The Greatest Threats Posed to an Organization May Not Be the Most Obvious Ones
Written by Dr. Ernst Volgenau
I encountered an organizational approach to risk using probability and statistics many years ago as the newly appointed Director of Inspection and Enforcement at the US Nuclear Regulatory Commission (NRC). I read a report by a panel of experts on nuclear power plant safety which concluded that US power plants were likely to be very safe due to conservative design and redundancy.
The report interested me because my office of about 700 engineers, physicists, radiological biologists, and physical security experts inspected all the commercial power plants in the US. My charter was to conduct thorough inspections, issue appropriate penalties for violations, and also improve the inspection and enforcement program. I eventually submitted my recommendations and left the NRC in order to start a company.
About a year later, at Three Mile Island, a partial core meltdown occurred. So far as I know, no one was killed or severely injured, but according to the reactor safety study, it was a very low-probability event. How could that be? The answer is that although the design of the reactor was fundamentally sound, operators made mistakes and created an event that was not anticipated in either the design or the safety study.
It is probably true that no machine can be invulnerable to human error. This was not surprising to me. Among all of the power plants that we inspected, some were operated very well and others were poorly managed. However, the latter were technically in compliance with regulations, and our lawyers would not agree to enforcement actions which they felt we would lose in court. I concluded that CEOs and senior management teams of poorly managed plants were not interested in strong values and culture.
The nuclear accident at Chernobyl in the Ukraine was a different issue. Evidently both the design and implementation (procedures, training, and motivation) were weak. While at the NRC years before that accident, I toured a Soviet nuclear power plant. My hosts and I discussed the difference in Soviet and American designs. The Russians criticized our emphasis on nuclear safety, feeling that it was far too costly. However, they eventually paid a heavy penalty for their shortcomings.
My conclusions from these experiences are that risk abatement systems must be both well designed and properly managed and that effective management depends on good corporate values and culture.
If we could list all corporate risks, their penalties, and probabilities, then a good policy would be to minimize the total expected penalty. Unfortunately, such an approach is computationally unrealistic because we cannot predict well the penalties of risks or their probabilities. Even listing the most important risks can be formidable, such as: changes in the market, interruption of the supply chain, lawsuits of all types, cyber attacks, theft, natural catastrophes, and so forth.
Assuming we can agree on the most dangerous events, a risk matrix is an intuitive equivalent to complex calculations. The “y” axis is the increasing negative impact of risk events and the “x” axis is the likelihood of these events occurring. The objective is, through cost-effective measures, to keep these risks near the origin—that is, away from high-impact, high-probability events. The discussion can be simple and at a high level.
My company, SRA International, Inc., was exposed to a variety of risks over nearly four decades of business, partially because we went through a very broad span of business phases: one-person start up; four years on the list of fastest growing privately held companies; spinning out four information technology companies during the dotcom boom; the sixth most successful IPO on the New York Stock Exchange in 2002; five years of stock run-up, eventually reaching about $1.7 billion in revenue and more than 6,000 employees; two changes to the CEO and senior management team; a decrease in the market and resulting business problems; sale of the company to a private equity firm; and gradual recovery.
Nevertheless, we found that only a few factors significantly decreased shareholder value. First was loss of key people brought about by the transition of the management team. During this period of roughly six years, our values and culture gradually decayed. Senior managers, preoccupied with other problems, began to violate one of the key precepts of our Honesty and Service ethic: that is, taking care of our people.
The second most important risk factor was loss of key customers, also because of the decline in values. Quality work and customer satisfaction is one of our most cherished values. The departure of experienced, motivated middle managers resulted in the loss of important contracts—something that had almost never happened to us in the past.
A third risk factor was acquisitions, and it was also related to our values and culture. After only a few months in our company, the new CEO decided to buy a firm located in a foreign country that was involved in a business where we had no experience. Many of our seasoned executives thought that it was a risky move but were afraid to speak out because the CEO did not accept one of our longstanding cultural precepts (the best ideas win). The acquisition was terrible. We lost a lot of money, and in trying to correct this problem, were distracted from our core business.
The final risk factor was associated with diversification. We had previously diversified into new work closely related to our existing business, but then tried to move into attractive markets that we did not understand. Our attempted expansion wasted money and detracted from our basic business.
My conclusion from all of these experiences over nearly 40 years is that, while the board and senior management team should take precautions to deal with large expected risks, the greatest dangers to a successful organization are likely to be those that damage corporate values and culture.
Author Biography:
Ernst Volgenau has a wealth of management and educational experience. A Naval Academy graduate with a PhD in Engineering (UCLA), he spent 20 years in the Air Force, attaining the rank of Colonel, headed the Office of Inspection and Enforcement at the US Nuclear Regulatory Commission, and then founded and led SRA International, Inc. as CEO for 27 years, remaining Chairman for the rest of the company’s history. Not trusting solely his own judgment, the author collected the perspectives of others who had helped to build the firm.