The fire at the factory lasted just 10 minutes. The sprinklers worked as they were supposed to. Unfortunately for a handful of companies hustling after a major share of an expanding mobile phone market, that factory was full of semiconductors. And semiconductors can’t get wet.
The bolt of lightning that started the fire in Royal Philips Electronics’ factory in Albuquerque, New Mexico, on March 17, 2000, struck at the heart of supply chains for Nokia and Ericsson, two northern European companies that, along with Motorola, were dominating mobile phone sales at the time. Nokia and Ericsson were the biggest customers for chips produced at the Philips plant, and after the fire, officials at Philips estimated a weeklong disruption in chip manufacturing. A week became over a month. No chips, no phones.
Nokia was ready to handle the disruption, and within a year, its market share was up 2 percent. Ericsson, however, wasn’t so prepared. The company lost 2 percent of market share, announced an annual loss of over $1.6 billion, eliminated thousands of jobs, outsourced its mobile phone manufacturing, and brought in Sony for a fifty-fifty merger on its handset design and marketing.
But the Philips factory fire resulted from just one lightning bolt. Imagine the scope of economic loss in a hurricane, in a tsunami, in an earthquake. Or in a tsunami on top of an earthquake.
THE YEAR 2011 isn’t even over, but it already ranks as the worst year in history for economic losses caused by natural disasters. The 9.0-magnitude earthquake that flushed a tsunami through northern Japan in March caused $210 billion in losses, according to global reinsurer Munich Re. Add to that $20 million for earthquakes in New Zealand, $14.5 million for tornadoes in the United States, $7.3 million for Australian floods, and about 350 other events around the world, and the global disaster tab for the first six months of 2011 comes to $265 billion.
Of that $265 billion, Munich Re estimates that just $60 billion was insured— partly because of indirect business interruption costs not covered by insurance, but also because not enough business assets are insured in the first place. In fact, most years, well under half of all economic losses are covered. As for the rest? “The polite term is ‘self-insurance,’” says Brian Thomas, a sustainability consultant who runs the blog Carbon Based. The impolite term? “In many cases,” says Yossi Sheffi, author of The Resilient Enterprise, “when it’s one company’s problem, usually the company eats it.”
When disaster is a problem for many companies, Sheffi points out, the losses may be spread throughout society. For example, when the federal government makes an official disaster declaration, it sends aid to state and local governments, and it provides loans, tax relief, and other support to businesses and homeowners. However, even with government assistance, international aid, and insurance, companies that have fallen victim to natural disasters are likely on the hook for most of their losses.
And natural disasters are on the rise. According to the Intergovernmental Panel on Climate Change, an international body created by the United Nations Environment Programme and the World Meteorological Organization, global climate change has already started to affect the “frequency, intensity, and length” of some extreme weather events, such as droughts and cyclones. Munich Re, which has studied climate change for 38 years, notes that dramatic increases in the frequency and intensity of weather-driven disasters are “indications for a causal association for climate change.”
Munich Re data show disaster losses increasing from $75 billion in the 1960s to $660 billion in the 1990s. European insurer Allianz SE projects, by 2019, a 37 percent increase in insured losses from catastrophes caused by climate change. Of course, in the regions of the world most exposed to natural disaster, such as cities and coastlines, the population has increased, as have industrialization and the wealth it generates—meaning that there is more value in the places that are most at risk. Just look at Florida’s population boom. In 1950, fewer than 3 million people lived in the hurricane-battered state. In 2010, it was almost 19 million. A 2006 estimate by the Hazards and Vulnerability Research Institute found that 91 percent of Americans lived someplace with at least a moderate risk of natural disaster.
Peter Hoeppe, who runs Munich Re’s Geo Risks Research division, was part of a team that investigated whether climate change was responsible for the rise in disaster costs after accounting for the increase of assets in at-risk regions. He and his co-authors found that to be the case, identifying a “climate variability impact”— a 4 percent rise in adjusted losses that “cannot be explained by socioeconomic factors,” such as rising population.
Whether or not global climate change is responsible for an increase in disaster-related economic losses is still being established. But the fact that the number of disasters is increasing—and costing more money—is clear. With that in mind, companies might do well to examine their vulnerability to catastrophe. Companies often portray their global presence as an asset, but when the increasing frequency and intensity of natural catastrophes are factored in, they need to think about it as global exposure as well.
WALMART HAS MORE than 9,000 stores spread across 28 countries. Ten of those stores are within 15 miles of New Orleans. So, during the last weekend of August 2005, a lot of people in Bentonville, Arkansas, were nervous. Nervous but prepared. The company already had specific plans for hurricanes. “[The company] triggered a response every time a storm vaguely came in its direction—at a ‘tropical storm’ designation, not even ‘hurricane,’” says David Ingram, executive vice president with global reinsurer Willis Re. “They calculate a cost of business disruption each time there’s a warning.”
Walmart began making calculations about Katrina before the storm even had a name. Six days before landfall in Louisiana, while the storm system was still 350 miles east of Miami, Walmart started collecting data. It looked at purchasing patterns at stores in areas likely to be hit by hurricanes, matched it with meteorological data on Katrina’s potential path, and shipped items accordingly. It sent generators and dry ice, established communication patterns, and assigned roles for employees to deal with damage on the ground. “When Katrina hit and the whole region was out of business, Walmart was open for business the next day,” Ingram says. “Their parking lots became staging areas for most of the response teams.”
Walmart had a systematic risk-management process in place years before the storm hit. In the 1990s, Walmart’s CFO tasked a vice president with developing a companywide risk-management strategy. The resulting plan identifies the most important risks by plotting them on x and y axes for probability and impact. A leadership team votes on risk prioritization. Staff from many departments talk about risk mitigation and lay out procedures to deal with each risk. Then they figure out roles for those procedures, set timelines, measure whether plans actually mitigated the risks, and calculate the overall effect on finances.
Such an enterprisewide approach to risk management has a name: enterprise risk management, or ERM. Since it first gained prominence in the 1990s, ERM has achieved buzzword status, and an industry has built up around it. You can get ERM software from SAS. You can get a master’s degree in ERM from St. John’s University. You can choose from legions of ERM consultants.
Stuart Greenbaum, a professor at Washington University in St. Louis’ Olin Business School, says that, beginning with the savings and loan crisis, “this series of calamities we’ve had has prompted a new level of corporate discipline embodied in this code of enterprise risk management. It elevates corporate oversight to a higher level.” ERM advocates describe earlier risk- management practices as “siloed.” Each department might have had a risk manager, but they didn’t communicate, and they didn’t have much influence with upper management. The new approach is systemic (or “holistic,” as its advocates often say) and expects formal support at the highest levels of management. Sustaining the movement is pressure from the outside: Investors, regulators, and even ratings agencies are eager to see well-documented ERM practices. (In 2008, Standard & Poor’s decided to base corporate ratings partly on a review of companies’ ERM.)
The ability to quantify risk down to the finest detail is one of the most attractive selling points in ERM, especially when it comes to “tail risks”—the high-impact, low-probability events that can completely wipe out an organization. “They are the most improbable of disasters,” Greenbaum says, “but with the most calamitous of outcomes.”
The collapse of Japan’s Fukushima Daiichi nuclear power plant was a tail risk. There’s no question that it was a high-impact event. Japan gave the nuclear crisis the highest rating there was: 7 out of 7, the same as Chernobyl. It was also a low-probability event. Engineers must have considered 14-meter waves unthinkable because the plant was built to withstand 5.7-meter waves. “It’s a very human response to imponderables,” Greenbaum says. “What do you do with an imponderable? You don’t ponder it.”
However, as much security as quantification can provide, overreliance on quantification is its own risk. Anette Mikes studies risk management as an assistant professor at Harvard Business School. In an expert panel conversation published in the October 2009 Harvard Business Review, she noted the danger in replacing human judgment with the “scientification” of risk. “Models are not decision makers,” she said. “People are. So the real issue is the culture you have around modeling.” Indeed, the final report of a national commission created by Congress to “examine the causes” of the U.S. financial crisis of 2008 repeatedly cited failures of risk management, including relying too much on quantification. “Financial institutions and credit rating agencies embraced mathematical models as reliable predictors of risks, replacing judgment in too many instances,” the commission wrote.
The quantification of a company’s exposure to disaster, even if it is practiced judiciously, can’t happen in a vacuum. If a company’s CEO and board are not invested in ERM, then the effort is wasted, as it was in the financial crisis. “I happen to sit in downtown New York,” says Willis Re’s Ingram. “What you hear from risk-management people in firms that had trouble is that they had trouble getting a meeting with anyone with any decision-making power.”
A 2008 study by property insurer FM Global unearthed an alarming statistic. “Ninety-six percent of financial executives surveyed said their companies have opera- tions that are exposed to natural catastrophes like hurricanes, floods, and earthquakes,” the company wrote in a report called “Flirting with Natural Disasters: Why Companies Risk It All.” “Yet fewer than 20 percent said their organizations were ‘very concerned’ about such disasters affecting their bottom line.” The study also found that half of companies reported not being “well-prepared” for a hurricane, yet 80 percent were exposed to hurricanes.
Walmart is an example of what can go right when a CEO and lower management are in sync when it comes to preparing for risks. But not every company has Walmart’s resources. It can be expensive to prepare for tail risks. The farther out on the tail you go, the more resources you need to devote to preparing for those risks. “One way of overcoming the economies-of-scale disadvantage with a small company is by increasing the risk,” said Ingram. For example, you can skip out on insurance you think you can’t afford. But one day you may find you can’t afford not to have it. “It’s like that old commercial,” he says. “‘Pay me now or pay me later.’ It looks good until the earth starts shaking.”
FIVE YEARS BEFORE the Philips Albuquerque plant caught fire in 2000, an episode of supply chain problems caused Nokia to miss out on several million dollars in sales. The CEO didn’t want that to happen again, so he asked an executive named Pertti Korhonen to figure out a way for the company to find out quickly when a problem was threatening to become a crisis. Amit Mukherjee, president of Ishan Advisors in Massachusetts, studied the resulting change in Nokia’s culture. “From the point of view of process, they created an incredible sense-and-respond process,” he says. The new culture allowed “an immediate sense of something going wrong in the environment.”
Korhonen has had 11 years to reflect on the lessons of the Albuquerque fire and apply them to disaster preparation at Outotec, a Finnish company that provides technology for processing minerals and metals. It’s a $1.3 billion company with 3,300 employees based in 24 countries. That’s the kind of exposure to disaster that demands systematic risk management. “There has to be an approach,” Korhonen says, “that forces one to stop, sit down, and instead of just executing day-to-day business, put your risk-management hat on, think what could go wrong, and prepare backup plans for that.”
When Nokia’s CEO first asked him to protect the company’s supply chain, Korhonen looked beyond headquarters, focusing on the strength of the company’s relationships with customers, technology partners, and suppliers. Nokia set up a system in which someone would call suppliers once a week to confirm the next week’s deliveries. After the fire at the Philips plant, “someone in production simply picked up the phone and didn’t get the answer he was expecting,” says Mukherjee. Nokia then put those semiconductor chips on an already existing “special monitor” list and began checking it every day.
Why did Nokia spring into action after just one phone call placed by someone in the procurement department? Because Korhonen, then Nokia’s top troubleshooter, believed that bad news should travel fast. “The reason why things become problems,” says Mukherjee, “is that people don’t have information early enough to do anything about it. Most companies have a simple policy: Don’t share information unless you have to.” It should be the other way around, he says. Of course, sensitive information should be protected, but the vast majority of information should be shared. It was this approach, Mukherjee believes, that helped save Nokia after the fire.
Communication is one thing, execution another. Fortunately, part of Korhonen’s risk-management plan—also backed by his CEO—was to give lower-level executives the authority to make decisions on the fly. Nokia’s culture kept its employees informed and in constant communication, and power was distributed appropriately.
Ericsson was not ready to react to the Albuquerque fire—the head of its mobile phone division didn’t even know about the fire until more than two weeks after Philips put it out. The company eventually found its footing after merging with Sony. But when the March 2011 Japan earthquake struck, Sony Ericsson took another major hit on its supply chain. CEO Bert Nordberg referred to April 2011 as a “formidable catastrophe.” The quake shut down the company’s Japanese suppliers, and Sony Ericsson had to redesign handsets to accommodate substitute components. “Had it not been for the earthquake and the supply chain constraints,” Nordberg told Dow Jones Newswires in July, “we would have shipped 1.5 million more units and we would have been profitable during the second quarter.”
As Korhonen continues to oversee Outotec, he recognizes that his approach to disaster preparation isn’t going to win him any gold stars, especially if no more disasters cross his path. “The challenge is that there is no instant payback,” he says. But if you do good, proactive risk management? Eventually, Korhonen says, “it pays back.”