I remember performing at Strategic Risk Review for a company in the Middle East. There were two of us on the team in-country, with support at "home". When attempting to come up with our starter set of assumed strategic risks, we included the usual; market and product risk, process and system risk, cyber and privacy, financial reporting and financial management risk, capital markets and exchange rate risk, and of course ownership and succession risk. My colleague then added "loss of life, the death of an employee" as one of the strategic risks.
Loss of life, it would seem obvious, is a major strategic risk, and the short and longer-term impacts could, if not managed well, be significant. Yet in this situation, I told my colleague that I did not agree, and for this company and country, the response to a workplace death would be "write a cheque". I'm not normally cold and disrespectful of human life, and certainly not disrespectful of the strategic risks facing organisations. But this time it simply did not rise to the level of strategic risk.
Strategic risks vary. Certainly, there are common strategic risks, but each country, industry, company and organisation, and the business lifecycle both at the global and at the individual entity level will influence the range of strategic risks applicable to the entity.
Country influences
Businesses and entities function within countries, usually within their home country, sometimes across countries and regions. Each country has its idiosyncrasies, from cultural to political, regulatory or legal, or in many countries, extra-legal (corrupt practices embedded in the culture and government).
The UK provides a good example of a current strategic risk associated with that country: Brexit. The only good news is that like Y2K, Brexit will be here and gone soon enough, and the uncertainty will give way to response and management of the actual risk. but until the event actually happens (if indeed it does) then the potential impact is unknown in detail.
But certain aspects of the risk are known - there will be price discovery as new trading relationships come into place. Some of that discovery will be uncomfortable, with inflation and costs associated with the potential (temporary) breakdown in supply chains. What can be said with confidence is that such market discomfort will be temporary, as Brexit rewrites some rules, but does not rewrite the rules of markets, only the current set of "how to" rules. The underlying economics does not change, and therefore markets will return to efficient functioning, in as much as markets are ever efficient in their functioning.
For example, in a conversation with another colleague, he was concerned that post-Brexit, the cost of vegetables in the supermarkets would go up, and stay up. His argument was that the loss of supply from one source would result in increased cost of supply from other markets. My response was that as alternative sources were able to supply, prices would come down. His view was that "once the supermarkets raise their prices, they will not lower then even if the input costs reduce, as they will use this as an opportunity to increase profits". The flaw, of course, is that this assumes that fundamental market mechanisms of price discovery and competition will, for some reason, be different in a post-Brexit UK.
Other countries have their own market dynamics, not infrequently influenced by exchange rate movements due to global or even local political situations. Turkey today is suffering as the Lira drops due to a combination of economic and political pressures. Therefore, a strategic risk of doing business in Turkey will include the ability to forward hedge externally sourced raw materials, and to hedge, where possible, exchange rate risk against currencies in export markets.
Then there is the systemic corruption in some countries, even to the point where we've seen corrupt practices in the awarding of contracts to introduce anti-corruption programmes. We bid to implement an anti-corruption programme in an East African country, partnering with a local former-Big-4 firm. I will say that I think it was a very good bid, in concept, content, team and pricing. We were shortlisted, and the local partner was invited to the procurement director's office to discuss the next steps.
"Your's is the best bid, and we expect we should be able to award this to you." All good so far. Then, "But we were wondering if there was something would be willing to 'do for the team' here in procurement?"
The local Partner did exactly what he should have done, and apologised and said that unfortunately, they were unable to, after all that might not appear to be within the spirit of the objectives of the project. I wish this had been the "test question", but unfortunately it was not.
I will not name them, but the bid was won by the local firm of one of the Big-4, days before I attended a conference in London in which that same Big-4 firm gave a presentation on anti-corruption and anti-bribery.
So in some countries, you pay or you do not play. It is that simple, FCPA and the UK Bribery Act be damned.
Industry Risk
Different industries have their own strategic risks, though of course there is massive overlap across industries. But Healthcare strategic risk is different from Steel industry strategic risk.
While there are some strategic risks that are applicable to all industries (to a greater or lesser extent) such as Cyber threats and market and entity capacity, the specifics of the risk will vary according to the industry. For example, Cyber threats in service and financial industries centre around customer and personally identifiable data, while in Extraction and Manufacturing, the Cyber threat is one of attacks on infrastructure and SCADA (Supervisory Control and Data Acquisition) to disable plant and equipment. On a national scale, the Cyber threat relates to infrastructure attacks on power generation and distribution, and on national government databases. Recently in Panama, a security analyst was able to demonstrate that the health records of 90% of the citizens were held on servers that were inadequately secured. He demonstrated the ability to extract that data, for almost 4 million citizens.
I remember an FMCG (Fast Moving Consumer Goods) manufacturing company that did not seem to adequately consider one of its strategic risks. The company relies heavily on a distribution network that includes trains, trucking and local distribution. Trains provide most of the transportation of raw materials to factories, while much of the post-production distribution is trucked (from major train depots). During the mid-2000s, before fracking became economically possible, oil production appeared to be approaching a peak, and the price of oil was beginning to move. A sudden movement upward caught the company off-guard, and it appears they had not hedged their transportation capacity or costs.
In the extraction/mining sector, some of the specific strategic risks include political access and regulation, as in many countries access is a core element of doing business, and regulation can and in some cases needs to be leveraged. In one example, a major mining company wanted to improve mine safety by installing high capacity fans and extraction equipment. Unfortunately, local regulations limited the speed of airflow within underground mines, to a rate that the company's engineers had determined to be unsafe. The volumes of air that needed to be moved, due to the size of the mines simply made it impossible to ensure clean and fresh air for workers and equipment, at the regulated airspeed. Political access facilitated the company gaining the exemptions required to manage this risk.
In Brazil, we've already seen the extraction industry-specific strategic risks around company created infrastructure such as dams, and the dangers associated with inadequate investment in maintenance of such dams. Earthen dams, when they collapse, do so at a frightening speed, and the death toll can be significant, with over 200 killed and 100 missing in the Brumadinho dam disaster in January 2019.
In this case, the company clearly has prioritised capital cost containment over life, or simply had failed to listen to their engineers. Only good news travels up, and bad news has a way of dying or being converted into other news. At a major refining business, the Risk Manager was told that, while $2.5 million was required to reduce the risks of a blast furnace explosion (and consequent loss of a many tens of millions furnace) and the risk of death to many employees, the money would be spent on addressing Internal Audit findings that had nothing to do with the blast furnace. Why? Because the CEO of that subsidiary would be fired if he did not address Internal Audit findings, and was not authorised to exceed budget.
Therefore it is inappropriate to expect that there will be a set of strategic risks common to all companies and entities. While there certainly are common strategic risks, it is also clear that each industry will have strategic risks unique to that industry.
Loss of Life - the death of an employee
So returning to the original statement, that the loss of life would not be, for that company in that country, a strategic risk. Certainly is would be a significant risk, and considering the nature of the company, could result in a negative impact on reputation and perceptions. But a strategic risk, no.
Because in that country, the loss of life on an industrial site, for example, results in a mandatory payment of compensation to the family of the victim of twenty-four months of his basic wage, however, “the amount of compensation shall neither be less than Dh18,000 nor more than Dh35,000”.
So based on the exchange rate of May 27th 2019 (and it is worth noting that this exchange rate does not fluctuate significantly), the death of a worker will cost a company between under £4,000 to £7,500. Total.
Or as I said to my colleague, “5% of the capital cost of the bulldozer that ran him over”.
In a case like this when “write a cheque” is the response to the death of an employee, and absent significant reputational damage to a brand, it is sad to say that an employee death simply does not rise to the level of strategic risk.
Loss of life, it would seem obvious, is a major strategic risk, and the short and longer-term impacts could, if not managed well, be significant. Yet in this situation, I told my colleague that I did not agree, and for this company and country, the response to a workplace death would be "write a cheque". I'm not normally cold and disrespectful of human life, and certainly not disrespectful of the strategic risks facing organisations. But this time it simply did not rise to the level of strategic risk.
Strategic risks vary. Certainly, there are common strategic risks, but each country, industry, company and organisation, and the business lifecycle both at the global and at the individual entity level will influence the range of strategic risks applicable to the entity.
Country influences
Businesses and entities function within countries, usually within their home country, sometimes across countries and regions. Each country has its idiosyncrasies, from cultural to political, regulatory or legal, or in many countries, extra-legal (corrupt practices embedded in the culture and government).
The UK provides a good example of a current strategic risk associated with that country: Brexit. The only good news is that like Y2K, Brexit will be here and gone soon enough, and the uncertainty will give way to response and management of the actual risk. but until the event actually happens (if indeed it does) then the potential impact is unknown in detail.
But certain aspects of the risk are known - there will be price discovery as new trading relationships come into place. Some of that discovery will be uncomfortable, with inflation and costs associated with the potential (temporary) breakdown in supply chains. What can be said with confidence is that such market discomfort will be temporary, as Brexit rewrites some rules, but does not rewrite the rules of markets, only the current set of "how to" rules. The underlying economics does not change, and therefore markets will return to efficient functioning, in as much as markets are ever efficient in their functioning.
For example, in a conversation with another colleague, he was concerned that post-Brexit, the cost of vegetables in the supermarkets would go up, and stay up. His argument was that the loss of supply from one source would result in increased cost of supply from other markets. My response was that as alternative sources were able to supply, prices would come down. His view was that "once the supermarkets raise their prices, they will not lower then even if the input costs reduce, as they will use this as an opportunity to increase profits". The flaw, of course, is that this assumes that fundamental market mechanisms of price discovery and competition will, for some reason, be different in a post-Brexit UK.
Other countries have their own market dynamics, not infrequently influenced by exchange rate movements due to global or even local political situations. Turkey today is suffering as the Lira drops due to a combination of economic and political pressures. Therefore, a strategic risk of doing business in Turkey will include the ability to forward hedge externally sourced raw materials, and to hedge, where possible, exchange rate risk against currencies in export markets.
Then there is the systemic corruption in some countries, even to the point where we've seen corrupt practices in the awarding of contracts to introduce anti-corruption programmes. We bid to implement an anti-corruption programme in an East African country, partnering with a local former-Big-4 firm. I will say that I think it was a very good bid, in concept, content, team and pricing. We were shortlisted, and the local partner was invited to the procurement director's office to discuss the next steps.
"Your's is the best bid, and we expect we should be able to award this to you." All good so far. Then, "But we were wondering if there was something would be willing to 'do for the team' here in procurement?"
The local Partner did exactly what he should have done, and apologised and said that unfortunately, they were unable to, after all that might not appear to be within the spirit of the objectives of the project. I wish this had been the "test question", but unfortunately it was not.
I will not name them, but the bid was won by the local firm of one of the Big-4, days before I attended a conference in London in which that same Big-4 firm gave a presentation on anti-corruption and anti-bribery.
So in some countries, you pay or you do not play. It is that simple, FCPA and the UK Bribery Act be damned.
Industry Risk
Different industries have their own strategic risks, though of course there is massive overlap across industries. But Healthcare strategic risk is different from Steel industry strategic risk.
While there are some strategic risks that are applicable to all industries (to a greater or lesser extent) such as Cyber threats and market and entity capacity, the specifics of the risk will vary according to the industry. For example, Cyber threats in service and financial industries centre around customer and personally identifiable data, while in Extraction and Manufacturing, the Cyber threat is one of attacks on infrastructure and SCADA (Supervisory Control and Data Acquisition) to disable plant and equipment. On a national scale, the Cyber threat relates to infrastructure attacks on power generation and distribution, and on national government databases. Recently in Panama, a security analyst was able to demonstrate that the health records of 90% of the citizens were held on servers that were inadequately secured. He demonstrated the ability to extract that data, for almost 4 million citizens.
I remember an FMCG (Fast Moving Consumer Goods) manufacturing company that did not seem to adequately consider one of its strategic risks. The company relies heavily on a distribution network that includes trains, trucking and local distribution. Trains provide most of the transportation of raw materials to factories, while much of the post-production distribution is trucked (from major train depots). During the mid-2000s, before fracking became economically possible, oil production appeared to be approaching a peak, and the price of oil was beginning to move. A sudden movement upward caught the company off-guard, and it appears they had not hedged their transportation capacity or costs.
In the extraction/mining sector, some of the specific strategic risks include political access and regulation, as in many countries access is a core element of doing business, and regulation can and in some cases needs to be leveraged. In one example, a major mining company wanted to improve mine safety by installing high capacity fans and extraction equipment. Unfortunately, local regulations limited the speed of airflow within underground mines, to a rate that the company's engineers had determined to be unsafe. The volumes of air that needed to be moved, due to the size of the mines simply made it impossible to ensure clean and fresh air for workers and equipment, at the regulated airspeed. Political access facilitated the company gaining the exemptions required to manage this risk.
In Brazil, we've already seen the extraction industry-specific strategic risks around company created infrastructure such as dams, and the dangers associated with inadequate investment in maintenance of such dams. Earthen dams, when they collapse, do so at a frightening speed, and the death toll can be significant, with over 200 killed and 100 missing in the Brumadinho dam disaster in January 2019.
In this case, the company clearly has prioritised capital cost containment over life, or simply had failed to listen to their engineers. Only good news travels up, and bad news has a way of dying or being converted into other news. At a major refining business, the Risk Manager was told that, while $2.5 million was required to reduce the risks of a blast furnace explosion (and consequent loss of a many tens of millions furnace) and the risk of death to many employees, the money would be spent on addressing Internal Audit findings that had nothing to do with the blast furnace. Why? Because the CEO of that subsidiary would be fired if he did not address Internal Audit findings, and was not authorised to exceed budget.
Therefore it is inappropriate to expect that there will be a set of strategic risks common to all companies and entities. While there certainly are common strategic risks, it is also clear that each industry will have strategic risks unique to that industry.
Loss of Life - the death of an employee
So returning to the original statement, that the loss of life would not be, for that company in that country, a strategic risk. Certainly is would be a significant risk, and considering the nature of the company, could result in a negative impact on reputation and perceptions. But a strategic risk, no.
Because in that country, the loss of life on an industrial site, for example, results in a mandatory payment of compensation to the family of the victim of twenty-four months of his basic wage, however, “the amount of compensation shall neither be less than Dh18,000 nor more than Dh35,000”.
So based on the exchange rate of May 27th 2019 (and it is worth noting that this exchange rate does not fluctuate significantly), the death of a worker will cost a company between under £4,000 to £7,500. Total.
Or as I said to my colleague, “5% of the capital cost of the bulldozer that ran him over”.
In a case like this when “write a cheque” is the response to the death of an employee, and absent significant reputational damage to a brand, it is sad to say that an employee death simply does not rise to the level of strategic risk.