There was a little girl,
Who had a little curl,
Right in the middle of her forehead.
When she was good,
She was very good indeed,
But when she was bad she was horrid.
HENRY WADSWORTH LONGFELLOW
Nobody wants to think about risk when things are going well, but it only takes a moment for things to turn from very good to horrid. In my experience as a board director I've had CEOs say about a proposal that 'There's no risk.' My response: 'There is always risk.'
Risk is a key focus for the board and so it can be a good starting point when opening a conversation on asset management. Asset management takes a risk based approach to creating value from assets. One of the fundamental questions is 'What could go wrong?'
Asset Managers typically have a focus on operational risks and use techniques such as FMECA (failure mode, effects and criticality analysis) to identify what could go wrong, what the impact could be, and how that impact could be avoided or mitigated. While operational risks are important, boards also need to look beyond these to the full range of strategic risks faced by the company.
For example, asset obsolescence is an important factor in investment decisions and the risk of carrying stranded assets is a significant strategic consideration for the board. Just as assets may become technologically redundant when they are replaced with a newer model, assets may also become politically or economically redundant. The important question for the board is not 'Will the asset fail?' but 'Will the market fail to need the asset anymore?' Even if you're the best blacksmith, you don't want to be the last blacksmith when horses make way for cars.
A fundamental characteristic of risk, is that it relates to the unknown. In 2014, Sony Pictures Entertainment was hit by a disabling cyberattack that brought the company to a standstill. This was a known risk, against which they were unprotected. Their executive director of information security at the time said, 'I won't invest $10 million to avoid a possible $1 million loss. It's a valid business decision to accept the risk.' However, this turned out to be a gross underestimate. The direct costs of the attack were over $100 million, not including the reputational costs and flow-on impacts to individual staff whose personal information was stolen.
The board's role in risk is to reduce the unknowns by raising their own awareness. How well are you balancing risk against cost and performance? Are your information systems adequately supporting a risk based approach? Are your valuable intangible assets as well protected as your valuable tangible assets? Have you locked your car, or did you leave the keys in the ignition?
Regardless of the type of risk being considered, the fundamental question remains the same - What could go wrong?