By Bill Rossi, CEO, Metabiota
If your company doesn’t have a chief risk officer (CRO) today, it will soon. Given the multitude of risks facing today’s global business, it’s become a critical “C” level role in any organisation. While the specific role of the CRO varies from company to company, the essence of the job is the same. CROs and their organisations are tasked to manage and mitigate risk. What does this mean? It means being prepared for the unknown. How would you like that in your job description?
The Evolution of the CRO
For the CRO of Southwest Airlines in 2007, it meant preserving the company’s low fare business model during a period of highly volatile fuel prices. When oil prices spiked to over US$150 a barrel, Southwest successfully hedged its jet fuel purchases allowing them to keep fares low and maintain profitability. Other airlines didn’t fare so well (no pun intended) and were forced to match Southwest’s prices and absorb the hit to their bottom line.
I cut my teeth in the telecommunications industry and witnessed the rise of the CIO (chief information officer). Though they didn’t have “risk” in their title, their job certainly looked a lot like today’s CRO. The CIO’s job was to bring their company into the digital age and navigate the choppy waters of the newly emerging internet economy. If you were the CIO of Blockbuster or Walmart, the challenges you faced were immense. You had a booming business, but a cloudy horizon with small upstarts like Netflix and Amazon promoting disruptive business models. What do you do? Build more brick and mortar stores or begin to hedge your strategy? Enter the CRO, whose role it is to understand the timing, likelihood and potential impact of a specified risk and mitigate it.
The insurance industry learned about the importance of properly assessing risk the hard way. In the wake of Hurricane Andrew in 1992, the industry did not heed warnings by weather experts that predicted heavy rainfall and large storms and as a result, several insurers went bankrupt covering claims in the region.
Today’s CRO
In the technology industry, supply chain risk is growing rapidly. With “Big Tech” manufacturing operations consolidated in Asia, and high-demand for commodities (like cobalt) mined in third- world countries, supply chain risk is now among the top concerns cited by CROs in this sector. As part of our CRO research, we spoke with the head of risk at Seagate, the largest manufacturer of hard disk drives in the world, as he shared some of the risks his company faces and what he worries about most in the future.
Seagate supplies over 100m disk drives a year and accounts for nearly 40% of worldwide production. With most of its facilities and supply chain located in Southeast Asia, the company knows first-hand the impact a catastrophic event can have on a business. In 2011, its largest competitor almost got wiped out by a series of floods that hit Thailand, while Seagate saw its profits soar. Seagate understood the risk of flood and chose to locate its Thailand factory on high ground, a decision that kept its factory humming while its main competitor had to slash production by 50%.
While fires, floods and tsunamis are still risks that rank at the top of the list for their potential impact on a business, Seagate’s CRO acknowledges the next big disaster can start with a simple sniffle. Infectious disease outbreaks affect a company's own staff, as well as suppliers, consumers and beyond.
While SARS and MERS (in 2003 and 2012 respectively) turned out to be less deadly than initially feared, it terrorised the tourism industry. People didn’t travel, and hotel occupancy rates plummeted. In these times, operating a hotel or casino in hot zones or regions that could be impacted by an infectious disease, is like running a business without fire insurance. You can take your chances but the risk of your operation going up in smoke (again, no pun intended) and your job with it, isn’t worth it.
What’s Ahead for the CRO
Bill Gates and other thought leaders think the likelihood of a pandemic like the one we experienced one hundred years ago with the Spanish Flu is quite high, and the magnitude of a similar event would cause a trillion-dollar impact to our economy. Some industries, like the tourism and hospitality industry can’t afford not to protect themselves, but as we know the risk of an epidemic doesn’t stop there.
It can affect supply chains in Southeast Asia and mining operations for rare earth minerals in Africa. It can impact worldwide consumer demand for just about any good or service, it can overwhelm our public health infrastructure and prevent people from getting necessary medical attention, and it can throw financial institutions into panic and cause dramatic swings in the stock market impacting our economy.
CROs are tasked to prepare for the unknowable and what makes their job particularly difficult is prioritising and allocating mindshare and budget among specific threats. The risk of infectious disease is rising with climate change, population growth, global transportation networks, emerging superbugs and declining research for universal flu vaccines. It’s time for CROs to protect their organisations by understanding the potential of this risk and mitigating it.
Here are a few key takeaways about the role of the CRO and its potential impact for corporations:
In addition to the above, Aon found that organizations that rate high on their risk maturity index have greater transparency of risk communication, stronger risk identification of existing and emerging risks, a more formal process of gathering risk information, as well as sophisticated methods of risk analysis.
Unfortunately, the choppy waters of today’s business environment are unlikely to calm, but effective CROs can educate themselves and their organizations on the risks posing the greatest threat to their business and implement strategies to prevent them from sinking the corporate ship.