NCMM Executive Director Tom Stewart and special guest Phil Renaud from the Risk Institute discuss how the middle market can navigate and avoid risk.
Transcription
Reconnaissance, resilience, recovery. Put them together and you have a recipe for managing risk.
Welcome to the market that moves America. A podcast from the National Center for the Middle Market which will educate you about the challenges facing mid-sized companies and help you take advantage of new opportunities.
Hurricanes and fires-- political change-- technological disruption that transforms industries. Middle market companies face all kinds of risks. Some of them threaten the very life of a company. How can they identify those risks, protect themselves, and build resilience? Let's find out. I'm Tom Stewart. I'm the Executive Director of the National Center for the Middle Market at the Fisher College of Business at the Ohio State University.
We're the nation's leading research center focusing on the concerns and needs of mid-sized companies which account for the middle third, a third of private sector employment, and GDP, and the lion's share of economic growth. It is indeed the market that moves America. The National Center for the Middle Market is a partnership between Ohio State and SunTrust Banks, Grant Thornton LLP, and Cisco Systems.
With me today is a special guest, Phil Renaud who is the Executive Director of the Risk Institute at the Fisher College of Business. Phil, glad to have you.
Thanks, Tom, good to be here and happy to talk about risk in this day and age, helping middle market companies.
Indeed, well, tell us about the Risk Institute, first of all. I mean you're across the hall from me but--
Other than that, yeah, we're--
Aside from that.
We're a relatively new center here at Ohio State-- about 3 and 1/2 years old. And we're approaching 30 members. And six founding members are included in the Risk Institute. Among those nationwide, EY-- Ernst & Young, Huntington Bank, Patel. The, obviously, OSU, and Aon, are founding members.
What's the mission of the Risk Institute?
We focus on enterprise risk management. So the whole of risk as it impacts an enterprise. So within that--
So it's the risk that would involve a CEO and a board and the top leaders.
Correct.
This is the stuff that is across the whole enterprise that really needs to be brought-- get to cease with the--
Right, so we're focusing on risks involving strategy, risk involving the operational side of the business, certainly, and those risks that are insurable.
We just did a survey of 1,000 middle-market companies. Those are companies with revenues between 10 million and a billion dollars a year. About three categories of risk. We looked at strategic risk, operational risk, and digital risk in particular. Strategic, we focused on-- we met things like macroeconomic changes, changes in ownership, disruptive technology, large forces like that. Operations, meaning business continuity issues-- something like things like hurricane, supply chain disruption, and similar events. And digital including both cyber security breaches and the breakdown of IT systems themselves.
The first thing that we found is that fully half of the 1,000 companies we surveyed said that they had been hit by one or more of those in the last two years. Does that surprise you?
No, not at all. In fact, I would have suspected it to be even higher than that, Tom, when you think about the impact on business today from any number of different areas. One-- technology changing as fast as it is. Two-- extreme weather events. Just think about the last couple of months, right? The speed in which weather is upon us and the severity in which those storms are hitting us. Changing--
At weather events of fire as well and--
In fire.
--we burned out, which is still-- as we record this just before Christmas, we are still seeing fires out of control in Southern California.
And San Fran and LA area as well. And the speed of supply chain adds risk as well the dynamics of how we move product, the size of the ships in which product is contained on those. So to the extent that there's a weather event-- the amount of product that could be harmed because of that rather event grows geometrically. And--
[INTERPOSING VOICES]
Actually you think about that. We had major storms in the Southeast in some of the biggest ports. I think Savannah is on its way to being the biggest port in the United States. I think Long Beach may still be but just think about that and think about being a company that depends on those ports for your goods come in or your goods going out.
Absolutely. You think about the large ports of Seattle, Long Beach, Savannah, Newark on the east coast. Any one particular event or strike in Long Beach could disrupt significant commerce in this country.
So let me dig into digital a little bit because, I mean, if I think back to my own knowledge of risk and enterprise-- risk management, the phrase emerging, I think about 15 or 20 years ago. Is that probably about right? Digital wasn't on the horizon. I mean we did talk about the breakdown of computer systems in the back office. But cyber security risk, I mean, it's couple of things that we found. First of all, 17% of companies said they've been hit by some digital problem in the last two years. That number seems low because we know it takes about 205 days before a company knows it's been hit if it's been attacked.
Exactly right. And I think that is low from our side of the street-- very low. I did a little bit of research prior to sitting here. And I think of companies that are namesake of major, major institutions here. Intercontinental hotels-- Dunn and Bradstreet-- the IRS-- g-mail-- Brooks Brothers-- Blue Cross-- Verizon-- on and on. The list goes--
So I think sometimes mid-sized companies think those evil hackers with the black hats-- they're going after the JP Morgan Chase's or the Target's. They're not going after us.
No, absolutely not. They're going after everyone. Just look at the list of companies that have been impacted in 2017, either have been hacked or you don't know you've been hacked, in many respects.
Yes, and one of the things that's going on in that business, and we talked about this on an earlier edition of this podcast is that the rise of ransomware means that they're just going out after anybody and just saying, Send me 100 Bitcoin. And it doesn't matter how big your company is.
Well, some research done by a firm called Control Risk Group which is a major-- that thinks about ransomware and extortive crime, for example, had a study. And in 2007 0% companies reported having any extortive attempts on them. In 2017 when they looked at it again, 28% of the companies report--
3 out of 10 companies have got that black screen saying--
Exactly.
Send us money or--
Exactly, and that's not isolated to large companies. That's companies across the map.
One of the things that I think is interesting in our survey. 50%-- 49% recognized it as extremely or very challenging, which is to say the alarm bells went off-- emergency, emergency, emergency. But they also said two-thirds of them said they cleaned things up within a month and 60% said they recovered fully. So this seems in this category of risks to be a total fire drill or a five alarm fire. But one that you can put out if you're well prepared.
You can put it out if you're well prepared. I mean, if we think about some of the recent events-- let's take Equifax-- which impacted 143 million consumers.
Including me-- I assume you.
Including me. We think about what's the root cause of that? The root cause of was failure to apply a patch to their system. So there's a little event-- failure to provide a patch had a massive consequence to every one of us, virtually. There's was a recent event, eBay, on December 10th, actually, just a couple of days ago that involved an interface with Google on how that interface failed. And in some respects, some very sensitive purchasing data got out in the general public. So again, how business is transacted in the case of Equifax-- how I'm protecting my business with patches that are prescribed. And in the case of eBay and Google, how I'm transmitting this information between one another.
So if you go beyond, I mean, the cyber risk is one. And, of course, where it's changing all the time as the technology is changing and people playing catch up. Some of the more classic areas of operational risk-- some of the things that we've mentioned. The supply chain disruptions and things like this. It feels like there is a pretty good body of knowledge about how to prepare for these risks to, I guess, prevention mitigation and recovery.
When you think about that body of knowledge, what do companies forget? What is the most common mistakes that companies make? They should have done this. They knew they should have done it and didn't.
I'll call it failure to prepare or failure to be resilient, OK. A couple of good examples in my world prior to coming to the university was doing some work for a number of middle market companies. And one middle market company had been using a vendor-- This is a tier 1 supplier to make its final product for 25 years or more.
And when we looked at the root cause of this particular event, which was a fire at a factory in Asia, spoke to leaderships, saying, Have you done anything to prepare for the inevitable challenge that may exist with that particular vendor? The answer is, Why would I? They've been doing work for us for 25 years. So it's that failure to be resilient. The failure to think about what are the options to failure-- to think of alternative suppliers whether--
So my light switch is always turned on. Why should I bother to stock candles.
Why should I worry. The lights are on. They're working today. In this particular case, they had tools and dies, raw material, work in process. They had it all because they were a key event for 25 years.
Some of these guys just in this case the story you're talking about is a mid-sized company. But in some cases, a big company, a Proctor and Gamble can have backups-- can have backup data farms-- can have all of the alternatives. I'm a $50 million company. How do I afford that? I know one answer is, You can't afford not to have it. But how do I identify that stuff which I absolutely have to spend on, no matter how cheap I am?
Well, I mean, one tool that we use or would suggest is, I refer to it as a director's risk assessment. So every year, go through your organization and prioritize things that could impact your business. Some of those could be operational. Some of those could be strategic. Some of those could be cyber-- on and on. That could even be leadership risk.
Could be even leadership. It could be an aging workforce, for example.
Or a particular group that may retire. We were working with a firm of recent. And we're talking to them about this aging workforce. And the statement was made that 60% of their IT staff is approaching retirement in the next five or so years-- 60%. So think about that. Think about that as a risk to your business.
It's interesting, it's mid-sized businesses, especially private and often family health businesses. A private business is often founded by a bunch of buddies. We all went to business school together. We're all golfing buddies, whatever it is. And the result is we're all about the same age. And we've been working together now for 20, 30 years. And suddenly we're beginning to realize that we're all getting bald. We're all getting old, and we haven't actually built the talent succession and diversity. And that turns into an enterprise risk.
It's an enterprise risk, and it's a growing risk. I think of just risk management, for example in that profession. Many companies call us saying, Phil, can you help us find talent for risk management professionals? They're just not out there which is what the Risk Institute is about. We're looking to create that talent and that talent pipeline in the next three to five years. And risk is even more dynamic than IT. 70% of risk professionals are over the age of 50-- 70-- 70% over the age of 50.
So it's great for young students coming along because their career path is wide open and rich with opportunity. But it's scary as companies think about contingent planning for risk professionals in their organization or those who can deal with risk within their business.
Now I may be too small to have a chief risk officer, but I'm not too small to make that directors list of the key risks that I might face. And I want to focus on the third one here that we mentioned, which is the strategic risk. The data from our survey were really scary about this. First of all, it was the most common. 27% of these people-- 17% said they had a cyber risk. We've agreed that's too small. But 27% of that same group of people said that they had been affected by some big strategic risk of the most common-- it was the most damaging.
Only 40% say they recovered completely from a shock within the last two years. And it's the hardest to prepare for. Only one in three said that they were prepared. So these big hairy, hard to recover from risks came from out of left field. It's also sort of not in the curriculum of trap a classic risk management, because you can't insure against those.
No, you can't insure against it. But you can prepare for it, right? I mean I talk about two particular areas-- business continuity, BCM, Business Continuity Management. And probably even more important to that is a term we refer to as CBI-- Contingent Business Interruption or Contingent Business Continuity, OK. Those that impact a vendor or those that impact someone that's distant from your firm is perhaps even more important.
Because if you're not evaluating the risks that they undertake and some of those could be strategic as well. Some of those could be operational risks. But it's important to kind of have a holistic view of what could impact you, both yourself and your vendors-- you're key vendors.
A guy named Don Sull who is at London Business School, an old pal of mine, has a really interesting exercise that he does with companies in which he asks them to think about two different attributes of professional boxers. One is the ability to be agile-- the Muhammad Ali-- float like a butterfly-- sting like a bee-- the ability to avoid a punch. And the other is the ability of something he calls, absorptive capacity which is the ability to stand there and take a punch.
And that's sort of George Foreman, right. And very few companies are equally good. But very few are Jack Dempsey, right. But he likes to say, Put yourself on some grid and some matrix of agility versus absorptive capacity. And then see what you can do to make your weak hand a little stronger. If you're agile, you don't want to go full bore absorptive capacity because you don't want to lose the agility. But what can you do to do a little rope-a-dope or whatever--
I think first of all, you need to think through it, OK. So I can be a small company. I can be a PNG, a multibillion-dollar organization. But you need to think about this director's risk assessment tool, I would say. Or risk assessment tool in general that forces you to think about what are the areas that, perhaps, I'm weakest at. What are the areas that, at least, I can absorb a punch? Or what are the areas that I'm particularly good at, OK. And sometimes when we put it down on paper and we start thinking about it, it's very revealing. It's very revealing.
We had some friends of ours at SunTrust, one of our sponsors, that in the aftermath of the hurricanes in Florida who discovered that there were a number of their clients-- who did not know what was in their loan covenants or in their agreements with their banks to basically-- I need credit. Am I ready. Do I have a line of credit ready? So that's an example of absorptive capacity. Do you have a good line of credit, or do you have cash in the bank? What can you do so that you can--
Take on the next 30 days.
Take on the next 30 days, yeah, exactly.
I mean think about flood insurance. This Houston event was very eye opening. First of all, flood insurance deals with what I call the 1% of that. And that is the 100-year floodplain.
Which seems to happen every three or four years these days, but--
You're exactly right. But what happened in Houston? The 100-year floodplain became the 500-year floodplain, OK, which is a 0.2% probability of event. But all these people down in Houston now are faced with, not the 100-year event, but the 500-year event.
Well, and also, even if it's 0.2%, if it happened to me, it's 100% for me right now. And so in some way I have to be prepared.
Right, and a lot of those people nor was the federal government thinking about this because the flood maps had not been updated. It's an interesting thing. A recent study showed that $5.5 trillion in assets and 40 million Americans are at risk of flooding, OK. This came out after Houston, where people are now scratching their heads going, How could this have been so bad or what did we miss? It was because the maps hadn't been updated. So now the project of updating the maps to make sure that we really know what the risk is and where the event can strike is particularly important.
One of the things that I'm taking from this conversation is that there's real value, first of all, in thinking about these three types of risk, including always the talent element that underlies all of them. Because you can have a disruption problem or an IT problem that is a talent problem. And the supplier and vendor problem, my ecosystem problem. But to sort of actually step back from today's business, say, Wait a minute. What could come from out of left field? What could hit us? What Uber could Uber us? Or what other disruption could happen to get your mind free there? And then start thinking about what can I insure? What can I--
Absorb.
Well, first of all, what must I protect, right? So there's always a burning building home. One of the things I've got to take out of--
I'm going to do that.
What have I got to protect? But what can be insured and replaced? Where can I build redundancy and basically start working those things down to it. Then I say, What is the amount that I just have to be able to be resilient about? And shapes narrow of a problem--
Resilience goes well beyond what I can insure, OK. So let me give you a good example on cyber-insurance, OK. Cyber-insurance today-- the market for cyber-insurance five years ago was virtually nonexistent. Now it's in high demand. OK, a middle market company can expect to pay for a million dollars worth of coverage, about $10,000. So $10,000 to a mil. It's a lot of money. Now to get--
That tells you how prevalent the attacks are.
Well, exactly right, right? So it's a law of probability. So I've got a high probability that my cost is going to go up. But you think about, in order to get that cyber-insurance, I've got to expose my business to a lot of audit, all right. So they're not giving the $10,000 a mil away just to give it away. They're going to research how prepared you are. How resilient you are. What steps have you taken? Have you installed the proper patches? Do you have a proper department? Do you have skilled people, et cetera, et cetera, focused on that.
So the demand for cyber-insurance, is growing exponentially because of the events that have taken place. The pricing of that coverage is growing as well. So it's something that people have to really start paying attention to, OK. But let me go back a step. To be resilient doesn't necessarily cost you money. It's time in preparation. So that example of the factory that I've been doing business for 27 years and everything is OK. Had I taken some steps back with this business taken some steps back and looked at, Yeah, I've got all my eggs in one basket here. Would it make sense to look for an alternative supplier? That alternative supplier could be in another region, OK.
So let's take Fukushima, for example. That event took just about everybody out in that one area. So I could have had an alternative vendor 10, 20 miles down the road. I'm still impacted by it. But if I have another vendor in another geographic region, then perhaps that's a smart thing to do. It builds some resilience. It builds some capacity in my business to also assist me to recover quickly.
Let's take supply chain and the speed at which supply chain moves today. No one's really creating warehouses any more product are they, Tom-- right? Where I can go to a shelf and pull off 25 particular widgets. The supply chain moved so quickly that it's just in time. Whether it's steering wheels to the big auto manufacturer or some other electronic component to, let's say, middle market company. But what happens-- these large shipping container boats. These boats hold upwards of 4,000--
They might hold your year's supply, yeah.
Well, that's my point. That could be a whole year's supply. It's very efficient to move product on one boat because the cost goes down geometrically. But if I hit a tsunami on the way, and I lived through that when I was with a large retailer. We had our entire swimsuit line on one boat--
Swimming with the fishes, right.
--that was swimming with the fishes and literally could have bet the business. It's that sense. So we think about it, yeah, it was efficient to move in on one boat. But, perhaps, it would have been smarter if we divided into three boats for that ship.
You know, we're just about out of time, but what I'm hearing is really interesting and naturally thinks about-- we've been talking about strategic risk-- operational risk, and particularly about digital risk. But I'm hearing a theme that you might call about the three R's-- the reading, writing, of risk. And one might be reconnaissance and really getting a wide view of all three of these, right. Reconnaissance-- one might be resilience. How do you build excess capacity-- set extra vendors.
The financial resilience you might need. And third is recovery, and that recovery's going to go a lot better if you actually have thought through what's going to happen. And have your playbooks for and so will resilience. I mean, so if you have your playbooks and realizing the unthinkable. If you think about the unthinkable, you can make some plans for it and start recovering from it. And if you can think about recognizance, resilience, and recovery, maybe this risk animal can be, if not completely tamed, at least caged and domesticated from time to time.
Exactly right.
All right. So with that, I want to thank you, Phil Renaud, who is the Executive Director of the Risk Institute at the Ohio State University Fisher College of Business who is here to talk to us about how middle market companies can understand and cope with the risks that they face. And I'd like to thank you for listening to the market that moves America. Never miss a new episode. Subscribe to the podcast on iTunes, stitchery, Google Play, or wherever find podcasts can be found. And you can subscribe and learn more about us at our website, middlemarketcenter.org. Thanks very much.
[CLASSICAL MUSIC PLAYING]