ERM in the Red Zone: Lessons from the Super Bowl

Mark Saltsgaver , Steven Strammello


June 3, 2012

(Photo: Getty Images/Gregory Shamus)

Risk management is nothing new to major sporting events. The success of a high-profile event such as the Super Bowl often depends more on what doesn't go wrong rather than what goes right. The organizers of the 2012 Super Bowl were certainly not the first to think through the risks -- from bad weather to traffic to accidents to criminal acts.

What did seem to be new in 2012, however, was the way in which enterprise risk management (ERM) principles were applied to identifying and mitigating the risks. In fact, the Host Committee was told that Indianapolis was the first host city to apply ERM tools and principles on such a broad scale.

The success of this approach could be seen in the high praise the event drew from fans, sportswriters and National Football League (NFL) officials alike. As Pro Football Weekly publisher Hub Arkush summed it up shortly afterward: "'Super,' in fact, is the best way to describe Indianapolis' effort...There is very little I can imagine that could have been done better."

While a Super Bowl presents many unique risks, the Host Committee also recognized that the event is similar in many respects to any other large, elaborate undertaking. It is managed through a highly complex structure that involves not only the Host Committee and staff but also thousands of volunteers, all of whom are charged with a specific area of responsibility. This means there are literally thousands of opportunities for someone to fail to see the big picture. Such an environment demands the enterprisewide recognition, assessment and mitigation of risk that only ERM can provide.

Consider, for example, what would have happened if a major power outage had struck downtown Indianapolis February 5, just before kickoff. Virtually every aspect of the event would have been affected, so each division, committee and subcommittee needed to have a response plan ready.

Inevitably, though, each of these dozens of disconnected contingency plans would affect other plans, and some would almost certainly conflict. ERM provided a way to cut across these divisions, coordinate the contingency planning and build enterprisewide mitigation plans that addressed and balanced all of the widely divergent effects.

Event Risk vs. Business Risk

Despite the similarities between the Super Bowl and any other large enterprise, there are also some significant differences that set "event risk" apart from the "business risk" that most ERM managers are accustomed to handling. The most fundamental of these differences is the way risk is measured and quantified.

In most businesses, success -- and hence risk -- is measured by the bottom line. For an event such as the Super Bowl, however, the financial outcome is secondary. Obviously, nobody wants the event to be a loss, and appropriate controls are essential. But nonfinancial risks, especially reputational risk, are the greater concern.

This distinction is important because nonfinancial risks cannot be shared or transferred as readily by purchasing insurance, one of the most widely used risk management strategies. In many cases, the only practical ways to manage nonfinancial risks are to avoid the risk in the first place or to accept the risk and prepare to respond.

That brings up another important difference between event risk and business risk: the balance between prevention and preparation. Prevention certainly played a role in the Super Bowl's risk management, but many of the most material risks to a large-scale event cannot readily be avoided, reduced or shared -- which means preparation and contingency planning take on greater significance.

The other major difference between event risk and business risk is the changing nature of risk over time. There is a time-related component to most business risks too, but for an event that is scheduled for a specific day, the relationship of risk to time is especially strong.

In the case of the Indianapolis Super Bowl, the relationship of risk to time was apparent very early. During much of the spring and summer of 2011, when the Host Committee had to make major commitments of time and resources, the number-one risk the committee faced was entirely out of its control. A labor dispute between the NFL and its players' union threatened to delay the season, forcing the committee to prepare for the possibility of the Super Bowl being postponed -- or even cancelled.

All of those risks disappeared August 4, however, when the players ratified a new collective bargaining agreement. Overnight, labor disruption went from being the highest risk to being an after thought.

Super ERM Lessons

It is always risky -- so to speak -- to extrapolate broad lessons from a single experience. Nevertheless, several general insights gained from the Indianapolis Super Bowl Host Committee's successful risk management seem especially applicable in business settings.

First, not all risks can be monetized -- but all must be quantified. Most businesses categorize risk by the financial impact an event is likely to have. But assigning a dollar value to intangibles, such as reputational risk, is often time-consuming and somewhat arbitrary.

For example, it was virtually impossible to accurately determine the dollar cost of bad publicity that would result from an accident at the Super Bowl site. Instead, such risks were quantified in terms of the reach and exposure they likely would receive. An accident that would generate only local news coverage might be considered relatively low risk, but an accident that would be covered by ESPN or Sports Illustrated was assigned a higher risk. And if the story was likely to get the attention of national general-interest media such as the New York Times or USA Today, it was in an even higher category of risk. Even though such risks could not be readily monetized, some system of quantification and classification was necessary to evaluate, prioritize and prepare contingency plans.

Another insight from the success of the Super Bowl is the importance of being ready to respond to risk, not just prevent it. Naturally, most business managers want to be ahead of the curve in mitigating risk, so most ERM programs focus on three of the four conventional risk management methods: avoiding, reducing or transferring risk.

In the case of the Super Bowl, however, much more attention was paid to the fourth risk management method: accepting and preparing for risk. In the same way, a prudent business risk manager must recognize that even the best risk avoidance plan might fail. Devoting too much attention and resources to prevention -- at the expense of a comprehensive response plan -- can actually increase the organization's exposure to risk.

The Super Bowl experience also made clear that response plans should be multifaceted and multilayered. We often think of risk in black-and-white terms -- either a risk will occur or it won't. In reality, however, most risks are much more complex.

For example, the Super Bowl historically has been held almost exclusively in cities where it does not snow. Florida, California and New Orleans have hosted 35 of the 46 total Super Bowls. So as only the fourth cold-weather city to host a Super Bowl, Indianapolis naturally focused on the risk of inclement weather. The contingency plans quantified and prepared for varying degrees of weather risk -- an inch of snow and 30-degree weather presented a dramatically different risk profile from a foot of snow and 10-degree weather.

However, the weather that eventually materialized presented a risk no one had factored into their contingency planning: the risk of unusually pleasant weather. The Indianapolis Business Journal estimates that the unseasonably balmy temperatures during the week before the game attracted as many as 1.1 million visitors to the three-block-long Super Bowl Village -- nearly double what the Host Committee had projected.

Beautiful weather was a good problem to have, but the high turnout presented a new set of risks in terms of traffic and crowd control. The lesson for businesses is clear: as you prepare your contingency plans, be ready for unexpected good news as well as bad.

An additional lesson businesses may take away from the success of the Super Bowl in Indianapolis: using ERM techniques can contribute to an organization's long-term success and open up even greater opportunities in the future.

Even as the teardown began and crews worked to put downtown back to normal, Host Committee members and other community leaders were looking ahead to a possible bid to host another Super Bowl. Based on the highly favorable reviews for Super Bowl XLVI, there is every reason to believe that the NFL will be eager to bring its championship game back to Indianapolis.
Mark A. Saltsgaver was co-chair of the Super Bowl 2012 Risk Management Committee and is senior director of corporate risk management at Eli Lilly and Company in Indianapolis.
Steven P. Strammello, CPA, CIA, CFSA, CRMA, was co-chair of the Super Bowl 2012 Risk Management Committee and is managing partner of risk consulting services in the Indianapolis office of Crowe Horwath LLP.