We are in a new era of globalization, information technology, biotech and the activist shareholder, and the term 'risk' now takes on a whole new meaning among companies. Fortunately, there are rigorous risk assessment processes being developed, and the effective boards will review them with interest. In addition, there is new technology such as Ontospace, developed in Europe by Ontonix, a proprietary system which assesses and measures both complexity and risk based on the premise that the more complex a company becomes, the more vulnerable it is to risks from unexpected upsets.
Using tools such as this can greatly improve a company’s—and its board of directors’—consideration of how to plan for and mitigate risks. The goal, of course is to protect the investment of the owners in the face of new and unpredictable crises.
An earthquake, a tsunami, a hurricane, a tornado and a flood are familiar natural risks. A nuclear power plant meltdown caused by an earthquake and a tsunami, and disruption of suppliers of critical components—that’s a whole different level of complexity based risk. The risk caused by a nation restricting access to materials, like China on rare earth minerals, is another unpredicted kind of risk. The only way these risks can be considered and mitigated is by combining scenario analysis and systematic analysis of complexity and risk, following a careful process. That’s tough duty, right? But it is de rigueur for the 21st century multinational company.
Then there are the two unexpected risk scenarios I refer to in my title: a “bug” causing a risk and a crisis. The first was a few years back when I served on the board of a company using ash wood for shovel handles. This wood’s properties are ideal for long handled tools and for baseball bats. It is commonly found in the upper Mid-West and further east into NY, PA and WV. The problem was actually a real “bug,” the emerald ash borer, a hitchhiker from Asia. Assumed to enter the country with infested wooden pallets, it quickly began infesting the native ash forests and damaging them, causing trees to die.
Long handled tools had used ash for handles for over a century, and now its supply was threatened. The alternate plan required either using fiberglass (more costly and no better) or alternate woods like hickory (not as strong/resilient as ash). Major league baseball bats are using more hickory, since synthetic materials are banned. Even then there is an issue of the grain pattern (weaker in certain spots) and the density (to make bats of ideal length, strength and weight that big leaguers prefer.)
I left that company a number of years ago, but I now live in an area where the bug infestation is still requiring ash trees to be removed and destroyed. How does a board consider such an “off-the-wall” kind of risk? Very carefully, was the answer; using plans A, B and C each with alternative materials, costs and conversions.
The other kind of “bug” is one I have been writing about quite often lately: a computer “bug,” or more specifically a virus, a worm or some other form of malware. Imagine the consternation of Iranian nuclear experts when the Stuxnet worm selectively attacked and disrupted their Siemens controlled centrifuges. Imagine how Americans would feel if they knew how many attacks must be repelled each day by our government and their Internet service providers—and corporate icons. The count is in the thousands of attempted invasions during some weeks. No one in the Federal government really knows what to protect against next. First there were simple attempts by hackers, mostly mischievous, to just show that they could “break into” government systems. Now the malware attacks have become more serious.
A decade ago, a wave of worm viruses spread, each infecting millions of systems, wreaking havoc and requiring extensive “cleansing and restarts” of computers. Code Red, and Code Red II were the culprits a decade ago, and both seemed to have “expiration dates,” but who knows what fragments they left behind. Then came NIMDA (Admin spelled backward, since it seized administrative control of infected systems). Later, the most widespread of all was Conficker, believed to originate in the “hacking universities” of China.
It’s hard to prove where a “bug” like Stuxnet or Conficker comes from, just like it’s hard to know which pallets carried the first emerald ash borers. One thing that is not hard to know is that there will be more, and worse invasions—of computers, smart phones, the Power Grid, Global Positioning Satellite systems, and the even the U.S. Department of Defense.
By now, I hope you see the huge and daunting challenges these bugs can present to companies and their boards of directors. When the range can be from a tiny burrowing insect riding across the Pacific in a pallet, to an earthquake caused tsunami leading a nuclear plant meltdown and supply chain disruptions, only one conclusion can be reached: the more complex and harmful the risk, the more important that someone properly identify and assess risks while making plans to mitigate them—even if nobody knows quite how to stop them.