Managing Risk In the 21st Century
By Thomas A. Stewart

(FORTUNE Magazine) – The year 2000 arrived right on time. Planes stayed up till they were supposed to come down. Phones worked. Power flowed. My pay was directly deposited in my bank account for a sum no less (and, alas, no more) than it ought to have been.

There are, however, Y2K bugs in other kinds of organizational software--our mindsets. We need to test our business activities against the demands of a knowledge-based century. Take risk management, a responsibility of the treasury function. Most risk managers haven't begun to cope with the real threats 21st-century companies face. Like the drunk in the old joke who looks for his lost keys under the streetlamp because the light is better there, risk management is dealing with visible classes of risk while greater, unmanaged dangers accumulate in the dark.

Risk--let's get this straight upfront--is good. The point of risk management isn't to eliminate it; that would eliminate reward. The point is to manage it--that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether. Though most risk-management tools--insurance, hedging, diversification, etc.--have to do with reducing loss, the goal is to maximize the gains from the risks you take.

The familiar, under-the-streetlamp risks are by no means trivial. They are things like hazards (such as fires and chemical spills), fraud, currency fluctuation, politics, and war. If you know about Bhopal or Barings Bank or do business in Asia or Russia, you know how dangerous those risks are. They are palpable risks to tangible things: buildings, bankrolls, inventories. Says Donald Lessard, deputy dean of the Sloan School at MIT and a risk-management expert: "Much of risk management is focused on which objects are at risk. The emphasis is on the physical or financial object, not on the source of risk."

That's a shortcoming. Just as intellectual assets have come to dominate tangible assets, so risks to intellectual assets and processes now dwarf traditional sources of risk. Often these risks never take objective form. Lessard explains: "Think of the difference between the e-world and the physical world. Today if you were to value a shopping center, you'd go out and count the visitors. Before, you'd look at the buildings." So where should we look for these new risks?

--Your reputation or brand. When a bad batch of carbon dioxide in Coca-Cola sickened some Belgian children last summer, Coke's European operating income fell about $205 million, and Coca-Cola Enterprises, the bottler, incurred $103 million in costs. What about the cost to brand equity? One highly imperfect proxy: Coke's market capitalization fell $34 billion between June 30 and Sept. 30, 1999.

--Your business model. Asset-free, knowledge-intensive competition is to entrenched business models what the Panzer was to the Maginot Line. MP3, the software that allows people to burn their own CDs from the Web, is changing the music business more fundamentally than anything since radio. E*Trade, 18 years old, forced Merrill Lynch, 180, to change its way of doing business. AutoNation sold more than $1 billion worth of cars online in 1999--a threat to a model that's created countless millionaires. Yet the new guys' very nimbleness creates its own risks, which traditional risk management can't help. You can protect the hard assets of a brick-and-mortar mall. Click-and-order stores are much more exposed: Cash flow is just about all they've got.

--Your human capital. The obvious human-capital risk is flight--especially in a tight labor market--but it's only part of a larger, subtler problem. When the CEO intones, "People are our most important asset," he's wrong, even if he's sincere. People are your most important investors. Your stock of human capital matters less than your flow of it. Any turbulence--and is there anything but turbulence these days?--can disrupt the flow, damaging your ability to attract human capital or people's desire to collaborate. Says Thomas Davenport, a partner at Towers Perrin: "Uncertainty is a real enemy of human capital. People rebalance their ROI by cutting back the investment."

--Your intellectual property. Many risks to intellectual property--theft, for example--can be dealt with in obvious, if sometimes onerous, ways. Here's the cutting-edge question: How do you manage risk in the process by which new intellectual property is created? How do you cope with the fact that the safer a given R&D project is, the less likely it is to be a big-money breakthrough? How do you balance the virtues of specialization against those of diversification?

--Your network. No company is an island, entire of itself; odds are your business is embedded in a network you do not control. It's not just that AOL might crash and cost you a few days' sales; your whole business may depend on tangible and intangible assets that belong to outsourcing partners, franchisees, sugar daddies, or standard-setters. For example, hundreds of companies and all e-commerce depend on the World Wide Web Consortium to keep standards like XML (extensible markup language) from becoming an incomprehensible muckup of dialects.

There are a couple of patterns here. First, an ever-greater part of business risk comes from sources your company can't own--people, partners, environments. Second, volatility isn't just a currency or stock market risk anymore. Labor markets, technologies, even business models oscillate at higher frequencies--their behavior more and more resembling that of financial markets.

In those patterns are hints of how to manage intellectual risks--which we'll examine next time.