, billing, and other services. Hospitals are probably more reliant on suppliers than even most manufacturing companies. Factors that go into assessing supplier risks are the number of suppliers for needed goods and services, supplier performance, availability of alternative suppliers, and dependence on suppliers. Some companies have been working with the same suppliers for so long that it would be a huge risk to switch to someone new who does not know their company and needs.
• Human resources risk. Some companies are very dependent upon key people who help develop new products or services, manage the business, keep clients and customers happy, manage production, and market the brand. The loss of a few key people can be devastating to a company. Refer to Chapter 16 on the human capital index for a way to identify your most valuable employees. Then you need to assess the risk of losing each one. Losses may come from death or health problems, early retirement, or someone who decides to go work for a competitor. Most valuable people are contacted by headhunters all the time, and there is always a risk of losing them in spite of the power of your “golden handcuffs.”
• Emergency preparedness and natural disasters. In this era of global warming–related weather disasters, pandemics, terrorism, and war, it has become more important for organizations to be well prepared for the many emergencies that can occur.
• Intellectual capital risk. This is related to human resources risk if someone walks out the door with intimate knowledge of your organization and its products and goes to work for a competitor. However, there are intellectual capital risks that may come from others hacking into your data, which has happened to many organizations in the last few years, or intellectual capital being stolen by a supplier or competitor. Industrial espionage still occurs and is tougher to prevent these days. People are also more mobile now and do not tend to stay at one company for their entire career. Even if it is not intentional, most people can’t help but apply knowledge learned at one job to their new job and employer. If you have a lot of proprietary products, services, or practices, this might be a type of risk for you to consider tracking.
• Competitive risk. Many organizations fight for market share with existing and emerging competitors. The biggest threats often come from unknown and small competitors that seem to come out of nowhere and steal your market share. Sears did not see Walmart coming until it was too late, and neither did Borders see the threat of electronic books to the bookstore business. While GM and Toyota are watching Hyundai, Hyundai is watching emerging Indian and Chinese car manufacturers. Competitive risks might also relate to mergers and acquisitions. Perhaps one of your main competitors is a small company that gets bought by a huge corporation and then has the money and clout to squash you. There could also be a risk that your company gets bought, which changes your ability to be agile and customer-focused because of all the new bureaucracy you have to cut through to get stuff done.
• Product and service liability. If you are in the medical devices, food, or pharmaceutical business you better have some top-notch lawyers on staff to fight all the liability lawsuits you’re likely to encounter. Hospitals and doctors also face huge risks from lawsuits for medical errors and mistakes made. So far I don’t think many financial advisors or brokers have been sued for bad advice, but it is a possibility. Each product and service carries its own risks and possible side effects and needs to be balanced with the desire for revenue and profits.
• Legal risk. All organizations are subject to the same laws regarding employees, hiring, promotions, safety, financial compliance, and other factors. Some companies are better prepared than others and do a lot more to prevent possible lawsuits. Your history may also figure into the likelihood that you will have future legal problems.
• Customer risk. In the early days of my consulting practice I had two big corporate clients who bought about half of my billable days each month for seven or eight years. It was great to have a stable revenue stream and two clients that I really got to know well. It was also a huge risk. When they both decided they didn’t need me anymore the same year, there went half my business, and because I was so busy with them, I had not spent much time marketing to others. Putting all your eggs in one basket is a huge risk, even if it is an attractive basket. Many organizations, such as automakers, face customer risks because their customers are getting older and no longer buying cars. Rolls-Royce experienced this: most owners of their cars were in their sixties or older. Young people viewed Rolls-Royce as an “old man’s car” until BMW bought the company and created the Phantom, favored by young music stars and entrepreneurs. Sales went from a few hundred cars a year to several thousand, and Rolls-Royce has also expanded its appeal to other countries besides the United Kingdom and the United States. China now has one of the most successful Rolls dealerships in the world. Moscow is not far behind. With the release of the Ghost in 2011 and Wraith in 2013, Rolls-Royce now has a broad array of models that appeal to different demographics. Another type of customer risk is that your customer could go out of business or have financial problems. When I worked with NORDAM, an aircraft repair company, it was always at risk for a customer to file bankruptcy, which is fairly common in the airline business.

After deciding on the factors to include in your risk index, you have to decide how to measure your performance. The types of metrics I usually see when measuring any kind of risk tend to be the same:

• Knowledge. A big factor that impacts how well organizations respond to crises is their level of knowledge. Knowing what to do before and after an emergency can sometimes make a life-or-death difference. In California, the news media tries to do its part in educating us about what to do in an earthquake. In spite of these efforts, there is still a lot of confusion. Should you stand in a doorway, run outside, stay in your bed and cover your head, crawl underneath a heavy table? Many of us are not sure. Knowledge of what managers or competitors are up to is also a major factor in preventing risks. Knowledge can be measured via a test, but it should not be measured by training attendance or eyeballs. Many people attend the training, read the brochure, look at the poster in the hallway, and soon forget the whole thing.
• Preparedness. Preparedness is assessed via audits, drill performance, simulations, plans, and processes. The Red Cross Ready Rating assessment is a comprehensive survey on a wide variety of topics relating to emergency preparedness. What’s good about it is the low cost; what’s bad about it is that it is a survey. Surveys are not the most reliable way of assessing many of these factors. Having an audit combined with a survey is probably going to provide a more accurate assessment.
• Risk scoring of products and services. A good measure of the potential liabilities associated with your products and services is to do a portfolio review once a quarter or so and do a risk assessment on each of them. The products or services might be given a weight depending on the revenue and profit that comes from them, and each one could be given a potential liability score based on the number of potential problems, the seriousness of those problems, and the probability that they will occur. For a prescription drug like Lipitor or Crestor, we might give either drug a high weight because of the revenue in sales and profits generated, and a high (bad) score for the number of potential side effects, but a low score based on the seriousness of the side effects—for example, muscle soreness (1) versus death (10)—and a low score based on the number of people affected in studies. By doing this assessment of each of the products and services in your portfolio you can come up with an overall risk number and try to keep it in the safe or green zone.
• Customer risk scoring. Another factor that might be scored at least quarterly is your portfolio of customers. A baby food manufacturer I worked with is a private label producer for Walmart. Walmart is a very successful and stable company, but they are also known for not being loyal to suppliers if a better deal comes along. Having one customer like this ought to put this company’s customer risk gauge in the red zone. The types of factors that would get assessed in a customer risk evaluation are the percentage of business that comes from the supplier, the degree to which they are profitable, the financial health of the customer, and the number and variety of customer types and markets you sell to. Companies like BMW lessen their risk by having customers who range from billionaires who buy a Rolls-Royce Phantom convertible for $450,000 to students who drive a Mini Cooper that their parents paid $20,000 for. Having a diverse portfolio of customers and products that meet their needs dramatically lessens a company’s risk.
• Competitor risk scoring. Assessing competitors is all about sizing up the degree to which they are a threat today and tomorrow. I am shocked at how many Fortune 100 companies do not have good competitive databases that are updated all the time with the most current data. They seem to stumble on competitor intelligence and have it stored in many different locations and databases. In order to get a handle on competitive risk, think about assessing each competitor on factors such as new products they have in the pipeline, relationships with important customers, partnerships with other firms such as distributors, retailers, or suppliers, financial health, and projected growth.
• Human resources risk. I observed a good approach for quantifying this at one of my clients. It was focused on the top 100 people in the company, a mix of executives and technical professionals. Each one already had a human capital score (see Chapter 16) based on competencies, traits, accomplishments, and relationships, and they also were assigned a risk score of 0 to 100 (higher means greater likelihood of leaving). The risk score was based on health (see Chapter 20, wellness index), personal situation (age, married, divorced, kids at home, family in area, estimated net worth), opportunities for advancement, marketability outside (would this person be sought after by competitors or others?), and price of divorce—what it would cost for them to leave. These factors were used to score the relative risk of each person leaving, and a risk mitigation plan was put into place to help ensure that they lowered the risk of losing key people. Compliance with the risk mitigation plan also was figured into the overall risk score for each person. The aggregate gauge was a combination of the value of the person to the company along with the risk of losing them. What they didn’t account for is how happy or disgruntled the person is. This is the main risk factor. I have several investment banker neighbors who are really mad at their firms, disgruntled with the way the industry is going, and who have enough money to never have to work again. These guys are high-risk and very valuable to their firms.
• Risky behaviors. Another type of metric to consider for your risk analytic is employee behavior. Coming up with new product or service ideas is a desirable behavior you could track. Having an affair with your subordinate is an undesirable risky behavior, as is getting kickbacks from suppliers, such as Super Bowl tickets, invitations to golf outings, and other similar privileges. Organizations I have worked with also track failures as an indication of risk taking. If no one is taking any risks, there are no failures and no lessons to be learned. If there are too many colossal failures, they are taking too many risks and the consequences could be devastating.

VARIATIONS

I have laid out a fairly complicated and comprehensive way of measuring the various types of risks an organization may encounter and an assessment of how well prepared they are to handle them. For a small to medium-size organization or one that is in a very low-risk business, an annual risk assessment that looks at your insurance, regulatory compliance, and emergency preparedness might be enough. However, keep in mind that all organizations experience risk, and the smaller you are, the harder it is to recover from emergencies or disasters. Even with an organization as small as mine (one guy working out of the spare bedroom), I need to track my level of risk. I was almost out of business when I lost my two biggest clients in the same year and had nothing in the pipeline. A small business might just try to diversify its portfolio of products and services, customers, and revenue streams.

FORMULA AND FREQUENCY

As a straw man to start with, consider the following factors and weights:

BENEFITS OF DATA

Most organizations I work with measure risk via annual audits, failures, counting butts in seats in training, and counting activities like fire drills conducted or databases backed up. In short, most organizations really don’t have much information on their level of risk. Data is spread throughout many different databases and is often based on verbal reports rather than quantifiable numbers. Organizations have really good daily measure of things like cash flow, costs, and revenue but have little and/or unreliable data on risk. The analytic proposed here will require a fair amount of work to construct, but I find that a lot of organizations have available at least half of the information for what I am proposing somewhere in the company.

The benefit of getting real daily, weekly, and monthly feedback on the level of risk is that it can be managed. Imagine how easy it would be to measure your health if every risky or healthy action provided you with feedback on whether it added or deleted minutes from your life span. We would spend a lot more time eating our vegetables and running than we would sitting at the bar pounding margaritas and devouring a steak burrito. With good and frequent risk metrics, organizations can make better, and more timely, informed decisions about actions to maximize revenue and growth while minimizing the risk of failure.