Risk Views with Michele Wucker, Chief Executive Officer, Gray Rhino & Company (Chicago) and Board Member of IRM India Affiliate
Hersh: Your concept of “gray rhinos” has provided a compelling framework for understanding and acting on obvious yet overlooked risks. In your experience, what are some of the most common “gray rhinos” that businesses face today, and what strategies have you found most effective in helping organizations develop a proactive stance towards these risks?
Michele: Businesses face so many obvious, probable gray rhino risks –but only some of them respond effectively. These gray rhinos can involve external risks tied to geopolitics, technological disruptions, political instability, and shifting economic cycles and markets. But they also involve internal and operational risks like organizational culture, succession planning, safety violations, and entrenched attitudes and resistance to change.
The most effective strategies are based on recognizing that there is absolutely no shame in recognizing that humans are vulnerable to cognitive biases that interfere with our ability to respond effectively to known problems. In fact, that recognition carries great power –because it means that organizations can correct for those biases and blind spots. Creating value through the positive management of risks starts with intentional decision making analysis and design.
The most important thing is to not stop at identifying risks, but rather to be brutally honest with yourself about whether you have taken proactive steps to be sure that you can respond effectively and whether they are likely to work to mitigate the risk. If the problem is already unfolding, analyze how you have responded so far and again, be honest about whether they are working. Be aware of what your competitors are or are not doing, because responding most adeptly can create value for your organization. Also get outside advice if you need it, including about best practices if they are available.
Hersh: In light of your research and observations, how do you perceive the role of Chief Risk Officers (CROs) in identifying and managing “gray rhinos”? What qualities and skills do you believe are essential for CROs to effectively guide their organizations through these visible but often underestimated risks?
Michele: The qualities that make a great CRO are humility, collaboration, empathy, intuition, creativity, curiosity, diligence, and persistence. Education is important here, which is why I so appreciate the IRM’s work to cultivate a new generation of risk leaders. Its fellowship program and ERM certification are great ways to develop and hone the skills that CROs need to lead their organizations not just to safety but also to value creation.
All too often, organizations or policy makers know what risks they face and sometimes even have a plan for responding. But, as we have seen over and over again, just having a plan isn’t worth anything if you don’t use it. Someone at your organization needs to have both the responsibility and the power to put that plan into action.
That’s where Chief Risk Officers become incredibly important. If they’ve done their job right, they have relationships across the organization and even with some key stakeholders like regulators –so that when (not if) something goes awry, they can respond immediately if they have been given the power they need.
Most risks do not exist in a vacuum but rather in conjunction with other risks which can either ameliorate or intensify risks in the system, and which can have unintended consequences. CROs can look holistically at the risks facing an organization to understand how different risks affect each other and to help prioritize them. Ideally, the CRO has a good understanding of the behavioral side of risk management which is essential for developing a healthy risk culture that encourages people to pursue opportunities and to think their decisions through so that they do not take ill-advised risks that could easily go awry.
Hersh: From your perspective, what are the challenges and opportunities in integrating gray rhino theory into existing enterprise risk management (ERM) frameworks? How can organizations adapt their ERM practices to better anticipate and respond to these high-impact risks? Do you need a separate risk register and how do you avoid confusing these events with black swans?
Michele: By far the biggest challenge is hubris: leaders who believe that they don’t need to take a fresh look at obvious challenges. Another challenge is the tendency of decision makers to treat risk analysis as a box-ticking exercise rather than as an ongoing opportunity to create value. Finally, keeping risk management in a silo is a huge mistake. Risk awareness and a sense of responsibility and agency needs to be part of strategy and operations from the top to the bottom.
The difference between gray rhinos and black swans is very simple so there should be no confusion: if you can see it ahead of you, it is a gray rhino. If you can only see it in hindsight, it is a black swan. The whole point of black swan theory is that the world is unpredictable, so investors need to be prepared to be agile. The point of gray rhino theory is that everyone needs to challenge ourselves to be among those who respond to obvious dangers and opportunities –rather than letting ourselves be trampled or let rivals channel the power of gray rhino trends and events.
Hersh: With the rapid pace of AI and geopolitical instability, how do you foresee the landscape of enterprise risk evolving over the next decade? What new types of “gray rhinos” do you anticipate emerging, and how should organizations prepare to address them?
Michele: I have deeply mixed feelings when people ask me what gray rhinos I see –although I do appreciate and respect the appreciation of my work that the question reflects. First, gray rhino theory works best when people identify gray rhinos for themselves from their own unique perspective. And second, people are so fascinated with seeing unusual and new risks down the road that they fail to deal with what’s right in front of them. It’s very hard to prepare to address something you cannot see clearly.
As far as enterprise risk evolving, I see two important trends. First is the growing appreciation of complexity and systems dynamics. Second is increasing attention to the behavioral side of risk management which is taking its rightful place alongside the quantitative approaches that have dominated risk management.
Hersh: Finally, drawing on your extensive experience in studying risk behaviors and outcomes, what personal lessons or insights have you gathered about leadership in times of uncertainty? How can leaders cultivate a culture that respects and responds to risk without succumbing to fear or inertia?
Michele: Good leadership in times of uncertainty is remarkably like the Serenity Prayer they famously teach people in Alcoholics Anonymous: to accept what you cannot change, to change things for the better when you have the power to do so –and crucially, to know the difference.
People feel more comfortable when they can control at least some of the elements of the world around them, whether in their homes or in their workplace. So it’s important for leaders to provide people with a sense of personal agency as widely as appropriate. Setting the right example is a powerful leadership tool: be open about the known challenges the organization and team are facing, about what you are doing to address them, and how you are adjusting as you evaluate how well those measures are working
Hersh: Your work on “gray rhinos” not only applies to organizations but also to nations and their approach to managing systemic risks. Based on your observations and research, how do you assess the risk maturity of different countries, particularly in their ability to foresee, prepare for, and manage gray rhino events? Are there any nations that you believe exemplify best practices in risk management, and what can other countries learn from their approach to enhancing their own risk maturity?
Michele: It’s way too risky to answer that question! Countries vary widely in their risk management approaches and the right policies for one country may not be the right ones for another.
However, there are some examples of specific initiatives that I think many countries could copy.
First, in late 2021 and early 2022, the United Kingdom published two reports on risk management, risk planning and preparedness, and how to build resilience, based on lessons learned from the Covid-19 pandemic. That’s an important exercise that should happen regularly, not just after a crisis.
One of the things the UK did to improve, based in no small part on the conclusions of those reports, was to appoint a national-level head of the government risk profession. I would love to see many countries appoint national chief risk officers or the equivalent and give the those public servants real power to coordinate actions so that blueprints for responding to known risks do not go ignored –which is what happened in the United States and many other countries during the pandemic.
In any country, top-level national risk leadership can help governments at the federal, state/province, and local levels to collaborate on various shared risks which can both reduce overall costs and improve response. It can help avoid situations where agencies and jurisdictions are working at cross purposes. And it can help to set a national tone on risk prevention which is important in uniting citizens around a shared purpose.