The Decade of Risk

Bruce McIndoe

December 1, 2009

Over the past 10 years, risk management has evolved from an often overlooked, back-office discipline to a vital component of securing every organization's future. Sure, many companies still have not actually embraced and cultivated the outlooks of the risk professionals on their payroll, but the events of the past decade have made the core concepts impossible to ignore any longer. From Y2K, 9/11 and Enron through Katrina, pandemic threats and the Wall Street collapse, the world has faced a relentless onslaught from all directions. And in looking back at recent history, there is only one logical conclusion: the world needs risk management now more than ever.

 

The past 10 years have been a period of unprecedented growth in the risks facing organizations. From the grim realities of international terrorism to the proliferation of environmental threats, a rapidly changing set of challenges jeopardized businesses in every sector.

The result has been a sea change for the risk management industry. In the past decade, business executives have recognized the need to implement new policies to confront these new risks, something that has led to the emergence of risk management as a critical support industry and the rise of risk management officers as vital to executive decision-making.

In 1999, risk managers were typically relegated to back offices, working alongside accountants and actuaries. They focused on two main issues: financial risk management and a technical glitch many at the time predicted would bring industry and government to a standstill, something they called the Y2K bug.

Flash forward to today. Risk management has evolved from an obscure function of finance and insurance to an approach necessary for organizational resilience. Risk management's rise over the past decade has dramatically altered the way organizations think about things like disaster planning and business continuity. What started as a niche department with little or no ability to influence organizational behavior has transformed into a critical source of strategic planning with a direct line to top management.

All of these changes were set in motion over fears about a computer programming glitch and some misplaced ones and zeros. Predictions about the impact of the Y2K bug were dire: Without intensive investment in IT infrastructure, updates and redundancies, the second January 1, 2000, hit the clocks, airplanes could fall from the skies, electric grids could shut down and bank accounts could be erased.

Instead, something much more unexpected happened: nothing. Aside from small, localized disruptions (150 slot machines at race tracks in Delaware stopped working, for instance) the year 2000 entered with a whimper and the risk manager's worst fears never materialized.

Nevertheless, Y2K triggered a shift in how organizations thought about risk management, and investment in the space changed significantly. For the first time, risk managers were looking at how a single event could impact the entire operation. Focus shifted away from looking merely at financial risk implications, and internal investment flowed into IT risk management.

The after-effects of Y2K engendered two distinct views. The first argued that proactive investment in IT risk management and cooperative efforts across industries had averted disaster. The counter view suggested the entire saga was much ado about nothing. In the absence of a crisis, it was hard to tell if investment in risk management was working.

September 11, 2001 would irrevocably change the terms of the debate, however, permanently altering how organizations thought about threat assessments, preparedness and response. As the shock of the 9/11 tragedy slowly wore off, corporations realized that they were largely unaware of their employees' locations, whether traveling to offices, client sites or globally. For the most part, companies simply could not, or did not, track personnel travel. This left managers without a quick and effective way to communicate with employees in a time of crisis.

Risk management firms stepped up to meet this challenge with a variety of innovative solutions. Thus an enduring focus within the industry emerged: visibility. Companies began to demand a more detailed and comprehensive picture of all the moving parts throughout their operations. They wanted to know where their people were, what the status of travelers was and how vulnerable facilities and supply chains were to threats, both obvious and unforeseen.

The events of 9/11 also brought the issue of enterprisewide risk management to the forefront. The 9/11 attacks demonstrated the devastating impact an external happening could have on business operations, and the need to understand and plan for potentially catastrophic threats, however distant they may seem.

While 9/11 brought the deep need for enterprisewide risk management into focus, as the decade progressed, it was environmental threats that tested these new ideas and pushed the burgeoning risk management industry to mature.

In 2003, a strange new virus, Severe Acute Respiratory Syndrome, terrorized China, Canada and the global travel industry. Prior to the SARS epidemic, most companies did not take the threat of a pandemic seriously, let alone one that could have a crippling impact on their operations. SARS highlighted the need for pandemic planning as affected countries reported employee absences of 30% to 50% and frozen supply chains, factors that had long-lasting effects on core organizational functions.

The pandemic planning services of many risk management firms and the infectious disease preparedness plans in many companies are the direct result of the SARS scare, which highlighted the need for monitoring pandemics in real time and adapting policies to meet each season's new challenges. We can see the effects of this change in mindset today, as pandemic preparedness plans are continually being rewritten to account for variations in the current H1N1 pandemic.

Events like 9/11 and worries about the impact of a possible pandemic drove a new way of thinking about risk management and mitigation. Increasingly, managers began to focus on systemic risks and preserving the integrity of business operations as a whole. Focus shifted from simply anticipating threats and preparing for crises in any one sector of a company and toward concepts such as business continuity and business resiliency.

In 2005, another unprecedented disaster tested this new idea of resiliency and forever changed assumptions about maintaining business continuity in the face of catastrophic events. As the massive devastation of Hurricane Katrina became apparent, complacency surrounding the ability of businesses to anticipate and respond to major disruptions within the United States was washed away along with large parts of New Orleans and the Gulf Coast region. It soon became apparent that state, local and federal systems were ineffectual in handling this crisis. Many risk managers came to the same stark conclusion: this could happen here.

Katrina was a giant wake-up call for risk managers whose mitigation planning often relied on local, state and federal authorities to take the lead in response. Moving forward, risk managers and companies began to rethink this strategy and incorporate responsibility for business continuity and resiliency in their organizational plans.

Katrina underscored the need for greater operational visibility, employee tracking and, most of all, enhanced communications. During and immediately after Katrina, business continuity collapsed not only because of physical damage to infrastructure, but also due to an acute breakdown of communications. Employees were scattered, cell phones were not working and managers had a difficult time locating personnel, understanding their status and reconstituting operations.

This communications breakdown drove new thinking in contingency planning, leading to the development of systems that would allow operations to rebound more smoothly and quickly following a crisis. Perhaps workers could log into a pre-established central website to find information? Perhaps companies could compile a database of contact information and send updates via text message? Katrina taught risk managers and organizations harsh lessons about the importance of communications and physical operational redundancies in business continuity planning.

Recent developments are yet again causing major changes in the industry and will define what is to come in 2010 and beyond. Old risk management questions are new again as companies grapple with the aftereffects of the global economic meltdown. Well into 2010, risk management will refocus on financial risk mitigation, as companies struggle with how to anticipate, prepare for, avoid and emerge stronger from future economic disasters.

Meanwhile, those within the risk management space are feeling the financial pinch. As their clients cut costs, risk management firms and the preventative services they offer often find themselves on the chopping block. Money that had been flowing into risk monitoring, prevention and resiliency programs earlier in the decade is now being funneled into the core functions that support vital operations within organizations. As a result, much of the progress in the risk management field has been stalled or lost.

But as the past 10 years have taught us, operational threats are wildly variable and totally unpredictable. And many analysts agree that the next decade will witness even greater potential threats, such as an accelerated global competition for resources like water and energy. Such conflicts could cripple supply chains by making it significantly harder for companies to produce and distribute their products. Additionally, access to skilled employees may pose continuity challenges, as an aging population is replaced by a younger workforce poorly trained in mathematics and sciences (at least in developed countries), which will shrink the pool of capable workers.

As our economy becomes more globalized it also becomes more fragmented and brittle. The entities to which large multinationals outsourced operations are in turn outsourcing, while the network of suppliers and producers grows more and more complex. Any breakdown in this chain could create significant challenges for business continuity and resiliency.

Trends in the risk management industry have emerged and faded away only to re-emerge under new circumstances. Though specific changes have swept the industry on a macro-level, too few companies have absorbed the hard-earned lessons of the past 10 years. To continue the gains made in risk management, organizations will have to reaffirm the value of systemic risk planning while continuing to promote the role of risk manager as an integral part of strategic decision-making at the executive level.

And if we are not better prepared for the risks of the coming decade than we were for those of the recent past, we have only ourselves to blame.
Bruce McIndoe is the president of iJET International, an intelligence-driven provider of business resiliency and risk management solutions for multinational corporations and governments.
