This report investigates the origins and impact of over twenty major corporate crises of the last decade. The crises examined involved substantial, well-known organisations such as Coca-Cola, Firestone, Shell, BP, Airbus, Société Générale, Cadbury Schweppes, Northern Rock, AIG, Independent Insurance, Enron, Arthur Andersen, Railtrack, the UK Passport Agency and also some smaller firms. Several did not survive and most of the rest suffered severe damage.
Our aims were to trace the deeper causes of the crises, to assess the post-event resilience of the companies involved and to consider the implications for the risk management of companies in general.
Our report is built around eighteen detailed case studies that analyse the impact of critical events both on the enterprises most directly affected and, in many cases, on other associated firms. There are references to around forty organisations in total.
The case studies provide a rich source of lessons about risk, risk analysis and risk management, in the context of critical events of many different types, ranging from fires and explosions, product-related and supply chain crises to fraud and IT failures. Our report details over one hundred specific ‘lessons about risk’ that emerge from the case studies.
Much broader lessons have also been distilled from the case studies. Several of the firms we studied were destroyed by the crises that struck them. While others survived, they often did so with their reputations in tatters and faced an uphill task in rebuilding their businesses. We found that the firms most badly affected had underlying weaknesses that made them especially prone both to crises and to the escalation of a crisis into a disaster.
These weaknesses were found to arise from seven key risk areas that are potentially inherent in all organisations and that can pose an existential threat to any firm, however substantial, that fails to recognise and manage them. These risk areas are beyond the scope of insurance and mainly beyond the reach of traditional risk analysis and management techniques as they have evolved so far. In our view, they should be drawn into the risk management process. They are as follows:
A. Board skill and NED control risks – limitations on board competence and the ability of the Non-Executive Directors (NEDs) effectively to monitor and, if necessary, control the executives.
B. Board risk blindness – the failure of boards to engage with important risks, including risks to reputation and ‘licence to operate’, to the same degree that they engage with reward and opportunity.
C. Poor leadership on ethos and culture.
D. Defective communication – risks arising from the defective flow of important information within the organisation, including to board-equivalent levels.
E. Risks arising from excessive complexity.
F. Risks arising from inappropriate incentives – whether explicit or implicit.
G. Risk ‘Glass Ceilings’ – arising from the inability of risk management and internal audit teams to report on risks originating from higher levels of their organisation’s hierarchy.
We conclude that a number of developments are necessary to deal with these risks.
The scope, purpose and practicalities of risk management will need to be rethought from board level downwards in order to capture these and other risks that are not identified by current techniques.
The education of risk professionals will need to be extended so that they feel competent to identify and analyse risks emerging from their organisation’s ethos, culture and strategy, and from their leaders’ activities and behaviour.
The role and status of risk professionals will need to change so that they can confidently report all that they find on these subjects to board level.
However, these risks will remain unmanaged unless boards – and particularly Chairmen and NEDs – recognise the need to deal with them. Boards will also need risk professionals with enhanced vision and enhanced competencies to help them do so.