it possible that we just talk to ourselves? Each year I attend four or
five risk management conferences, primarily to keep up-to-date on current
developments. The registrants at these sessions—practitioners, vendors
and academics alike—are the “choir” of believers to whom the speakers
preach. They listen for the nuances and interpretations of the “priests”
and never doubt their faith. They then return to their organizations to
practice their specialties, congratulating themselves on their progress.
But is anyone else listening or converting to the faith? Have the precepts
of risk management filtered into the thinking of others in the organization?
Is risk management becoming part of the organizational culture?
To check on purported progress, I decided to attend a January conference
on strategic planning in New York, sponsored by the Conference Board.
I listened to the eleven speakers in three general and three repeated
concurrent sessions to see if some of our discipline’s ideas have been
adopted. The results were encouraging. Of the six sessions, three directly
referred to risk issues and how best to resolve them. The opening plenary
presentations dealt with global change and “uncertainty,” followed by
a concurrent meeting that addressed “Managing Across Multiple Cultures,”
bringing risk issues into play. The most explicit session was entitled
“Managing Global Business Risk.” Its first speaker, Merli Baroudi, from
the Risk Services Group of The Economist Intelligence Unit in London,
described her firm’s continuing analysis of ten operational risk categories
that it measures in countries globally: security, political stability,
government effectiveness, legal/regulatory, macroeconomic, financial,
foreign trade/payments, tax policy, labor market and infrastructure. She
suggested “bureaucrats are a bigger threat to business than terrorists,”
that trade risks are exaggerated and that Latin America is the “riskiest”
region,all based on the EIU database. It was a thorough risk analysis
using the tools of the discipline, even though seeing risk primarily in
its downside potential. She was followed by Paul Podolsky, from Fleet
Boston Financial, describing his firm’s approach to the “fundamental irrationalities
of the system” and its techniques (hedging, etc.) for reducing uncertainty.
He defined risk primarily as volatility but recognized that it encompassed
both gains and losses.
Other speakers recommended a renewed focus on “generating value for
customers” as the primary strategic goal for any organization, through
a better understanding of how customers actually use a product or service.
“Create a leap in customer value,” suggested Craig Naylor of DuPont:
the “value proposition” is to improve first the customer’s
profitability and functionality. Risk thinking was evident in many of
Several speakers commented on two new risk issues that will demand
our attention in the coming decade. The first is the privacy of customer
information collected by sellers. The new “Auto ID” radio chip planned
for many products will speed checkouts, reduce inventory shrinkage and
improve inventory controls, but will it also give producers personal
buyer information that could be improperly used? Will the consumer have
any right to its storage and use? How will it be protected from others?
The second risk issue is the growing dependence of organizations on
both internal information technology systems and the external Internet.
What can impair these systems? How do we protect them? Are we resilient
enough to continue operations without them?
Is anyone listening? Based on this one conference, admittedly a small
sample, I am encouraged that risk management ideas are being slowly
absorbed into organizations.
The job of the entrepreneur isn’t to act prudently, to err
on the side of caution. It’s to err on the side of reckless
ambition. It is to take the risk that the market allows him
Michael Lewis, "In Defense of the Boom,"
New York Times Magazine, October 27, 2002