Businesses have a range of industry-standard processes and talented professionals dedicated to identifying and managing enterprise risks. Moreover, public companies must adhere to the Security and Exchange Commission’s risk management framework, which has clear reporting and remediation mandates for financial, operational, information technology and security, legal and regulatory, and general business risks.
And yet, despite all of these procedures, resources, and regulations, we are seeing businesses continue to experience highly consequential and catastrophic disasters. While the names change, and the specific details differ, enormous business failures happen in all industries and to companies both mature and nascent — General Motors, Volkswagen, Wells Fargo, Equifax, WeWork, Boeing, Wirecard, FTX, Silicon Valley Bank, and on and on and on.
How do these prominent companies so consistently fail to uncover, assess, and deal with systemic risks? In our experience working with private-sector partners to manage risks, there are three prominent factors.
First, standard processes are ideal for addressing routine, predictable, and well-understood issues. However, by their very nature, consequential risks are the opposite of these characteristics — they are rare, uncertain, and hard to decipher in advance. Following existing risk mitigation procedures may create the illusion of due diligence, but those step-by-step processes are inadequate to deal with risks that are truly unthinkable.
Second, front-line employees — who see risks emerging before their bosses — may feel uncomfortable or unsafe reporting those risks. Or, even when the employees document and report the risks to a manager, that manager may not adequately address them. Executives should strive to create a culture where reporting risks is welcomed, but they should not assume that their own workforce will sound the alarm early enough or consistently enough.
Finally, the C-suite may be aware of specific risks, but wrongly believe that they are controllable or immaterial. Indeed, the Federal Reserve Bank of San Francisco reportedly warned Silicon Valley Bank leaders multiple times about the bank not having enough cash on hand in the event of a bank run. However, Silicon Valley Bank’s leaders apparently severely underestimated this financial risk, or perhaps hoped that it would never come to pass.
Given these all-too-common organizational pathologies, how might businesses proactively confront the next systemic risk? One approach could be with the routine and targeted use of Red Teaming. This methodology and mindset can complement existing risk mitigation processes, cultures of low psychological safety, or senior leadership risk misperceptions.
Below are three steps you can take to incorporate Red Teaming into your approach in order to enhance your organization’s ability to detect, respond to, and recover from threats.
Drive Alignment Around Your Risk Strategy
When it comes to an organization’s risk strategy, leaders often assume that their teams are well-versed in it and are acting in harmony. The reality is that misaligned teams are more common than leaders realize and can cause significant disruptions in execution, particularly in novel situations where risks are higher. Red Team workshops are one powerful tool to assess, improve, and align the team around the organization’s current risk strategy.
By identifying potential blind spots, challenging assumptions, and determining the overall risk appetite, teams can establish appropriate controls and ensure consistent risk awareness and mitigation efforts across the organization. The result is a more comprehensive and robust risk strategy, enabling the organization to navigate complex situations with confidence.
Conduct Business War Games
A business war game is a dynamic, structured exercise where small teams assume the role of competitors as well as other entities that could affect the organization’s success—government regulators, investors, or customers. The goal is to force participants to make decisions and respond to the specific real-world scenario collectively to test the robustness of their assumptions and see the potential costs and consequences of their decisions in a “safe” environment.
Executives and employees who participate describe these exercises as challenging and yet stimulating; reducing barriers to creative thinking and novel ideas while enabling the team to deliver a collective vision that will be more resilient in the face of competing and external perspectives.
Develop 'What If' Scenarios and Contingency Plans
Having fostered a more aligned leadership team, and considered adversarial perspectives, resilient organizations should also develop contingency plans for the most probable alternative future scenarios and consequential risks that could greatly disrupt their business, such as geopolitical instabilities, extreme natural disasters, supply-chain challenges, emerging technologies, workforce disruptions, and the prospect of an economic downturn.
During this process, teams brainstorm together, pressure-test plans, challenge assumptions, and identify early-warning indicators and the corresponding response plans. The result is a more aligned and adaptable team that is best prepared to navigate the challenges of an ever-changing business landscape and plan for tomorrow’s problems.
Risks come in all shapes and sizes. Red Teaming unlocks trust, common purpose, shared consciousness, and empowered execution, essential organizational capabilities that will allow you to address adverse events in a purposeful way, with minimal scrambling — even when events inevitably do not play out the way leaders had imagined or hoped.