How to avoid falling victim to cascading risks
CFOs need to ensure risk management isn’t siloed.
Risks don’t exist in silos in an economy as connected and complex as ours. One event can trigger other headaches that have an enterprise-wide impact.
Being clear-eyed about interconnected risks first requires taking a portfolio view of them, then establishing a unified measure of risk tolerance across organizational functions, experts told CFO Brew.
Company leaders have been trained to manage risks as if each occurred in “a single domain of our business,” according to Reid Sawyer, managing director and head of the emerging risks group at Marsh.
“That environment doesn’t exist anymore,” he said in an interview this week at Riskworld, the annual conference hosted by RIMS. “We’re now in an era of unbounded risks, where risks are stacking and where oftentimes the impacts are nonlinear.”
What does that mean? A single product liability risk can trigger claims in both errors and omissions (E&O) and directors and officers (D&O) insurance policies, Ray Santiago, head of financial lines for North America at Sompo, told us. Likewise, an organization slapped with a disclosure penalty from a regulator could see its stock price tumble.
A disruption to a single facility can create outsized economic impacts on the people and businesses that rely on its products, according to Randall Hodge, COO of commercial property insurance company FM. Data centers, for instance, are becoming a more critical foundation in the global economy as hyperscalers like Amazon and Google expect to spend hundreds of billions of dollars in capex on data-center development.
“Ten to 15 years from now, all of our businesses will be dependent upon [data centers], and so will all of our personal lives,” Hodge told CFO Brew.
Sage advice. Organizations need to establish their risk tolerance before deciding how to manage their risks. They should do that by getting everyone involved and identifying how the organization will measure that risk tolerance, Sawyer explained.
There’s no one-size-fits-all way. Companies can choose metrics like margin, cash flow, or EPS volatility, he said.
“Those give you three very different answers about how much risk you’re willing to absorb, and if you don’t have that as a starting point for the conversation, then any other decision you’re making, you don’t have a measure,” he added.
All stakeholders need to be involved in a discussion of risk, as each function will have different perspectives. “The general counsel [will] have a different view of what the risk tolerance is than the CFO, than the treasurer,” he said.
Furthermore, organizations have to take a full accounting of their risks in order to understand how those risks could be connected, he added.
According to Sawyer, “You’ve got to look at individual risk, but in this hyper-interconnected world, if we’re not looking at the portfolio to understand where risks are correlating [or] where risks are stacking, we’re underpricing risks in organizations.”
About the author
Alex Zank
Alex Zank is a reporter with CFO Brew who covers risk management and regulatory compliance topics. Prior to CFO Brew, he covered the property/casualty insurance industry.