Abstract
Risk management failures are common in organizations that fail to plan effectively. Risk management is defined by several theorists as the assessment and quantification of the various risks that an organization runs and also the prescription of measures to reduce or avoid the risk in question (Alexander & Sheedy, 2005; Lam, 2003; Roehrig, 2006; (SAA, 2009).
This paper looks at a scenario where an organization failed to manage its risks effectively leading to a huge loss. The case study seeks to link theories of risk management to actual field experience. Throughout the paper, I shall seek to identify the particular causes of the loss and the measures which the organization would have taken to mitigate the loss.
Introduction
Hubbard (2009) describes risk management as the “identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.”
Risk is defined as the result of an uncertainty in an organization which could be financial, legal, natural or a deliberate act of a competitor or adversary (Crockford 1986; Gorrod 2004). Many organizations that practice risk management are mostly concerned with those risks that are well within their control and those which can be quantified and assessed.
The criterion in risk management is similar in all organizations due to the standardization of the process. The ISO standard requires that risk management is done in five steps (SAA 2009; Institute of Risk Management 2002). First, the risk manager identifies and characterizes the threats that the organization is faced with.
Next, he or she assesses the vulnerability of the organization’s critical assets to the identified threats. The third step involves determining risk which involves establishing the expected consequences of a threat materializing. The next step involves identification of ways to reduce the risk established. Finally, the manager prioritizes strategically all risk reduction measures.
The identification of risks plays an important role in risk management. Once the risk that is likely to cause problems is identified, the risk manager should work from the source of the problem or the problem itself (Alberts et al. 2008; Charles 2004). Therefore, there are two ways of analysis risk; source analysis and problem analysis.
Source analysis involves investigation of the internal and external elements of the system that are vulnerable to risk such as employees, project stakeholders e.t.c that can be considered risk sources (Van Deventer et al. 2004).
Problem analysis looks at identifiable threats e.g. threat of accidents, loss of money, stealing of private information e.t.c. These threats are extrinsic to the company and involve customers, shareholders and government entities all of which are outside the organization’s control (Moteff 2005).
The method of identifying risks generally depends on the industry practice (Hutto 2009) and thus various industries use any of the following methods; objective-based risk identification which is based on the organization’s objectives (Dorfman 2007).
Scenario-based identification that looks at market scenarios (Hopkin 2010), taxonomy-based identification which analyzes risk sources through taxonomy and best-practices approach (Borodzicz 2005), common risk checking where the particular industry provides a list of known risks (Stulz 2009) and finally, risk charting which combines all the approaches above with an aim of identifying resources which are at risk (Charles 2004).
Risk assessment is the natural successor to risk identification. An identified risk has to be assessed for the two factors of probability and severity (Stulz, 2009). Probability is the likelihood of occurrence while severity is the magnitude of loss that would ensue upon the attaching of risk. Risk assessment helps in prioritization of risks and the drafting of a risk management plan.
Since it is difficult to evaluate rates of occurrence of all risks and also determining the severity of losses for immaterial risks, risk assessment heavily relies on best educated opinions and statistical information (Lam 2003). In quantification of risks, risk managers rely on several formulae that have been adopted as part of risk management practice (Stulz 2009).
Risk determination is often considered a part of assessment but the two are different in their aims. While assessment looks at severity and probability, determination seeks to ascertain the particular consequences that come with the attaching of a particular risk (Charles 2004).
Once the risk manager finds out the magnitude of the loss and severity of the risk, he or she now determines whether the organization should consider ways of risk reduction or ignore it altogether. Risk determination is therefore an integral part in prescribing risk reduction measures. After all the above steps, the organization then decides what method to use to reduce risk.
Stulz (2009) states the several ways an organization can reduce risk such as; risk avoidance where the organization ceases to engage totally in a particular activity that has been deemed risky, risk reduction where measures are put in place to reduce losses that may occur if the risk were to attach, risk sharing through outsourcing and/or insurance and risk retention where the organization accepts the risk and budgets for it.
Finally, the risk manager has to prioritize all the risk reduction measures for all the risks identified so as to ensure sufficient allocation of enough resources for serious risks. Implementation of the risk management plan is another important part of risk management since without it the whole process would be defeated.
Risk management failure therefore occurs from the failures in one of the above steps (Alexander & Sheedy 2005). It can be concluded that a failure to properly identify, assess, determine, prescribe appropriate risk reduction measures and prioritize amounts to risk management failure.
A failure in risk management could prove to be a nightmare for any organization and thus should be avoided at all costs. This paper shall look into such a failure and establish which part of risk management was faulty.
Case study: The Toyota Recall Debacle
The Toyota recall case popularly known as ‘pedalgate’ in the US occurred between November 2009 and February 2010. It involved three recalls of several vehicle models made the Toyota Motor Corporation. The reason for the recalls was a reported unintended acceleration in some Toyota models.
The first of the three recalls was made on 2nd November, 2009 and was intended to correct an incorrectly placed floor mat which could lead to an entrapment of the accelerator model leading to accidental acceleration.
The second was made on 21st January, 2010 after it was established that accidental acceleration was also caused by the mechanical sticking of the vehicle’s accelerator pedal. The third recall was made in February, 2010 and was intended to correct the anti-lock brake software for three of Toyota’s hybrid models.
In total, Toyota recalled around 9 million vehicles from the US, Europe and China. The spate of recalls was triggered by 50 fatalities reported in the US which the National Highway Transport and Safety Authority (NHTSA) attributed to manufacturer errors in vehicle design.
However, Toyota had already identified these errors in its October Defect Information Report (DIR). Due to the media attention given to the debacle, there were numerous other reported incidents of accidental acceleration though further investigations revealed that driver error was the most common fault.
The Toyota models recalled first included the Camry, Avalon, Corolla, Matrix, RAV4,Sequoia, Tundra and Highlander. The second recall expanded the list to include the Venza and Highlander and also extended the recall to Europe and China. In Europe, recalls were made for the Yaris, iQ, Auris, Aygo, Verso, Corolla, RAV4 and Avensis. The third recall was for the hybrid vehicles which are the Prius, Sai and Lexus HS 250h.
All in all, Toyota suffered massive losses from these recalls. Multiple law suits were filed against it and the sale of its multiple-recalled vehicles was suspended in various markets. The company estimated that the entire debacle would cost them over $ 2.47 billion dollars in actual losses.
However, the greatest loss was the denting of customer confidence in Toyota vehicles which saw reduced sales. The value of Toyota shares also slumped by over 15% during the entire period.
Causes of the recall: A case of failure in risk management
The massive recall of 9 million units of Toyota vehicles was caused by serious design flaws made in Toyota’s assembly plants. While the vehicles were of different designs, they shared common features such as an accelerator pedal and braking system. This should have been adequately foreseen by the company’s management as a substantial risk.
Additionally, the company failed to provide an override system in the recalled products leading to multiple recalls for the same products which further increased the company’s losses. The problems of unintended acceleration and inefficient braking system could have been solved through providing an alternative system but the company insisted on ‘cosmetic’ repairs rather than well-researched mechanical changes in design.
The managerial problems that led to Toyota’s huge loss and dented image are thus threefold. First, the company did not have a risk management plan to foresee this kind of situation.
Secondly, the top managers went for cost cutting as the company’s priority instead of safety and quality and finally, the management failed to look for stopgap measures to end the problem immediately leading to frustrated customers and further losses.
Theories of organizational risk management failure
According to Stulz (2009), the occurrence of a huge loss in a company does not necessary indicate a failure in risk management or that a mistake was made. However, such a loss can be used as evidence of a failure in risk management in almost all circumstances.
While effective risk management is not a guarantee against failure, a good risk manager does his or her best to ensure that the people who determine the organization’s risk appetite, the top management, understand the risks, the probability of their occurrence and the magnitude of loss (Scott 2007).
According to Mullins (2007), the ultimate decision as to whether to take risk or avoid it lies with the senior management of the organization. It is not part of the risk manager’s mandate to decide which risks to ignore but he/she is tasked with establishing all the risks (Tompkins 2005) and presenting all the information gathered to the management to decide on the next course of action.
The failure of risk management therefore lies mostly on the decisions of the top management (Yukl 2006). Therefore, decentralization of decision making through a ‘middle’ organizational structure as compared to a top-down decentralized system is a viable way to reduce risk.
French et al (2008) state that among the leadership skills required of managers, the manager’s directorship role plays a vital part in an organization’s strategy development. The directorship role includes decision making and formulation of strategy.
Decision making skills of the manager are very vital for risk management. This involves; working with all the available information, avoiding ‘jumping’ into conclusions, knowing their risk preferences, considering all points of view and optimizing the limited resources (Herbert 1997).
When there is a failure in decision making, then the management of risk is put into jeopardy. Since risk involves assets and resources of the organization including its employees, good leadership skills are also needed to manage them effectively.
A poor leader is likely to have a significant part of his workforce being a risk to the organization rather than an asset (Yukl 2006). Disgruntled employees pose the risk of financial loss through underperformance or malicious activities that stem out of their dissatisfaction with their managers (Weick 1979).
Stacey (2007) states that proper strategic management can also be an effective way to avoid risk. Poor strategic management is thus a risk management failure in the sense that the organization lacks direction and is thus vulnerable to risks that come from uncoordinated leadership and lack of goal-oriented strategies.
Stulz (2009) categorizes risk management failures into five groups; failure by use of inappropriate risk metrics, poor measurement of known risks, overlooking risks, poor communication to top managers and poor management of risk. The first four failures can be attributed to the risk manager while the last part is the fault of the top management.
Appropriate risk management involves using the right risk metric. Risk metrics inform the risk manager what kind of risk he or she should assess that is relevant to the organization. Measurement of a wrong metric whether accurate or not will definitely result into a failure in risk management since it will not relate to the organization’s dynamics.
Poor measurement of a known risk on the other part places the organization in a precarious situation since the organization’s management will not get accurate information to make the right decision regarding the risk. Just like poor measurement of known risks, miscommunication results in the top management making the wrong decision due to the provision of inaccurate data by the risk manager.
Relating theory to the Toyota case
Using Stulz’s (2009) theory on risk management failure, there is a failure in risk management in as far as measuring appropriate metrics is concerned. The company did not construe that their ‘lean’ manufacturing system that was designed to cut costs would be a risk in the long run.
Using similar parts for all its models and centralizing the supply chain was a foreseeable risk that any risk manager would have identified and quantified. However, due to the lack of a risk management plan in the first place, the organization was already exposed to the risk without an adequate remedy.
Huczynski & Buchanan (2007) state that an organization’s top management should embrace leadership and management styles that are strategically sound for the organization.
Through this, the organization should attempt to decentralize its decision making since it is economically sound that those close to the subject matter are in the best position to make a decision about it e.g. owners of dealerships in the US are more likely to make correct sales decisions that the company’s executives in Japan.
However, Toyota’s top-down organizational structure vested all decision making to the top management in Japan thus centralizing the system which increases risk.
Another theory by French et al (2008) and Montana & Charnov (2008) states that an organization is naturally dependent on the leadership skills of its top management. Therefore any organization that is run by leaders who have not honed their directorship, supervisory, communication, negotiation, coordinating and motivation skills runs a risk. These leaders are a risk in themselves (Yukl 2006).
In Toyota’s case, the top management failed to provide leadership in the sense that it did not recommend a thorough research into the causes of the accidental acceleration but instead it preferred easier ‘quick fix’ measures such as replacing floor mats instead of a holistic inquiry into the mechanical systems of the vehicles.
Measures to avoid risk management failure at the organizational level
An organization needs to be dynamic (Fincha & Rhodes 2005). It must at all times move with the changing times. To do so, its top-level management needs to possess sufficient leadership skills (Argyris 1976; McGrath 1962; Mumford1986; Hackman & Walton 1986). The first step to avoid risk at an organizational level should be an enterprise wide risk management plan (Olson 2003).
Most organizations have annual plans but these are usually insufficient in meeting the demands of the time (Borman & Brush 1993). With the current financial crisis, managing risk should be on the minds of organizational leaders since it would be difficult to absorb losses while all players in the industry are struggling.
In Toyota’s case, the company should have put in place a risk management plan which would have enabled it to put in place measures that would counter the effects of their lean manufacturing system that requires uniform supply and design. A thorough risk assessment would have assisted the company to establish that its policy would eventually lead to loss.
Alternatively, the company should have decentralized its operations such that only few vehicles or models would have been affected by the design flaws. Its top managers should also have had the foresight to see that the uniform supply and distribution system would run a risk in the event of manufacturer error. The poor leadership provided by the company’s top executives was thus the main cause of the risk management failure.
Conclusion
Toyota’s loss is a good example of a failure to properly manage risk. Organizations should embrace the risk management measures of avoidance, transfer, retention and/or reduction depending on the nature of the risk so as to avoid suffering similar losses. Reducing risk should always start as an initiative of the organization’s leadership and thus proper risk management is a product of good leadership (Hatch 2006; Robbins 2004).
References
Alberts, C.; Audrey, D., & Lisa. M. (March 2008) Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success. Retrieved from https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=8665
Alexander, C., and Sheedy, E. (2005). The Professional Risk Managers’ Handbook: A Comprehensive Guide to Current Theory and Best Practices. London, PRMIA Publications. Print.
Argyris, C. (1976) Increasing Leadership Effectiveness. New York, Wiley. Print.
Borman, C., and Brush, D. (1993) More progress toward a taxonomy of managerial performance requirements. Human Performance, 6(1), 1-21.
Borodzicz, E. (2005). Risk, Crisis and Security Management. New York: Wiley. Print.
Charles, T. (2004). Risk and Financial Management: Mathematical and Computational Methods. John Wiley & Son. Print.
Crockford, N. (1986). An Introduction to Risk Management (2 ed.). Cambridge, UK, Woodhead-Faulkner. Print.
Dorfman, M. (2007). Introduction to Risk Management and Insurance (9 ed.). Englewood Cliffs, N.J, Prentice Hall. Print.
Fincha, R. and Rhodes, P (2005) Principles of Organizational Behavior, Oxford, Oxford University Press. Print.
French, R., Rayner, C., Rees, G., and Rumbles, S. (2008) Organization Behaviour. Chichester, Wiley. Print.
Gorrod, M. (2004). Risk Management Systems: Technology Trends (Finance and Capital Markets). Basingstoke: Palgrave Macmillan. Print.
Hackman, J., and Walton, E. (1986) Leading groups in organizations. San Francisco, Jossey-Bass. Print.
Hatch, M. (2006) Organization Theory: Modern, symbolic, and postmodern perspectives. Oxford, Oxford University Press. Print.
Herbert, S. (1997) Administrative Behavior: A Study of Decision-Making Processes in Administrative Organizations. London, The Free Press. Print.
Hopkin, P. (2010) Fundamentals of Risk Management. Kogan, Page. Print.
Hubbard, D. (2009) The Failure of Risk Management: Why It’s Broken and How to Fix It. New York, John Wiley & Sons. Print.
Hutto, J. (2009) Risk Management in Law Enforcement, Applied Research Project. Texas State University. Print.
Huczynski, A. and Buchanan, D. (2007) Organization Behaviour. Harlow, FT, Prentice Hall. Print.
Lam, J. (2003) Enterprise Risk Management: From Incentives to Controls. New York, John Wiley. Print.
McGrath, J. (1962) Leadership behavior: Some requirements for leadership training. Washington, D.C, U.S. Civil Service Commission. Print.
Montana, P. J., and Charnov, B. H. (2008) Management: Leadership and Theory. New York, Hauppauge. Print.
Moteff, J. (2005) Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities and Consequences. Washington DC: Congressional Research Service.
Mullins, L. (2007) Management and Organization Behaviour. Harlow, FT: Prentice Hall. Print.
Mumford, D. (1986) Leadership in the organizational context: Conceptual approach and its application. Journal of Applied Social Psychology, 16(6), 508-531.
Institute of Risk Management (2002). A Risk Management Standard. London: Institute of Risk Management.
Olson, J. (2003) Organizational Culture Putting the Organizational Culture Concept to Work. The Behavior Analyst Today, 3 (4), 473 – 478.
Rayner, Charlotte. and Adam-Smith, David. (2009) Managing and Leading People, London, CIPD. Print.
Roehrig, P. (2006) Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly. Retrieved from http://www.btquarterly.com/?mc=bet-governance&page=ss-viewresearch
Robbins, S. (2004) Organizational Behavior – Concepts, Controversies, Applications. Washington, D.C, Prentice Hall. Print.
Stacey, R. (2007) Strategic Management and Organizational Dynamics. Harlow FT Prentice Hall. Print.
Standards Association of Australia (SAA) (1999). Risk management. North Sydney, N.S.W, Standards Association of Australia. Print.
Scott, R. (2007) Organizations and Organizing: Rational, Natural, and Open Systems Perspectives. Pearson, Prentice Hall. Print.
Stulz, R. (2009) Risk Management Failures: What are they and when do they happen? Journal of Applied Corporate Finance, 2(3), pp. 5-19.
Tompkins, J. (2005) Organization Theory and Public Management. London, Thompson Wadsworth. Print.
Van Deventer, D., Kenji, I., and Mark, M. (2004). Advanced Financial Risk Management: Tools and Techniques for Integrated Credit Risk and Interest Rate Risk Management. New York, John Wiley. Print.
Weick, K. (1979) The Social Psychology of Organizing. London, McGraw Hill. Print.
Yukl, G. (2006) Leadership in Organizations. Upper Saddle River, Prentice-Hall. Print.