(This piece originally appeared on the Oxford University Press blog. Its based on the authors new book, “Mastering Catastrophic Risk: How Companies Are Coping with Disruption.” The book provides a pragmatic framework to assist decision makers at all levels in preparing for and responding to catastrophic risks.)
Facebook has been in the hot seat since it came to light that personal data on as many 87 million users, mostly in the US, had been improperly acquired by Cambridge Analytica for use in the presidential campaign of Donald J. Trump. CEO Mark Zuckerberg acknowledged as well that “malicious” outsiders may have accessed profiles of most of his 2 billion users. In the wake of Facebook’s enormous cyber-lapse, Congress investigated, users fled, and its stock plummeted—the makings of a genuine company disaster.
But cybersecurity—or the lack thereof—is just the latest source of catastrophic risk, with a flurry of data breaches in recent months exposing consumer records across a wide swath of business firms, non-profit organizations, and government agencies. Cyber risk joins terrorism, financial crises, and natural disasters in disrupting the operations of many.
Some disruptions are global. The subprime mortgage meltdown in 2008 in the US became toxic for financial institutions everywhere. The Fukushima reactor meltdown in Japan in 2011 shut auto suppliers that in turn closed car assembly around the world.
Occasionally, disasters are self-inflicted, as was evident when engineers at Volkswagen installed deceptive emissions equipment in more than 11 million vehicles from 2009 to 2015. And bankers at Wells Fargo created millions of unauthorized bank and credit card accounts without their customers’ knowledge in the mid-2010s. Both firms ousted executives, forfeited earnings, and suffered plummeting share prices.
Whatever the disasters’ causes, firms can and should ready themselves to avert them and to rebound if they do strike. Some have been preemptively doing just that, learning from the experience of others. But they have had to overcome a host of impediments that thwarts risk readiness at many companies.
At the top of the list is myopia. Some organizations, for instance, perceive the likelihood of a disastrous event next year to be so low that it drops below their threshold of concern. The “not-invented-here” syndrome, a well-known barrier to product innovation, has led others to simply ignore what leading firms have already put in place.
Facebook executives might have wisely investigated the massive breaches of company firewalls that had recently compromised vast amounts of confidential customer records at other firms, including Target (40 million records), Anthem (80 million records), Equifax (143 million customers), eBay (145 million records), and Yahoo (3 billion). Facebook could also have usefully studied what those companies have done to prevent future attacks.
Firms can learn much from others’ experience, and to that end, we have looked at risk management measures among 100-plus large companies in the US and abroad. From that, we have built an eight-point checklist for mastering catastrophes at any enterprise:
- Catastrophes are on the rise, and your firm may be next in line. Don’t pretend it cannot happen to you, and instead imagine five potential disruptions including a worst-case scenario that could threaten the entire enterprise.
- Recognize behavioral biases that misdirect company decisions. Intuitive thinking can lead you to underestimate low-probability risks and mismanage recovery efforts.
- Reframe the risks so that managers pay attention to them. Stretch the time frame for judging disasters so that a 1-in-100 likelihood of an event next year is viewed instead as a 1-in-5 chance of occurring over the next 25 years.
- Define your firm’s risk appetite and risk tolerance. Identify and balance risk appetite and risk tolerance in mapping your company’s overall strategy, and prioritize the enterprise risks that demand attention now.
- Take steps now to invest in protective measures. Design multi-year budgets that spread out the high upfront costs of risk-mitigation measures so the expected long-term benefits of those investments can be justified now.
- Learn from your own adverse events and near misses as well as those of others. Take advantage of a calamity or close call to redesign your enterprise for preparedness and resilience.
- Protect against extreme losses by transferring some of the risk. Use insurance and other risk transfers to buffer against events that can gravely threaten the firm.
- Attract and prepare the next generation of risk leaders. Prepare future managers to avoid behavioral biases and engage them in deliberative thinking for building risk-management capabilities throughout the firm.
Watch now, as Facebook and its leaders work to extricate themselves from the worst crisis the firm has ever experienced. And as we learn from it and the experiences of others, all of us will be in a better position to face worst-case scenarios and plan for resilient responses, whether a major flood, technological blow-up, or cyber-attack. In doing so, we can make the mastery of catastrophic risk a source of sustainable advantage, rooted in the well-known mantra, expect the unexpected.
Howard Kunreuther is the James G. Dinan Professor of Decision Sciences and Public Policy and Co-Director of the Center for Risk Management and Decision Processes at The Wharton School, University of Pennsylvania.
Michael Useem is the William and Jaclyn Egan Professor of Management and Director of the Center for Leadership and Change Management at The Wharton School, University of Pennsylvania.