Senior Management
Dangerous Exposures: Risk and the Bottom Line
Nine days after the September 11, 2001 terrorist attack on the World Trade Center in New York City, Kent Smetters, then deputy assistant secretary of economic policy at the U.S. Treasury, met with a group of insurers as one of the point people for Treasury. “They said that they never expected this to happen,” recalls Smetters, now an associate professor at Wharton, discussing risk management with senior financial executives in The CFO: Becoming a Strategic Partner program.
Despite the insurers’ contention that they never saw this coming, Smetters points out that there was a previous attack on the building in 1983. Smetters himself talked about the possibility during a program in 1998 at Wharton. “When they constructed the World Trade Center, engineers talked about the potential of this happening. It was well known that the World Trade Center was a terrorist target. How could the insurers have ignored this?” he asks. “Because it was a low probability event.”
It is tempting to engage in too much risk reduction. You don’t want to eliminate all your risk; you only want to go to where marginal benefits equal marginal costs.
–Kent Smetters, Joseph E. and Ruth E. Boettner Associate Professor of Financial Gerontology; Associate Professor of Insurance and Risk Management, speaking to Wharton’s The CFO: Becoming a Strategic Partner program
Smetters notes that one of the hardest issues in risk management is dealing with such high-severity, low-probability events. Most managers, like the insurers of the World Trade Center, choose to ignore them because they seem to be remote possibilities. The subprime mortgage crisis was another example. “It was well known that this problem was going to happen,” he says.
Three Kinds of Risks
Effective risk management requires identifying risks such as low-probability events and creating strategies to address them. Smetters notes that companies face three primary types of risks: 1) financial risk, which is systemic, 2) pure risk, which is specific to the firm, such as risks from operations or a fire at a plant, and 3) regulatory risk.
Pure risks such as operational risks are more significant than many managers recognize. Smetters notes that “casualty” is the second most common reason firms go bankrupt (the first is price competition). Companies also face new cyber and Internet risks in protecting privacy and data, particularly in industries such as healthcare where information is a significant concern or in online businesses.
Regulatory risks include tax changes and new regulations, such as Sarbanes-Oxley, that create additional costs and constraints for companies. “New regulations will come from the response to the subprime mess, so you have to think about what those regulations are going to be and what they mean for your company,” Smetters says. “Corporate income tax rates are likely to go up in the next several years.” He notes that Obama campaigned against tax incentives for sending jobs overseas. The impact of that change and others could be substantial. If money earned overseas has to be repatriated, it will represent a 20 percent tax increase.
One of the biggest regulatory risks, which overshadows the subprime crisis, is shortfalls in Social Security and Medicare. Smetters says there are massive shortfalls that are not apparent in federal numbers because of how the accounting is done. “The U.S. federal budget makes Enron accounting look pretty pristine,” he says. With better accounting, the $10 trillion debt of official government estimates is actually closer to $68 trillion. According to his calculations, the true annual U.S. deficit is $1.5 trillion per year, or 6.7 percent of all future GDP. “This is going to have major implications for the economy going forward,” he says. “We could have a currency crisis in the United States, like the Asian currency crisis, and every year we wait is adding another couple of trillion dollars to the problem.”
Addressing Risks: Mitigation, Transfer, and Incentives
In addressing risks, companies can mitigate or transfer the risks. The trick is to know when to stop. “It is tempting to engage in too much risk reduction,” Smetters says. “You don’t want to eliminate all your risk; you only want to go to where marginal benefits equal marginal costs.”
Mitigation strategies reduce the risk through changes in the way the business is run, such as installing sprinklers or diversifying the supply chain. Companies also can transfer risks through mechanisms such as financial hedging or insurance.
Incentives and culture also play an important role in managing risks. Many incentives such as giving employees options sometimes encourage risky behavior. Companies need to be very careful in designing these incentives to make sure employees are encouraged to take risks that are aligned with the shareholders’ interests. The organizational culture also can help in identifying risks and mitigating them effectively.
Most people do not have a sophisticated understanding of risk and probabilities. Previous research shows that when different groups of airline travelers are asked to assess either the risks from all causes or the risk from a terrorist attack, they give a higher probability to the terrorist attack. Since attacks are a subset of total risks, the probability should be lower, but a clearly identified risk tends to be given more weight since it seems more real to air travelers. Such effects make it hard for managers to accurately assess the probability of risks. “You need to create a culture in your company where people think in probabilities and correctly,” Smetters says.
Improvements in Risk Management: Hurricanes and Oil Shocks
Companies already have made tremendous improvements in managing risks in some areas, Smetters says. A spike in oil prices in the mid 1970s, for example, led to the largest real-value stock market decline in recent history, adjusted for inflation. “In the past year, oil prices reached the same dollar levels as the 1970s, but the stock market didn’t respond in the same way,” he says. “Why? In the past 30 years, firms have become a lot less energy dependent.” Using alternatives, improving efficiency, and diversifying, they are much less susceptible to oil shocks.
Hurricane Katrina is another example. After the Cold War, Russians revealed that the top targets in the U.S. were Washington, New York, and New Orleans. At one time, half the GDP of the country flowed down the Mississippi. The Soviet Union recognized that disrupting the port at New Orleans could bring the entire country to its knees. When the hurricane hit with the equivalent of a small nuclear attack, companies had already recognized that they needed to diversify their supply chains. Companies such as Lowes and Wal-Mart were actually in the position to rush supplies into the disaster area.
“Companies have diversified their supply chains and do not ship through one port,” Smetters says. “Risk management has been taken more seriously during the past few decades. Had it not been taken seriously, we would not be in a recession now; we would be in a serious depression with the impact of oil prices and Hurricane Katrina.”
Your feedback is valuable to us. Please let us know if you consider this: