Which risks will be more dangerous in the future? Internal or external risks, ask Michael Bruch and Dr Rudolf Kreutzer of Allianz

Ever since human beings have had an awareness of the future, they have wanted to know what is in store for them. As neither crystal balls nor computer screens will give them any reliable indication, however, they have developed various hopes and fears. Back in the mists of antiquity, people were afraid of ghosts, gods and demons, in later eras of devils or witches, and today of viruses, climate change or terrorists. In all these cases, these were and are threats which menace human beings from outside, so called external risks.

In light of the damages which could possibly arise, many people overlook the fact that there are also internal risks for which they themselves are responsible. If they fail to identify these or underestimate them, the result will be failures or distress, such as for example loss of credibility, mismanagement or burnout. In this case, looking for external culprits is no remedy, but instead exacerbates the damage.

Allianz Global Corporate & Specialty (AGCS), the industrial arm of the Allianz Group, carried out a series of analyses in its Research & Development division to find out what the greatest risks for its customers will be in the future. These customers include not only large companies, but particularly their employees and executives. We have detailed the key findings of these analyses below.

The best known global risks of our time

With the aid of an international group of experts, the World Economic Forum identified the major risks the world faces and published them in the Global Risk Network Report in 2009.

They are assessed according to likelihood of occurrence, loss expenses and human casualties. According to the analyses, the greatest risks include food price volatility, asset price collapse, fiscal crisis, slowing Chinese economy, chronic disease, international terrorism, extreme climate change-related weather, pandemic and critical infrastructure breakdown.

These are the typical risks seen in an industrialised country from the viewpoint of an objective observer and which – should he be affected personally – impact on him from outside. They all bear the characteristics of external risks, that is to say, of risks which are caused outside individuals’ own sphere of responsibility. They attract the largest portion of public attention and today appear to be the major risks for the individual, for companies and for society as a whole.

Our own analysis of the most important global developments and the risks and opportunities they entail revealed the following topics:

- Further increase in the human population (?competition for resources, migration, ?urbanisation)

- Climate change (?space weather, holocene/ice age transition)

- Increase of intangible needs (?demand for health, wellness, love, knowledge)

- The gap between rich and poor continuing to widen (?expansion of the security economy, ?change in the function of money)

- Technology development continuing to accelerate (?scarcity of classical resources and energy, ?development of new forms of energy).

External risks which could gain significance in the future therefore include for example:

- Geomagnetic storms during the next period of maximum solar activity in 2012, resulting in potential blackouts in critical infrastructures

- Monopoly risks for hardware and software in information technology, which also lead to ongoing blackouts

- Vaccination disasters during preparation for pandemics because of increased time pressure in production

- Loss of data security in internet traffic despite encryption.

Apart from these, there are also the internal risks, that is to say, those for which the observer himself can be accountable. For individuals, these include egotism, ambition, resistance to change and pessimism. Within companies, additional risks arise as well, including for example blind faith in figures, lack of checks and balances, tunnel vision or short-term thinking. Usually, the internal risks are pushed to the background in light of the apparent portent of the external risks.

Many employees and executives find it relatively easy to manage external risks, but quite difficult to address internal risks openly. Therefore it is more comfortable not to deal with them or to classify them as less important. Furthermore, no comparison takes place either as to which risks – the internal or the external ones – can cause the greatest damage, particularly because there are no simple benchmarks for comparative risk evaluation.

The greatest risks for companies

The question about the greatest risk facing a company could be answered just as easily as the question about the greatest risk facing human beings. The simplest answer would be: “death”.

In this comparison between human beings and companies, we notice that only the human being inevitably has to die. While humans can live to about 120 years of age at the most, the lifespan of a company is not necessarily limited. There are numerous companies around the world that reach multiples of this life span, with some more than 1,000 years old.

This gives rise to the following questions: “What gives these companies their longevity?” and “What risks are life-threatening and which are deadly for companies?”

AZT Risk & Technology GmbH, the leading consulting entity of AGCS for risk engineering, safety, and technology carried out numerous consultancy projects in the past. As part of a survey of risk awareness in German conglomerates, some 300 executives were asked in an interview which risks they regarded as particularly threatening to the survival of their company. The following dangers were named most commonly – starting with the highest frequency:

- “… Competition …”

- “… Changes in consumption and consumer behavior …”

- “… Employee demands …”

- “… State regulatory policy …”

- “… US mortgage lending risks and financial market turbulence …”

- “… US dollar exchange rate …”

- “… Developments in raw material and energy prices …”

- “… Ratings …”

- “… Shareholder behavior …”.

What is striking is that almost all these responses share the same characteristic of being an external threat affecting the company from outside. Only about one percent of respondents regarded an internal risk as being conceivably a risk which could threaten the survival of the company, that is to say, a risk that is generated within the company, like for example:

- “… Sabotage of data protection by adept insiders …”

- “… Loss of expertise through inability to maintain key competencies …”

- “… If I make a wrong decision as CEO …”.

This low share of responses mentioning internal risks could easily be explained by the fact that disclosing internal risks in a survey that is carried out by an insurance company is not desirable under corporate policy. However, there is another possible explanation, because top management could very well have only limited knowledge of internal risks. The explanation for this might lie in the survey we took among middle management and lower levels of corporate hierarchy at the same time. The share of their responses mentioning internal risks was considerably higher at about 30 percent. We also discovered that the flow of information, particularly in the direction of higher levels of hierarchy, does not function so well for these risks as it does for external risks.

In the same survey, the various levels of hierarchy were also asked about the reasons for any failures they experienced and any set goals they did not achieve. The qualitative and quantitative distribution of these responses was identical across all levels, that is to say, external reasons were named primarily.

External attribution

In psychology, this external causal attribution or allocation of blame is termed “external attribution”. This thought pattern is widespread in both professional and private daily life. It is frequently expressed when the people concerned are reporting about workplace conflicts, road traffic accidents or marriage crises: the other party is almost always at fault. This is also expressed in most annual reports when the reasons for failures or losses in the reporting year are being described. And it can be found with similar regularity among the pages of the risk report listing the possible reasons for not reaching set targets in the future. For example, the risks foreseen for the future by the 30 DAX companies in 2008 and 2009 were almost exclusively external risks:

- “… Losses due to global recession …”

- “… Disruptions in the supply chain …”

- “… Product imitations …”

- “… Price volatility among raw materials …”.

It was only recognised in a few cases, particularly in the financial services sector where risk awareness is better developed, that internal risks can also have serious effects, like for example:

- “… Negative effects of management’s business strategy decisions …”

- “… Limits of our own risk models …”.

Not only in Germany, but also worldwide, there are global players that do not mention any internal risk factors in their annual reports. The willingness to address this issue openly and self-critically is greater in many companies in the USA, for example, than in Europe. These risks are then typically presented in a generic manner:

- “…If we are not able to achieve our overall long-term goals, the value of an investment in our company could be negatively affected …”

- “… If we are unable to maintain our brand image and corporate reputation, our business may suffer …”

- “… Our risk management and loss mitigation efforts may not effectively mitigate the risks we seek to manage …”

- “… The integration of … may not be successful …”

Based on analyses about the successes and failures of 50 top managers (primarily in Germany and the USA), we examined how the thought pattern of attribution differed among more or less successful people. The results are clear:

1) The more frequent and the larger the failures are, particularly at the end of a person’s working career, the more frequently only external attribution is used to explain. In contrast, these people use internal attribution only when giving reasons for their few personal successes. Managers who are failures do the opposite when explaining the success and failure of other managers.

2) People who are constantly success-oriented behave completely differently. They look for and recognise both internal and external attributions for every success and for every failure. They also apply this behavior when explaining the successes and failures of other people.

Causes of worst cases

As an AGCS analysis of companies’ most spectacular major loss events over the last decades shows (oil tankers, nuclear power stations, oil rigs, skyscrapers, chemical factories and aircraft were particularly affected), the companies survived the loss event although the financial loss was as much as several billion US dollars. This might be due in no small amount to their good insurance cover.

However, in the same period, a raft of other well-known companies also suffered spectacular losses and subsequently ceased to exist (for example from the automotive, aeronautic, banking, insurance and energy sectors). What is significant is that no externally influencing or physical events preceded any of these business failures. This shows that internal risks can cause financial damages that are 100 times greater than the external ones.

The greatest threats facing companies are not related to unforeseeable external events, but to ongoing, observable conditions existing within companies.

The causes of the breakdowns or of the internal risks could be summarised, as commonly seen in several media, under the headings of “management failure” or “mismanagement”. The following causes, for example, could be listed under these headings:

- Wrong strategic decisions (short-term thinking, overcapacity, overdiversification, selection of unsuitable advisors, monocausal thinking)

- Lack of leadership (technical incompetence, hubris, lack of credibility, negative role model behavior, lack of self-criticism)

- Lack of separation of powers (dependencies between supervisory board, management board and auditors)

- Corporate crime (corruption, embezzlement, personal gain, creative accounting, fraud)

- Lack of innovation.

However, attempting to lay the blame solely at the feet of management points to a lack of systemic thinking, for ultimately the quality of management depends not only on the people carrying out the function, but is always the result of the interplay between them and the owners, employees, the market and society as a whole.

Risk management system

Since time immemorial, business owners have relied on instruments and the people around them to overcome risks successfully. The bigger the company, the wider responsibility has to be spread, for example across controller, auditor, actuary, safety officer, accountant, lobbies. New areas of risk are constantly being added and new “tools” constantly have to be developed, for example information protection, compliance, sustainability development. Today, however, risk management has to play the key role in dealing with risks in large companies. The significance of this task is frequently underestimated.

Identifying and assessing risks reliably is a difficult skill that not only every person, but also every company, has to be able to master individually for themselves. There is no list and assessment of risks that can be transferred 100 percent from one company to another. To make their task easier, many companies rely on a – to a large extent standardised – risk management system which was installed by risk management service providers. Most of these systems are computer-aided and focus primarily on external risks, like for example market risks, credit risks, exchange rate risks, interest rate risks or regulatory risks. In these cases, the risk management system itself is a new risk. Generally, only a few internal risks are listed and are given lower priority, for example IT outage, compliance violations, industrial accidents, fire.

If high importance is not placed on self-criticism in a company of this nature, selective risk awareness can lead to the worst-case loss.

An AZT analysis of the risk management systems of companies that went bankrupt showed that most frequently the collapse was triggered by the following in-house causes:

- Thinking in terms of figures instead of systemically

Example 1: Every risk is evaluated quantitatively (probability of occurrence, extent of loss) at a particular point in time and a measure budgeted for it according to a ranking scale. In this process, two errors are made repeatedly:

a) No follow-up is made to assess whether the evaluation and thus the ranking have changed over time

b) No analysis is made to check whether the various measures taken generated new risks.

Example 2: Depending on the level of risk assessed, risks are classified into categories with different action requirements, for example “not tolerable”, “must be reduced” and “acceptable”. Such classification does not allow for the fact that a number of acceptable risks can combine to become a risk that is not tolerable.

Example 3: Significant qualitative factors have been identified (for example demotivation, loss of expertise, taboos), which cannot be assessed using quantitative evaluation methods, however. Because the computer-aided system cannot process them without figures, they are not entered into the system and as a consequence are not managed.

- Thinking in terms of specialist discipline instead of interdisciplinarily

Example 1: The risks are identified – if at all – and assessed only by the specialist discipline which generates them. Because of a lack of knowledge about the consequences, secondary effects and delayed effects in other disciplines, these are not taken into consideration. In addition, because analysis by an independent and interdisciplinary body is lacking, tunnel vision becomes an organisational principle.

Example 2: Two companies are merged to utilise technological synergies. Risk analysis deals primarily with technological risks only. Risks pertaining to organisational psychology are not identified and are not managed. The two corporate cultures become enmeshed in a covert power struggle that prevents the utilisation of the technological synergies.

- Short-term orientation instead of long-term orientation

Example: Employees’ and executives’ performance is only rewarded subject to achieving short-term goals. No examination is carried out to determine possible negative effects of this performance in a subsequent period.

- Invisibility of risks at top management level

Example: No risk identification and assessment takes place for risks that are generated at the top management level. Lower levels of the hierarchy undertake no attempts to do this because of fears that such attempts will be sanctioned negatively.

- Insufficient experience among those responsible for risk management

Example: Responsibility for risk management is delegated to a newcomer to the company, who neither knows the systemic relationships within the company nor has sufficient life experience. Because he regards the position as a stepping stone to greater tasks, the task seduces him to posturing and to “whitewash” the results.

- Passing responsibility to the risk management department

Example: After a risk management system is introduced, the various divisions in the company feel they have been relieved of their responsibility. Because they count on the reliable functioning of the system, they increase their risks without informing the system accordingly.

In a nutshell companies are at risk because they ignore or underestimate their internal risks. To prevent this, a company’s owners or shareholders, as well as its management and employees, must ensure that the risk management system values internal risks at least as highly as external risks in the future. This valuation will not only enable losses to be reduced, but also allow successes to be increased.