CFO’s are usually tasked with risk management. Often that means being in charge of the insurance renewal negotiations. Basically this consists of an annual conversation with your broker on new policies that have been developed to help eliminate some new exposure which you weren’t aware of, and by the way, at a price that you can’t afford. Generally, the broker buys lunch, which is the best part of the transaction.
CFO’s that define risk management as simply buying insurance make a mistake. Corporate risk management has to include problems that can severely damage or destroy a business but are basically un-insurable. The types of problems we’ve seen with credit cards and hacking are a CEO’s nightmare. A single instance can cause irreparable damage to sales and the value of the business. How does a modern risk manager or CFO deal with these types of “all-in” risks?
Risk is usually defined as a function of frequency and severity. Frank Knight, back in the 1920s, argued that there are two realms of risks. Simple risks, which have a known frequency and severity, and uncertainty which is not and cannot be known. Pretty much if an insurance company writes a policy, you know they’ve got a frequency distribution and a good handle on severity. After all, insurance companies aren’t stupid. The big risks, however, remain in the uncertainty realm and those risks remain uninsured and uninsurable. Knight also noted that entrepreneurs generate profit by dealing with uncertainty and not risk.
Since we can’t know the future, business have to learn to deal with both types of Knightian risk. Dealing with known frequency and severity risks can be difficult, but the biggest challenge are in uncertainty or unknown distribution risks. Donald Rumsfield said: “The message is that there are no “knowns.” There are things we know that we know. There are known unknowns. That is to say there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.”
Paraphrasing this into risk speak, we have insurance that covers the simple risks we know. Complicated risks that we are aware of but aren’t well known can only be partially covered by insurance. In these cases we manage the risks, putting in control processes, training and contingency plans to limit the occurrences and severity. Unknown risks by definition are retained and aren’t managed. Without a reporting processes, problems start, grow and can overwhelm a firm. This is true uncertainty.
What makes a risk truly an unknown-unknown? Does it imply that no one nowhere knows the risk? It does not. It simply means that the current management team is unaware of the risk. Nassim Taleb has a great story about a turkey who during its life considers the farmer a benefactor. The week before Thanksgiving the turkey finds out the plan, and imagines it an unforeseen and unknowable event. It might have been for the turkey, but it is not for the farmer.
The risks that will hurt your business are generally the ones that you aren’t managing. Integrated risk management is about pulling together efforts that manage exposure, control what can be controlled and insuring what can be insured. A good integrated risk management plan includes bringing the management team together to focus on the key risks, whether they involve credit cards, hacking. off-shore oil wells or workers compensation.