Captains in a Sea of Danger: CEOs as Navigators of Risk.
New opportunities and new markets beckon CEOs from around the globe. But for many corporate leaders, seizing those opportunities means steering their companies through uncharted water fraught with danger, whether due to political, technological, or liability risk.
Savvy CEOs must choose wisely from a seemingly endless array of investments, alliances, and technologies, carefully balancing potential peril with reward. Add to the roles the CEO now assumes -- leader, manager, communicator, moderator -- that of master of risk assessment.
Successfully evaluating risk is no easy task in the age of advanced network connectivity, which, on the one hand, has enabled us far more quickly to get information about customers, competitors, and productivity, but on the other, leaves us increasingly vulnerable to intrusions. Industry experts seem to agree that having third-party control would be helpful, but how much should the government be involved?
Participants at the following roundtable, co-hosted by Veridian Corp., grapple with the concept of CEO as risk manager and debate answers to the critical questions facing today's top executives: How can companies effectively model and anticipate risk? What kind of risks are associated with brand and with reputation? How can you restore trust with customers, suppliers or employees in the face of a publicly reported security breach, attack or theft? What kinds of new risks are we now facing? Are they really different or are they merely augmenting those dangers we've always faced?
Certainly, these are not easy questions to answer, but the CEOs who avoid them -- and avoid being adequately prepared -- may find themselves in crisis before long. "A good brand is a shield in a time of crisis, but it can go down," says Mike Morley of Edelman Public Relations. "Maybe CEOs should be measured on how well they protect the brand equity over the life of their tenure."
David Langstaff (Veridian): Fundamentally the role of the chief executive is to manage risk. That's the ultimate fiduciary responsibility we've got. But I'd like to drill down and talk about this issue of risk and frame it in the context of a very different business environment from what we've known, and that is a connected world enabled by the Internet and an explosion of networks. There's been a lot of talk about the benefits of this connected society, but there hasn't been adequate talk about the risks.
One of the things that makes it tricky is that you can't isolate this risk into one part of your business; it really transcends the whole business. Therefore, it has to be thought about in a more holistic way. No banker would leave for the day and leave the doors of the bank open and unlocked and the vault open. That's obvious. But I would suggest that, with regard to information on our networks, we are doing exactly that. We're basically closing up and leaving it unlocked and vulnerable.
Now if you look at some of the business risks embedded in this whole notion of the interconnected world, loss of productivity is an obvious one. All of us have likely been affected by viruses that have hit our computers and our networks. They can be quite damaging, but for the most part they fall into the nuisance category.
But there are clearly opportunities for financial loss and legal liability and there have been cases where people have broken into banks and other financial institutions and stolen money. That may be discounted as part of the cost of doing business, and it can be insured. But you can then get into a situation where you lose the availability of the network entirely. For some companies--those which are in the e-trading business or are dependent on the Internet--that is akin to death. If your network doesn't work, your entire organization is at risk.
That raises the issue of data integrity. Companies that are knowledge-based--where the information on your network must be trusted--have to be concerned about those that would come in and either steal or corrupt that data. At the end of the day there is an implicit relationship between any company and its consumer, whether it's a retail consumer or an industrial consumer, and that is tied up in your brand and its integrity and your reputation for delivering good work. When you start to have penetrations into a network that change your information or data, it can lead to an unraveling of that trusted relationship with your customers and your peers, and it puts the whole enterprise at risk.
To help frame the issue, I'd like to posit these six points. First, we're living in a world where there's a connectivity imperative that is now part of base expectations. Second, networks by their nature are becoming more complex. We're dealing with a plethora of both internal and external networks, so we've got to be addressing the problem at the network level. Third, networks are increasingly regarded as essential and integral parts of business. Fourth, we have to recognize that the Web is not really designed as an open exchange of information. We're using it in business in ways for which it was not designed, which is why we have security problems. Fifth, the security threat is exploding. The level of sophistication required to do damage is decreasing. Finally, the public reaction to the deluge of data with which we're dealing today is one of confusion.
So what becomes important in this market? Company brand, the reputation for trust, the confidence you establish with your customers. The risk for CEOs and their companies in an interconnected world could be simply summed up this way: You have transaction risks. You have brand or enterprise risks--which really speak to the heart of what our job is. And then you have the system or infrastructure risks. We can all protect our own companies, but who's going to protect the system? It's something that the government is trying to figure out, and the President and Congress are asking, "What should the role of government be versus the role of industry?" We also have to ask the question, "What are we doing--and to what extent is it our responsibility to be addressing this risk in a bigger-than-corporate context?"
Don Hurzeler (Zurich North America): An ancillary point is reputational risk, which refers to people being able to post remarks online without having to be accountable for those remarks, whether it be on a message board or on a site devoted to bashing a company's reputation. Those are also very serious attacks on the reputations of our companies.
Langstaff: One of the issues industry has come together and asked of the government is to be clear on what the rules are. We need a legal system to put accountability in place. It's tough to mitigate risk if we don't know what the rules are.
Alan Warms (Participate.com): First we have to understand that we need to address these issues of risk, make some investments on an ongoing basis, and state the rules up front. The biggest way for CEOs to mitigate risk is to really listen to customers, partners, and suppliers to understand what the issues are. The power of the Web and enterprise application software technologies on the Internet is really to put in place applications that allow you--at a rate much faster than it was 20 years ago--to get a sense of the issues that your sales force in Asia Pacific are having with certain customers. What is your competitor doing in Europe? What problems are employees having with driving productivity? All of these issues can now be addressed very efficiently through technology.
Arnie Pollard (CE): The whole network risk to some degree can be mitigated when users of networks trust the brands they're dealing with. I'd like to know if either Bill or Michael have come to grips with those issues as they relate to the Web.
Bill Katz (BBDO New York): There's an adage in our industry: The worst thing for a bad company is good advertising. You can do all the--and I hate to use the word but--propaganda you want for a company, but if they can't deliver, what we're doing will essentially be undermined. Firestone is a great example. It's not a technological risk; it's a business risk.
Mike Morley (Edelman Public Relations): A chunk of our business is crisis management, which is really the last stage of a bad process. If you look at everything that comes as a shock and surprise to the CEO, you can usually find, as with Firestone, a long trail of little amber lights flashing along the way that nobody paid attention to. That's poor management. A good brand is a shield in times of crisis. But it can go down, and maybe CEOs should be measured on how well they protect the brand equity over the life of their tenure.
John Brandt (CE): What happens when risk isn't managed well up front, and what do you do after it's exploded? I'm curious about some of the frameworks people around this table have in terms of assessing and managing risk across a broad array of areas for their company. What do you do to head these things off before it becomes a crisis?
Hurzeler: One of the best processes we have in our company is our assessment of risk. This is a formal process that occurs every year around the world in our company. It's called the ZHA, or Zurich Hazard Analysis. We have a wide open discussion about what the risks might be, and we go through all the various types of risk and list them out. Then we try to determine how ruinous to the business they could be on a formalized scale. We then determine the odds of that happening in a strategic period. Then you plot that on a graph, and at some point, you draw a line as to what your tolerance to risk is. Those items that fall below the line are risks you can tolerate. Those above the line are ruinous items that absolutely must be addressed. We then would put together an action plan to mitigate or eliminate that risk.
Langstaff: Is network security above the line or below the line?
Hurzeler: Network security would always be above the line. And many of these items turn out to be IT-related items.
Eric Gertler (Privista): There's an inherent risk in trying to identify every known possible risk because we'll never be able to do that. When you look at the CEOs who have been successful over time, they were the ones who recognized that change occurs over the course of time and it's how you manage change that counts. You're taking risk every day by consciously innovating, by bringing about progress, by making changes.
Pollard: The risk management side of that is if a company appropriately orients itself to encouraging creative risk-taking for its own business development reasons, it also needs to have some balance so the risks taken are acceptable. Are any of you undertaking approaches within your own company to make sure the risks inherent in innovation are, in some sense, measured and managed?
Gary Dunton (MBIA): The biggest risk for us is the downside risk--not missing the upside opportunity. Everything we look at has to do with protecting our brand, which is the "triple A" rating we get from rating agencies. What we've done, at the top level all the way through the organization, is a process equally balanced between cheerleading and anticipating the doom and gloom of the company. First and foremost, that means identifying the things that can go wrong, understanding the nuances of each one of those items, and communicating them. We are a very small organization in terms of numbers of people who get involved with transactions. Each one of these professionals has to understand the risk, has to be able to see it when it's happening, and has to understand and be able to communicate it to their own people. We have to look at it daily, weekly, quarterly, annually, to make sure the risks that are appropriate for us are not being exceeded. Everyone needs to understand what the three or four worst-case scenarios are and make sure they've got action plans and good measurement systems in place, because if there's one thing you can count on, the bad stuff happens with greater frequency than the good stuff.
Zuheir Sofia (Sofia and Co.): Risk is the penalty for being wrong, and being wrong is something that could significantly change the way you're doing business. We have no industry-wide protocol to decide how to monitor this network risk. Everyone is careful about getting Uncle Sam involved, but something needs to be done at that third level to bring those three elements together to minimize those risks.
Langstaff: Right now every state is addressing issues of security or privacy on their own. As business people trying to do business, it's going to be impossible if we're dealing with different state laws on these same issues. So there does seem to be a need to address some of the basic rules of the game at the national level. But there are those who would argue that it's got to be done at the international level because of the global nature of many companies. What's good enough when it comes to managing risk? There's a desire on the part of the insurance industry to underwrite this risk, but they're having trouble knowing where and how to draw the lines.
Hurzeler: It's very much an emerging issue and right about the time when we can get policy language grafted, we learn new things. The biggest risk in our business of innovation is to not innovate. The insurance business has not been at the leading edge of innovation over the years. We've pretty much been doing things as we've done them all along, and that's not good enough anymore because of some of the expertise at this table right now that is being brought to bear in our industry. And if we don't innovate, if we are adverse to taking risks in the area of innovation, we won't be around in the future because the expense ratios will drop so much, it will leave the laggards behind and they'll lose market share.
Rob Hale (Network Plus): From a smaller company's perspective, it's not whether we're going to take a risk--it's which risk are we going to take, because we're taking risks all day long. Whether it was 10 years ago with 10 people in a small company, or today in the telecom sector, where there is carnage all around, you have to make decisions all day and the telecommunications business supports the broadband Internet economy. It's not a decision of yes or no, but to what degree, and from our perspective, we have to meet almost every other week just to decide today in our industry which customers we're comfortable with to take that risk. We have to take certain risks. If not, we'll eventually be crushed.
Pollard: How does a CEO who's not technically in the middle of the increasingly complex world of the Internet nevertheless say, "here are the questions I've got to make sure I have posed and that I've gotten decent, acceptable answers to in my organization?"
Langstaff: Right now we're all assuming every company represented here has a network. CEOs are assuming it's being well and properly taken care of by the information systems department--but don't take it for granted. CEOs have to recognize that this is a risk, and it's a risk that can be managed, but it won't, in all likelihood, be managed well enough unless the CEO gets involved, and even the non-technical CEO can get involved by asking questions and getting familiar with it and making sure the company's attention to the matter is heightened.
Gertler: Today, in a networked economy, the ability for consumers to talk to other consumers very quickly and in a vital fashion can either be a great help to your growing your business, or it can be devastatingly harmful. The questions I ask our technology people are: What are we doing every day to insure that we're respecting the customer's information? What are we doing about the credibility of our consumers? What are we doing to increase customer confidence?
Robert Uretta (Insignia Financial Group): Does anyone believe that the SEC is going to at some point in time come in and say there needs to be a third-party independent audit done of technology systems that could somehow affect the growing concern of a company?
Langstaff: It's happening. The financial industry's been one of the more sophisticated industries in understanding this is a risk, and when you cut through it, our whole financial system is built on confidence and trust--period. That will be brought down if we start to erode that confidence and trust, and the SEC is aware of that.
Hurzeler: There was a minor piece of that in the insurance business over Y2K where certain states came in and wanted to know about our preparedness on behalf of consumers in the state. They had a very detailed survey we had to fill out. In those areas where we were lacking, and it said we were lacking, there was quite a bit of follow-up all the way through. So that would seem like the first step -- not quite the SEC, but a step in that direction.
Bill Randle (Smart Card Alliance): I'd like to go back to a point David [Langstaff] made when he indicated we are, in fact, using the Web for something for which it was never designed. What happens when your customers connect to the Web? There is a great deal of vulnerability. Most CEOs are worried about their own companies, but they don't understand that it's like a house of cards; if one falls, even those with great network security can fall. Their reputations are at risk if the Internet is at risk. The issue for the Smart Card Alliance, and for other activities similar to this, is to create standards for security that can be adopted in an open sense by many organizations. That simply doesn't exist today.
At the Smart Card Alliance, we have encouraged the major telcos to consider a chip card as a standard for securing m-commerce. All the consultants will tell you that m-commerce is going to be bigger than the Web in three to four years, but there is great risk there for all of us, even though individually we might not be able to do much about it. There is a need for collective action on the part of CEOs to look at this global community of connectivity we've created and say, "are we doing everything we can do outside of our individual companies to ensure that this doesn't collapse?" That's really part of the mission of the Smart Card Alliance. My concern is, I don't see a lot of action in the marketplace yet.
Jeffrey Tarrant (Arista Group): How much do you outsource in security protection and how much can you trust in the company to whom you're outsourcing the security protection for your network? And another point: If I have a risk of a thunderstorm or something destroying a piece of property and I have a risk of something destroying my network, why isn't insurance willing yet to step in and underwrite that risk for me? That way, as an executive, I can look at alternative solutions rather than just concentrating on outsourcing the risk management, and maybe outsourcing the cost of the risk by purchasing insurance.
Langstaff: It's difficult for people outside the industry to keep up with changes in the security field. By outsourcing it, you're putting it in the hands of people for whom that's their business. The thing about security is, it's never over. The minute you secure, the one thing you can count on is there will be counter-attacks established, and then you have to address the counter-attacks, and it's a never-ending process. If you're going to outsource security, it means turning the keys of your network over to someone else, and you had better be confident you trust whoever is providing that.
Pollard: Why is the trust issue any different -- other than the fact it's more complex and technological -- than which armed guard service you put your trust in?
Langstaff: If you're dealing with who drives the armored car, we have a system and we have laws that make it very clear what's right and what's wrong, and you aren't going to go to a firm that has a bad track record. So there is trust in that relationship. Here we're talking about something which is more than just transactional. The trust issue is gigantic. You want a customer to place confidence in you to do a job and you cannot violate that. That's certainly part of the brand relationship that any company with a strong brand has with its consumers.
Hurzeler: A couple of times here today the comment has been made about getting to know the customer and the like. In our company, as we go in and understand what exposures might be there because of the network or other IT type development, and as we begin to understand the risks involved with those exposures, we can craft a product that addresses the needs. However, it's an emerging issue and if you aren't talking with one another and you don't really understand your customers' needs, you're not going to get there.
Brandt: When you're working with your larger customers, CEOs and their boards, how are they thinking about risk these days? How are you encouraging them to think about risk?
Mathis Cabiallavetta (Marsh & McLennan Cos.): We look at risk from a holistic point of view, from a strategic perspective -- business models, customer behavior, all these things that happen, among other things induced by technology. We look at the strategic and management consulting part of it, then the operational, of which technology is one part and human resources is the other. We often tend to underestimate human resources issues, non-aligned performance and reward systems with respect to the comparison to strategy. We get to risk/reward profiles that are much more acceptable from an overall point of view--to the shareholder and then obviously also to management--than if we just look at a particular sector.
Chris Miller (6FigureJobs.com): Technological risks really never go away from security risks. You can address them and put in procedures and practices to help in case something terrible happens, but no matter what you do they're never going to be zero.
Brandt: What's the biggest thing you worry about with your company?
Miller: Sales. If our technology isn't working, then we sell absolutely zero, and our customers start asking for their money back. It all hinges on technology. I run my business realizing that I can put all these procedures in place to help minimize that, but it's never going to go away. Knowing that, and accepting that, you then have to diversify that risk in case of a worst-case scenario, but never being too dependent. Obviously you have to be dependent on the technology, but what are your back-up plans? How are we going to function if this part of the business doesn't work?
Gertler: The CEO must be able to manage risk on a global basis, and must be comfortable doing that, both in terms of external forces and internally.
Hurzeler: I think it was Bill Gates who said Microsoft is, at any time, 24 months away from being out of business. That's what I worry about, because our company is well-positioned to compete effectively with the top tier of competitive companies we have out there, but what about someone who comes in from a different industry with different technology and a different idea, perhaps from a different country, and has a better, more innovative way of doing business, and here we are laying the cards we've played for 50 years. One of the roles of a CEO is to have his or her antennae up, as well as the antennae of the organization, for those new and emerging killer apps.
Morley: We have a process called the CIA, or the Critical Issues Analysis system, which tries to analyze what can come from the social sphere, from the political sphere, from the competitive environment, and we try to create a kind of vulnerability index. When you do this around the world, you will find, out of this list of maybe 30 things that can come out of left field and hit you, five to eight will rise to the surface as being a No. 1 hot topic in your principal market countries. That calls for corporate resources to study it and figure out what you need to do about it. It's a very helpful kind of procedure to not only tell you what are the risks globally, but where they're happening. Then you can get down to what you can do about it.
* Mathis Cabiallavetta is vice chairman of New York City-based Marsh & McLennan Cos., a $10 billion insurance brokerage company.
* Gary C. Dunton is president and COO of Armonk, NY-based MBIA, a $1 billion financial guarantor.
* Eric Gertler is president and CEO of New York City-based Privista, a privacy and credit management firm.
* Robert T. Hale, Jr. is president and CEO of Quincy, MA-based Network Plus, a $236 million telecommunications service provider.
* Donald J. Hurzeler is president and CEO of Schaumburg, IL-based Zurich North America, a commercial property-casualty, health, and accident insurance provider.
* Bill Katz is president and CEO of New York City-based BBDO New York, a $14.9 billion international global agency network.
* David Langstaff is CEO of Arlington, VA-based Veridian, a $500 million provider and developer of intelligent IT solutions.
* Christopher Miller is president and chief executive of Darien, CT-based 6FigureJobs.com, an executive-level career management and job-search Web site.
* Michael Morley is chairman and president of international operations at New York City-based Edelman Public Relations, a $248 million marketing and public relations firm.
* William Randle is chairman of the Smart Card Alliance, a New York City non-profit organization representing the financial community and promoting the acceptance of smart cards.
* Zuheir Sofia is chairman of Columbus, OH-based Sofia & Co., a private investment banking firm.
* Jeffrey Tarrant is president of New York City-based Arista Group, a private investment firm managing the investment portfolios of private wealth and their foundations.
* Robert Uretta is president and COO of New York City-based Insignia Financial Group, a $686 million property management and mortgage broker.
* Alan K. Warms is president and CEO of Chicago-based Participate.com, an outsourcing solution for online community management.
Publication: Chief Executive (U.S.)
Article Type: Panel Discussion
Date: Aug 1, 2001