Distributors face many kinds of risk, including product liability claims, economic uncertainty, employee injuries, natural disasters and supply chain disruptions. By identifying potential scenarios, and ranking and planning for each of them, risk can be reduced and managed, says Vernon Grose, author of Managing Risk: Systematic Loss Prevention for Executives and founder of Omega Systems Group Inc. Grose is a former member of the National Transportation Safety Board and a risk management aviation expert who has applied lessons from that work to help businesses and organizations.
Staff Writer Angela Poulson spoke with Grose about how distributors should approach risk in their businesses.
MDM: Can you tell me more about the types of risk companies face and how companies typically address them?
Vernon Grose: Risk is a subject which has been broken up into specialties. For example, human resources has to watch the risk of discord in the company. There is also legal counsel, because there are always liabilities that can be brought against these companies.
You also have lost financing where you go insolvent, and that risk is called lost financing risk. Environmental control risks deal with toxicity, such as if you have an explosion like they had in Texas when a refinery exploded – that smoke and the result of that fire will impact all kinds of companies in the area.
When there are defects in the products that you are delivering to your clients, we call those defects quality assurance risk. Then you have security risks, with the threat of someone coming in – a terrorist or a criminal – you can have crazy people with guns come in and you’ve got to be able to handle that risk. There are also safety risks, which are hazards like fire.
All of these dimensions of risk have to be integrated so that they all can be managed somehow. If you look at British Petroleum’s failure in the offshore drilling in the Gulf three years ago, it was absolutely wrong. They didn’t have a systematic approach to offshore drilling. So now they’re spending billions of dollars to promote on television the nice beaches on the Gulf, spending all of that money to go back and cover up what they did wrong. They should have seen it.
Same with Enron. They spent millions of dollars on risk management, but they failed to identify what ultimately took them to bankruptcy. You need to have a systematic, all-encompassing look at your risk – otherwise you’re going to get bitten at some point.
MDM: Tell me about your SMART (Systems Methodology Applied to Risk Termination) technique for managing risk.
Grose: As far as we know, it’s a unique technique. It’s a very simple 10-step process based on an all-encompassing systematic view of a company, agency or organization that wants to manage its risk. It’s been successful in a wide variety of settings, both public and private. For example, the Washington Metro in D.C. used it in designing their system. We’ve put it into medical centers in California. Exxon used it for offshore drilling. And it was used to mitigate any possible terrorist attack in the 1984 Olympics after the 1972 massacre at the Munich games. The process has also been applied to coal mining, corn refining and even religious training in a church. So we have a wide dispersion of applications which causes us to think the technique has validity.
The very first thing we do in SMART is identify the organization as a system. By that we mean we put boundaries around it, so everything it consists of is inside the boundary and everything outside of that we consider to have nothing to do with it.
The next step is to define the known inputs and desired outputs of that system. The known inputs are those forces or conditions that caused that system to come into existence. On the output side, it’s those things that are required for it to stay in business or allow it to continue business.
As we go through the rest of the process, we can then identify risk scenarios and judge each one according to how severe the scenario is, how probable it is and what you would have to do to stop it from happening or handle it when it does.
MDM: How do you help companies to see beyond the risks they may have already identified?
Grose: Risk is a word sort of like integrity. Nobody knows quite how to define it, and when you can’t define something, you can’t manage it. To identify risks that aren’t yet apparent, you need a methodology. The key is foresight, and that’s where we use what we call a risk scenario. If you rely on existing data, like accident or loss data that you might get from your insurance company, that’s all post-facto.
In step 3 of the SMART technique we build a functional model of the known system. Companies have to be able to define what set them up in business, what will keep them in business and what they do functionally. When we use the word function, we mean only what they do, not why or where or who or how. We’re saying what, and that “what” diagram then is like a provocateur, a stimulator that forces them to think about every step of their existence and what they are doing functionally. Out of that they write scenarios, little stories of things that could go wrong in all of those areas.
These risk scenarios just have to pass Murphy’s Law – can they really happen, even though they may be really rare or crazy or odd? If it could happen, then we foresee it and write it up. In this way, we introduce foresight into what could happen even for risks that are not immediately apparent.
MDM: What makes your system different from other traditional risk management systems?
Grose: There are several things. What’s remarkably different is that we have a third dimension. Most risk management programs out there look at severity and probability of a risk. We look at a third dimension, which is cost of countermeasures. You cannot manage risk unless you involve money because without that, you can only moralize risk, not manage it.
The second thing that makes us different is that we utilize insider wisdom. Instead of hiring so-called experts from the outside who really don’t know risks, we believe that the insider knows more about their risks than anyone else. What they don’t have is the methodology for extracting that and putting it all together for decision-making.
The third difference is that we have a software program called TOTEM that allows the executive to rank all identified risks, so he or she will know the No. 1, No. 2 and No. 3 risk and so on, rather than just looking at a big unorganized pile of risks. At the top of the TOTEM pole you would have a risk that is horrible and could happen every five minutes and could be fixed for a dime. At the bottom would be nuisances that happen every eon which would cost $100 million to fix.
MDM: Why is it important to have a risk ranking system?
Grose: Companies don’t have enough money to fix everything. There are many, many risks and they are not all equal. Some of them could be fixed very cheaply and some would require lots of money. There’s never enough money to control or eliminate all identified risks, so there has to be a means of making it as cost-effective as possible because that business wants to stay in business, and that takes money.
Examining and ranking risks is also important from a legal point-of-view, because you don’t want to be caught where your company is being sued for something you didn’t even dream could happen. When you put the effort into identifying and ranking risks, you’re much better off in the courtroom than if you were just cruising down the road without even considering the possibilities.
MDM: Are there elements of risk evaluation that companies often overlook or underestimate?
Grose: They very definitely do overlook things. For example, there are three cost elements in risk. The first is risk financing, which is the cost of insurance and worker’s compensation and your budget for your risk management office and outside consultants.
The second cost element is risk control, which we call the cost of doing business because to operate, companies must have health, safety and security personnel and hardware and software. This category involves preventative maintenance for equipment, warnings and protective devices like signs and sirens. This category also includes audits, assessments, inspections and so on.
The cost element that’s overlooked by almost everybody is risk extraction. That’s the involuntary penalty for either unfinanced or uncontrolled risks, such as lost energy sources, raw materials, labor, capital and so on. It also includes property, liability and worker’s compensation losses that they may have to pay.
MDM: In one of your blogs, you said that human beings are rarely discussed as sources of risk but that employee behavior is the central issue in accidents. Could you tell me more about that?
Grose: I do a lot of work with aircraft crashes. Using that as an example, I’ve flown jump-seat – the jump seat is where you sit right behind the captain – on a flight where the captain had not met his copilot before. These two men will encounter certain circumstances where they really have to act like a team, and they cannot be in the process of saying hello to each other when that happens. But I’ve seen this before. Other times, airlines will put people together where one of them will be very talkative while the other guy is kind of a sulker. It really impacts how they fly the airplane.
These subtle human contributions can be significant, although they won’t always show up immediately. Take the Boeing 777 crash in San Francisco in July where they have a flight coming in from Seoul, Korea. The captain, sitting in the left seat, had more hours under his belt than any of the other pilots on the plane, but he had never flown a 777 airplane into San Francisco. Think about what this means. He is in the left seat, which means he’s the commanding pilot, but the guy in the right seat has flown into San Francisco many, many times. They start descending into San Francisco and they idle back on the engines, and the airplane begins to sink pretty fast.
Now, the pilot in the right seat could have warned the pilot that he was coming in too low, but he is not as senior as the guy in the left seat. There is an Asian tradition that you always respect your elders, and it can spill over into behavior like this where he did not challenge the guy on the left. Nobody’s talking about this element openly, but I’m convinced that probably played a role. There are subtle things, particularly in the human area, that have to be looked at.
This sort of thing applies even in the distribution business. Distributors probably think a lot about whatever it is they’re distributing, but who is going to receive it? What will their attitude be when receiving it? Will they fail to check it adequately to make sure it is the right stuff, or might they actually see things your people don’t see?
MDM: Should companies manage risk internally or hire an outside expert?
Grose: Insurance companies oversell their ability to help as outside experts. They don’t understand what’s going on inside that company. Who really understands it are the people there. They may not have a way to handle their knowledge, but they have the knowledge of what could go wrong.
We operate on the premise that no outsider could ever really know a company’s risk as well as those directly involved. To capitalize on that premise, we have companies designate risk juries composed of executives, specialists and generalists who sit and look at every one of these risk scenarios that have been prepared and rank them.
For more on the SMART risk management system, visit www.omegainc.com.