Deloitte & Touche LLP Principal Rick Funston is the co-author, with Stephen Wagner, of the new book “Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise” (Wiley, 2010).

Over the past several weeks, I conducted an e-mail exchange with Rick. Our chat focused on the book as well as some more “out there” issues, including what the corporate risk management program of 2030 might look like.

Eric Krell: Your book is packed with all of the topics that my readers (and I) are interested in, so it’s a pleasant challenge for me to find a starting point in my questioning.

First, I’m really enjoying reading this book. My eyes lit up when I read the table of contents. And I find myself nodding along with the excellent discussions – “re-imagining risk management,” “unrewarded risk vs. rewarded risk,” “calculated risk taking creates value,” etc. in every chapter I’ve read so far. I’ve been assembling my own risk management manifesto, so it’s fun for me to see how you have organized your thinking on such a broad topic.

OK, so let’s get started … by defining for readers what you mean by “risk intelligence.” Please define this term (which I dutifully shared with my readers when you and your colleagues first coined it several summers ago) in a sentence or two. Second, if you would, please describe “risk intelligence” for me in, say, five words.

Rick Funston: Risk intelligence is the ability to effectively distinguish between two types of risks: the risks that must be avoided to survive by preventing loss or harm; and, the risks that must be taken take to thrive by gaining competitive advantage. Risk intelligence is the ability to translate these insights into superior judgment and practical action to improve resilience to adversity and improve agility to seize opportunity.

Eric Krell: In five words?

Rick Funston: How about, “Managing risk before it manages you.”

Eric Krell: Thanks, Rick. I appreciate, and am impressed, with your brevity and clarity (my question was longer than your answer). Your book primarily focuses on exploring risk intelligence skills and the risk intelligent organization, yet I find a couple of early chapters highly instructive.

Can you crystallize the arguments you make in Chapters 2 and 3 by summarizing why “conventional risk management has failed” and how “an unconventional approach to risk management” makes sense today?

Rick Funston: Eric, I am delighted to hear you are enjoying the book.

Conventional risk management has failed for many reasons and the book addresses 10 of these “fatal flaws.” The following addresses three of these flaws and how “an unconventional approach to risk management” can help counter them.

1. Failure to check your assumptions. First and possibly foremost, conventional risk management failed because the assumptions which under-pinned it were not constructively challenged. This begins with assumptions about the nature of risk itself.


1. Risk is to be avoided. Conventional risk management focused primarily on the protection of existing assets and risk avoidance (unrewarded risk). In unconventional risk management, risk taking is essential. Certain risks must be taken to create future growth (rewarded risk) while others must be avoided. Without risk, there would be no profit. Without risk, companies would become competitively disadvantaged and stagnant, as a diet of pure risk aversion is a recipe for extinction. Risk avoidance is necessary but not sufficient for competitive advantage. Risk is also traditionally seen solely as an event yet there is also a risk of inaction and missed opportunity.
2. Extreme events are extremely rare. Conventional Gaussian mathematical models exclude extreme events and thus those who rely on such models (e.g., VAR) will find themselves “blindsided.” Extreme events are much more common than most people think. While the market sometimes exhibits a random walk, it also runs, hops, skips and jumps. It is not just mildly random, it is also wildly random. Authors Taleb and Mandelbrot discuss this extensively. Taleb refers to such extreme events as black swans. It wasn’t just the math that contributed to the sub-prime crisis, it was also the assumption that the national price of housing in the U.S. would continue to rise indefinitely.
3. Markets are rational and efficient. Conventional wisdom suggests that people make decisions after carefully weighing all of the information available and make rational calculations. False. The markets are highly sentimental. For example, the VIX index measures fear. While the market has periods of calmness and apparent rationality, it is increasingly characterized by manias, panics and crashes which are often irrational. Ironically, computerized trading can serve to exacerbate this as we saw recently. When the market is building, people see no ceiling and become manic buyers. When the market inevitably crashes they see no floor and become panic sellers. This is not rational. We even call these market sentiments “bulls” and “bears.”
2. Failing to be constantly vigilant. The importance of challenging your assumptions goes far beyond conventional market and economic theory. It also applies to your most fundamental assumptions about the business environment and your business model.

1. It's business as usual. False. Shift happens. It is inevitable, incessant and irresistible. An uncertain and turbulent business environment is characterized by sudden, violent change and business as “unusual”. Whatever the dominant business model is today, it will be replaced sooner or later. These represent opportunities for the unconventional competitor, e.g., digital vs. analog, Southwest vs. traditional airline industry. These shifts can be understood as “black swans”. While they cannot be predicted, can they be detected faster? Who will have first mover advantage? How can you either defend against them or leapfrog the competition by becoming the black swan?
2. Unfortunately, dominant incumbents often fail to see such shifts coming because of their success. Yet what was once the recipe for success can overnight become a recipe for disaster and the book describes many of these examples. The risk of the dominant incumbent is often the risk of inaction or only incremental action when a bold move is required. The challenge for senior executives is twofold:

1. Make their fundamental “life and death” assumptions about the business explicit (the thesis or White Swan)
2. Challenge those assumptions (the antithesis or Black Swan)
3. Once the Black Swans have been described, then you must look for signals
4. If evidence of black swans can be detected, then develop a synthetic strategy to incorporate the best of both worlds.
3. Failure to factor in velocity. Conventional risk management assesses impact and likelihood. As discussed above, likelihood is a poor metric for inherent risk. A factor that is too often overlooked is velocity. How good or bad can it get? How fast can it happen? Commercial paper literally dried up overnight. The market recently had its biggest intra-day drop ever in less than 15 minutes only to rebound and recover most of that loss just minutes later. How fast do you need to be able to respond to a threat? Alternatively, how fast to do need to be able to seize an opportunity? For example, a number of companies that severely restructured their costs in order to survive the downturn are now finding it difficult to ramp up again as demand returns faster than anticipated.

The remaining seven flaws and skills are described in the book.

Eric Krell: Rick, your book concludes by identifying 10 practices that companies can use to effectively boost their enterprise’s risk intelligence. I’m curious about what the enterprise’s risk management capability might look like once companies do so … Can you peer into your crystal ball and tell me what you see corporate risk management capabilities/programs looking like 10 or 20 years down the road if companies generally embrace risk intelligence?

Rick Funston: In the risk intelligent enterprise of the 21st century, risk intelligent management capabilities are an integral part of the way the company plans and operates. Risk is the potential for failure that results in loss, harm or missed opportunity including the risk of inaction. Consideration of risk, like quality, is built into every core decision-making process and part of everyone’s job. Risk intelligence is about judgment and discipline in the face of uncertainty and turbulence.

No one is perfect and no one is immune to failure. Mistakes will still be made. But how can the enterprise better survive them and learn from them? Risk intelligent management is not something you do after your day job is done. Risk intelligent management is performance management and is an integral part of compensation (short and long-term).

Intelligence and insights are proactively gathered about both opportunities and risks. The successful enterprise recognizes that the greatest risks may be the risks of inaction (failure to adapt to a changing environment). Risk intelligent enterprises understand that calculated risks need to be taken to innovate and to create future growth (new markets, new products and services, new business models) but these risks need to be thoroughly understood and managed. This is how the business is run. There are other risks that need to be avoided because they offer no ethical reward (operational failures, non-compliance, unethical behavior).

Without boldness, the enterprise can cease to be competitive. Yet bold undertakings can fail. Risk intelligent executives and directors understand this and try to anticipate how the initiative might fail so they can prevent such failure or respond quickly to limit damage. In these ways, the risk intelligent enterprise is able to survive and even thrive in uncertainty and turbulence.