Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
The Silver Lining: Seeing Opportunities in Risk
By Yoram (Jerry) Wind The Lauder Professor and Professor of Marketing
Director, SEI Center for Advanced Studies in Management Director, Wharton Fellows Program Editor, Wharton School Publishing
The Wharton School, University of Pennsylvania
Draft: April 27, 2005
Recent Advances in Operations and Risk Management Conference in Honor of Paul Kleindorfer
May 5th 2005
Introduction
For companies selling proprietary software in the 1990s, the open-source software
movement at first seemed like a crazy idea. As it grew, it came to be perceived as a
significant risk. The software business was based upon developing valuable intellectual
property and then licensing it to users. Piracy was thwarted with software encryption and
codes as well as legal action as any infringement of intellectual property was met with a
bevy of lawyers. When open-source evangelists began saying that the software should be
given away for free, it was an attack upon the core of their revenue model. As the
adoption of this open-source software increased, this was a growing threat and a
tremendous risk.
This is how IBM first viewed open-source software. When MIT technologist Richard
Stallman talked to technologists at the company in the 1990s about his GNU software, his
idea that software should be like “air” went against every basic instinct of the industry.
There was no business model, and it looked like it could undermine the company’s
current software revenue model by giving away valuable products for free. From this
viewpoint, sharing software was the same as stealing it. This was a growing risk that
needed to be managed. (This is how Microsoft continues to view open source, as one of
the greatest risks to its dominance in software.)
But eventually IBM took a very different view of this strategic risk. The company
embraced the open-source model and developed a business model to benefit from it. (The
fact that IBM’s proprietary Web server software had only gained a fraction of the market
made this shift in thinking easier.) The new business model was based on using open
7/17/2006 2
source as the foundation and then building IBM proprietary software and services on top
of it to increase its value. They also structured their involvement in a way that reduced
their liability, given the company’s deep pockets.
With this shift in mindset, it became apparent that open source had many advantages. The
software was created by a community structured as a meritocracy, in which developers
competed to add source code and users fixed bugs so that the system was self-correcting.
Distribution was easier because it was free, and the community that created it helped to
spread it. IBM became one of the most important proponents of open-source software,
helping to drive a revolution that it might once have wished to stop.
It turned out to be a win-win situation for both IBM and the open-source Apache web
server initiative. IBM contributed equipment and programmers, giving Apache added
credibility and the service support to increase the comfort level of large clients. At the
same time, IBM now had solid software and an easy distribution platform for basic server
software, which was never going to be a high-margin business anyway. By early 2003,
Apache was running on more than 60 percent of all servers1 and IBM had launched other
successful open-source-based projects such as WebSphere and Eclipse.
In the instant that it embraced this new mental model – this new way of seeing – IBM
transformed one of its greatest risks to its software business into one of its greatest
opportunities.2 IBM realized many benefits from the open-source model. This dark cloud
had a silver lining.
7/17/2006 3
In this chapter, we will consider how a shift in mindset can transform risks into
opportunities. We’ll discuss how the traditional approaches to examining risk tend to
focus on the downside of risk, but obscure the potential opportunities that risks present.
We will present a broader perspective of “total risk” that considers both sides of risk to
generate integrated strategies. Based on this broader view of risk, we discuss the pitfalls
of Chief Risk Officers in focusing the attention of the organization on protecting against
the negatives of risk rather than exploiting their positives. Finally, we explore the
implications of this view of risk for the organizational architecture of the firm, leading to
a reconsideration of the theory of the firm.
TRANSFORMING RISKS INTO OPPORTUNITIES
The way companies typically approach risk assessment is to focus on managing the
downside risk. This analysis weighs risks against returns, but it does not encourage
managers to look outside of this narrow frame to see opportunities in the risks. Using
financial modeling, companies define risk as variability of returns. A focus on stochastic
dominance offers a more refined view of risk, and risk assessment can help identify
diverse sources of risk. Still, however, the focus remains on the negative side of the
equation. The concern is for reduction, elimination and prevention of risk. The returns in
this risk vs. returns equation don’t come from the risk itself but from the business activity
that produces the risk. In its simplest form, the analysis can be seen as a balance where
risk, on one side, is weighed against returns on the other, as shown in Figure 1. If it tilts
toward the risk side, the project is often abandoned. If it tilts toward the return side, it
7/17/2006 4
might be pursued. While there are many complex analyses that can be done within this
context, the overall approach limits creativity in addressing risks.
Figure 1: Weighing Risk versus Returns
RiskReturns
From this standpoint, open-source software would be one more risk that might erode the
returns of IBM’s proprietary software business. Other risks came from competitors,
changes in customer behavior, new technologies, new government regulations and other
sources. The presence of open-source software increased the risks and reduced the returns
for the business. This analysis might seem straightforward until the company looks more
broadly at the nature of the risk and the opportunities it might contain.
There are many other examples of how risks can be transformed into opportunities. For
example, most banks initially didn’t consider college students an attractive market for
credit cards. According to all the prevailing actuarial models, students were too risky.
After all, these students were young, had no assets established, no credit rating, no jobs
7/17/2006 5
and growing debts as they paid for their education. But Citibank was the first to
recognize that there was a different way to look at this situation. The parents of these
students were not going to let them start their careers with poor credit. If they got into
trouble, the parents would cover the debt. The risk of offering cards to these students
didn’t decrease, but companies began to take a broader view of it. They set aside the
actuarial tables and recognized that there was a different way to evaluate the risk. This
insight ultimately led to the ubiquitous offers for credit cards to almost every new
freshman coming to campus. With this shift in thinking, the risk was transformed into an
opportunity. Other credit card companies have found ways to design cards for high-risk
customers that had been rejected in the past.
Similarly the low-income recipients of micro-credit loans in developing countries at first
seemed too risky (and too small) for traditional banks to consider. But as Grameen Bank
and others proved the power of micro-lending, it became clear that the risks were much
less than had been thought and many other lenders began to focus on these segments.
These borrowers actually proved to be much less risky in many cases, with default rates
that were lower than the average for more developed markets.
While the music industry saw digital downloads as a threat and a risk, slapping Napster
and even its customers with lawsuits, Apple saw the opportunities in this new
technology. In creating iTunes software, iPod hardware and agreements with owners of
music rights, Apple was able to create opportunities from something the music industry
saw as a huge risk. It turned out that the biggest risk to the music industry was not
digital downloads themselves, but the limits of their own imaginations.
7/17/2006 6
TiVo’ing TiVo
TiVo which allows users to record programs digitally and skip over commercials,
appears to be the kiss of death for traditional advertising. This advertising has been
built around 30-second commercials that viewers have to sit through in order to see the
programming. With empowerment of the viewer through TiVo and the remote,
television that has fragmented into hundreds of channels and the rising importance of
video games, the world has changed in fundamental ways. A study of U.S. television
viewers found that more than 43 percent of viewers were actively ignoring advertising
and that jumped to more than 71 percent for those using personal video recorders such
as TiVo. In some categories, such as credit cards and mortgage financing, more than 90
percent of ads were being TiVo’d into oblivion.3
There are several opportunities embedded in this growing risk. First of all, it is leading to
innovations in marketing. Companies are turning to approaches such as events, buzz and
creative product placement. In launching its new Scion brand targeting youth markets,
Toyota has shunned traditional advertising, spending 70 percent of its promotion on street
events. Even the remaining ad spending is mostly directed toward the Internet.4
Companies are using product placements in films and video games to promote products.
For example, in the Tony Hawk Underground video game, players cannot move up to the
third level until they drink a Pepsi. As Robert Kotick, Chairman and CEO of video game
maker Activision, Inc., commented during the Milken Institute’s Global Forum, “In our
medium, people cannot skip the advertising.”5
7/17/2006 7
In addition to working around TiVo, companies are rethinking TiVo itself. With greater
market fragmentation comes the opportunity to develop and deliver more sharply targeted
messages. An advertisement for golf equipment can be sent only to those viewers who
spend a considerable amount of time watching golfing channels or the latest kitchen
gadgets can be pitched to the devotees of food channels. Companies such as Comcast are
using digital cable capabilities to target advertising to viewers in specific geographic
regions or demographics. A Bermuda tourism ad, for example, might change the age of
the vacationers shown based on demographics or emphasize food on a food channel
while touting the island’s history on the History Channel.6 Based on program choices,
companies can even track whether the remote is currently in the hands of a father or his
teenage daughters, targeting and personalizing advertising to specific members of the
household. In short, TiVo has been Tivo’d. What could be the biggest risk and darkest
cloud in the history of television advertising since the invention of television, could, in
fact, have a silver lining.
SEEING BOTH SIDES OF RISK
Traditional ways of looking at risk would not have recognized these opportunities. The
more IBM focused on the downside risks of piracy, the less attractive and more
threatening open source would look. The more rigorously credit card companies applied
their actuarial models, the more risky college students would appear. The more lawsuits
recording companies filed, the harder it was for them to create effective business models
around digital downloads. The more advertisers focused on ways to thwart TiVo, the less
7/17/2006 8
attention they would give to creative alternatives or capitalizing on the opportunities it
creates.
While there are people in the organization focused on downside risks, the upside of risk is
either ignored or addressed on an ad hoc basis. It is sometimes championed by
entrepreneurial managers, who can see the potential of a creative redirection.
But these innovators often survive outside the purview of risk management. This means
that in pursuit of these upside opportunities, they may take risks that they should not take.
Because both sides of risk are not systematically considered together, the company has a
choice of operating under a mindset of rigid risk management focused on the downside
implications of risk, killing projects that should go forward because the organization is
too risk averse. Or, on the other hand, managers may be forced to operate outside of the
system, which can mean throwing caution to the wind.
Considering the returns along with risks would appear to focus on the upside, but the
returns are from the business activity itself. For example, selling proprietary software
generates revenue and the company then faces a variety of risks that detract from returns
of the business. This is a different analysis than actively looking at the upside
opportunities embedded in the risks. This rethinking of the risk typically produces much
more dramatic returns while at the same time reducing or eliminating the risk itself.
Traditional risk-return analysis does not encourage managers to look for opportunities in
the risks.
7/17/2006 9
As these examples illustrate, there is a need for a richer view of risk than a simple risk-
benefit analysis. We need to assess “total risk” as shown in Figure 2. This Total Risk
Assessment is the basis both for develop strategies for “risk management,” the downside
challenge, and engaging in “opportunity identification and management” to address the
upside opportunities. Managers need to take a broader view of each of these areas and
pay more attention to the upside opportunities of risk as well as the downside. Managers
also need to take a more coherent view of these two aspects of risks. As illustrated in the
figure, this leads to an integrated risk strategy and execution.
Figure 2: Seeing Both Sides of Risk
Integrated Risk Strategy and Execution
Total Risk Assessment
Risk Management
Opportunity Identification and Management
TOTAL RISK ASSESSMENT: SEEING THE GORILLAS
The first step in this process is identifying risks through total risk assessment. While
companies are expanding their view of risk, the challenge is to avoid creating
7/17/2006 10
blindspots. Sometimes organizations may focus intently on one type of risk and miss
others. Mental models and attention limit the risks the organization is able to recognize.
The organization may be so focused on the task of assessing risk from its current
perspective that managers miss much more significant risks outside of this frame.
As one demonstration of such blindspots, consider a study by Daniel Simons and
Christopher Chabris at Harvard University.7 They asked subjects to count the number of
times basketball players with white shirts pitched a ball back and forth in a video. More
than half the subjects were so engrossed in the task that they failed to notice a black
gorilla that walked into the center of the scene and beat its chest. The subjects may have
been doing a good job of counting the basketball passes, but a gorilla was right in front
of them and they didn’t see it. This is a huge risk, right in the middle of the frame of
vision that was ignored because their attention was focused on counting the passes.
Our traditional focus in business is on the risk of losing our count or missing a pass. This
is a risk at a certain level. But a much bigger risk comes from areas we are not focusing
on. The gorillas that come in from left field create tremendous risks that are often
unnoticed. At the same time there are opportunities that we cannot see because of the way
we view risk. By changing the way we think about the business and its risks, we can
better see these threats and realize these opportunities.
Unseen risks can creep up on managers, particularly if their attention is focused on other
areas. For example, many U.S. manufacturing companies were managing their apparent
risks of their operations and competition against other domestic firms, but low-cost
7/17/2006 11
Chinese manufacturing changed the ground rules. This risk showed up like the gorilla in
the video, completely outside the operational focus of manufacturing, and it took some
time for many firms recognize it and develop a China strategy.
Enterprise Risk Management is an effort to look at the total risk of the enterprise. It takes
an integrated approach that can help to recognize the gorillas and take a comprehensive
view of various risks and their interrelationships. While this approach is still in its
infancy, there is also some early recognition of opportunities created by risks.8
Creating Broader Definitions of Risk
To see these unseen risks, we need to use the broadest possible definition of risk itself.
Among the risks assessed by companies are for example country risk, operational risk,
market risk from product and service offerings, the risk that some of customers are
dissatisfied, ethical risks and risks from the volatility of the marketplace. Within each
category of risk, there are a wide range of factors. For example, while some companies
used exchange risks or other shorthands for country risk, the Kurtzman Group developed
a broader Opacity Index that examines 65 variables related to risks in different countries
around the world.9 The index is a rigorous tool for assessing the relative risks of foreign
markets, allowing managers to weigh and compare diverse forms of risk from sources
such as unclear legal systems, regulations, economic policies, corporate governance and
corruption.
7/17/2006 12
But even this definition of risks can be broadened. The company’s actual risks in a given
country depend not only on the local environment but also on the nature of the industry,
the characteristics of the company itself and its partnerships with local firms. A
prominent firm such as IBM, for example, may face much steeper risks than an unknown
organization in some areas and a lower risk in other areas. In addition, a strong local
partner can substantially reduce the risk of entering a new region.
This is just an illustration of the way the definition of country risks can be broadened.
There could be many other ways to expand the assessment of risk. Such an approach can
also be applied to every risk facing the firm. As companies think more broadly and
creatively about risks, they can better see the gorillas that could represent new threats.
BROADENING THE VIEW OF RISK MANAGEMENT
While companies generally focus considerable attention on the challenge of risk
management, particularly those firms that have appointed chief risk officers, there is also
a need to look at the challenge of risk management more broadly. While risk
management initiatives are generally centered within specific firms, the risks in a
networked world are increasingly interdependent. Again, the frame of managers needs to
be broadened.
For example, security risks are interdependent. Unless every airline is screening baggage
to the same standard, a bomb-carrying bag could entered the system at one poorly
defended check-in and put the whole system at risk. It doesn’t matter how good a specific
7/17/2006 13
carrier’s systems are. It still faces risks through these broader interdependencies. Howard
Kunreuther, Geoffrey Heal, and Peter R. Orszag point out in their consideration of
terrorism, there may be a need for public interventions that encourage private actions to
develop “interdependent security.”10 When risks are created and prevented as a result of a
broader ecosystem, focusing on risks within a single firm will not lead to optimal
solutions. A broader view of the challenges such as the concept of interdependent
security can lead to broader solutions for risk management.
Similar interdependencies can be seen in how individuals engage in activities that could
reduce or increase environmental risks, such as using environmentally sustainable
technologies, engaging in recycling or reducing use of fertilizers and pesticides on crops.
As Paul Kleindorfer and Ulku Oktem point out, decisions are affected by mental models
and biases of individuals.11 Regulators and companies need to understand this decision-
making process to develop effective mechanisms for aligning individual actions with
public goals such as protecting the environment. Solutions need to take into account the
motivations of different players.
Companies can also broaden their view of risk management by focusing on identifying
weak signals of problems earlier in the process. For example, while many manufacturing
firms engage in post-disaster analysis to identify, prevent, manage and remedy the causes
of major explosions or other catastrophes, some have moved to “near-miss analysis” to
look at incidents that do not lead to major injuries or property damage. Before the 1997
Hindustan refinery explosion that killed 60 people, there had been complaints about
7/17/2006 14
corroded and leaking transfer lines that went unheeded. Before the 1986 Challenger space
shuttle explosion, engineers had identified degraded O-rings on missions dating back to
1982. By paying closer attention to these precursors and developing systems for
responding to near misses, managers can recognize and address risks that otherwise
would not be on the radar screen.12 By extending the mental model from catastrophes to
near misses, the organization can engage in a broader approach to risk management.
In addition to near misses, many major disasters from airline crashes to the Three Mile
Island nuclear accidents were the result of the accumulation of fairly minor mistakes that
were not recognized early enough. These escalating mistakes are apparent in retrospect
but the challenge is to see them as they are unfolding. Early identification and analysis
are vital in this process, as Robert Mittelstaedt Jr. points out in his book, Will Your Next
Mistake Be Fatal?13
Organizations can take a broader, cross-disciplinary approach to risk management by
bridging disciplinary silos. Distinct disciplines within an organization tend to view risks
and opportunities through their own lenses. Operations examines the operational risks,
marketing the marketing risks and finance the financial risks, the interdependencies of all
these risks are seldom examined together. These silos restrict the ability to take an
integrated approach to managing risks. There can be tremendous power in bridging
organizational silos. The legendary medical treatment of the Mayo Clinic is based upon
focusing diverse medical insights on a patient’s problem. While the choice of treatment is
often a product of the choice of medical specialists (consulting with a surgeon, for
7/17/2006 15
example, will tend to lead to a surgical solution), Mayo uses more diverse teams to create
treatment plans. These teams of specialists look at the patient’s symptoms from a variety
of different perspectives and then draw up an integrated plan of action. The organization
pulls together the expertise it needs from various perspectives and clinic sites to address a
patient’s specific problems. This process is facilitated by a culture, an incentive system
and interactive technology that support collaboration. 14
Finally, organizations can improve their risk assessment and risk management through
pattern recognition, clustering and identifying causal relationships. This clustering of
risks and prioritization can offer insights on the root causes of risks and how they can
best be addressed.
While risk assessment has received significant attention in the risk management literature
and practice, even in this area, there are opportunities to expand our thinking. There are
opportunities to broaden perspectives by looking at interdependent risks, paying attention
to near misses and other weak signals, and deploying interdisciplinary approaches.
ENGAGING IN OPPORTUNITY IDENTIFICATION AND MANAGEMENT
While broadening mental models can help create a richer assessment of risk and more
robust approaches to risk management, this is just part of the equation. There is also an
upside of risk, as shown in Figure 2 that must be addressed through opportunity
identification and management. As noted in the opening examples of open-source, credit
7/17/2006 16
cards, micro-credit, digital music and TiVo, companies often can find opportunities in
what are initially considered threats or risks.
Focusing on the downside of risk leads to different strategies than focusing on the upside.
For example, the total risk assessment for a retail business might identify customer
complaints and returns as some of the company’s risks. Risk management might look at
ways to design the product return process and manufacturing to reduce returns. There
might be legal language added to warranties and return policies that protect the company
from the risk of angry customers. In contrast, an upside focus would consider ways to
change relationships with customers in ways that not only reduce complaints but also
build stronger customer relationships and loyalty. This increased loyalty and customer
satisfaction could lead to increased share of wallet and higher returns for the business
while at the same time reducing customer complaints. The focus on complaints
themselves leads to one set of actions. The broader focus on the upside potential would
suggest a broader set of actions. There would still be careful wording of the warranties
(risk management) but there might be less need to rely upon them as a result of stronger
customer relationships. To take another example, this is like the difference between a
physician who purchases comprehensive malpractice insurance to manage risks versus
one who develops strong relationships with patients that decrease the likelihood of legal
action.
To take another example, the inner city is generally considered a risky environment in
which to conduct business. Most companies see poverty, crime and drugs. On the other
hand, most multinational companies are very interested in emerging markets, which are
7/17/2006 17
viewed as a source of tremendous future opportunities as they develop. Companies are
racing into China, India and other parts of the emerging world because they see
opportunities for growth that offset the risks. Michael Porter, the Milken Institute and
others have proposed that we consider inner city markets as “domestic emerging
markets.” This shift in framing leads to a fundamental change in how we see the risks
and opportunities presented by these markets. Instead of merely focusing on the risk of
these markets, we can see by analogy that there are opportunities if we can create the
right business models to capitalize on them.
Rethinking Business Models
A shift in thinking about risks often requires a shift in business models to take advantages
of these opportunities. To do business in developing markets as well as “domestic
emerging markets” requires different approaches to the business. Similarly, from the
perspective of selling music on CDs, digital downloads were a tremendous risk to the
future of the business. To realize the opportunity, companies like Apple needed to
develop new equipment, new purchasing mechanisms (the 99-cent song) and an entire
business ecosystem around this new model. The shift in thinking that leads to
opportunities is not just about the risk itself but about how business is conducted.
When Commerce Bank saw itself as a retailer in financial services instead of a bank, it
led to change the way it approached the business. It was among the first to break with the
tradition of “bankers’ hours.” Retailers know to be open when customers are actually out
shopping, not during their work hours. Commerce created a network of branches because
retailing is all about location. It offered services such as coin counting to bring customers
7/17/2006 18
into the branch. The shift in its thinking led a fundamental shift in how it conducted its
business.
THE DAMPENING EFFECT OF FOCUSING ON DOWNSIDE RISKS
If being a little cautious is a good thing, being more cautious might seem even better. But
the problem is that there also are downsides to too much risk aversion as well. This can
be seen in Sarbanes-Oxley where the desire for reducing risks for investors creates a
substantial burden on companies. There are direct costs in increased auditing and more
cumbersome operations, for starters, but there are also less obvious risks. The new
regulations change the role of the board from one of strategic partner in maximizing the
company’s value to being policemen in ensuring compliance. What are the true costs of
such a shift in restricting the active involvement of board members in identifying and
capitalizing on new opportunities? Like a risk-averse driver, such a company may have
fewer accidents but it also may limit its speed on the highway and the diversity of its
destinations.
Is It Risky To Have a Chief Risk Officer?
With this additional perspective of risk as opportunity, there is a need to reexamine the
impact of Chief Risk Officers (CROs). The creation of CROs is designed to have an
accountable top executive who focuses on risk, ideally leading to minimization of risk.
Yet, the CRO may, in fact, be increasing risks for several reasons:
7/17/2006 19
• A focus on the downside: This means that there is place in the organization to
systematically focus on downside risks but there is no place in the organization to
focus on the upside opportunities that are embedded in risks.
• Siloing of risk: While taking risk out of the context of broader business decisions
and strategy increases focus on this important area, it also separates it from other
business decisions. Like any number of business disciplines, this separation
cultivates specific expertise but leads to a narrow view of business challenges.
These challenges often demand broader solutions. Is the potential of marketing
initiatives fully appreciated from the perspective of risk management? Is new
product development and new business development adequately appreciated?
• Balkanization of risk: Another danger of giving responsibility for risk
management to one part of the organization is that it may imply that the rest of the
organization doesn’t have to worry about it. Nothing could be further from the
truth. In a world in which one rogue trader can bring down a venerable institution
such as Barings Bank, the entire organization needs to recognize the emerging
risks.
Many of these critiques are not unique to risk management but could be applied to many
of the other silos in organizations. This is not to criticize the establishment of CROs,
which has been an important step in focusing more corporate attention on risks. The CRO
has helped to look at risks more broadly across the entire enterprise and to better manage
7/17/2006 20
them. We still need to give this kind of attention to the downside of risks shown in the
bottom of Figure 2, but we also need to look at the upside and the interdependencies
between them. This means that we need to change the management structure, processes
and culture, and performance measures and incentives of the organization to encourage a
focus on the upside as well as the downside of risk.
RETHINKING ORGANIZATIONAL ARCHITECTURE
As discussed, addressing risk more broadly and capitalizing on opportunities often
demands rethinking business models. It also may require redesigning many aspects of
organizational architecture, as shown in Figure 3. For each element of the architecture,
managers need to look for ways to shift the definition of risk:
• Instead of making vision, objectives and strategy fixed in stone, the company can
move to more fluid approaches that address and mitigate risks. It also needs to set
stretch goals and other challenging objectives that encourage sound risk taking
and creativity.
• The organizational culture has to avoid risk-averse behavior and encourage
creativity. While discouraging negative risky behavior, the culture also has to
accept mistakes as a natural part of learning to encourage individuals to pursue
well-designed initiatives, even if they entail some risks.
• Organizational structures and processes can be made flexible enough to absorb
and reduce risks, and they also need to be open enough so that individuals can
identify and pursue new opportunities.
7/17/2006 21
• Processes cannot be too rigidly defined to protect the organization against risk.
Instead, they need to be flexible enough to allow creative thinking and action. For
example, CIA’s venture fund In-Q-Tel created a separate organization that was
focused on identifying and investing in new technologies that could be valuable to
the CIA’s work.
• People can be hired to mitigate risks, through strategies such as outsourcing, and
companies can hire more versatile employees who have the personal courage to
take risks but the wisdom and experience not to do so foolishly.
• Resources can be deployed creatively, for example by investing in strategic
options that give the organization flexibility later in the process. The company can
also earmark some of its resources for learning.
• Technology can be used to analyze risks, and can also be designed to reduce
various risks, including operational risks, international risks and security risks.
Technology can also be used to analyze opportunities and share creative ideas.
• Performance measures and incentives can be used to encourage employees to pay
attention to risk and behave in ways that reduce risks, or they can be designed to
encourage employees to think about opportunities. Giving employees a certain
percentage of their time to work on their individual projects, as 3M has done, or
rewarding those who pursue entrepreneurial initiatives can encourage employees
to focus more on the upside opportunities.
All these elements of organizational architecture are interdependent, and one of the major
risks for the organization is not to integrate these various characteristics. They are all
7/17/2006 22
interrelated. Organizational architecture recognizes the interdependencies among all these
elements.
At the center of the architecture, the governance of the organization has to pay attention
to risks, particularly those that come from the broader environment and context of the
business. The organization’s governance and leadership can also help ensure a balance
between risk management with opportunity identification through its own example and
actions.
Figure 3: Organizational Architecture
PerformanceMeasures and
Incentives
H
Vision, Objectivesand Strategies
A
Technology
G
Resources
F
People
EProcesses
D
Structure
C
OrganizationalCulture
B
The OrganizationalStakeholders:
CustomersEmployees
HQShareholders
SuppliersGovernmentCommunities
Other
Towards a New Theory of the Firm
This broader definition of risk is consistent with changes in the theory of the firm. As
Paul Kleindorfer pointed out at the 2004 board meeting of the SEI Center for Advanced
Studies in Management, the old view of the firm is that it is a unitary actor, a single
7/17/2006 23
15entity that controls all the necessary inputs. This theory, as discussed by Adam Smith,
in his well-known examination of a pin factory, is built around specialization and trade.
Specialization means unbundling certain tasks to take advantage of economies of scale
while trade involves a process of “rebundling.” The theory of the firm – as developed by
Smith, Marshall, Coase, Samuelson, Williamson and others – is focused on maximizing
profits by increasing revenues and reducing costs. Part of the reduction of costs is
managing risks.
But risks, and opportunities, today are not primarily from the single actors but rather from
systems. Li & Fung, for example, has rethought the supply chain. The traditional supply
chain is fixed, either through vertical integration or a stable set of suppliers. This rigidity
can make the supply chain much more susceptible to shocks if a link in the chain is
broken. With supply chains stretching around the world, this exposes companies to risks
of currency fluctuations, economic crises, political unrest and other risks.
Li & Fung redesigned its supply chain to make it more flexible. The company has used
advanced technology and a set of 7,500 suppliers to create a networked supply chain that
can be configured on the fly.16 Every order, in effect, results in its own, customized
supply chain. For example, if the company receives an order for 10,000 shirts, managers
will select the best source for the yarn, for the dyeing and weaving, and for cut-make-
and-trim. They might source yarn from a factory in Korea and use two dyeing and
weaving factories in Taiwan. The best place to finish might be three factories in Thailand.
7/17/2006 24
This is done every time an order comes in, so the same order for 10,000 shirts a few
weeks later might result in a completely different supply chain.
Organizations such as Li & Fung are becoming more fluid and flexible, which helps them
to absorb more risks. The company operates as part of a global integrated value network
and no longer as a stand-alone firm. This flexibility, in itself, reduces risk. If there is a
civil war in one country, the supply chain can be shifted to another. If currency values
drop, the supply chain can be reconfigured. Other companies might try to manage the
risks of their existing supply chains, but Li & Fung, by rethinking the organization,
changes the whole definition of risk.
CONCLUSION: AGENDA FOR RESEARCH AND ACTION Throughout his career, Paul Kleindorfer has encouraged a broader view of risk and
opportunities, including research in areas such as enterprise design management,
catastrophic risk, environmental management and near-miss management, as discussed
above. Based on his definitive works in decision sciences, he has brought a deep
understanding of the impact of mental models and biases of decision making to the study
of how we address risks as individuals, and in organizations and society.17 I also have
had the pleasure of collaborating with Paul on the development and teaching of an
interdisciplinary MBA course on “integrating marketing and operations.” Looking
through one discipline or another could lead to missed opportunities and increased risks.
The MBA course recognized that it is far more effective to jointly optimize market and
operations than to optimize either marketing or operations independently. It is only
through multidisciplinary perspectives that we can develop more creative solutions.
7/17/2006 25
How can we facilitate a broader view of risk? To better understand total risk assessment,
we need more research on issues such as interdependent risks to understand the
interactions that create or reduce risks and how best to manage them. For practice, we
need assessment tools and broader frameworks such as the Opacity Index for managing
risks. In addressing risk management, we need to expand our empirical studies of risk
management strategies and examine the power of interdisciplinary approaches. A focus
on interdependencies and analysis of the impact of approaches such as near-miss analysis
can help to quantify the returns from a broader view and create frameworks for managers.
Finally, we need research that addresses the upside potential of risk as well as its
downside to more clearly demonstrate the power of thinking more broadly about risks.
We also need systematic approaches that can ensure managers look at risk from different
perspectives and explore its positive as well as negative implications. Finally, researchers
need to develop new theories about the firm and new designs that support a broader view
of risks and more creative approaches to addressing them. Companies need to rethink
their current organizational designs and look for ways to support broader thinking and
challenge current models.
There is a tremendous need for better assessment and integrated risk management tools.
While there will probably never be a simple formula for analyzing something as complex
as the upside and downside or risk, we can create better measures that will give managers
a clearer view of the positive and negative impact of decisions about risk.
7/17/2006 26
More rigorous and balanced measures, perhaps even represented in dashboards tracking
opportunities and risks, will ensure a more integrated view of risks in organization. This
will help ensure that while managers continue to watch for the dark clouds hovering
above their businesses, they will also be on the look out for the silver linings.
7/17/2006 27
NOTES 1“February 2003 Netcraft Survey Highlights.” Server Watch. 3 March 2003.
<http://www.serverwatch.com/news/article.php/1975941>. 2 For further discussion of the opportunities from shifting mental models, see Jerry Wind and Colin Crook,
The Power of Impossible Thinking, Wharton School Publishing, 2004. 3 A survey of the 15 largest U.S. television markets in 2003, by CNW Marketing Research, Inc., reported
in Anthony Bianco, “The Vanishing Mass Market,” BusinessWeek, July 12, 2004, p. 60. 4 The Echo Boomers, CBSNews.com, October 3, 2004. 5 Milken Institute Global Forum, April 2004. 6 Lorne Manly, “The Future of the 30-Second Spot,” The New York Times, March 27, 2005, Section 3, Page
1. 7 Daniel J. Simons and Christopher F. Chabris, “Gorillas in our Midst: Sustained Inattention Blindness for
Dynamic Events,” Perception , Vol. 28 (1999), pp. 1059-1074. 8 Enterprise Risk Management – Integrated Framework, PricewaterhouseCoopers, September 2004, p. 1. 9 Joel Kurtzman, Glenn Yago and Triphon Phumiwasana, “The Global Costs of Opacity,” Sloan
Management Review, Vol. 46, No. 1 (Fall 2004), pp. 38-44. 10 Howard Kunreuther, Geoffrey Heal, and Peter R. Orszag, “Interdependent Security: Implications for
Homeland Security Policy and Other Areas,” The Brookings Institution, October 2002. 11 Paul R. Kleindorfer and Ulku Oktem, “Assessment of Environmentally Sustainable Technologies as if
Individuals Matter: And They Do!” Wharton Risk Management and Decision Processes Center, May 2004. 12 James R. Phimister, Ulku Oktem, Paul R. Kleindorfer, Howard Kunreuther, “Near-Miss Management
Systems in the Chemical Process Industry,” Wharton Risk Management and Decision Processes Center,
January 2003. 13 Robert Mittelstaedt, Jr. Will Your Next Mistake Be Fatal? Avoiding the Chain of Mistakes that Can
Destroy Your Organization. Philadelphia: Wharton School Publishing, 2004. 14 Berry, Leonard L., and Neeli Bendapudi. “Clueing In Customers.” Harvard Business Review 81:2
(2003). pp. 100–106. 15 Paul Kleindorfer, “Toward a New Theory of the Firm,” SEI Center for Advanced Studies in
Management, Board Meeting, October 1, 2004. 16 Victor Fung, “The Dispersed Global Supply Chain,” SEI Center for Advanced Studies in Management,
Board Meeting, September 30, 2004. 17 See for example, Paul R. Kleindorfer, Howard G. Kunreuther and Paul J.H. Schoemaker, Decision
Sciences: An Integrative Perspective., Cambridge University Press, 1993.
7/17/2006 28