Corporate Strategies for Managing Catastrophic Risks in the S&P 500: Linking Intuitive and Deliberative Thinking Howard Kunreuther, Erwann Michel-Kerjan, and Michael Useem The Wharton School, University of Pennsylvania Interim Report – Preliminary – Do Not Quote November 22, 2013
84
Embed
Corporate Strategies for Managing Catastrophic Risks …opim.wharton.upenn.edu/risk/library/CorpStrategiesForManagingCat... · Corporate Strategies for Managing Catastrophic Risks
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Corporate Strategies
for Managing Catastrophic Risks in the S&P 500:
Linking Intuitive and Deliberative Thinking
Howard Kunreuther, Erwann Michel-Kerjan, and Michael Useem
The Wharton School, University of Pennsylvania
Interim Report – Preliminary – Do Not Quote
November 22, 2013
i
Table of Contents
Foreword: Riding the Wave .............................................................................................................iii
Section 1. Setting the Scene: A More Risky World for Corporations ........................................... 1
Section 2. A Framework for Understanding and Managing Catastrophic Risks by Key
Decision Makers in Firms ................................................................................................................. 5
Section 3. Twelve Preliminary Findings from the Interviews...................................................... 21
Section 4. Preliminary Findings from our Analysis of 10K Risk Sections ................................. 29
Section 5. Preliminary Findings from our Analysis of S&P 500 Stock Prices ........................... 35
Section 6. Overcoming Challenges through the Development of Long-term Strategies ........... 47
Section 7. Open Questions for the Next Phase of the Project ...................................................... 50
Appendix 1. Statistics on the 100 Firms Interviewed ................................................................... 52
Appendix 2A. 10K Risk Factor Mentions across Industry Sectors ............................................. 54
Appendix 2B. Percentage of the 10Ks Discussing Specific Risks (across sectors) ..................... 57
Appendix 3. Methodology for Analyzing Stock Price Changes ................................................... 59
Appendix 4. Leadership and Governance Lessons from Three Case Studies ............................ 61
Study Directors ……….…………………………………………………………………………77
ii
Acknowledgements
The study on Effective Corporate Leadership and Governance Practices in Catastrophe Risk Management
started in 2011 and will continue through 2015. It is being undertaken under the direction of Howard
Kunreuther, Erwann Michel-Kerjan and Mike Useem of the Wharton School of the University of
Pennsylvania.
The research team includes Karen Campbell, Preston Cline, Rebecca Henderson, Matthew Hill (who
served as project manager), Richard Hong, Carol Heller and Ann Miller and Greg Nini. Sourav Bose,
Laura Boudreau, Danbi Hwang, Nicole Kwok, Shaun Lee, Wing Li, Joy McKenzie and Sean Niznik
provided excellent research assistance.
We would like to thank all the experienced managers, executives and directors of the over 100 firms
we interviewed for taking the time to talk to us about their firm’s practices, lessons learned from past
experiences with severe events, and the way they foresee the future of (catastrophe) risk management.
A dedicated advisory board had provided us with strategic guidance on several aspects of the project.
The board is chaired by Jay Fishman, Chairman and CEO of The Travelers Companies; other
members of the Board are, in alphabetical order: Paul C. Curnin (Simpson Thacher & Bartlett LLP),
Luis G. Custodio (IBM Corporation), William J. Egan (Bank of America - Merrill Lynch), Peter
Kellogg (Merck & Co., Inc.), Joe Morton (IBM Corporation), Stephen Propper (Merck & Co., Inc.),
Tom Ridge, (former Governor of Pennsylvania and U.S. Secretary of Homeland Security), Paul
Slovic, (President, Decision Research) and J. Eric Smith (Swiss Re America),
This ongoing initiative benefited from the financial support of the Travelers Foundation through the
Travelers-Wharton Partnership for Risk Management and Leadership Fund, the Wharton Risk
Management and Decision Processes Center and the Wharton Center for Leadership and Change
Management.
iii
Foreword: Riding the Wave
Many of Morgan Stanley’s more than 4,000 employees had already started their work day at the
World Trade Center on twenty floors of the South Tower on Tuesday, September 11, 2001, when
American Airlines flight 11 slammed into the North Tower at 8:46 am. Morgan Stanley’s director of
security, Richard Rescorla, called the Port Authority, the center’s landlord, for guidance, and then
called the company chief executive, Philip J. Purcell.
The World Trade Center’s owner recommended against evacuating the South Tower, but Rescorla
nonetheless urged his CEO to approve immediate evacuation of all employees. Rescorla had lived
through the 1993 truck bombing of the World Trade Center that had killed six people; that experience
led him to institute quarterly evacuation drills ever since. Now, he started an evacuation for real. He
and his staff managed to move virtually all of their on-site employees out of the South Tower before
it was hit at 9:03 am and then collapsed at 9:59 am. Just six staff members were lost -- among them
were Rescorla himself and three deputies who had returned to make sure no one remained in the
building. In reflecting on Rescorla’s preparations and Morgan Stanley’s remarkably swift and nearly
complete evacuation on 9/11, chief operating officer Robert Scott later offered, “If you wait for a
crisis to begin to lead, it’s too late.”1
By contrast, when Lehman failed on September 15, 2008, the leadership of insurance giant AIG
proved woefully ill-prepared to avert its own collapse that resulted from the actions of one small part
of its entire organization. The board, the chief executive, and the managing director for its Financial
Products subsidiary (AIGFP) – which at the time had only 400 employees – had not anticipated that
the company’s credit rating would be downgraded, requiring that it post tens of billions of dollars of
collateral to back the insurance policies that it had written against defaults on debt, including massive
amounts of subprime mortgage debt. But in the wake of Lehman’s failure, rating agencies turned to
see if AIG held large amounts of the same toxic subprime mortgages that had pushed Lehman over
the edge. AIG-Financial Products did, and a major rating agency downgraded the parent to A-. Due
to industry convention of requiring collateral if an insurer is not top-rated, the drop instigated
collateral calls from AIG’s customers. By the end of the month, AIG had lost $32 billion, and by the
end of the year, $61 billion, the largest annual shortfall in corporate history. The U.S. federal
government injected more than $182 billion to save the company from complete collapse and took
control of it.2 Remarkably, the firm is back on track today: it paid all its debt to the government, with
interest: a total $205 billion, for a profit of $23 billion to the U.S. federal government. To do so, it
had to go through a very significant restructuring of its leadership and of its portfolio of activities.
Morgan Stanley’s experience in 1993 created a readiness to save itself in 2001. By contrast, AIG’s
years of success might have ill-prepared it to save itself in 2008. The firm is now reinventing itself;
something that would have certainly been hard to do before the financial crisis.
iv
Examples such as these abound across industry sectors. We often learn as much from setbacks as
successes, often even more, and with unflinching study of our stumbles, we believe, companies can
become better prepared for the hazards ahead.3
This is partly why Cisco Systems’ John Chambers had been one of the longest surviving chief
executives in Silicon Valley. Chambers took the Cisco helm in 1995 and rode the Internet wave in
the late 1990s to make his company one of the world’s most valued entities, with a market
capitalization soaring above $500 billion. But when the Internet bubble burst at the end of that decade,
Cisco flipped from extraordinary growth to stunning contraction. Chambers and Cisco survived the
collapse, and he attributed much of the company’s success in the decade that followed to what he
learned when it felt as if he were touching the void.4
Until one undergoes a rare but wrenching experience, there is little natural impetus for preparing for
catastrophic risk. But we believe that executives and directors of large, publicly-traded companies
need not – and indeed should not – have to wait for such an experience before building their own
company’s capacity to avert or overcome low-probability but high-consequence events. They can
learn from one another and from other’s disasters without having to live it themselves. How they can
do so is the focus of the findings of this Wharton initiative.
In the pages ahead, we speak to those who are responsible for company enterprise, their managers,
executives, and directors. We try to better understand how risk management has evolved over time
and how it is conducted in large publicly traded companies today. Leadership of these enterprises
calls for thinking deliberatively, imaging the unimaginable, and acting strategically; recognizing the
shortcomings of human behavior; and preparing for the long-term even when short-term pressures
prevail. Company leaders can and should move their firm to a state of readiness for extreme events,
and we draw upon their experience to offer guidance on doing so well before a disaster strikes.
1
Section 1. Setting the Scene: A More Risky World for Corporations
1.1. Introduction
In today’s world, as a senior manager, executive or director of a large company, you cannot afford to
ignore the necessity of having an effective catastrophe risk management strategy in place. What
constitutes a catastrophic risk depends on your company and industry sector.
Given the unprecedented series of extreme events and crises that have occurred in recent years, it is
becoming clear to many more top decision makers in firms that we have indeed entered a new era of
catastrophes, with disasters, accidents and crises occurring at a more frequent rate and having greater
ripple effects across continents than in the past.5
Natural disasters such as hurricanes, floods and earthquakes have increased in intensity and
frequency, leading to historic records of economic losses given increased numbers residing in hazard-
prone areas. Also of concern are technological disasters such as large-scale chemical and nuclear
power plant accidents, environmental disasters such as oil spills, and externally caused events such
as terrorist attacks. These events could also be considered catastrophic: legal or reputational issues,
fraud, losing key personnel, stringent regulations that change the firm’s business model, and strategic
errors and competition that has a severe impact on market share.
All of these have caused firms to pay more attention to taking steps in advance of the next catastrophe
rather than treating them below their threshold level of concern. Firms have also learned the hard
way that global financial crises, intercontinental pandemics and cyber-attacks can have systemic
impacts.6 Some firms have been successful in addressing situations that could or have had severe
negative impacts on their bottom line.
In a recent survey of over 1,300 CEOs worldwide, the majority considered that “increasing
accountability in risk management” (62%) and “increasing resources devoted to risk management”
(53%) were two statements that “appropriately described their approach to managing their
organization in a complex and changing competitive environment.”7 This is a sea change compared
to where the corporate world was just a decade ago.
1.2. The Wharton S&P 500 Initiative
The Wharton Risk Management and Decision Processes Center and the Wharton Center for
Leadership and Change Management recently teamed up on a multi-year research initiative supported
by the Travelers Foundation to more fully understand how Standard & Poor’s (S&P hereafter) 500
firms approach catastrophe risk management today.
We define catastrophic risk broadly as events that can have severe physical, financial or
reputational impacts on the conduct of the firm’s activities. These can be internal or external to
the firm and typically require the involvement of top management and their Board of Directors.
2
We have now interviewed over 100 CEOs, Chief Risk Officers, other executives and Board members
concerned with these issues to address the following questions:
What extreme events have those firms experienced?
What insights have they gained from them?
Why is the risk management function playing a more central role in these firms?
What processes were in place in those firms, from risk identification, risk prioritization, and
risk assessment, to risk and crisis management?
What can we learn from leaders in the C-suite and at the Board level as to how they have
interacted with others in the organization on these issues in recent years?
How is the risk management function organized internally?
Has the Board become more active and if so, in what ways?
The distribution of the nearly 100 S&P 500 firms we interviewed during the past 18 months is highly
representative of the entire S&P 500 group (Figure 1). They differ in size, industry sector and their
risk management practices. Their annual revenues range from $1 billion to over $400 billion (median:
$12 billion; average: $29 billion); their human capital base ranges from 2,100 to over two million
employees (median: 20,000; average: 70,000). (See Appendix 1 for more details on the distribution
of firms in our sample compared to the full S&P 500 group of firms.)
Almost all the leading executives and risk managers we interviewed confirmed that risk management
has assumed a much more important role in their firm’s activities as well as having a higher profile
on their Board’s agenda. To a large extent this is due to recent experiences they have had in dealing
with events affecting their balance sheet and/or impacting on their long-term operations due to
changes in the business environment. The companies also provided us with lessons they have learned
from these events and steps they have taken to reduce the future likelihood and resulting
consequences of these events.
3
FIGURE 1.1: DISTRIBUTION OF THE INTERVIEWED FIRMS VERSUS FULL S&P 500
Interviewed Firms
Full S&P 500
Consumer
Discretionary
18%
Consumer
Staples
7%
Energy
7%
Financials
25%
Health Care
11%
Industrials
7%
Information
Technology
15%
Materials
4%
Telecommunication
Services
1%
Utilities
5%
Consumer
Discretionary
16%
Consumer
Staples
8%
Energy
9%
Financials
17%Health Care
10%
Industrials
11%
Information
Technology
15%
Materials
6%
Telecommunication
Services
2%
Utilities
6%
4
Organization of the Interim Report
This interim report is organized as follows. Section 2 develops a framework for understanding how
firms have dealt with risks that, if they were to materialize, could have a serious negative impact on
the firm, the changing role that catastrophic risk is playing in their organizations and how to manage
these risks in a more proactive manner. We propose themes and findings that can be tested both
quantitatively and qualitatively. In Section 3 these findings are illustrated with comments from our
interviewees. The names will remain confidential, but the lessons that can be gleaned from their
experiences will be highlighted so others can learn from them.
The data from these interviews were complemented by analyzing risks officially disclosed in the risk
section of these firms’ 10K annual reports, the results of which are provided in Section 4. We
were able to compare how risk disclosure practices have evolved over time, across industry sectors
and risk types. The majority of the firms have significantly expanded their discussion of risks they
have faced or dealt with than they did just five or six years ago. The top risk for almost all these
firms is Government.
We also conducted a series of analyses of the stock prices of the entire S&P 500 (as of 2011) over
time. Our goal was to examine cases where the stock price of a firm dropped significantly over a short
period of time compared to its competitors in the same industry sector and to understand factors that
may have led to significant drops. We also analyze the resilience of these firms (i.e., how long did it
take for the stock to bounce back to a pre-drop level). Section 5 focuses on the lessons learned from
the stock price analysis.
Section 6 provides guidelines for improving the effectiveness of risk management strategies for
decision-makers. Section 7 raises questions for your consideration as we update and revise this report.
The Appendices provide statistics on the firms interviewed (Appendix 1); complementary analyses
of the 10Ks (Appendix 2); stock price changes at a more granular level than presented in the body of
the report, and the methodology for analyzing the stock price changes (Appendix 3). We also present
three detailed case studies of firms that went through specific crises and highlight the key governance
and leadership lessons learned from each case (Appendix 4).
5
Section 2. A Framework for Understanding and Managing Catastrophic
Risks by Key Decision Makers in Firms
In dealing with issues associated with events that have the potential to have a severe adverse impact
on the firm, key decision makers are concerned with ways to reduce the likelihood of potential losses
in the future and how to deal with these extreme events should they occur. We first specify some of
the key decision makers internal to the firm and then delineate the following two key features that
characterize a framework for determining what actions these individuals or groups should take for
understanding and managing catastrophic risks in firms and in guiding a firm’s strategy:
Their risk analysis and management process
Their intuitive and deliberative thinking process
2.1. Key Internal Decision Makers
There are a number of different stakeholders within the firm itself who play a role in firms’ decision
making with respect to catastrophic events.
Board of Directors The board of directors acts as an independent, third party entity that oversees
the management of risk by a firm’s top executives. The Sarbanes Oxley Act (2002) furthered the
independence of the corporate boards of listed companies by requiring that a majority of board
members must be independent, and that certain committees (e.g., audit and compensation) must be
comprised of entirely independent directors. Board members are often current or former Chief
Executive Officers (CEOs) who bring a wealth of experience and connections with them from other
industries. Today, boards are hearing about risk management practices more often than in the past,
and hence are becoming more informed about risks facing the firm. In our interviews, the majority of
risk management leaders who discussed board involvement said that they reported to the full board
or to a board committee more than twice a year.
As we will discuss in more detail below, risk management is indeed now entering the board room in
an unprecedented way. Boards are often responsible for helping to define the risk appetite for the firm
in consultation with senior management company and are ultimately responsible for the risks that
face the firm. Board members leverage their knowledge to help set broad risk goals for the firm,
provide a governance function by overseeing the risk-related activities of the firms and provide
guidance as to how the firm can strengthen their risk mitigation efforts. Firms also use board
members as thought partners to test their ideas, to make connections with other industry leaders as a
means of benchmarking their operations, and to receive advice and feedback on enterprise risk
management (ERM) initiatives. While boards may help decide which risks companies should focus,
they are rarely involved in the everyday decision making as to how to deal with these risks. The CEO
of a firm in the travel services industry responded to a question on the role of the Board by saying
that its primary role was to ask tough questions such as whether the firm is prepared for future adverse
events, and to oversee how the company will deal with the situations, should they occur.
6
Senior Management Senior managers play a critical role in enterprise management by both setting
the tone and promoting a risk culture throughout the organization. This culture extends both upwards
to the board and downwards through the ranks of the organization. More firms have developed
enterprise-wide risk management functions and processes, even though the nature of it varies widely
from one firm to another. As the ERM director of an oil exploration and production company said:
Top management sets the tone, the war tone at the top, if you will. They are influencers of
doing the right thing. Senior management needed to set an example, by encouraging open
discussions around risk as well as honesty, forthrightness, clarity, and crispness rather than
letting concerns about risk be buried deep in the organization.
Chief Risk Officers (CROs) and their management teams play an important, executive-level role in
managing the risks related to a business and its various units. For instance, the CRO of an information
technology (IT) software products company pointed out that he works with the board, senior
management and the various divisions of the company to identify the company’s most significant
risks and their likelihood and potential impacts to set the tone for how the company deals with extreme
events. We also heard this message from the CRO of a North American bank, who noted that top
management plays a critical role in the success or failure of a financial institution.
CROs carry out this role by putting into place processes and procedures to facilitate risk management
across the firm. Through our interview process it becomes clear that, while many companies do not
have a CRO, the functions and responsibilities of this position are often assumed by the chief financial
officer (CFO) or the General Counsel and their teams.
Front Line Managers and Employees Almost all of those interviewed view frontline managers as
critical players in the risk management process because they are more in tune with specific risks that
an organization might face in a particular division, business unit or country. This is particularly true
for multi-national corporations operating in a large number of countries around the world, where
crises can be local. As previously noted, CROs (or those who assume similar functions) attempt to
harvest the local knowledge about specific risks by putting processes into place that help managers
communicate this information up the chain of command. The most proactive companies cast a wide
net, querying frontline managers through formal processes that take place on a regular basis.
7
2.2. Risk Analysis and Management Process
The risk analysis and management process in most firms that we interviewed typically follows the
steps depicted in Figure 2.1.
FIGURE 2.1: EIGHT STEPS OF THE RISK ANALYSIS AND MANAGEMENT PROCESS
Step 1: Identify the risks. Understand the risks the organization faces (likelihood, magnitude, and
cascading effect). Typically this process can identify a number of risks that need to be considered.
Step 2: Prioritize the risks. Determine several key risks that have been judged critical for the
organization and should be considered more seriously.
Step 3: Undertake risk assessment. Collecting data to quantify the risk can be time-consuming so
one needs to consider the purposes of undertaking such an analysis and what information end users
with require. For example, engineers will require a different type of risk assessment than financiers,
emergency planners or lawyers.
Step 4: Identify risk management options. The risk culture of an organization will set the tone for
managing the risks that firms face. This process involves determining options to consider in advance
of a severe event to reduce potential physical, economic and reputational losses and their likelihood
of occurrence as well as well as actions required following such events to limit further losses.
Step 5: Design a risk management strategy. After risk management options are developed, a strategy
needs to be implemented to reduce potential losses from adverse events and facilitate the recovery
process should a catastrophe occur.
4. Identify Risk
Management Options
5. Design Risk
Management Strategy
7. Implementation
8. Monitor Progress and
Update the Strategy.
1. Identify Risks
2. Prioritize Top Risks
3. Undertake Risk
Assessment
6. Design Crisis
Management Strategy
8
Step 6: Design a crisis management strategy. It is important for firms to clearly define roles and
communication procedures to make decisions and take actions for dealing with a crisis when it occurs.
The strategy often includes plans for dealing with the emergency, preserving business continuity and
informing top management and directors as to what actions are required to deal with the crisis and
over what time period.
Step 7: Implement the strategy. Depending on the priorities of top management and the board,
implementing a risk and crisis management strategy can be achieved over several years. It is
important to obtain tangible results early, to demonstrate that progress is occurring. As for any
project, it is also important to establish deadlines and adhere to a timeline.
Step 8: Monitor progress and update the strategy. This last step involves monitoring progress toward
achieving goals of risk and crisis management in light of changes in the risk environment and the
firm’s strategy.
Below we discuss what we have learned as to how S&P 500 firms approach different aspects of the
risk analysis process. We provide paraphrased comments from some of our interviews to highlight
these points.
Risk Identification and Prioritization
More than three-quarters of the firms we interviewed noted the importance of risk identification and
prioritization. The process is usually formalized; some firms have more ad-hoc procedures, but most
of them are moving to a more systematic process.
FIGURE 2.2: WHO IS INVOLVED IN RISK IDENTIFICATION AND PRIORITIZATION
Enterprise Risk
Management
(ERM)
Heads of Division,
Business UnitsFrontline
Employees
Managers
Consultants
Board
Audit/Risk
Committee
Executives
Executive
Committee Internal
Audit
Others
9
The process often begins with front-line employees, managers and heads of divisions or business
units playing a key role, as depicted in Figure 2.2. The CEO and CRO often play a role as does the
board through specific committees such as internal audit/risk. Consultants are rarely used to identify
risks, as there is a sense by most firms that nobody knows your business like you know your business.
The risk identification process normally involves characterizing risks from the bottom-up through
required reporting systems and meetings or workshops that bring cross-functional teams together to
review and assess potential risks and then recommend how best to manage them. Those involved in
developing Enterprise Risk Management (ERM) strategies play a key role by synthesizing the data,
and presenting a report to the executives, the Board and their committees on the important risks facing
the firm. This process can lead to a large number of risks being considered, in some cases over one
hundred.
Top executives, often in consultation with the Board, make final decisions on the three or four risks
that have top priority because of negative impact they would have on the firm’s operations and
balance sheet should they occur. Figure 2.3 indicates the frequency of mentions of different risk
identification and prioritization processes by firms that we interviewed.
FIGURE 2.3: HOW ARE RISKS IDENTIFIED AND PRIORITIZED
Checkpoints or Self-
Audits
Interviews
Meetings
& Workshops
Reporting
Listing/Matrix
Synthesis of
Findings by ERM
team
Event Specific
Auditing points of
failure
Research
Software
10
Risk Assessment
By risk assessment we mean the process by which firms characterize and rank key risks on which to
focus attention based on selected criteria. Risk assessment is normally distinct from risk
identification, requiring a much more specialized set of skills on the part of its ERM professionals.
For some firms, it is also part of the process by which the senior leadership and the board of directors
define the firm’s willingness to assume certain risks. Figure 2.4 characterizes parts of the organization
that are involved in risk assessment.
FIGURE 2.4: WHO IS INVOLVED IN RISK ASSESSMENT?
The ERM team or risk management personnel generally play a supportive role by presenting the most
important risks to the Board, and helping them determine priorities by specifying metrics that should
be monitored. For example, the General Counsel in a real-estate firm classified its leverage ratio
(i.e., debt/equity) as dry, damp or wet. If it is in the damp range, you need to indicate how you are
going to get it back to dry. You never want your leverage ratio to be so high that it is in the wet zone.
The director of corporate risk management in a healthcare industry firm classified its risks into 21
different categories and indicated that those that should get the most scrutiny by the Board, as those
are the ones that are likely to make the most significant difference in the performance of the
organization. They are often ones requiring more effort and investment to manage so they need to be
discussed at a strategic level by the top management and the Board.
Board
ERM
Executive
Internal Audit
Others
Senior Management
11
The risk assessment process was nearly always highly formalized and conducted regularly and
systematically in firms as shown in Figure 2.5, with 45% of firms meeting annually on risk
management issues, 37% either bi-annually, quarterly or monthly, and 8% on a continuous basis.
Only 4 percent of firms undertake risk assessments less frequently than annually basis. As noted by
the director of risk management of a beverage distributor, “We want to meet quarterly with the audit
committee of the Board to assess the potential impacts of the five critical risks of facing the firm,
mitigation measures currently in place to reduce the likelihood and impact of specific events.”
FIGURE 2.5: FREQUENCY OF RISK ASSESSMENT
Annually
Bi-Annually
ContinuouslyLess than anually
Monthly
Quarterly
12
Firms use a variety of methods for assessing risk ranging from quantitative methodologies such as
scenario analysis, stress tests and ranking/scoring metrics to prioritizing key risks on a qualitative
basis. The CRO of a firm in the financial sector indicated that they stressed their system such that
they would be prepared for any type of extreme or tail risk. Many firms go through this process more
quantitatively, through the examination of metrics in meetings and discussions — an important
distinction we discuss below. Figure 2.6 depicts how often each of the different risk assessment
approaches was mentioned by firms that we interviewed.
FIGURE 2.6: HOW RISK IS ASSESSED
With respect to scenario analysis, the CRO of an insurance firm noted that one has to fully test the
spectrum of scenarios in identifying and quantifying the key risk factors that are at the core of
preventing tail events. The risk manager of a retail store that uses ranking and scoring methods
indicated that the firm defined risk families based on their similarity with respect to implications,
ramifications, outcomes and damage. One bank noted that it utilized stress tests with respect to their
contingent capital plans by examining whether there is a scenario where it would have insufficient
capital. Another firm wanted to stress their system to ensure that it can take care of the tails and
extreme events that could occur.
A mapping approach involves categorizing risk into the frequency and their potential severity. An
industrial firm noted that it has to do a lot of work in identifying some of the tails or extreme risks to
make sure that it has stressed their system to be able to take care of decisions to reduce the risk if
either its frequency and/or severity were classified as high. After it imposed appropriate controls,
most of these risks shift down to low frequency, and especially low severity.
Mapping
Meeting or
Discussion
Ranking, scoring or
metrics
Scenerio Analysis or
Modeling
Stress Test
13
Many interviewees commented on the relative merits and use of quantitative or qualitative methods
for the full risk assessment process. The majority of firms we interviewed relied upon numbers to
conduct risk assessments, others undertook qualitative analyses and some utilized both approaches.
Figure 2.7 indicates the distribution of firms that specifically noted the type of approach they were
utilizing in the process.
FIGURE 2.7: NATURE OF RISK ASSESSMENT PROCESS
The arguments supporting a qualitative approach focused on the inaccuracy of numbers, and noted
that firms relying on them were often blindsided, especially when they tried to quantify probability.
We introduce the distinction between “intuitive” and “deliberative” thinking in the following
subsection to highlight the need for a combination of qualitative and quantitative risk assessments.
For example, the risk manager of a large bank noted that there is an element of judgment regarding
the likelihood of particular events occurring that make them difficult to quantify. The more
quantitatively oriented firms in the interviews we conducted tend to be in the financial and insurance
industry. One bank models its portfolio and balance sheet by constructing many different scenarios
and developing a loss distribution through a Monte Carlo simulation process. It then specifies the
amount of capital needed to withstand a 1 in 10,000 year shock. An insurer looks at the probability
and potential impact that low-probability events may have on the enterprise and revise these estimates
on an annual basis.
Quantitative
Qualitative
14
Risk Management
By risk management we mean the activities that firms select to modify their exposure to internal or
external events that could critically impact the firm’s operations and functions (i.e., steps 4 and 5
depicted in Figure 2.1). The types of strategies undertaken will be guided by the firm’s risk appetite
to reflect the level of risk that an organization is prepared to accept to achieve its objectives such as
profitability and safety goals. The degree of risk taking or risk aversion exhibited by a firm reflects
the tradeoffs between the potential benefits of a specific business decision and the possible negative
impacts to the firm.
Firms we interviewed dedicate a great deal of attention to the risk management process; 90 of our
interviews discussed concrete measures they deploy to mitigate risks they face and to facilitate the
recovery process following a disaster. There were over 500 mentions of risk management strategies.
A larger group of interviewees (82) discussed activities focused on reducing the risk of a catastrophic
event ex ante, while a smaller group (56) described measures to facilitate the recovery process
following a negative event. Many firms discussed both types of measures. They are partly determined
by the risk appetite of the firm and include the following strategies that are discussed below.
Mitigation measures are steps taken by firms to reduce losses from adverse events. For example, a
health care firm designed a plant in Japan to withstand an earthquake of 7.0 magnitude and protect
their employees. Following a fire at one of their warehouses, a distributor created underground
channels, so any materials that were ignited could be extinguished due to lack of oxygen so as to
prevent the fire from spreading to other buildings. A chemical manufacturing firm designed a facility
that was resistant to flooding, and a supplier designed a building that has a communications center
that is capable of withstanding a Category 5 hurricane.
Accountability measures provide organizational or behavioral controls that are put in place by the
firm to limit unauthorized risk taking. Sometimes these measures are implemented after an adverse
event creates a problem for the firm from external sources. For example, an investment management
and services company began auditing its third party suppliers when it discovered after 9/11 that the
backup communication line that it had purchased was rerouted by its supplier to the same location as
its primary line, resulting in a total communications failure. Similarly, an IT company started to audit
the risk management practices of one of its suppliers after a fire severely impacted its operations.
Internally, firms hire third parties to determine how effective they are at mitigating risks once they
have been identified. Some use evaluations and financial incentives to discourage employees from
taking unnecessary risks. In this regard, a real estate firm implemented a system where local
construction managers are held accountable for identifying and taking responsibility for risks
associated with building projects.
Supply chain diversification refers to the process of maintaining alternative sources of raw materials,
supplies and suppliers to maintain business continuity. A health care services company relies on two
suppliers so that if one is not functional, they can turn to the other to pick up the slack. A distributor
that requires a four month lead time to purchase copper now has a large supply on hand in the event
15
of a crisis with its supplier. A computer firm maintains an excess inventory of finished products and
supplies to hedge against sudden fluctuations in the availability of materials and the prices to purchase
them. And a chemical company maintains a global warehouse and works closely with its suppliers to
ensure that there are continuity plans in place in the event of a catastrophe.
Avoiding less profitable risks by discontinuing or reducing the activity that gives rise to the risk, or
by shedding risks that do not reflect a significant driver of profits is especially common among firms
that are too small to take on large risks. For example, one firm in the oil and gas industry decided to
sell their deep water exploration division even before the 2010 Deepwater Horizon accident; they
determined that it comprised a small percentage of their overall business mix and was not worth the
risk. Another firm in the same industry decided to avoid partnering with companies it considers too
small to cover the cost of the indemnities for a drilling disaster in the wake of the 2010 Deepwater
Horizon accident, out of fear that they might be left holding the bag. A chemical manufacturing firm
decided that it was too small to take on the risk of having its products used in medical devices
implanted in the human body, so it chose to avoid that market.
Transferring the risk by buying liability, property and/or business interruption insurance or hedging
its risk by sharing it with another party is an approach utilized by many firms that we interviewed.
To illustrate, a biotech company purchases insurance to cover risks related to product liability and
business interruption, and has started its own captive insurance company to cover some of its own
risks internally. This is a common practice in many industry sectors. A firm in the financial industry
prices credit risk in its derivative transactions so that it can generate funds for purchasing insurance
to protect itself against problems created by the insolvency of a lower quality counterparty.
Retaining the risk by setting aside sufficient reserves to cover the cost of a catastrophic loss is a
strategy that can be used by firms that recognize that it would be too costly to transfer the risk through
insurance, as was the case for a food processing company after it experienced an explosion in one of
its storage facilities and then saw the price of insurance spike, as is often the case after a disaster.
Retaining the risk is often a good strategy when the firm assesses the risk as being low probability
and has started implementing a more rigorous risk management strategy to make sure such events do
not happen. Sometimes risk retention is not by choice. For instance, an IT firm could not transfer its
risks in emerging markets because the company was unable to find an insurer who would offer
coverage for protection against adverse events occurring in these markets.
Early warning systems alert firms to the likely occurrence of a natural disaster, political crisis,
financial downturn, or severe cyber-attack so that steps can be taken to prepare and effectively
respond to the event should they be affected by it. A retail firm with numerous stores in the United
States has a storm-tracking team that does satellite checks for threat of potential hurricanes off the
coast of Africa, giving one to two weeks to prepare before it crosses the Atlantic. Within 72 hours of
a storm likely to hit the U.S., the team issues regular bulletins to senior management, store operations
and distribution-center operations and those on the catastrophic response team to let them know it is
closely monitoring the event.
16
Simulations and tabletop exercises on a regular (often annual) basis provide the firm an opportunity
to discover gaps in existing crisis plans and weaknesses in its continuity plans. One investment bank
undertakes a triage approach to test its plans by which it suddenly makes certain critical staff
unavailable, and then has the remaining employees try to run their continuity plans. While a number
of firms we interviewed indicated they undertook these exercises, the level of involvement from the
top management and line employees varies widely. Some exercises were conducted by small team in
a crisis room for several hours; others involved a large number of employees, including the top
management of the organization for a full day- or two-day-long exercise; significant brainstorming
occurred afterwards to capture lessons learned and integrate them into the firm’s risk management
strategy.
Back-up sites provide continuity should a severe adverse event occur. Measures include establishing
alternative worksites or manufacturing facilities, diversifying sites so that no single event impacts all
of them and facilitating the ability for employees to work remotely. A parts distributor created an
offsite back-up location for their IT systems since their main headquarters was located in an
earthquake-prone area. A bank in the financial services sector diversifies the location of its business
groups so that if two are out of commission, a third can continue to perform functions that are critical
to the firm’s financial infrastructure. Another bank maintains sites throughout the world where the
business can be quickly moved in the event of a crisis elsewhere. A health care company maintains
two mobile satellite ground stations that enable it to set up call centers with voice and data in the
event of a telecommunications outage.
Crisis Management
Most firms we interviewed highlighted the importance of preparing for a crisis in advance and have
clearly defined structure of roles during a crisis for all parts of the company. This allows the firm to
practice emergency procedures in advance to improve their thinking when a crisis occurs.
To know who the key leaders are in a crisis, firms need procedures to define the relevant decision
makers. The leader is normally someone who has specific knowledge of the crisis and hence may not
be the CEO. There was a general consensus among our interviewees that as a crisis grows more
serious, the situation must be brought to the attention of top management. Following the 2011 Japan
earthquake, one firm in the financial industry with significant operations in Japan held a series of
crisis management team meetings where the most senior level of the business actively engaged in
designing a strategy for going forward.
An important finding from our interviews is that top management feels it cannot be too involved in
crisis management, so that it has to define the roles that others in the firm will play should an extreme
event occur. This is especially true for multi-national corporations operating in many countries
around the world where the number of crises the firm has to manage on a yearly basis is large. In
these cases, the local business leader needs to be the senior management line of defense before the
crisis management process is escalated to worldwide headquarters. Several firms we talked to
17
expressed mixed feelings by the CEO about not wanting to be the person managing the crisis given
that he or she might not be the most qualified person to do so. Clearly defining when the CEO will
be informed of the crisis, and what his or her role will be depending on its nature, are two key elements
in developing a crisis management strategy. While some local crises are unlikely to require the CEO’s
involvement, other crises will require him or her to play an active role.
The most common crisis management strategy on the operational side is business continuity planning
(BCP). It refers to a variety of organizational capabilities, pre-approved by senior management, to
continue operations at a pre-defined level during and after a catastrophe occurs. BCP was mentioned
more than twice as often as other strategies such as preventing losses (i.e., insuring, hedging,
retaining, or shedding specific risks), internal and external communication measures or accountability
measures. The interview data suggests that continuity planning consists of three different types of
activities:
Past event specific plans are designed so the firm has the strategic capability to respond to
specific adverse events that the firm has previously experienced. The plans incorporate
lessons that the firm has learned from dealing with the situation in the past. Firms in the
consumer discretionary, utilities and energy sectors (e.g., hotels, retail outlets, energy
companies, etc.) show the greatest reliance on these types of plans as they face continuous
exposure to predictable types of risks either due to geography (for example, retail chains with
business concentration in hurricane prone areas) or the nature of their business (for example,
energy companies maintaining large power grids).
Could happen scenarios plans are used for the types of events the firm has not yet
experienced, but that could potentially happen in the future. These plans are designed for
events where it is difficult to quantify the probability of occurrence so the firm can respond
to them. These unanticipated, high-risk event perils arise in environments characterized by
interdependencies, complexity, and rapid change such as financial crises, political unrest,
supply chain disruptions and terrorism. Our interviews revealed that firms in the financial
sector demonstrate the largest reliance on such scenario planning since they face exposure to
risks that are not easily foreseen on the basis of past experience.
General crisis plans manage a variety of events that could impact any key operation. They
focus on general resilience by creating redundancies so that the firm can continue operating
in spite of the loss of mission critical processes. Key features of these plans include
determining which operations are critical to maintain in the event of a crisis, and developing
predefined strategies for a variety of different crisis situations. Financial, health care and
information technology firms are the ones most likely to develop general crisis plans,
presumably because their industries have faced severe risks in recent years (e.g., the financial
crisis, pandemics, cyber risks).
18
Overall, the firms we interviewed are actively developing their risk analysis and risk management
strategies. The level of detail, sophistication and involvement of the senior management varies across
firms, as one would expect. Still, the strategies we discussed above can often be replicated across
industry sectors and produce significant benefits. Some policies are more technical in nature while
others build on leadership at the top and rely on altering the ways that risk management is perceived
by the organization.
2.3. Approaching Risk Analysis and Management via Intuitive and Deliberative Thinking
Our preliminary analyses reveal that while many firms use quantitative tools to assess and manage
their risks, there is a large range of situations where it is difficult to determine the likelihood of
extreme events that could adversely affect the activities of the firm. While many interviewees
recognized the need for a systematic approach to catastrophe risk management, almost all of them
shared situations with us describing instances when very important risk management decisions were
made without carefully thinking through their long-term impacts on the firm. It soon became clear to
us from comments made during the interviews that the psychology of catastrophic risk management
was a critical dimension we needed to integrate into the analysis.
A large body of cognitive psychology and behavioral decision research conducted during the past 30
years has indeed revealed that individuals, small groups and organizations often make decisions under
risk and uncertainty by undertaking processes that can be characterized as intuitive thinking which
can be distinguished from deliberative thinking. These are two different systems of collecting and
processing information that have been labelled System 1 and System 2, respectively, in the literature.
In his thought provoking recent book Thinking, Fast and Slow, Nobel Laureate Daniel Kahneman has
characterized the differences between these two systems of thinking as summarized in Box 2.18.
NOTE: In developing risk management strategies, it is important to link intuitive and
deliberative thinking.
BOX 2.1. INTUITIVE AND DELIBERATIVE DECISION MAKING
Intuitive Thinking, System 1:
- Operates automatically and quickly, with little or no effort and no voluntary control.
- Uses simple and concrete associations, including emotional reactions or simple rules of conduct
that have been acquired by personal experience with events and their consequences.
Deliberative Thinking, System 2:
- Initiates and executes effortful and intentional abstract cognitive operations when needed.
- Cognitive operations include complex computations and formal logic.
19
Decisions made intuitively are often characterized by emotional reactions and opinions based on
personal experience. There is a tendency to misjudge probability, focus on short time horizons, utilize
simplified rules in choosing between alternatives, and selectively attend to subsets of goals and
objectives. Intuitive thinking works well when decision makers have extensive data on the outcomes
of different decisions and when recent experience is a meaningful guide for the future. These
processes are problematic for low-probability, high-consequence events where the decision maker
has limited experience and/or circumstances have significantly changed. Reliance on intuitive
processes will often lead to maintaining the status quo—that is, a decision to do nothing differently.
The negative consequences of changing current behavior are weighted much more heavily than the
potential gains, often leading the decision maker not to take action, referred to as the status quo bias.9
Deliberative thinking often involves the use of formal methods and decision aids to evaluate
alternative options and make choices in a systematic manner even when probabilities are difficult to
characterize and/or outcomes are uncertain. These methodologies often focus attention to potential
short- and long-term consequences and evaluate a wide range of options in an even manner rather
than deciding to maintain the status quo. The relevance of these methodologies and decision aids for
making more informed choices depends on how the problem is formulated and framed, the nature of
the institutional arrangements and the interactions between the relevant interested parties involved in
the risk management process.
Catastrophic risk management offers many examples where decision makers focus their attention on
the consequences of a recent disaster without considering the likelihood of a similar event occurring
again. A large retailer reacted to the H5N1 (avian flu) outbreak by preparing for another outbreak of
an H5 type virus. But when the next influenza outbreak hit a couple of years later, it took the form of
the H1 strain, so the H5 plan wasn’t applicable. As a top executive from this firm says:
A lesson coming out of that was that, number one, you can spend a lot of time building out
intricate plans for different scenarios, but the odds are what you’re actually going to face is
not going to be exact. So your planning, to some sense, while it can be specific, also has to
have more of generic elements to it that you can then modify and tailor to the specific event.
More broadly, the General Counsel of a large real estate investment firm highlighted the challenges
he faces in dealing with low-probability, high-consequences events:
The thing that worries me the most is a large-style, BP-style casualty. I mean, we build high-
rises over subway stations, and what if a building were to crash down and the people die and
the subway station is shut for a year and it’s just a mess? You’ve never had a casualty so you
don’t do anything about the situation. You think you’re so brilliant, and some terrible
casualty happens and when you peel back the onion you find you weren’t as smart as you
thought you were. That’s the thing that I worry about.
Firms also face problems of interdependencies since the risks they manage depend not only on their
own choices but also on those of others. One weak link in the supply chain network can undermine
the risk mitigation actions of all others in the system. Making global supply chains less vulnerable
20
may require coordination across the network. To deal with these interdependencies, some firms have
designed options to more effectively cope with disasters both before and after they occur in the spirit
of deliberative thinking. For example, as noted earlier, some firms maintain a diversified supply chain
and an extra stock of critical supplies in the event of a crisis. Another example is a pharmaceutical
company that makes contractual agreements with their customers to maintain continuity because they
feel they have a moral obligation to provide products to critically ill customers.
Deliberative thinking focuses attention on both short- and long-term events and their likelihood of
occurrence. It normally leads to a more even-handed evaluation of options under consideration rather
than relying on recent past experience or assuming that the disaster will not happen to them. As a
senior executive in a large energy company put it:
So, the chances of that actually happening again are fairly low, but the consequences are very
high. Even though this may be classified as a black swan event, we are willing to assess the
risk and try to mitigate the risk as far as it makes sense to take these steps. The one thing that
we’ve learned over the years is those high-consequence, low-likelihood events will happen,
and therefore people absolutely have to plan for them. They have to practice on how they’re
going to deal with those kinds of events
Today, many of the firms we interviewed are engaging in more deliberative thinking when
developing risk management strategies so that they reduce the potential damage from these low-
probability, high-consequence events and are better prepared for dealing with crises should they
occur. The CRO of a financial institution highlighted the role that deliberative thinking plays in its
current risk management process with the following comment:
We have discovered that the models that are retrospective in nature don’t always accurately
predict the future. What we were missing was a component that asks what if something
changes from the past. By adding stress testing and scenario analysis to our models, we ask
questions such as what bad things could happen this calamity occurs or if this economic
scenario happens to take place.
There are many risks for which determining the exact probability of occurrence could be extremely
difficult. Rather than doing nothing about these risks, firms should focus on “what if” scenarios first,
then try to evaluate the relative likelihood of these events and be able to continuously monitor those
risks so when the business environment changes one can trigger the alarm. As the chief risk officer
of a large insurance company says:
Sometimes I find probabilities very difficult to quantify. Severities are much easier to quantify
in my mind. I can tell you how much equity linked exposure I have and I can tell you what
happens if the equity market fell to 0, if it fell by 90, 80, 70, 60, 50, 40, 30, 20, 10. It’s very
hard to predict obviously what the probability of the S&P reaching those levels is precisely,
or validating it. And so for a CRO, thinking of all the key risks, worrying about severity first,
worrying about perfectly assessing the severity first and then perfectly assessing the
probability is how I would approach the order of operations because, as I said, it’s very easy
psychologically to be convinced that various things are okay, things are fine, the probability
of that event is remote. And so getting that balance right is the key part of my job.
We now turn to the preliminary findings from our interviews.
21
Section 3. Twelve Preliminary Findings from the Interviews
This section highlights findings that have emerged from the 100 interviews from the S&P 500 firms
that relate to the framework for understanding and managing catastrophic risks in firms. The findings
also reveal the nature of intuitive thinking by some firms prior to a disaster and how more deliberative
thinking following a catastrophic event has improved their performance in the wake of these events.
These findings will be examined more carefully in a later phase of the study, the using quantitative
and qualitative data from 10Ks, stock prices and other sources of information to supplement the
interview data we have collected.
3.1. Findings Related to Risk Identification
Under- and Over-Reacting to Catastrophes
Individuals have a tendency to focus on the recent past in making decisions with respect to extreme
events. People’s intuitive assessment of the likelihood of an uncertain event is often based on the ease
with which instances of its occurrence can be brought to mind, a mechanism called availability.10
Availability is influenced by recent personal experience and can lead to an underestimation of the
likelihood of a disaster before it occurs. After a catastrophic event, availability causes an
overestimation of likelihood of similar events, often triggered by emotions such as fear and anxiety.
In line with the availability bias, prior to experiencing a disaster there is a tendency for firms to focus
on the low probability of its occurrence and treat the possibility of a catastrophic loss as below their
threshold level of concern that put it in the category of “It will not happen to us.” Following a
catastrophe, there is a tendency to focus on the consequences of the event and take steps to reduce
the likelihood and outcomes from future disasters of this type. This behavior that reflects intuitive
thinking can be illustrated by the following findings:
Finding 1: Prior to a catastrophic event, firms often focus on the low-probability of its
occurrence. This estimate tends to be below the threshold of concern for many executives and
directors.
Finding 2: Following a catastrophic event, firms focus on worst-case scenarios of a repeat of
the event, but ignore the low likelihood of their occurrence in the future.
Comments from many of the interviews we conducted with S&P 500 firms provide support for these
two findings. A CRO from a financial firm highlighted the process he felt most firms in his industry
exhibited when he noted that prior to the financial crisis very few financial institutions had a defined
risk appetite, which is like sailing in the Atlantic Ocean without a rudder. “Unless you have a rudder
to direct you, you never know where you’re going to wind up until it’s too late. The CRO from an
insurance firm noted that a lot of people are anchored to scenarios and events that have occurred
and not the ones that they haven’t personally experienced. He felt it was important to take the position
that you can never know what will happen and need to think that way in developing risk management
strategies.
22
An enterprise risk manager from an energy firm explicitly noted the role that threshold models play
a role in the firm’s decision-making process. More specifically, senior management defines certain
thresholds above which risks are elevated for review. So for example, a $100 million loss event is
one that typically is elevated to regional leadership. Anything that could, we believe, plausibly result
in a fatality has to be explicitly elevated to the overall leadership team.
The senior vice president from an IT firm noted that it took a disaster for them to pay attention to the
design of their plants. The firm could not imagine more than one or two production lines going down
in an earthquake so didn’t plan for what actually happened—all seven production lines in the plant
not functioning. After the Japanese earthquake/tsunami, the firm invested $400 million in specialized
equipment in their manufacturing plants in Japan, and did structural design work so that the plants
could withstand higher shocks.
It took the 9/11 disaster for the CRO of an investment bank to highlight the importance of undertaking
deliberative thinking by taking “black swan” events far more seriously than before. The head of
operational risks indicated that before the terrorist attacks there was a sense that things happen in
places like Nigeria, but they don't happen in places like New York City. In the same spirit, another
investment bank indicated that one should not chop off the tails of the probability distribution because
of a perception that gold markets spiking, or liquidity dissipating will not occur in your lifetime. You
are doomed if you think this way because you know that these events could happen to you.
Avoiding the Next Disaster
An organization can often benefit from its past history by considering near misses (for example,
planes that almost crashed) as object lessons and learning experiences. In an article with the thought-
provoking title, Learning from Samples of One or Fewer, March, Sproull, and Tamuz provide
examples as to how historical events that are sufficiently similar to the hazard in question provide
insight as to how the firm can reduce their risks in the future.11
Some organizations might ignore the data and interpret past successes as evidence of its competence
rather than carefully examining whether it was just fortunate that some adverse event did not happen.
The case of the Challenger accident illustrates this point. Considerable evidence from previous flights
indicated that the O-rings presented potential problems. NASA and Thiokol personnel ignored the
evidence because no failure had occurred.12 This behavior suggests the following finding:
Finding 3. Firms that learn from near misses and catastrophic losses by doing post-mortems
are likely to be proactive in managing catastrophe risks.
The following comments from our interviews show that firms that have learned from previous
disasters and near misses are likely to be better prepared for the next one. A risk control manager
from an energy company indicated that the mistakes they made during Hurricane Rita in 2005 helped
them to prepare for Hurricane Ike in 2008. The firm inadvertently sent all of the repair crews to one
area during Rita, resulting in a bottleneck, which made it look to the media like they were doing
nothing. Following the Japan earthquake of 2011, the CEO of a retailer that experienced severe
23
damage to its facilities buildings had every building inspected structurally to make sure each one was
earthquake proof.
Hurricane Katrina was a wake-up call for several firms we interviewed. One firm that lost a number
of its stores in the disaster due to a lack of preparation took several steps to get their stores up and
running more quickly than the competition after a hurricane by working out a special arrangement
with their insurance carrier that allows them to adjust their own claims, rather than waiting for an
adjustor to come out to evaluate the damage. A chemical company that did a post-mortem after
Katrina can now obtain supplies and equipment much more quickly by working with local authorities
to get trucks through police barricades in the event of a natural-disaster.
A manufacturer that has plants throughout the world indicated that they learned from the Telecom
Crash of 2002 not to combine financial risk with operating risk. After the 2008 financial crisis, the
CRO of an investment bank created a formal process to define the firm’s risk appetite, and made
changes in risk governance. The vice president for corporate strategy of an auto parts supplier
indicated that watching what happened at Enron and WorldCom, they decided to look at enterprise
risk management in a different way.
Sometimes, however, actions taken in response to one disaster may not enable the firm to deal with
a catastrophe that takes a different form. The visceral memories of their building in downtown
Bangkok being burnt to the ground in the context of political unrest in Thailand, led a firm in the
service industry to build a contingency office near the airport, and provide their workers with laptops
so that they could work remotely. But when the 2011 Thailand floods occurred they couldn’t use their
office and their workers’ homes were underwater, so they had to house them in hotels with free
bandwidth.
3.2. Findings Related to Risk Assessment
Analyzing Catastrophic Risk in a Systematic Manner
The availability bias also suggests that paying attention to the outcomes of events will focus people’s
attention on what steps to take to reduce the likelihood of the reoccurrence of the event in the future.
One can first examine the impacts of a catastrophe and then focus on the likelihood of these events
occurring. This implies the following two findings:
Finding 4: Creating worst-case scenarios helps senior management and employees focus on
ways to manage catastrophic risks before they occur.
Finding 5: While some firms use quantitative tools for estimating the likelihood of specific
scenarios, some firms simply focus on the severity of the scenario and what to do about it,
disregarding the probability of it happening.
24
Supporting these two findings, we learned that some firms have teams from each of their divisions
undertaking risk assessments while others do a strategic risk assessment of their top risks.
One publishing firm exposes senior management to different worst-case scenarios each quarter so it
can determine what changes are required. The vice president of safety and environment in an energy
firm highlighted the importance of undertaking more systematic risk assessments by noting that they
have learned over the years that high-consequence, low-likelihood events will happen, and therefore
the firm has to plan for them.
Prioritizing Risks
Given the number of potentially severe adverse events that can impact a firm, it is important for the
firm to prioritize their risks so that they can devote attention to those that really matter. Decision
makers that undertake this type of activity in a systematic manner are likely to be prepared for the
relevant risks that their organization faces in the future. This behavior implies the following finding:
Finding 6: If the firm’s management can prioritize the risks that they face and develop plans
that are modular so they can triage their activities, they will be better prepared for the next
catastrophe than decision makers who do not follow this procedure.
Several firms indicated the importance of prioritizing their risks to see where they are vulnerable.
The CEO of a retailer indicated his firm picked 15 or 20 items that are really important and made
sure that everybody is involved and understands their role in controlling the risk. An investment bank
makes plans modular for dealing with a disaster. Should the crisis occur, the management team can
either rearrange the modules or pick and choose within the modules.
3.3. Findings Related to Risk Management
Learning from Others
The literature on organizational behavior points out the importance of gaining insight from other
firms with respect to developing strategies for improving performance. By developing formal and
informal channels of communication with competitors facing similar challenges, there is an
opportunity to learn about other approaches for taking steps to reduce the likelihood and
consequences of the next disaster and develop recovery plans should the event occur.
In the uncertain or ambiguous climate that characterizes the management of catastrophic risks, firms
frequently look to their competitors to provide guidance for their own behavior and to help determine
their core competencies. There is also a tendency to imitate what others have done well by
transporting these concepts to their own organizations and avoiding actions that could be costly.
Where there is substantial commonality in experience, such influence has been labeled mimetic
behavior.13 Such learning is a major mechanism for diffusion of information across firms.14
25
As an illustration of this behavior, executives in a chemical firm stated that one reason for selling one
of their businesses was that current industry practice is to produce the raw materials and the finished
goods at the same location. This approach obviates having to ship potentially dangerous materials,
even if the chance of a transportation accident is estimated to be extremely low. The firm sold the
business to a competitor that followed this practice.15 This behavior implies the following finding:
Finding 7: Firms that systematically learn from the catastrophic losses of others are likely to
improve their own operations.
Here are some actions that firms have taken in this regard that suggest they will improve their risk
management strategy: One firm in the energy industry looked to investment banks following the
financial crisis of 2008 to understand how they view risk and determine whether their firm has some
blind spots. The BP oil spill caused many firms to think a lot more about operational risk. Following
the Japan earthquake, a publishing firm began thinking about what could happen to the nearby nuclear
power plant if an earthquake occurred. The firm recognized that the probability of having an
earthquake at this location was less than 1 in 10,000, but felt it was something that could happen. As
one senior executive noted, after any catastrophe the firm needs to take a look and ask, Am I okay
with the status quo? Do I know what’s happening? How can I determine what I should do differently?
Comprehensive Management of Catastrophic Risk
Firms are now striving to manage catastrophic risk in a more comprehensive fashion by focusing on
enterprise risk management rather than decentralizing their analysis by divisions or departments. In
firms that effectively manage catastrophic risk using ERM, a chief risk officer normally reports to
the board on a range of activities for dealing with extreme events. The organization has transparent
metrics in place to measure investment in catastrophic risk management and output. It interacts with
a range of outside agencies and organizations on issues of catastrophic risk. This behavior implies
the following finding:
Finding 8: Firms that have had active dialogue among their board of directors, company
leaders, and government officials about managing exceptionally adverse risks are likely to be
more aware of the diverse risks that can impact them. They prepare for these adverse events
more systematically than companies without such dialogues and interactions.
Those proactive firms recognize that there are risks they will not be able to handle by themselves
should they occur. Establishing an open dialogue across the organization and with other firms is a
key step to creating trust, an essential element during a crisis. The following comments from our
interviews provide qualitative support for this finding. A firm in the financial industry utilizes their
committees to make people in their company more aware of how they are currently and should be
making decisions. Another firm in the same industry indicated that it needed to have a very strong
line of communication both within the company as well as with their customers. The head of
corporate and information security in an energy company emphasized the importance of interacting
with the public sector, indicating that one cannot develop a plan if one doesn’t know where the threat
26
vectors are. This means having good liaisons with the federal, state and local government and law
enforcement. The CRO of an information technology company noted that his firm has developed a
methodology for identifying top risks by establishing a risk infrastructure and governance structure
within the company in collaboration with the board of directors and other members of executive
management so that there is a well-defined risk universe shared with everyone in the organization.
Dealing with Interdependencies
Firms face challenges in dealing with a catastrophic events if others in their network have not taken
steps to reduce the risks they face. Following the Fukushima, Japan earthquake of 2011 there were
supply chain interruptions that caused shutdowns of plants in other parts of the world. To illustrate
this point, car manufacturers in Detroit utilized automotive microcontroller chips from Renesas, a
company north of Tokyo that was heavily damaged by the earthquake. With no alternative suppliers
of these chips, car production temporarily shut down.16 This behavior implies the following finding:
Finding 9: Firms are now recognizing that they must better appreciate risk interdependencies
as part of their overall risk management strategy. These interdependencies can emerge across
the world, across industry sectors, across divisions within the firm and may only become
apparent over time.
An executive from an investment bank that operates internationally commented that contagion across
borders and across businesses is much higher and faster than it used to be. Several firms noted that
the loss of a facility in the global supply chain would be catastrophic for them.
3.4. Findings Related to Crisis Management
Firms must make sure that when they are thinking and acting fast, they are doing so with deliberative
and systematic activity in advance of the crisis. They must develop well-articulated plans, designate
the structure for managing the crisis and specify information-gathering techniques to avoid falling
into intuitive traps. Firms emphasized that during a crisis, it is important to ensure that fast thinking
is high quality thinking. In order to make good decisions, in the moment, many firms we interviewed
indicated that they needed to have a concrete plan that included clearly defined roles and
communication procedures, such as emergency plans and business continuity. This behavior implies
the following finding:
Finding 10: Firms that have invested time, human resources and money into preparing for
catastrophic situations are likely to bounce back quickly and enhance their reputations.
Firms, particularly those in banking and in the retail/service industries emphasized the importance of
identifying the most crucial roles during the crisis and focusing on individuals within the company
having these responsibilities. One bank ranked critical areas by tiers, recognizing the importance of
making sure their core operations units were functional as soon as possible. Another consumer
services firm felt their customer agents had to be up and running within an hour.
27
3.5. Findings Related to the Role of the Board
The board of directors can provide input to the firm from a neutral but concerned perspective with
respect to dealing with catastrophic risks. The increase in extreme events in recent years has put
catastrophic risk management high on their agendas. This behavior implies the following finding:
Finding 11: Many more boards of directors are becoming proactive at overseeing risk management
activities. This trend is fairly recent and the level of involvement still varies widely.
An overwhelming majority of those we interviewed reported increase in involvement over the past
ten years by the board of directors; firm’s risk management activities are depicted in Figure 3.1. Some
firms cited specific events such as the financial crisis, 9/11, Hurricane Katrina as instigating board
changes. Risk managers noted that board members may serve on multiple boards, and thus have
often experienced a crisis first-hand in some capacity. However, they also cautioned that board
members who do not have risk management expertise may engage in primarily intuitive thinking,
such as focusing unduly on recent events, rather than thinking deliberately about possible long-term
challenges that firms face. They pointed out that it is the job of the risk managers to guide the board
towards more deliberative thinking.
FIGURE 3.1: HOW MANY YEARS AGO DID THE BOARD BECOME MORE INVOLVED IN RISK
MANAGEMENT IN YOUR FIRM?
0 to 3 years
(30%)
4 to 7 years
(35%)
8+ years
(35%)
28
There seems to be a continuum of levels of board involvement, rather than discrete categories.
Different boards participate in the process to different levels, based not only on the company but also
on characteristics of the industry and background of board members. Over time board involvement
in catastrophe and crisis management seems to have increased from simply relying on the audit
committee to set broad risk management goals to overseeing and being involved in in the decision
making process of the firm with respect to taking steps in advance to reduce the risks of future adverse
events.
An insurance firm indicated that there is a part of the Board that focuses on risk management where
in the past it was part of an audit committee. It took the BP oil spill in 2010 for another firm in the
oil industry to spend time with their Board running through all of their risk-management practices for
both upstream, downstream and company reputational risk to make sure that they were comfortable
with what they were doing.
Finding 12. More senior executives in top management want the Board to work with them in
defining the risk appetite of the firm by sharing information and responsibility for their actions
in this regard.
As the risk landscape is widening and more companies expand their activities outside of the U.S. the
top management often expects directors to support a specific risk appetite and to be aware of the
catastrophe risks that could seriously impact the firm. This is a way for senior management to more
systematically include directors in risk taking decisions and also to share responsibility when a crisis
occurs.
We now turn to our analysis of the 10K risk section of the annual reports of the firms that we have
interviewed. These reports reflect key risks these firms consider today and show how they have
evolved over time.
29
Section 4. Preliminary Findings from our Analysis of 10K Risk Sections
4.1. Methodology and Data
Another source of data we used as part of our analysis is the risk factor disclosure section of firm’s
Form 10K annual reports. Firms are required to disclose risks that could negatively impact their
activities. One can observe how the ranking of the top risks evolved over time in firms’ 10Ks and
across the ten S&P 500 industry sectors specified in Table 4.1.
TABLE 4.1: TEN S&P 500 INDUSTRY SECTORS (ALPHABETICAL ORDER)
We selected 21 risk categories building on previous work in the field,17 to facilitate comparisons of
risk factor disclosures across industry sectors. Our research team coded the sample set of 10Ks of the
firms we interviewed by utilizing these risk categories. (In this context, “coding” means reading and
manually tagging the text relevant to a specific risk factor based on a set of definitions and keywords
for each of the risk factors listed in Table 4.2.)
Given that the sample of interviewed firms is representative of the entire S&P 500 we feel that the
results discussed below apply more generally. To capture variation in the risk factors over time and
between industry sectors, we coded the 10Ks these firms submitted in 2007 and in 2011 using the
qualitative data analysis software program NVIVO, a relational database developed by QSR
International. After completing the coding, we calculated the industry-wide variation in coverage of
each risk factor. Risk coverage was identified for both (a) the number of risk factor mentions; and (b)
percentage distribution of text dedicated to the discussion of a particular risk factor in a given 10K
risk factor section.
Industry
Consumer Discretionary
Consumer Staples
Energy
Financials
Healthcare
Industrials
Information Technology
Materials
Telecommunications
Utilities
30
TABLE 4.2. DEFINITION OF KEY RISK FACTORS; ILLUSTRATIVE EXAMPLES AND KEYWORDS
Risk Factor Definition Example Keywords
Accounting Change in accounting regulations that can
affect the financial standing of the company.
We must comply with generally accepted accounting principles
established by the Financial Accounting Standards Board
Accounting, accounting practices, books,
auditor, audit, accounting irregularities,
financial statements, disclose
Acquisition Risk associated with all phases of acquisition
(pre, during, post) that may result in business
value loss (e.g., unmet synergy, operational
disruption, changes in management).
The integration of firm A and other acquired businesses may
present significant challenges to us.
Acquisitions, acquire, divest, sell unit,
sale, merger, merger agreement, joint
venture, synergies, spin off, split,
buyout, alliance, offer, bid, restructuring,
hostile takeover
Capital
Expenditure
Investment in a company’s business
requiring substantial funds for items such as
facilities, equipment, fixed assets, R&D or
new product development
We are developing new products that complement our traditional
memory products or leverage their underlying design or process
Industry Industry risks not only affect the company,
but also other players in the industry.
“The payments industry is highly competitive and includes, in
addition to credit card networks, evolving alternative payment
mechanisms and systems.”
Industry risks
Intellectual
Property
Risk associated with security of or changes
to the sustained advantage from the
business’s intellectual property. Any threats
to IP.
With respect to patents and patent applications we have licensed-
in, there can be no assurance that additional patents will be issued
to any of the third parties from whom we have licensed patent
rights
Patents
International Currency fluctuations in a company’s
international business operations. Any risks
associated with operations abroad
(government/legal).
“The enactment of provincial legislation or regulations in Canada
to lower pharmaceutical product pricing and service fees may
adversely affect our pharmaceutical distribution business in
Canada, including the profitability of that business.”
Foreign currencies, foreign currency
changes, exchange rate, currency
translations, strong US dollar,
international economies
Investments Pension/retirement benefits and any capital
put into other firms.
“Our pension plans are underfunded, and may require significant
future contributions, which could have an adverse impact on our
business.”
Pension liability, pension liabilities,
investment
Key
Personnel
The loss of potential key executives in the
company that may result in adverse effects.
Reliance of a company’s success on key
executives.
There is substantial competition for qualified personnel in the real
estate industry, and the loss of several of our key personnel could
adversely affect the Company.”
resigned, fired, CEO, COO, CFO, board
member; deaths; injured
Labor Recruiting and retaining employees, errors
that employees may incur.
“Our businesses require the retention and recruitment of a skilled
workforce and the loss of employees could result in the failure to
implement our business plans.”
Legal The possibility that legal action will be taken
because of a corporation's actions, inactions,
products, services or other events.
Potential/ongoing lawsuits that will affect
the company adversely.
“We are involved in numerous legal proceedings arising out of the
conduct of our business, including litigation with customers,
employment-related lawsuits, class actions, purported class
actions, and actions brought by governmental authorities.”
Lawsuit, legal proceedings, court, sued,
suing, damages, litigation, ruling, judge,
penalties, hearing, appeal, evidence,
legal costs, liability, allegations,
defendant, plaintiff, lawyers, trial, federal panel, jurisdiction
Macro Activities happening in the aggregate
economy that affect the operations of the company; demand for its products/services.
Demand contraction; low economic
growth
Marketing Any risks related to the firm’s brand,
reputation, image, product pricing, and
market share.
“The success of our branded products relies in large part on the
favorable image they enjoy with consumers.”
Marketing, reputation, market share,
market expansion, customer focus,
segmenting, brand, image, product mix,
pricing
Operations Risk associated with mismanaged or
unforeseen activities in the internal operation
of a business, e.g., production,
manufacturing, etc.
The size and complexity of our computer systems make them
potentially vulnerable to breakdown, malicious intrusion and
random attack.
Quality control, product quality, product
launch (this one is too broad/requires a
lot of human intuition to determine
whether an event falls under it)
Suppliers Variations in the supply delivery processes
that pose business risks; and changes in the
bargaining power of suppliers driven by
supply availability.
In order to sustain and grow its business, the Company must
successfully replace the crude oil and natural gas it produces with
additional reserves.
Suppliers, supplies, input costs, raw
material costs, high oil prices, high fuel
costs, fuel expenses, smaller margin
Sources: Authors
32
4.2. Number of Risk Factor Mentions in the 2007 and 2011 10Ks of the Interviewed Firms
Figure 4.1 compares the number of risk factor mentions between 2007 and 2011 across the 21 risk
factors we studied for the 100 firms we interviewed. “Risk factor mentions” refers to the number of
times one of the risk factors described above is discussed in the firms’ annual reports.
FIGURE 4.1: NUMBER OF 10K RISK MENTIONS ACROSS INDUSTRY SECTORS
Several interesting results emerge from the analysis:
Finding 13: There is an increase in the number of risk factor mentions in the 10K sections
between 2007 and 2011.
This confirms the finding from our interviews that firms are more concerned about a large number of
risks today and provide much more detail in the way a specific risk category can affect its operation
and its shareholders. The top risks in 2007 remain the same in 2011: government-related risks (e.g.,
a new regulation that may adversely affect future firm revenue), legal risks, marketing and
international markets.
We found that four out of five firms have increased the number of risk mentions in their 2011 annual
reports compared to 2007. This trend is not specific to any industry sector. At one extreme, a firm
which is not a financial institution, increased the number of risk factor mentions tenfold between
2007 (4 mentions) and 2011 (40 mentions). The highest number of risk factor mentions across all
firms that we interviewed was 92.
0
100
200
300
400
500
600
700
800
2007 2011
33
Finding 14: According to the 10Ks, Government is perceived as the most critical risk to almost
all firms and industry sectors.
While government was already ranked top risk in 2007 (354 risk factor mentions across all firms we
interviewed), the number of mentions in the risk section of the 10K reports has risen sharply in 2011,
with 674 mentions.
The fact that firms in the financial sector consider risks related to government decisions as one of the
key risks they face in the aftermath of the financial crisis and the new regulations that have emerged
is not surprising. However, our analysis reveals that this is not just a concern of the financial
sector. Government is the top risk in all the industry sectors (except for consumer staples where
it ranks second, and telecommunications where it ranks third). (See Appendix 2A for the distribution
of the top risks for each of the ten industry sectors in the S&P 500).
We also coded the portion of each 10K risk section devoted to a discussion of a specific risk factor.
Figure 4.2 depicts this distribution over all 21 risk factors by aggregating all 10Ks (in 2007 and 2011)
of the 100 firms we have interviewed in the S&P 500.
FIGURE 4.2: PERCENTAGE OF THE 10K RISK SECTION DEVOTED TO A SPECIFIC RISK FACTOR; 2007 & 2011
Sources: Authors - Based on the S&P 500 firms interviewed by the research team
0%
5%
10%
15%
20%
25%
30%
35%
2007 2011
34
Note here again the prevalence of government-related risk actions: one-third of the discussion of risk
in the 10K reports was devoted to this risk factor in 2011. Legal issues were ranked second with 13%
of the 10K report devoted to this risk factor, followed by risks related to international operations (e.g.,
currency risks). Across all firms, only 3% of the 10K reports are devoted to catastrophes such as
terrorism, natural disasters and technological accidents, perhaps because most firms feel they have
the appropriate risk management practices in place to deal with these risks and/or are not highly
exposed to them.
The analysis of the 10K reveals that firms need to manage a large number of risks to avoid future
crises and the possibility of losing market share to their competitor in a fast changing environment
where government actions such as new regulations are becoming the number one concern of the
business community. We now turn to our analysis of the stock market prices of those publicly-traded
companies that confirms this finding more quantitatively.
35
Section 5. Preliminary Findings from our Analysis of S&P 500 Stock Prices
The earlier part of this report focuses on what we learned from the interviews of the 100 firms
conducted by the research team and our studies of their 10Ks. In both cases the firms provided the
information and data for us to undertake these analyses.
We also wanted to have a more neutral view of the impact of risks with potential catastrophic
consequences on their performance and, at the same time, enlarge our sample to the entire S&P 500.
While many indicators could be examined, we decided to first look at the stock price of these firms
over time. Since the overall study focuses on catastrophe risks we were interested in testing whether
events that are traditionally seen as catastrophic (natural disasters, terrorist attacks, pandemics; cyber-
attacks, etc.) triggered significant stock price declines and if so, how large they were and for what
firm/industry. We were also interested in evaluating how these events compared to other factors that
may have been responsible for significant drops in stock prices.
To this end, we built a dedicated algorithm that determined 20% changes in stock price for individual
companies over a 10-day period relative to changes in the industry average. As an example, if the
industry average price dropped 5% during a 10-day period, then any firm in the industry whose stock
price dropped 25% or more during the same period would be put in this category. For any publicly-
traded company, losing 20% of its market value relative to its competitors over such a short period
of time would be considered a serious event. (See Appendix 3 for the methodology.)
During the period 2000-2011 there were more than fifteen hundred such events of interest. We could
then determine the sensitivity of each industry sector to specific types of events and measure the
resilience of firms to price declines by determining how long it took for the stock to recover to its
pre-drop level. As shown below, firms in some industry sectors are much more likely to bounce back
in a few months while others may take several years.
NOTE: This first phase is descriptive in nature and does not analyze the specific characteristics
of the S&P 500 firms that may have been partially responsible for causing the stock price
changes. We know that two firms of similar size can manage the crisis and recovery from an
exogenous shock very differently due to their financial situation (e.g., their debt ratio) and their
leadership in the C-suite and at the Board level. The second phase of the project (2014-2015)
will examine these elements in more details. The findings discussed here are a starting point for
this type of analysis.
The section is organized as follows. Section 5.1 introduces the data and methodology. Section 5.2
presents the findings on the significant event analysis focusing on significant drops: What types of
events triggered a large drop among the entire S&P 500 over the 11 years covered by our analysis?
What types of events are more likely to do so in your industry sector? What industry sectors have
been more affected by a given type of risk?
36
In section 5.3 we discuss the issue of resilience to shocks by examining how long it took for a firm’s
stock to return to the level it was before dropping at least 20% over 10 days compared to its industry
competitors. Are specific industry sectors more likely to bounce back more quickly than others? Are
specific risk categories more likely to trigger a longer recovery time across industry sectors, or just
for specific ones?
5.1. Data
We used daily trading stock returns for all firms in the S&P 500 over the period January 1, 2000 to
December 31, 2011; we focused on the S&P 500 group of firms as of December 31, 2011 and also
included a few other firms of interest (e.g., BP, given the 2010 oil spill). In total, we studied 503
firms. Stock price data came from the Center for Research in Security Prices (CRSP) to which
Wharton has a subscription access.18 We then split all companies into their corresponding industries
(as defined by Standard & Poor’s) (Table 5.1).
TABLE 5.1. DISTRIBUTION OF THE FIRMS COVERED BY THE STUDY ACROSS INDUSTRIES
Industry # of Companies
Consumer Discretionary 84
Financials 82
Information Technology 71
Industrials 61
Healthcare 53
Energy 41
Consumer Staples 40
Utilities 35
Materials 29
Telecommunications 7
Sources: Standard and Poor’s
We then used the same 21 risk factor categories introduced in the previous section on our 10K
analysis. Table 5.2 provides a summary of keywords and illustrative examples for the stock analysis.
A number of stock price drops were related to the announcement of quarterly or annual earnings
without necessarily be linked explicitly to a given risk factor. We thus created a new category called
“earnings” as well. The methodology for undertaking our analysis is detailed in Appendix 3.
37
TABLE 5.2. DEFINITION OF THE RISK FACTOR CATEGORIES USED IN THE STOCK ANALYSIS
Category Definition Keywords Example
Accounting/Release
of Quarterly results
Change in accounting regulations that can affect
financial standing of the company, anything related
to accounting
accounting control, accounting standards,
accounting fraud; accounting errors;
Company Y was involved in an accounting fraud
case
Acquisition Management, financial or accounting risks related
to two companies becoming one
acquisitions, cost savings, joint ventures,
merger benefits, restructuring
Company X acquired one of its main competitors
in a deal many perceived as a very risky decision.
Catastrophes Natural disasters, terrorism or war, and calamities natural disasters, terrorism / war, weather,
fatalities
Hurricane X has hit the oil refinery of Company Y.
Capital Expenditure
Investment in the company’s business – facilities,
equipment, fixed assets, R&D
capital expenditures, R&D Company X has invested $30 million into a key
R&D project, which is in its 4th stage of approval
from USDA and this was denied.
Capital Structure
Debt to equity ratio – how companies are financed, which affects stock price
assets: liens, capital availability, credit rating, debt: additional, debt: covenants,
debt: highly levered, debt: refinancing,
interest rates, restructuring charges
Company X was not able to refinance its debts given a recent downgrade of its bond rating by
rating agencies
Competition
Competitive gain or loss of market share to a
specific competitor
competition, competition: lower prices,
substitute products
Company X recently posted their market share
report, indicting a drop of 30% of their electronic
products – mostly to their rival Company ABC.
Credit Risk Not receiving payment for delivered goods or
services
credit risk, cash flow Company X was not able to receive payments from
Company Y which filed for bankruptcy.
Customer
Concentration
Firm revenue is dependent on a few large
customers or a high concentration of customers
within a region
customer concentration, regional
dependency
Company X’s recent quarterly report indicates a
drop in their sales due to low demands in the
southwest region of the US
Distribution
Outward flow of goods or services from the
company to the customer through different channels (online, in-store)
distribution channels, transportation,
supply chain, distribution partners
80% of all department stores have stopped selling
Company X’s products due to pricing conflicts.
Earnings earnings, estimated earnings, sales
subscriptions that explicitly affect earnings
Company X recently released their quarterly
earnings – a 40% decrease in sales.
Government
Actions taken by government, external to the firm,
which have an influence on the operations of the
firm
regulation, law, government oversight Government’s recent scrutiny on hiring practices
of Company X has triggered a change of
management.
Industry
Broad shifts in an industry-specific environment
which impacts how all players act
industry changes, industry condition, trend
change
Company X and four of its competitors have
suffered from customers’ switch to a new type of
technology
Intellectual Property
Threat to the security or value of intellectual
property and costs associated with protecting and
maintaining it
IP, legal defense, value, patents, copyright Company X lost a lawsuit concerning their
product’s design and how it closely resembled one
of their rival’s products.
International
Any risk associated with the challenge of doing
business in non-domestic settings
currency / exchange rates, international
(non-US) risk, international markets (challenges)
Company X’s huge investment in Country ABC
and the country’s recent announcement of inflation has triggered a spike in Company X’s cost of
operations.
Investments
Pension/retirement benefits and any capital put into
other firms, capital withdrawn from other firms,
named individuals that buy or sell shares en masse
(usually triggered by specific company event or
trend)
liquidity / investments, pension /
retirement benefits
Company X’s bankruptcy claim affects its parent
company, Company ABC who invested 300 MM
into the company 10 years ago.
Key Personnel Recruitment and retention of essential management
positions; references to specific names or positions
key personnel, key personnel: insurance,
new management
Company X’s CEO Joe Smith has recently been
arrested for insider trading and fraud.
Labor
The workforce required to maintain daily
operations in terms of quantity and quality
unions / labor, salary, hiring trend Company X’s labor union has gone on strike, and
the company’s inability to hire new employees in time adversely affects their operations.
Legal Liability, litigation and legal proceedings legal, lawsuit Company X recently lost their lawsuit against
Company Y.
Macro Uncontrollable or unpredictable changes in the
aggregate market
recession, trend, global trend Company X’s large did not allow it to survive the
recession.
Marketing
Firm’s reputation, image, pricing, and presence in
the market;
brand, brand concentration, consumer
preferences, market acceptance, market
share, marketing effectiveness, pricing,
reputation, scandal, analyst
recommendations
Company X’s series of product recall due to death-
related accidents have made the company’s brand
equity drop 30% and its perception plummet
among consumers.
Operations
Uncertainty and challenges associated with
production, development and implementation for
goods and services
leases, manufacturing / technical, new
products, new stores, operating risk,
product quality, production delay, single product, technological change, technology:
unproven, working capital
A firm did not make the necessary investments to
move to a new technology and was outpaced by its
competitors
Suppliers
The rise in costs or scarcity of necessary materials
for production of goods or services either for the
company or companies to which the company
supplies materials
energy prices, raw materials availability,
raw materials prices, suppliers:
concentration, suppliers: promotions,
supply chain, supply chain: foreign
Recently failing to reach a deal with the
government of Country A, Company X was unable
to monopolize the manufacturing capacity of
electronic equipment, and was outcompeted by its
rival, Company Z, in the supply chain.
38
5.2. Results
The research team then undertook a large-scale study to identify the most likely drivers of the 2,119
events through public documents searches on the Internet, Factiva and LexisNexis.i Firms
announcing negative news on earnings were by far the largest source of significant drops of the stock
price over a short period of time, with a total of 599 events (or 28% of all negative events) in this
category. We now consider the distribution of the 21 risk factors when one excludes these earnings-
related events over the 1,520 drops (Table 5.3).
TABLE 5.3. SUMMARY OF SIGNIFICANT PRICE DROPS ACROSS 21 RISK FACTOR CATEGORIES
2000-2011 – FULL S&P 500
Risk Factors Total Percentage
Marketing 192 12.6%
Operations 186 12.2%
Acquisition 150 9.9%
Legal 119 7.8%
Industry 108 7.1%
Key Personnel 102 6.7%
Capital Structure 100 6.6%
Macro 97 6.4%
Government 80 5.3%
Labor 66 4.3%
Competition 64 4.2%
Credit Risk 60 3.9%
Capital Expenditure 56 3.7%
International 38 2.5%
Investments 30 2.0%
Catastrophes 19 1.3%
Suppliers 14 0.9%
Accounting 13 0.9%
Distribution 12 0.8%
Intellectual Property 10 0.7%
Customer Concentration 4 0.3% Note: N= 1,520
i Some events have multiple drivers behind a stock price changes, and can be categorized with more than one risk category. Note also
that in several cases it was not necessarily clear whether an event had been driven by a specific risk factor.
39
Finding 15: The top risk factors that have led to the highest number of significant negative
stock price drops in the S&P 500 over the period 2000-2011 are Marketing (12.6%), Operations
(12.2%), and Acquisitions (9.9%) (See Definitions in Table 5.2).
We are also interested in seeing what risk factors drove more stock drops in recent years. Since our
analysis of the 10K used 2007 as a first reference point, we re-did the analysis for the entire S&P 500
firms by looking at two time periods: [2000-2006] and [2007-2011]. Table 5.4 shows for each risk
factor the number of negative drops across the full S&P 500 for each of the two periods and the
percentage change over time.
TABLE 5.4. SIGNIFICANT PRICE DROPS RELATED TO 21 RISK FACTOR CATEGORIES. FULL S&P 500
Risk Factors 01/2000-
12/2006
01/ 2007-
12/2011 Total Drops
Percentage change between
2001-2006 and 2007-2011
Credit Risk 22 38 60 73%
Macro 38 59 97 55%
Capital Structure 42 58 100 38%
Government 34 46 80 35%
Labor 31 35 66 13%
Suppliers 7 7 14 0%
Industry 56 52 108 -7%
Catastrophes 11 8 19 -27%
Distribution 7 5 12 -29%
Operations 110 76 186 -31%
Acquisition 89 61 150 -31%
International 23 15 38 -35%
Key Personnel 62 40 102 -35%
Legal 75 44 119 -41%
Investments 19 11 30 -42%
Marketing 126 66 192 -48%
Capital Expenditure 39 17 56 -56%
Competition 46 18 64 -61%
Accounting 11 2 13 -82%
Customer Concentration 4 0 4 -100%
Intellectual Property 10 0 10 -100% Note: Total events: 1,520. Percentage numbers are rounded. Significant price drop is defined as a 20% change or more in stock
price for individual companies over a 10-day period relative to changes in the industry average.
Not surprisingly, Credit Risk has the greatest increase in stock price drops between the two periods
(+72%) reflecting the financial crisis. The percentage increase in Macro (+55%) reflects the negative
impact of the economic recession on a number of firms. The percentage increase in Government
(+33%) confirms what we learned from the 10K risk section analysis in Section 4 of this report. It
appears that many firms rank this factor as their top risk in their annual reports to shareholders not
40
only because more stringent regulatory systems negatively impact their business, but also as a
reflection as to how they feel government actions can impact on their stock prices.
To gain more insight into the impact of the government risk factor on stock price drops, we undertook
a similar stock analysis on the sample of firms that took part of our interview process. We analyzed
their 10K risk reports where there was a significant increase in risk factor mentions of government
between 2007 and 2011. As Figure 5.1 reveals, this increasing concern about government seems
understandable if one looks at the significant percentage increase (367%) stock price drops that can
be attributed to government activities over the [2007-2011] period compared to [2000-2006] for the
100 firms that we interviewed.
FIGURE 5.1. PERCENTAGE INCREASE IN SIGNIFICANT STOCK PRICE DROPS.
2007-2011 VERSUS 2000-2006 FOR 100 S&P 500 FIRMS INTERVIEWED
Finding 16: For the publicly-traded firms we interviewed, the most significant percentage change
in the number of stock price drops in 2007-2011 compared to 2000-2006 was Government
(+367%), followed by Credit Risk (+200%) and Capital Structure (+190%).
5.3. Focus on Sudden Catastrophe Events as Drivers of Significant Stock Price Drops
The stock analysis shows that events that often come to mind when thinking of catastrophes (e.g.,
natural disasters, terrorist attacks, war, fatalities) represent only a very small portion of the risks that
have led to significant stock price drops (that is, a drop of at least 20% over a period of 10 trading
days, compared to the industry average).
-100%
-50%
0%
50%
100%
150%
200%
250%
300%
350%
400%
41
In fact we find that the Catastrophes risk factor (defined as including natural disasters, terrorist
attacks, technological accidents) ranked only 16th out of 21 risk factors in the number of severe stock
price drops over the period 2000-2011 in the entire S&P 500 (Table 5.1).
There are examples where the stock of the firm dropped at least 20% in the wake of a catastrophe as
reported in these media articles:
“In the wake of 9/11 transportation shares were hit hardest and Firm X in the transportation
part business was no exception. On this day, more than 80 percent of all stocks lost ground,
but transportation-related companies fared the worst among Northwest companies. The steep
declines on the first day of trading since terrorist attacks closed the markets a week prior
showed how nervous investors felt about companies that depend on travel or consumer