Protecting Your Company from Disaster in the DIY Era

Disasters should be our teachers. Among the lessons we can take from the financial meltdown and the catastrophic Gulf of Mexico oil rig failure is that we have fallen short in understanding the risks we've created for ourselves.

And just as risk is not quantifiable, neither is the possibility of damage to corporate reputation. In a business culture that runs on metrics—where decisions are made on the basis of return on investment, margins, earnings, debt ratios, and dozens of other measurements—the imprecise nature of risk makes it difficult to discuss. There is often a powerful temptation to ignore what is not measurable—particularly with regard to so uncomfortable a subject as risk—in favor of what is. A program to identify and avoid catastrophic events adds nothing to the confidence of customers and employees. And, perhaps most important, investors won't pay for it.

As a consultant working at the interface between large corporate clients and the capital markets, I have extended conversations with a hundred or more institutional investors and equity analysts every year. In discussions that focus on how they value companies, I always make sure to ask them whether they include a company's conduct with regard to the environment and human rights in their risk calculations. In most cases I get variations of the following answer: "I care about these things a great deal personally, but they don't enter into my investment decisions. Companies don't talk about them, and I don't know how to quantify them." Period.

A Bad Day Everywhere

I would guess that the explosion of the Deepwater Horizon was one of the worst days in the life of Tony Hayward, BP's (BP) chief executive officer.

I would also guess that S. Elizabeth Birnbaum holds similar feelings about the day a month or so later when she resigned under pressure as head of the Minerals Management Service (MMS). The MMS, which manages offshore oil and natural gas operations and oversees BP's in the Gulf, has been described by The New York Times as "an agency widely recognized as one of the most dysfunctional in government." The MMS exempted BP from a host of requirements relating to environmental impact and disaster recovery when it approved the Deepwater Horizon project last year. At the time, it stated that the risk of environmental damage in Deepwater Horizon's area of the Gulf was "minimal or nonexistent."

Like virtually every company in the world, BP keeps the deliberations of its inner councils private. But if it is like most companies, BP would have welcomed this regime of regulation lite. Freedom of business from government intervention was one of the ideas held dear by those first tea partiers more than two centuries ago, and both the Revolution and the country that sprang from it were based on the idea of freedom of action.

But history, and most notably the Depression, led us to a belief that certain degrees of public oversight were necessary to keep individual enterprises aligned with the public good. In recent years, a weakening in the government's regulatory structure has enabled companies to go regulator shopping, just as banks in the buildup to the subprime bubble went ratings shopping for their mortgage-backed securities. (AIG bought a Delaware Savings & Loan that enabled it to place its entire worldwide empire under the regulatory watch of the small, weak, and virtually powerless Office of Thrift Supervision.)

Tough Medicine

The Deepwater Horizon case should show even the most animal-spirited business leader that there's another side to regulation—one that protects companies against risk, whether they like it or not. The absence of regulation not only fails to force companies into risk-mitigating behaviors, but makes it more difficult for them to pursue those behaviors on a voluntary basis. If an executive in Tony Hayward's position prior to the explosion were to ask his board to spend millions of dollars on disaster preparedness after a regulator said there was little or no danger, the board would most likely fire him as the wrong man for the job.

All the Help We Can Get

If our history over the last few years tells us anything, it's that risk is a subject larger than any single company. Dozens, if not hundreds, of companies joined each other in ignoring established standards of risk assessment as the subprime bubble inflated. The zeitgeist of the time amounted to nothing less than collective denial that there was anything wrong. The amount of money banks and lenders seemed to be making kept everyone quiet. Complicit in that silence was an Administration that had come into office carrying beliefs that accommodated the excess. But it has now become clear that, even though government's commitment to monitoring risk may rise and fall with the political tides, the risks any particular company faces do not.

In the absence of responsible oversight, companies must manage risk by becoming their own regulators in a sense. Unfortunately, this is not the same "self-regulation" they have so long sought.

Facing the Unknown Future: It's About Culture and Structure


Management must hone its own instincts so it makes significant decisions with a knowledge of the real risks involved. It must establish and reinforce the essential convictions of risk awareness:

A top-of-mind consciousness that catastrophic events are possible. In considering their own interests, most management groups will consider "catastrophic events" to include those that lead to selling the company.

An emphasis on the perception that events become catastrophic because they are unanticipated. If you don't see the risks, look harder. Andy Grove was thinking about technology change and competition when he wrote Only the Paranoid Survive, but it's a universal business concept.

An insistence that the internal risk conversation include diverse voices. I've never heard the idea expressed better than when a senior U.S. executive confided to me that he pushed himself toward ever-greater transparency as a means of keeping himself honest.


As a matter of governance, form a Risk Advisory Board comprising individuals from diverse industries. Its bylaws should stipulate a live presentation to the board of directors twice a year.

Mandate a standing scenario-planning group, made up of individuals from every professional level, in each major business. It must have clear upward reporting channels.

In the end, BP, which we can consider a proxy for any company, is responsible for its own sustainability. Responsible regulatory oversight requires cohesion and clarity on the political front, so it won't be here any time soon. Meanwhile, there are many functions you can profitably outsource, but risk management isn't one of them.