6 The Art of Boat Spotting: Understanding Political Risks

Hans Læssøe was not sure where to begin, so he Googled “strategic risk management.” An engineer by training, Læssøe was a twenty-five-year veteran of the Lego Group, the privately owned Danish company best known for its Lego brick toys. It was 2006 and the Lego Group was in trouble. Global sales had plummeted and the company had narrowly avoided bankruptcy just two years earlier. Part of the problem was that executives had no systematic process for understanding, assessing, or managing strategic risks in an industry dependent on the rapidly changing tastes of kids and expansion into emerging markets. The Lego Group was understanding risks, all right, but they were operational risks like what to do if a machine broke down, a facility caught on fire, or the company’s legal team found trademark violations. A new chief financial officer began working with Læssøe to build a strategic risk management capability—including political risks—from scratch. They had no playbook, so Læssøe created one as he went along.¹

He started by gathering two dozen of the most creative thinkers he knew in the company across functions. Then he and his team brainstormed with key people from support functions such as product design, logistics, marketing, and compliance so that they could understand how risks interacted with different aspects of the value delivery chain. Læssøe’s group conducted its own half-day risk identification brainstorming session, then narrowed down the top risks to about a hundred. In addition to financial and economic risks, the group identified a number of political and strategic risks, including the start of a trade war between the United States and China; a physical threat to its vital factory in Monterrey, Mexico; and a regulatory change that would prevent the company from using certain materials to make its toys.²

Next he involved two veteran Lego Group executives with a broad view of the company to spend several days with him carefully and systematically estimating both the likelihood and the potential financial impact of each risk. “We asked ourselves: What is the likely revenue impact given a certain scenario? Why do we think so? How did we get to that number?” said Læssøe. They used mini-scenarios for each risk and developed a simple 5-by-5 scale to measure the probability and impact for each. Læssøe used numbers that he thought would be easier for most people to distinguish: A very high likelihood had a 90 percent chance of occurring, high likelihood meant 30 percent, medium likelihood was 10 percent, low was 3, and very low was 1 percent. Finally, Læssøe’s team went back to senior managers who needed to “own” each risk to get their feedback, ideas, and buy-in about risk identification, prioritization, and mitigation strategies. Læssøe believed strongly that risk leaders had to develop the risk strategy to own the risk. He saw his role as partnering with business managers in their effort to identify and mitigate risks, not serving as a compliance check on them.³

Ultimately, Læssøe’s initiative created a database of strategic risks—including political risks like what would happen if regulations suddenly banned the use of certain materials or if the United States and China engaged in a trade war—and a systematic, continuous process to engage every important business leader, including the board, in setting the risk appetite, understanding and identifying risks, and integrating risk assessment and mitigation into business planning.⁴

Rather than making the company more risk-averse, the process helped the Lego Group seize opportunities more aggressively,⁵ which contributed to a stunning turnaround. In 2015, Lego posted revenue increases of 25 percent, to more than $5 billion; net profits rose 31 percent to $1.3 billion; and with 350 new product launches, the company saw double-digit sales growth in nearly all of its markets.⁶ The Lego Group began thriving again thanks in large part to Læssøe’s innovations in risk management.

How can companies more clearly see political risks? There is no one process or tool that guarantees success. But there are many steps companies can take to get better at what Læssøe calls “boat spotting”—identifying big emerging challenges before you miss the boat.⁷

The most important one is realizing that understanding risks is not just about looking outside your office, at the risks “out there” in the world. It’s about looking inside your company—developing the core competencies and organizational culture for good boat spotting. As we’ll see, companies that understand risks well develop a common language for seeing and discussing risk systematically. They evangelize the importance of setting the risk appetite and owning risk across the company. And they work to harness creativity, perspective, and truth-telling to reduce blind spots.

The Lego Group

There is seeing, and then there is seeing. Risks are out there, but unless they are internalized and prioritized, companies are unlikely to take concerted action to manage them effectively.

It’s much like how many of us treat news about healthy living habits. We all know we should exercise regularly, sleep well, and eat fruits and leafy green vegetables instead of fried and processed foods. But few of us actually do these things. (Condi is one of them, exercising every morning even as secretary of state, and trying to get seven hours of sleep each night. “You don’t want me making decisions on behalf of the United States of America on four hours of sleep,” she told her staff.) Many people do not take the actions they know they should because the risk is general—and their life is specific. It often takes a wake-up call—a high cholesterol test, a back injury, or something worse that translates the general risk into a very personal one—to prompt concerted action.

The same is true for companies. Knowing or listing risks is the easy part. Internalizing and prioritizing the management of those risks is much harder. Asking these three questions—explicitly and often—can help turn knowledge of the risks “out there” into concerted action “in here,” where it can make a difference.

1. What is my organization’s political risk appetite?

Companies that manage political risk well start with a grounded general understanding of what risks they are willing to accept and what risks they are not. Their risk appetite is explicit, updated, widely known, and closely tied to business strategy.

As we noted in chapter 1, political risk always rides shotgun with reward. Weighing the risk and reward of a business decision depends on many factors. These include:

• Time horizon—How long will it take for an investment to pay off? Oil companies operate with very long time horizons. Retailers, less so. For Vinod Khosla, the founding CEO of Sun Microsystems and a leading Silicon Valley entrepreneur and investor, timing is essential. Khosla’s firm, Khosla Ventures, focuses on both for-profit and social impact investments. He recalled to us one particular technology start-up investment. His team assessed that there were substantial political risks that the start-up’s intellectual property would eventually be taken if it entered a foreign market. The question was how long before that happened. Khosla estimated that the start-up probably had a ten-year window to make profits, which provided sufficient returns to move forward. As Khosla Ventures notes prominently on its website, “Every plan has risks, and we both understand and cherish risk.”

• Alternatives—What other investment options is the company considering to put capital to work? One reason why oil companies end up in unstable places is that there is only so much good geology in the world.

• Ease of exit—If political risks become acute, is it possible to exit the market easily, by, for example, selling a foreign plant or investment to a local owner? How constrained are exit options by the type of investment at stake?

• Visibility to customers—How might political risks become reputational risks for your company’s brand that damage relationships with key clients?

Risk appetite also often varies in some systematic ways by industry type and firm size.

Some industries are naturally more accepting of risk than others. Consider manned spaceflight versus commercial aviation. In its thirty-year history, the space shuttle program fleet flew 135 missions with 833 total crew members.⁸ Two missions ended in tragedy—the 1986 Challenger accident and the 2003 Columbia accident, which together killed 14 astronauts.⁹ That’s a crash rate of 1.48 percent. If U.S. commercial airlines had the same accident rate as the space shuttle, there would be about three hundred fatal plane crashes every day.¹⁰ Fatal accidents are always tragic, but they are more expected in spaceflight than they are in commercial aviation because space is seen, correctly, as inherently risky. Astronauts understand that. Their risk appetite is large, and they are considered heroes precisely because everyone is well aware of just how dangerous the job is. Before he became the first astronaut to orbit Earth in February 1962, John Glenn saw the November 1961 explosion of an Atlas rocket with a monkey on board. When asked how he felt about his space mission aboard the same kind of rocket, Glenn joked, “How would you feel sitting on top of a machine with a million parts all made by the lowest government bidder?”¹¹ Commercial airlines would never stay in business with a risk appetite like NASA’s.

Consumer-facing companies like cruise lines, restaurants, and amusement parks confront public reputational risks that other industries (like extractive industries or business-to-business firms such as Oracle, Salesforce, or Dow Chemical) do not. Manufacturing companies tend to face greater political risks involving labor shortages, stoppages, and disputes. Apparel companies face particular corporate social responsibility risks involving working conditions and human rights in overseas facilities. Oil and gas companies are accustomed to operating in politically challenging environments where the “aboveground” risks of political crackdowns, corruption, instability, asset seizure, and violence are often persistent and substantial. Their investments can be driven largely by “belowground” geological factors instead of aboveground ones in part because consumers do not choose a local gas station based on where its unleaded fuel is sourced. By contrast, family-oriented entertainment companies like the Walt Disney Company are hyperaware of where and how they operate. Disney would never open theme parks in places like Nigeria, Libya, Venezuela, or Iraq. In fact, Disney has one of the lowest political risk appetites of any major firm in the world because executives have long recognized that the company’s brand is its most valuable asset.

Frequently named one of the most powerful global brands,¹² Disney has become synonymous with safe and magical family entertainment, whether through its theme parks, cruise lines, movies, or cable television channels. Customers admire, trust, and adore Mickey Mouse, and the company wants to keep it that way. That means aggressively monitoring and mitigating any political developments—from terrorist attacks to inhumane overseas labor practices in the manufacturing of Disney-branded apparel—that could negatively impact the reputation of the “happiest place on earth.” Disney was one of the first in a wave of companies after the September 11, 2001, terrorist attacks to develop a political risk unit, and has been a leader in political risk management ever since. As one Disney security executive told us, “Nothing hurts the mouse. It’s a zero-risk threshold across all lines of the business.”

“Nothing hurts the mouse. It’s a zero-risk threshold across all lines of the business.”

—Disney security executive

Perhaps the most important source of variation in risk appetite—and one that companies do not consider enough—is personal. Anyone who has ever watched kids in a playground knows that risk tolerance varies greatly by individual. When Amy’s two sons were young, they would go to a weekly preschool gym class that included obstacle courses. One son raced through, climbing, diving, and running as fast as he could. The other son never tried a single course. Instead, he would sit on the side, safely watching everyone else, memorizing how the different patterns of courses changed from week to week. Research has found that these differences in risk tolerance tend to be innate and lasting. One study compared the penchant for risk-taking among identical and fraternal twins and found that genetics explains as much as 55 percent of the difference between people’s willingness to take risks.¹³ Researchers have identified several genes, such as the “worrier” gene (COMT) and the “impulsiveness” gene (DRD2), that are associated with the tendency to take risks.¹⁴ (Beyond genetics, many factors, including geography, gender, age, religion, birth order, friends, and family, have been found to influence one’s risk tolerance.) Risk tolerance is not just about physical risks. Claudia Sahm, an economist at the Federal Reserve Board, surveyed twelve thousand respondents over a ten-year period about a series of hypothetical gambles of lifetime income. She found that risk tolerance differed greatly across individuals but was relatively stable for a particular person.¹⁵

Every year, we run a simulation in our political risk class in which five different Stanford MBA teams deal with the same political risks for the same hypothetical company, an American cruise line named Triton. The students receive detailed backgrounders on the fake company (including personnel and financial performance), the cruise industry, and key political risk considerations. Here is a short summary of the scenario:

In class, each team develops recommendations, presents its analysis, and fields rapid-fire questions from Triton’s board of directors (played by Amy, Condi, and class research and teaching assistants).

We have run this simulation for five years, involving 25 teams and 125 students. The results are pretty wide-ranging. About a third of the teams opt to remain in all existing Mexican ports of call but add various modifications to onshore excursions. About half the teams elect to shift itineraries across Mexican destinations (spending more time in Cabo, for example). And about one team every year or two decides to leave the Mexican market entirely. That’s a substantial amount of variance. Remember, all five teams each year have identical background information, and the students are part of the same business school community, taking the same core first-year courses. What’s more, this variance is not especially lumpy; we see a spread of different strategies each year. What best explains these outcomes? To be sure, this is hardly a scientific study, but we believe the answer lies in differences in the personal risk appetites of the team “CEOs” who are selected at random. Two moments drove this point home for us.

In 2016, two student teams took the exact same piece of data as justification for completely opposite decisions. The first noted that Mexico was “just 8 percent” of Triton’s business, so the company could afford to exit the Mexican market. The very next team started by noting that “Mexico is important to us, 8 percent of our business, and that could grow.” For one team, 8 percent was low. For another, it was high. The same information analyzed through different risk lenses led to different decisions.

Another time, in 2012, we were down to the last of our five team presentations. The four previous teams had all advocated strategies that involved remaining in Mexico, though some wanted to shift itineraries within the riviera while others wanted to beef up security and oversight of onshore excursions. Then Team 5 gathered in front of the room. The team CEO, Jessica Renier, was confident and adamant: Triton would pull out of Mexico immediately. You could feel the other students in the room suddenly growing uncomfortable: The herd had moved in the opposite direction. Jess and her team were alone, in front of their peers as well as the “board.” What exactly were they thinking? And why?

Condi and Amy remember pressing Jess. “What’s the business loss to the company for this sudden move?” Amy asked. “This is a big decision. How will you communicate this to your customers?” Condi queried. Jess stood firm. “Triton cruise lines has a zero-tolerance policy when it comes to safety and security issues involving our passengers. And we mean what we say. I’m the CEO. It’s my call, I stand behind it, and I want everyone to know that this is who we are as a company. I’ll take the short-term hit to my balance sheet. The risk of one passenger being harmed is exponential, and you can’t ever anticipate how bad that will be.” The room was abuzz. It was a bold and commanding presentation. And it stemmed entirely from Jess’s deep-seated views about what risks she was and was not willing to accept as the leader of her hypothetical company. Before the board presentation, we had observed all of the team deliberations and we knew that Jess’s team was evenly split about what to do. The decision was hers.

Later, Jess offered these reflections:

• I remember thinking that it came down to my call. Whatever it is, in my opinion, with political risk you have to make a bold call. You can’t “split the baby.” By trying to compromise, you open yourself to both risks. Which is the worst decision instead of just calling it one way or the other. I made the decision and just told the team, “This is the decision that I am going to make.”

• Evaluating the risk, we looked at general business trends. Tourism in the area was going down. You generally want to look for growth markets. I remember other teams arguing that we should stay because if everyone else leaves, then we can dominate the market. If the degree of risk is so bad that everyone is leaving and you are the one that stays, that’s not a reason to stay. It’s not a reason you want to be known for owning the whole market share.

• Stats only get you so far. That’s true in all political risk situations. When evaluating risk, you get inundated with stats and information, and the first thing you have to do is immediately cut out the stuff that doesn’t apply. Or else it can cloud your decision.

There was no right answer to the simulation. The point of the exercise was to explore how and why different groups of people come to different judgments about political risk when facing the same situation. Jessica Renier made a call that most of her classmates did not because she had an innate view about what the company’s risk appetite should be and what role the CEO should play.

Companies, like individuals, often see the same risks differently. They develop with specific cultures, identities, and ways of viewing the world that filter data in different ways. Yes, risk appetite does vary systematically across industries, as we noted above. Disney and Chevron are unlikely to accept the same levels of political risk to their businesses. But that does not mean firms should make the same political risk calls just because they are within the same industry. In Iraq, for example, both ExxonMobil and Royal Dutch Shell originally made a strong play to sign exploration and production contracts with the Kurdish regional government during 2011. Both companies were well aware that they faced substantial political risks operating in northern Iraq at the time. These included a decades-long independence movement by Iraqi Kurds, disputed territorial claims between the central government and the Kurdish regional government over the oil-rich lands involved in the contracts, unresolved legal conflicts over the management and distribution of oil revenues across Iraq, and a fledgling Iraqi democratic government struggling to contain sectarian violence. When Baghdad learned that the Kurdish regional government had signed an oil deal with ExxonMobil, the first industry “supermajor” to do so, the central government in Baghdad threatened to cancel Exxon’s contract to develop a major oil field in the southern part of Iraq. The threat was significant: Southern Iraq offered some of the largest potential oil reserves in the world. Despite the threat, Exxon held firm, betting that Baghdad would let both deals go through. Shell, however, was not willing to take that chance. It called off its talks with the Kurds to preserve its contracts in the south. Two supermajors faced the same choice at the same time in the same industry. Neither one was wrong. Each made the best call they could based on a clear understanding of their own risk appetites.

The most important thing about risk appetite is that you know what it is. This sounds obvious. It isn’t. In many organizations, risk appetite is assumed. It’s implicit. Everyone thinks they understand it. But it is much better to make the risk appetite as explicit as possible, for three reasons. First, as we noted in chapter 4, human cognition is a tricky thing; even when we have the same concrete facts, we can and do interpret them differently. The second is turnover: New people are always entering an organization, and they may walk in the door with a very different understanding of what the company’s risk appetite is or what it should be. Third, risk is dynamic. It is always changing, and a company’s risk appetite may shift with it. As Royal Caribbean president and COO Adam Goldstein told us, “To be successful in managing political risk is very much an ongoing undertaking. It’s not episodic.” If everyone thinks they know what the risk appetite is but nobody ever discusses it, misunderstanding is more likely. Making hidden assumptions less hidden improves decision-making, whether it is for economic modeling, intelligence analysis, or corporate strategy. Companies that explicitly set their risk appetite are more likely to develop a coordinated, effective, and nimble approach to risk management.

There are many ways to establish the risk appetite. At Suncorp Limited, a leading insurance and financial services firm in Australia, the firm’s risk appetite is developed deliberately each year. “We formally set the risk appetite annually, and that’s tied into our strategic planning cycle and process,” says Clayton Herbert, Suncorp’s chief risk officer. The process “sets the boundaries within which strategies are built.”¹⁶ At Canadian electricity company Hydro One, chief risk officer John Fraser facilitates a handful of workshops each year where he asks employees from all levels and departments to identify and rank the foremost risks they feel the company faces. Employees use an anonymous voting system to rate each risk on a scale of 1 to 5 based on its impact, the likelihood of occurrence, and the strength of existing controls. Fraser then uses the rankings for discussion at workshops, and employees are given the opportunity to share and debate their risk perceptions. Based on the discussion, the group develops a company-wide consensus that is recorded on a visual risk map, recommends action plans, and designates an “owner” for each major risk.¹⁷ The specifics vary by company, but the best practice is the same: Start by asking what your organization’s risk appetite is. If you do, the business will be better positioned to make good decisions about what risks to accept, and why.

2. Is there a shared understanding of our risk appetite? If not, how can we foster one?

The second question every business leader should ask is closely tied to the first: Is there a shared understanding of the company’s risk appetite? It is not enough for a CEO, a chairman of the board, or a senior executive team to know the company’s risk appetite. Everyone needs to know it. Shared understanding across the organization is crucial. If political risk management is the responsibility of just the “risk people,” you’ll be in trouble. The best companies ensure that political risk is everyone’s business, from the boardroom to the sales floor, and spend a great deal of effort evangelizing so that everyone shares a common language for discussing risk, a consistent and repeated process for identifying risk, and a sense of ownership about risk.

At Disney, the shared understanding about “not hurting the mouse” pervades the company. As a Disney security executive told us, “It’s weirdly inculcated in every business leader.” Disney “is one of the greatest places” to do political risk management, said the executive, “because everyone accepts that what you’ve got is going to be valuable. You’re not bugging anyone when you give them bad news. I don’t know how that got transmitted, but it’s there.”

Many leaders in political risk management develop formalized processes for identifying and evangelizing risk, raising both awareness and understanding across business units. Paychex has one of the most creative. A public company with more than a hundred offices serving more than half a million small and medium businesses, Paychex has been providing payroll, human resources, and benefits services since its founding in 1971. Each year Paychex’s risk management team holds what they call the “Tournament of Risk,” modeled after the NCAA men’s basketball March Madness tournament. About two hundred top leaders, from every business group and functional unit (including IT, finance, marketing, and sales), meet to collectively review sixty-four top risks identified by the risk team based on estimated impact, likelihood, speed, and other factors. During the tournament, risks such as credit risk, regulatory risk, and data security “compete” against one another in brackets where all two hundred business leaders get to vote electronically. The winning risk with the most votes in each head-to-head match then advances to the next round of “play.” One year, for example, pricing took the top prize. Frank Fiorille, Paychex’s senior director of risk management, emphasizes that the final risk scores don’t particularly matter. “The ultimate goal for the Tournament of Risk is to gain collective feedback from senior leadership,” he said. “It is one way to get executives engaged and interested in risk.”¹⁸

The Mexican company Cemex is one of the world’s leading building materials companies, with forty-three thousand global employees, trade relationships with more than a hundred countries, and $15 billion in annual sales.¹⁹ At Cemex, the chief risk officer and his team prepare a global risk agenda for the company two times a year—more often if events warrant it. The global risk agenda includes both country-and corporate-level issues, and engages all top managers to identify risks and suggest ways to mitigate them. The results are presented to the executive committee of the board, “so they are always aware of the issues that we’ll be facing,” notes Enrique Alanis, Cemex’s chief risk officer. Alanis views communication, or, in his words, “evangelizing about risks and our preparedness,” as an integral part of his job.²⁰

At the Lego Group, identifying political and other strategic risks is now integrated into the business strategic planning process.²¹ Over the past decade, Hans Læssøe designed the risk management function to develop a common understanding of risk appetite, a shared language for discussing risk, and clear ownership of risk throughout the company. All project managers at Lego must be trained in risk management. Probability and impact of risks are rated along consistent quantifiable metrics. And the risk team calculates a “net earnings at risk” each year that management and the board use to set Lego’s risk appetite and estimate its risk exposure.²²

What Disney, Paychex, Cemex, and the Lego Group have in common is buy-in from the top about the importance of understanding and managing political risk, practices that create shared knowledge of the company’s risk appetite, and a system that ensures there is focused responsibility for owning specific risks. In all of these companies, the risk appetite is clear, widely held, and updated. There is enough guesswork in the political risk business as it is. Knowing your own company’s risk appetite should not be part of it.

3. How can we reduce blind spots?

Every person and organization has blind spots. The trick is figuring out ways to reduce them so you can see emerging risks before it’s too late. Paychex’s Fiorille is particularly concerned with what he calls “risks around the corner,” whether they are market trends or changing political conditions. “I always think that it’s the bus that you don’t see coming is the one that runs you over,” said Fiorille. “The emerging risk piece is the key.”²³

Vivek Karve, chief financial officer of Marico, a leading Indian consumer goods company, is especially concerned about risks that arise gradually around the corner. “Some aspects of how any business is conducted can be slow killers,” he notes.²⁴ One such risk is consumer activism in India. “Inability to deliver quality goods to consumers is one of our top reputation risks. Marico has invested significantly in ensuring that top quality products are delivered to its consumers,” he told Deloitte in its 2014 annual reputation risk survey.²⁵ Another slow-killing political risk is environmentalism. “Companies that disregard the environment in pursuit of profits may well find that this could come back to bite them,” notes Karve. Marico is so concerned about rising environmentalism that it has already started going green, shifting to PVC-free packaging and using renewable energy for 90 percent of its needs.²⁶

There are three ways that organizations—from toy companies to spy agencies—reduce blind spots and better see risks around the corner: imagination, walking in the shoes of others, and processes that prevent groupthink at the top.

Imagination: Lessons from Star Trek

The Star Trek brand, which started with a television series in 1966 and has generated a television and movie franchise in the fifty years since, features two lead characters who provide a nice way of thinking about the role of imagination. Captain Kirk is the dashing, maverick captain of the starship Enterprise. Kirk is creative, unorthodox, and emotional, a man who flouts convention and has a sky-high appetite for risk. Lieutenant Commander Spock, Kirk’s second in command, is the opposite. He is half Vulcan, a people who are devoid of human emotions and operate solely on the basis of logical reasoning. Though Spock’s human half occasionally surfaces, he is notoriously data-driven, logical, and focused on following established procedures and conventions. Kirk and Spock are each flawed characters who would surely fail alone. But together, they have a yin and yang of imagination and analysis, action and thought, rule-flouting and rule-following that always wins the day.

This make-believe dynamic duo conveys a real-world message: Kirk and Spock are far more effective together than they are apart. The same is true with risk identification and analysis.

Risk analysis, which we turn to in the next chapter, is Spock—it is about hard-nosed, unsentimental analysis of facts. Risk imagination is much more Kirk. It is about creativity, emotion, and thinking about what could be, not just what is. Pure analysis without imagination can fail to see when history curves, when trends emerge that make discontinuous change more likely. Pure imagination without analysis can also lead to failure by focusing on futures that will never happen instead of realities that are already here. It takes imagination to understand risks. It takes structured thinking to analyze them. Like Spock and Kirk, imagination and analysis are better together.

Understanding risks as a first step is an exercise in imagination. J. Tomilson “Tom” Hill serves as the vice chairman of the Blackstone Group and president and chief executive officer of Blackstone Alternative Asset Management, the largest discretionary investor in hedge funds in the world, with $69 billion in assets under management as of July 2016. Blackstone also has skin in the game, with $1.8 billion of the firm’s and employees’ assets under management. Thinking about risks of all types is core to everything Hill does. “Our institutional investors,” he says, “expect us to protect their capital in every different scenario.”²⁷ Hill and his team start with imagination. They are always thinking about what could change in the world that would affect Blackstone’s investments. “Frequently the consensus is wrong,” Hill told us. “People assume things will continue this way forever… The biggest mistake is believing the future will look like the present. It almost never does.”

“The biggest mistake is believing the future will look like the present. It almost never does.”

—Tom Hill, president and CEO, Blackstone Alternative Asset Management

At FedEx, founder and CEO Fred Smith has long treated risk identification and management as a board-level and senior management issue, not just an operational one. Chapter 8 examines how FedEx mitigates risks operationally at its Global Operations Control Center in Memphis. But as Smith told us, “We look at [political risk] more at the senior management level as one of the most important things we have to manage.”

In the 1990s, Smith was serving on board audit committees of other companies when he noticed something important: The audit committees were talking increasingly about information technology issues, not just budget issues. So he decided that his FedEx board should focus more on IT issues, too. They set up a board information technology and oversight committee. And over time, FedEx recruited new board members with IT and cyber security expertise such as Judith Estrin, who served as Cisco’s chief technology officer and Silicon Valley technology pioneer, and John “Chris” Inglis, former deputy director of the National Security Agency. Ten years ago, Smith also elevated the chief information security officer and began working with cyber security companies like Mandiant to improve FedEx’s defenses. Smith was able to move faster than many companies because he first noticed trends while serving on other boards, and he made sure that his own board would have the expertise to understand and manage what he calls the “looming cyber risks.”

Companies also use an array of specific tools to help spot emerging risks. The Lego Group uses Google Trends, which shows word searches by region over time going back more than a decade, to try to see trends that could present risks or opportunities for company products.²⁸ Paychex’s “Tournament of Risk” uses “gamification”—turning an analytic exercise into something competitive and fun—to get creative juices flowing. Many organizations, from Blackstone Alternative Asset Management to Shell, the Lego Group, the U.S. National Intelligence Council,²⁹ the World Economic Forum, and the University of California, Berkeley’s Center for Long-Term Cybersecurity, use scenario planning.³⁰ To keep it interesting, the Lego Group even gives its scenarios fun names like “Murphy’s Surprise” for its scenario on trade protectionism and lack of resources, and “Brave New World” for one on significant growth driven by Asian markets.³¹ (We will talk more about scenario planning dos and don’ts in the next chapter. The point here is that scenario planning is first and foremost a tool to spark imaginative thinking about risks around the corner.)

War games are also becoming increasingly popular tools to identify and understand risks. Used in the U.S. military since 1886, war games are exercises that are designed to provide a better understanding of future possibilities and current weaknesses in thinking and capabilities by simulating an interaction with an adversary and seeing how that interaction unfolds.³² One of the most frightening results occurred in a 1983 Pentagon war game called Proud Prophet, which was declassified a few years ago. The game ran around the clock for two weeks, included actual U.S. officials, including the sitting secretary of defense and chairman of the Joint Chiefs of Staff, and used real American top-secret war plans. Yale professor Paul Bracken, who advised the war game, writes that it was “the most realistic exercise involving nuclear weapons ever played by the U.S. government during the Cold War.”³³

Proud Prophet revealed that many of the core ideas that American military planners and policymakers were employing to deal with the Soviet Union were, in Bracken’s words, “either irresponsible or totally incompatible with current U.S. capabilities.”³⁴ Among them was the strategy of limited nuclear war—the idea that a few, smaller nuclear strikes against the Soviet Union would lead the Soviets to accept a cease-fire rather than engage in a total nuclear war with devastating consequences for the planet. In Proud Prophet, the “Soviets” (played by American officials) did not show restraint once the United States launched a limited nuclear attack. Instead, the Soviets viewed the “limited strikes” as an attack on their homeland and their national honor, and consequently responded with a massive nuclear retaliatory attack against the United States. The United States then reciprocated, and in the end half a billion people died, NATO was no more, and large swaths of the planet were rendered uninhabitable by radiation.³⁵ Proud Prophet showed that the theory of escalation control could be wrong and reckless. U.S. war planners assumed limited nuclear war would reduce catastrophic risks. Proud Prophet revealed that limited nuclear war might very well magnify them.

War gaming in recent years has spread outside the Pentagon. Procter & Gamble, Cadbury, Pratt & Whitney, Mars, and market leaders in more than fifty industries worldwide have all used them. Amy’s former employer, McKinsey & Company, in 2012 wrote an essay advocating the value and use of war games by companies seeking to better deal with cyber threats. The McKinsey essay noted that one cyber war game enabled a public institution to discover that its risk identification was way off: The organization’s security processes were focused on online fraud when the greater risk was a loss of confidence in the aftermath of a breach.³⁶

Like scenario planning, there are better and worse ways to conduct effective war gaming, and there is a large literature about how to do it well.³⁷ Here, our aim is to give you a glimpse of the wide range of tools that are already being used to foster imagination and reduce blind spots.

Walking in the Shoes of Others: Lessons from Labadee

Risks are often hard to see because businesses do not anticipate the concerns, interests, values, and incentives of others. Trying to imagine any particular risk or situation from another stakeholder’s perspective can help uncover hidden risks before they become a problem.

In the last chapter, we recounted that first, difficult meeting in the Haitian church between Royal Caribbean’s Peter Whelpton and local residents who were deeply worried about the cruise line’s plans to establish a private resort in Labadee. “My God, they came after me,” Whelpton reflected. He thought the entire deal might go down before it ever got started. Whelpton had the critical support of his Haitian friend Pierre Chauvet, who knew the residents, spoke Creole, and urged them to listen. But that was not enough. Whelpton knew he had to look at the situation from the residents’ perspective, acknowledge their concerns, and address them. The local community was skeptical. They were worried that the land would be destroyed and jobs would not be forthcoming. They lived in abject poverty and political turmoil. They had no relationship with Whelpton or the company. They had no reason to trust them and no idea what benefits might ever come to Labadee. “I tried to put myself in their shoes,” Whelpton told us. “How are they going to look at what I’m doing? Am I doing it for them? Am I doing this with them? Am I doing this to them? You don’t want to do it to them.” For every project, he told us, he tried to think about how others might view it. “I’m saying to myself, ‘I’m Haitian. I’ve never seen a project like this before. I’m suspicious.’ Once you can do that, then you know how to go at it and you get a lot farther that way… Start from that point and work your way to build friends.” What began as a tense meeting ended in a productive discussion about what the local residents hoped for and feared. Whelpton left with a better understanding of what he needed to do to bring them on board, including providing jobs and running water, and genuinely committing to the community.

The shooting down of a Malaysian airliner over eastern Ukraine during Russia’s invasion and resulting civil war in 2014 showed how walking in the shoes of others, even if you may not agree with or follow their decisions, can still uncover hidden risks. The Dutch Safety Board investigation found that the airliner was hit by a missile while it was traveling from Amsterdam to Kuala Lumpur. (Many believe the missile was fired by Russian-backed separatists in Ukraine who mistakenly thought the civilian airliner was a Ukrainian military plane.) The report faults the Ukrainian government for not closing its airspace sooner, noting that two days before the Malaysian airliner was hit, two Ukrainian military planes were also hit while flying at commercial airliner altitudes. There was good reason to close the airspace, the report finds, but Ukrainian authorities resisted. Why? The report offers no answers, but a risk officer with experience in commercial aviation does.³⁸ “There are reasons governments don’t want to close their airspace,” he told us. Chief among them are overflight fees and, perhaps more important, sovereignty. For the Ukrainian government to have closed its airspace, he said, “would have acknowledged that they had limited control over their territory. It would acknowledge that they did not have control over their airspace, that they were in a civil war and didn’t have sovereign control.” To identify risks well, he told us, risk managers in airlines have to walk in the shoes of government officials and understand why their overflight decisions might come too late—and why airlines need to be more proactive. Some airlines, in fact, were proactive: Australia’s Qantas and Korean Air both stopped flying over Ukraine several months earlier amid concerns about increasing tensions on the ground and implications for overflight safety in the air.³⁹

Preventing Groupthink: Lessons from the Secretary of State

Processes that encourage truth-telling and dissent within the organization can also reduce blind spots. We have talked a lot about the importance of developing a shared understanding of the risk appetite across your organization. But it is also important to create strong channels for dissenting views, new information, difficult feedback, and unconventional thinking to get to the top. Those who use these channels also need to be rewarded: Just because you build it does not mean they will come. The dark side of shared understanding is developing a siege mentality where everyone believes the same things, uses the same lenses, and dismisses alternative perspectives. Psychologists have a name for the organizational pressures that cause groups to come to a uniform view even when they shouldn’t. It’s called groupthink.

Earlier, we shared the study that our colleague Bill Perry conducted about what makes some secretaries of defense more effective than others. It is a subject of high personal interest: Perry served as Bill Clinton’s secretary of defense. He found that the secret sauce for success was not sheer intelligence. The key was their ability to prevent groupthink. Secretaries of defense who did not welcome opposing points of view rarely got them—and, as Perry recounted, “they [made] big mistakes because of it.”

When Condi became secretary of state for President George W. Bush, preventing groupthink was very much on her mind. Inside the State Department, the secretary is referred to as “S.” It was amazing, she recalls, how people would walk around Foggy Bottom saying, “S thinks this,” or “S wants that.” This was all very well-meaning. State Department foreign service officers, civil servants, and appointees were not trying to lie or hide the ball. They were trying to fix problems before they ever got to the secretary’s desk. But that sometimes meant that by the time problems did arrive on Condi’s desk, they had become even more difficult to fix.

That’s exactly what happened in 2007, when Congress passed the Western Hemisphere Traveler Improvement Act, mandating that anyone traveling between the United States and Canada had to have government-issued identification. It was an effort to improve border security, and it meant that Americans who had been traveling to Canada without any documentation now would need travel documents. “When most people hear they need government ID for travel, they think they need passports,” Condi thought. “And passports is me.” Envisioning Americans in Buffalo or Detroit traveling to Canada to watch hockey games, she suspected that the State Department would face a spike in demand for U.S. passports as a result of the new law. She gathered her team and asked, “Will we be able to meet increased demand for passports?” The answer was yes. Some weeks later, while doing her early morning workout, Condi happened to see on television the lead local news story: A woman who had spent her life’s savings on a trip to the Caribbean could not get her passport in time to take the trip. “So I go into the office,” she recalls, “knowing that Congress would be all over this by 10 a.m.” She called another meeting with all the key personnel in charge of passports and asked if there was a problem. “We’re a little behind,” they admitted. “How far behind?” she asked. “Six months.” It was April. Summertime travel was fast approaching. “And so we went on red alert,” she recalled. “I dedicated resources. We mobilized interns. We brought in retired officers. We brought in anybody who could process passports so that we could catch up.”

In the midst of the crisis, Condi had dinner with her cousin Lativia. “This demand for passports is crazy,” Condi said. Her cousin replied, “Yeah, I went ahead and got mine renewed because it was about to expire.” Condi asked, “Oh, when does it expire?” Lativia answered, “In a year.” That moment crystallized what was happening: It wasn’t just Americans traveling to Canada who wanted passports. Expectations of delay were causing even more people to get their passports renewed, making matters worse.

By the time hockey season rolled around that winter, the six-month delay had been cut to two months, but it was still too long. “I had identified the problem but I did not stay on top of it,” Condi later reflected, “so by the time it got to me, it had become a crisis.” Looking back, she wished she had directed someone to stay on top of the passport process every couple of weeks after the law was first passed. “You know, you’re the secretary of state. You’re doing Middle East peace. But passports become a crisis. And you think, ‘Passports? Really?’ It’s a systems issue. People don’t pay enough attention to systems. I wish the people who had run the passport office had told me they were behind. I could have gotten more resources on it earlier to help solve the problem.”

While the passport backlog did not work out as she had hoped, Condi took deliberate steps to create truth-telling mechanisms so that she could get information from the ground, and honest advice, early and often. She did this by hiring in special roles three people she had known for years: Steve Krasner, Philip Zelikow, and later Eliot Cohen. Steve, an international relations expert, had been a faculty colleague of Condi’s at Stanford for more than twenty years and was brought in as the director of policy planning, the secretary’s think tank. Philip, a historian who had taught at the University of Virginia and Harvard, had coauthored a book with Condi about German reunification and served as her counselor. He was succeeded by Eliot Cohen, an academic colleague of Condi’s for many years. All three advisers played invaluable roles in giving her information and counsel that she otherwise would not have heard. “Steve Krasner, Philip Zelikow, and Eliot Cohen would always tell me what they really thought,” she reflected. “And as secretary, you really need that. You need to have someone who can close the door and tell you what you might not want to hear.”

The process generally worked very well. In Iraq in 2005, for example, state-building efforts were faltering. A major part of the problem was poor coordination between the State Department and Defense Department efforts on the ground. So Condi sent Zelikow and Ray Odierno, her military liaison, to Iraq to get a better understanding on the ground of the challenges and to recommend some new approaches. “We had to a have a different system,” Condi recalls. “And they came up with PRTs,” provincial reconstruction teams. PRTs started in Afghanistan but had been used for a different purpose: extending the central government into the highly decentralized country. In Iraq, PRTs would prove highly successful with the strategy of “clear, hold, and build” to combat al-Qaeda and its associates and allow economic and political institutions to take hold. Sending two trusted advisers outside the normal channels proved critical in adapting an approach from Afghanistan to the very different conditions of Iraq.

The lesson from Condi’s experience is to find ways for truth-tellers to reach the top of your organization and build systems that keep information and honest perspectives flowing. For many companies, including the Lego Group, this means ensuring that the senior executive in political risk reports directly to the CEO or CFO. For others, like Cemex, it means political risk falls within the purview of the broader board of directors, not just the audit committee, which tends to look at issues from a compliance perspective. The most important thing to remember is not to isolate political risk from the senior levels of the organization. Do not put political risk in a corner. Make sure your political risk team has a seat at the senior table.

Organizations cannot identify every risk all the time. But reducing blind spots through imagination, walking in the shoes of others, and truth-telling can help master the art of boat spotting.

6

The Art of Boat Spotting: Understanding Political Risks