3 critical success factors for strategic risk management and 5 questions corporate directors should ask

The announcement from PG&E that the California utility will file for bankruptcy reminded me of a question posed a few years ago by the head of GM’s risk committee: “How do we manage strategic risks?”

Key takeaways —

  1. People can and do die from poor strategic risk management
  2. Due to blind spots in the risk vision of executives and directors, risks can emerge that unbalance corporate strategies and create existential events
  3. The critical success factors for strategic risk management include encouraging and rewarding risk awareness, creating goodwill with stakeholders, and building a strategic risk response plan

NASA’s ARIA team produced this map of damage to Paradise, California, from the Camp Fire, the deadliest wildfire in the state’s history. Image credit: NASA/JPL-Caltech

Facing losses of up to $30billion arising from lawsuits in the 2017 Nun and 2018 Camp Fire blazes, PG&E announced today that it will file for bankruptcy on 29 January 2019.  California law requires a 15 day notice period to employees, though in this case, job losses are unlikely.

Generally public utilities do not declare bankruptcy.  With revenues guaranteed by state utility commissions, and rate-setting regulators and state legislators involved in the governance of public utilities, any financial shortfalls usually are made up for by rate hikes, and liability risks associated with natural catastrophes are mitigated through state law.  However, with a service area larger than the state of Florida, PG&E, California’s largest utility, could be expected carry more liability risks than the typical public utility.

This is not the first time that PG&E has faced bankruptcy.  In 2001, with mounting losses due to California’s botched electrical utility deregulation and market shortages being exacerbated by unethical Enron traders artificially cutting supplies, PG&E filed for what was the third largest bankruptcy in U.S. history – $24.2 billion.

Safety culture gaps.  The current crisis is not due to market miscalculations or financial machinations.  Rather it has interesting parallels to BP’s 2010 Deepwater Horizon gulf oil spill disaster.  Both companies had spotty safety records as compared to their peers, and as a result both faced existential crises.  In the U.S. government’s report on Deepwater Horizon, investigators noted that BP focused more on individual worker occupational safety, rather than process safety.  That’s another way of saying that safety was just not baked into the culture.

Another case of safety culture also comes to mind – GM’s ignition switch issue that could have driven the company to return to bankruptcy shortly after it had emerged from government receivership.  In the board report, the weakness of the culture of safety was the overriding finding.

Strategic risk management.  As GM responded to its safety crisis, the head of GM’s risk committee openly asked how strategic risks should be managed.  I’m sure that same question is going through the minds of PG&E’s corporate directors right now, too.

Quite often, the risks that unbalance corporate strategies and even create existential events just are not apparent.  Expediency toward achieving major financial goals and timelines create blind spots in the risk vision of managers and executives.  And hope that the well won’t blow this time, or the test failure of a product component won’t really affect vehicle safety, or sparks from a downed power lines won’t create infernos – because most of the time they don’t – can lead to safety experts and auditors, career-dependent themselves on corporate financial success, to be less aggressive and bend to the pressures of expediency.

Inevitably after tragedies, the after-action reports identify people who knew of the problem and tried to raise it to higher levels, or who knew and decided it was futile to raise the issue.  And also inevitably the risks that really derail company strategies are not the ones that corporate leaders and managers are actively paying attention to.

Recommendations —

So what can be done?  No strategic risk management plan is going to be perfect, but beyond the foundational elements of a reliable enterprise risk management program, here are three critical success factors for managing strategic risks:

1 – Encourage and reward risk awareness.  There is always someone whose job includes the management or at least insight and awareness of any given risks associated with company operations and processes.

The board should ask, “How much of the bonus pool goes toward safety and risk management goals as compared to financial goals?”

2 – Create goodwill on environmental, social and governance (ESG) issues.  Be careful on this – absent a solid track record in safety and risk management, goodwill can evaporate overnight.  For example, prior to the Deepwater Horizon incident, BP had a strong stakeholder engagement plan and won loads of ESG awards.  But Deepwater Horizon highlighted a poor safety record, and the goodwill came to be seen as self-serving hypocrisy.

The board should ask, “For each enterprise risk, what are the ESG-related issues and who are the stakeholders?  What is our stakeholder engagement strategy?”

3 – Build a strategic risk response plan.  Most crisis management plans are built to address risks that have a very rapid time of onset – an earthquake, a plane crash, a nuclear meltdown, the sudden death of the CEO, etc.  They are not built to address those types of crises that play out over a long period of time – like a months long oil spill and years long clean-up, or a slowly escalating series of product failures that only eventually point back to a safety or quality failure, or a series of safety problems that eventually lead to massive infernos.

The board should ask, “How and when do we trigger a strategic risk response plan for emerging risks that could become strategic?  How are we engaging stakeholders in both preparedness for a strategic risk event and the response to it?”