Cover Story

An Animal Kingdom
Of Disruptive Risks
Where was the board? As a corporate director, imagine you find your-
self in one of these difficult situations:
■■ Unexpected financial losses mount as your bank faces a sudden
collapse during a 1-in-100-year economic crisis.
■■ Customers leave and profits drop year after year as a new tech-
nology start-up takes over your No. 1 market position.
■■ Negative headlines and regulatory actions besiege your compa-
ny following undesirable tweets and other belligerent behavior from
the CEO.
These scenarios are not hard to imagine when you consider what
unfolded before the boards of Lehman Brothers, Blockbuster, Tesla,
and others. In the context of disruptive risks, these events
can be referred to as black swans, gray rhinos, and white
How boards can elephants, respectively. While each has unique character-
oversee black istics, the commonality is that all of these risks can have a
major impact on a company’s profitability, competitive posi-
swans, gray
tion, and reputation.
rhinos, and white As presented in the 2018 NACD Blue Ribbon Com-
elephants. mission Report on Adaptive Governance: Board Oversight
of Disruptive Risks, most companies are unprepared for
By James C. Lam a volatile, uncertain, complex, and ambiguous (VUCA)
business environment. In a recent NACD poll, 62 percent
of directors viewed disruptive risks as “much more impor-
tant” than five years ago. Only 19 percent of directors, however, ex-
pressed confidence in management’s ability to address such risks.
This gap between awareness and confidence is well founded. Ac-
cording to a separate study, the average time companies exist within
the S&P 500 index has declined from 33 years in 1964 to 24 years
in 2016, and is forecasted to drop to 12 years by 2027. Indeed, value
creation and destruction is occurring at an unprecedented and ac-
celerating speed.
In a VUCA world, boards need to expand their risk governance
and oversight to include disruptive risks. This article addresses three
fundamental questions:
■■ What are black swans, gray rhinos, and white elephants?
■■ Why are they so complex and difficult to deal with?
BOB KAYGANICH

■■ How should directors incorporate these disruptive risks as part

of their oversight?

24 NACD Directorship January/February 2019

January/February 2019 NACDonline.org 25
Cover Story

Tesla co-founder and CEO

Black Swans
Elon Musk agreed in 2018
Black swans are events that are highly improbable, difficult to pre- to step down as chair as
dict, and have massive impact. The 2008 financial crisis serves as a part of a settlement with
clear example. The fourth-largest investment bank, with a 158-year US regulators of a lawsuit
history, Lehman Brothers filed for the biggest bankruptcy in US his- alleging he duped investors
tory on Sept. 15, 2008, sending global markets plummeting. Other with misleading statements
noteworthy examples include the invention of the Internet, the 9/11 about a proposed buyout
attacks, and the dot-com crash. Such events could all be considered of the company.
“unknown unknowns”—they were unexpected and their effects
only became clear after the fact.
By definition, black swans are unforeseeable tail-risk events. In-
dividually, these events are highly improbable, but collectively they
occur far more frequently than one might expect. For example, New megatrends have been brewing for years, with visible risks and op-
York City was hit by 100-year storms two years in a row—Hurricanes portunities, but many companies have yet to respond effectively.
Irene in 2011 and Sandy in 2012. While we tend to view black For example, artificial intelligence is often treated like a shiny new
swans as threats whose damage can be at best mitigated, it is im- object, though its origin dates back to 1956 at Dartmouth College,
portant to recognize that they can also be great opportunities whose when a computer learned to beat humans at checkers.
rewards disproportionately flow to the well-prepared. A timely and
principled approach to even the most ominous events can generate While Elephants
outsized returns, such as the wealth creation by some hedge funds White elephants are extant, existential risks that are difficult to
that shorted the markets prior to the 2008 crash. address. Decisive actions are made difficult because they are no-
win situations fraught with subjectivity, emotions, and loyalties. A
classic “elephant in the room” example is a money-losing business
favored by the CEO. These situations could also be considered
“known knowns,” or big problems that we know about and that
we know we should do something about, but toward which we fail
to act appropriately. For instance, Tesla’s stock recently went on a
roller-coaster ride during a period in which co-founder Elon Musk
tweeted about going private and then appeared to be smoking can-
Global markets nabis on video. The US Securities and Exchange Commission
plunged after fined Musk and Tesla $20 million each and forced Musk to give up
Lehman Brothers the role of chair (he remains CEO). How should any board deal
filed for bankruptcy with an iconic CEO who is misbehaving?
in September 2008. Other examples of white elephants can be found in the sexu-
al harassment and abuse cases that collectively ushered in the
Gray Rhinos #MeToo movement. In addition to dealing with powerful CEOs,
These probable, high-impact trends are clearly observable but often boards often need to toe the line between growing profitable busi-
ignored. Disruptive technologies are great examples of gray r­ hinos. nesses and being socially and ethically responsible. Consider the
The rise of Netflix and the demise of Blockbuster occurred over alleged role of Big Pharma in the opioid crisis, or any company
many years. In 2000, Blockbuster passed up an offer to buy a start- facing the dilemma of marketing a potentially dangerous product.
up called Netflix for $50 million. Blockbuster filed for bankruptcy Back in 1994, imagine how directors of the seven tobacco compa-
PHOTOS: ASSOCIATED PRESS

in 2010; today Netflix is worth over $100 billion. Gray rhinos could nies felt when they witnessed their CEOs testifying under oath and
also be considered “known unknowns”: we know these emerging before the US Congress that nicotine was not addictive.
trends could have massive impact, but we don’t know how to react
appropriately. Examples of current gray rhinos include artificial in- Complexities and Biases
telligence, blockchain, cybersecurity, and climate change. These Why are companies so ill prepared for disruptive risks? There are

26 NACD Directorship January/February 2019

three main challenges: (1) standard enterprise risk management view of risks and a focus on short-term results (e.g., quarterly earn-
(ERM) programs may not capture them; (2) they each present ings), resulting in a reluctance to invest for the longer term.
unique characteristics and complexities; and (3) cognitive biases ■■ Status quo bias is a preference to preserve the current state.
prevent directors and executives from addressing them. This powerful bias creates inertia and stands in the way of appro-
Standard tools used in ERM, including risk assessments and priate actions.
heat maps, are not timely or dynamic enough to capture uncon- To overcome cognitive biases, directors must recognize that they
ventional and atypical risks. Most risk quantification models—such exist and consider how they impact decision making. Moreover,
as earnings volatility and value-at-risk models—measure potential board diversity, objective data, and access to independent experts
loss within a 95 percent or 99 percent confidence level. Black swan can counter cognitive biases in the boardroom.
events, on the other hand, may have a much smaller than 0.1 per-
cent chance of happening. Gray rhinos and white elephants are Recommendations for Consideration
atypical risks that may have no historical precedent or operational How should directors help their organizations navigate disruptive
playbooks. As such, disruptive risks may not be adequately ad- risks? They can start by asking the right questions in the context of
dressed in standard ERM programs even if they have the potential the organization’s business model and strategy. The sidebar below
to destroy the company. lists 10 questions that directors can ask themselves and management.
The characteristics and complexities of each type of disruptive In addition, directors should consider the following five recom-
risk are unique. The key challenge with black swans is prediction. mendations to enhance their risk governance and oversight:
They are outliers that were previously unthinkable. That is not the 1. Incorporate disruptive risks into the board agenda. The
case with gray rhinos, since they are generally observable trends. full board should discuss the potential impact of disruptive risks as
With gray rhinos the main culprit is inertia: companies see the part of its review of the organization’s strategy to create sustainable
megatrends charging at them, but they can’t seem to mitigate the long-term value. Disruptive risks may also appear on the agenda
risk or seize the opportunity. The key issue with white elephants is of key committees, including the risk committee’s assessment of
subjectivity. These no-win situations are often highly charged with
emotions and conflicts. Doing nothing is usually the easiest choice Questions on Disruptive Risks for Boards
but leads to the worst possible outcome.
While it is imperative to respond to disruptive risks, cognitive 1. Does our board composition, culture, and agenda support
biases can lead to systematic errors in decision making. Behavioral oversight of disruptive risks?
economists have identified dozens of biases, but several are espe- 2. What are the three to five scenarios that could kill the
cially pertinent in dealing with disruptive risks: ­company?
■■ Availability and hindsight bias is the underestimation of risks 3. What are the three to five scenarios that could increase
that we have not experienced and the overestimation of risks that market value by 10 times in the next three years?
we have. This bias is a key barrier to acknowledging atypical risks 4. Given our business strategy, have we stress-tested the most
until it is too late. critical assumptions?
■■ Optimism bias is a tendency to overestimate the likelihood of 5. Do we have a set of early warning indicators for emerging
positive outcomes and to underestimate the likelihood of negative and existential risks?
outcomes. This is a general issue for risk management, but it is 6. What opportunities have we missed over the past three
especially problematic in navigating disruptive risks. years due to inaction rather than lack of knowledge?
■■ Confirmation bias is the preference for information that is 7. If we operate “business as usual,” what could be our great-
consistent with one’s own beliefs. This behavior prevents us from est regrets in the future?
processing new and contradictory information, or from responding 8. Are we honestly facing issues related to undesirable behav-
to early signals. ior or dysfunctional culture?
■■ Groupthink or herding occurs when individuals strive for 9. Are we fighting one fire after another without addressing
group consensus at the cost of objective assessment of alternative the root causes?
viewpoints. This is related to the sense of safety in being part of a 10. Does our board reporting provide appropriate outside-in,
larger group, regardless if their actions are rational or not. forward-looking information?
■■ Myopia or short-termism is the tendency to have a narrow

January/February 2019 NACDonline.org 27

Cover Story

enterprise risks, the audit committee’s review of risk disclosures, the ■■ Market intelligence data that provides directors with useful
compensation committee’s determination of executive incentive “outside-in” information, including key business and industry de-
plans, and the governance committee’s processes for addressing velopments, consumer and technology trends, competitive actions,
undesirable executive behavior. The key is to explicitly incorporate and regulatory updates.
disruptive risks into the board’s oversight and scope of work. ■■ Enterprise performance and risk analysis including key per-
2. Ensure that fundamental ERM practices are effective. formance and risk indicators that quantify the organization’s sensi-
Fundamental ERM practices—risk policy and analytics, manage- tivities to disruptive risks.
ment strategies, and metrics and reporting—provide the baseline ■■ Geo-mapping that highlights global “hot spots” for economic,
from which disruptive risks can be considered. As an example, the political, regulatory, and social instability. This can also show com-
definition of risk appetite can inform discussions of loss tolerance pany-specific risks such as third-party vendor, supply chain, and
relative to disruptive risks. As an early step, the board should ensure cybersecurity issues.
■■ Early-warning indicators that provide general or scenario-
specific signals with respect to risk levels, effectiveness of controls,
To overcome inertia and deal with gray and external drivers.
rhinos, the company needs to establish ■■ Action triggers and plans to facilitate timely discussions and
decisions in response to disruptive risks.
organizational processes and incentives 5. Strengthen board culture and governance. To effectively
to increase agility. oversee disruptive risks, the board must be fit for purpose. This re-
quires creating a board culture that considers nontraditional views,
questions key assumptions, and supports continuous improvement.
that the overall ERM framework is robust and effective. Otherwise, Good governance practices should be in place in the event a white
the organization may fall victim to “managing risk by silo” and miss elephant appears. For example, what is the board protocol and
critical interdependencies between disruptive risks and other enter- playbook if the CEO acts inappropriately? In the United States, the
prise risks. 25th Amendment and impeachment clauses are in place osten-
3. Consider scenario planning and analysis. Directors should sibly to remove a reprehensible president. Does the organization
recognize that basic ERM tools may not fully capture disruptive have procedures to remove a reprehensible CEO?
risks. They should consider advocating for, and participating in, The chart on the opposite page summarizes the key characteris-
scenario planning and analysis. This is akin to tabletop exercises for tics, examples, indicators, and strategies for identifying and address-
cyber-risk events, except much broader in scope. Scenario analysis ing black swans, gray rhinos, and white elephants. The end goal
can be a valuable tool to help companies put a spotlight on hidden should be to enhance oversight of disruptive risks and counter the
risks, generate strategic insights on performance drivers, and iden- specific challenges that are presented. To mitigate the unpredict-
tify appropriate actions for disruptive trends. The objective is not to ability of black swans, the company should develop contingency
predict the future, but to identify the key assumptions and sensitivi- plans with a focus on preparedness. To overcome inertia and deal
ties in the company’s business model and strategy. In addition to with gray rhinos, the company needs to establish organizational
scenario planning, dynamic simulation models and stress-testing processes and incentives to increase agility. To balance subjectivity
exercises should be considered. and confront white elephants, directors should invest in good gov-
4. Ensure board-level risk metrics and reports are effective. ernance and objective input that will support decisiveness.
The quality of risk reports is key to the effectiveness of board risk
oversight. Standard board risk reports often are comprised of insuf- The Opportunity for Boards
ficient information: historical loss and event data, qualitative risk In a VUCA world, corporate directors must expand their traditional
assessments, and static heat maps. An effective board risk report risk oversight beyond well-defined strategic, operational, and finan-
should include quantitative analyses of risk impacts to earnings and cial risks. They must consider atypical risks that are hard to predict,
value, key risk metrics measured against risk appetite, and forward- easy to ignore, and difficult to address. While black swans, gray
looking information on emerging risks. By leveraging scenario rhinos, and white elephants may sound like exotic events, directors
planning, the following reporting components can enhance dis- could enhance their recognization of them by reflecting on their
ruptive risk monitoring: own experiences serving on boards.

28 NACD Directorship January/February 2019

 Given their experiences, directors should provide white elephant in the boardroom, a company can For Further
a leading voice to improve oversight of disruptive remediate an unspoken but serious problem. In the
Reading
risks. They have a comparative advantage in seeing current environment, board oversight of disruptive
the big picture based on the nature of their work— risks represents both a risk management imperative
part time, detached from day-to-day operations, and and a strategic business opportunity. D James Lam, Imple­
with experience gained from serving different com- ment­­ing Enterprise Risk
panies and industries. Directors can add significant James C. Lam is president of James Lam & Associ- Managerment: From
value by providing guidance to management and ates, a risk management consulting firm. He is a di- Methods to Applications
helping them see the forest for the trees. rector and chair of the risk oversight committee of (Wiley, 2017)
Finally, there is an opportunity side to risk. There E*TRADE Financial and an independent director of
are positive and negative black swans. A company RiskLens. Lam served as a commissioner for the 2018 Nassim Nicholas Taleb,
can invest in the positive ones and be prepared for NACD Blue Ribbon Commission initiative on board The Black Swan: The
the negative ones. For every company that is tram- oversight of disruptive risks. He was also a 2018 NACD Impact of the Highly
pled by a gray rhino, another company is riding it Directorship 100 honoree. Email him at james@james- Improbable, 2nd ed.
to a higher level of performance. By addressing the lam.com. (Random House Trade
Paperbacks, 2010)
Identifying and Addressing Black Swans, Gray Rhinos, and White Elephants
Michele Wucker,
Risks Probability Challenge Examples Indicators Strategies The Gray Rhino: How to
Black Swans Low Prediction Invention of the Breakdowns in Develop scenario Recognize and Act on
(“unknown Internet, 9/11 historical price analysis, early warning the Obvious Dangers
unknowns”) attack, 2008 correlations, indicators, and We Ignore, (St. Martin’s
economic crisis sudden and contingency plans Press, 2016)
unexpected
shocks Goal: preparedness Report of the
NACD Blue Ribbon
Commission on
Gray Rhinos Moderate to Inertia Disruptive Emerging Establish processes Adaptive Governance:
(“known high technologies, megatrends, for innovation, Board Oversight of
unknowns”) cybersecurity, capital experimentation, and Disruptive Risks
climate change formation and change management (free download at
value creation NACDonline.org)
by start-ups Goal: agility

White Extant Subjectivity Irrational or No-win Invest in good

Elephants unethical CEOs, situations, governance, company
(“known dysfunctional conflicts culture and values,
knowns”) culture, of interest, objective advice, and
dangerous emotional crisis management
products, meetings,
#MeToo unexpected and Goal: decisiveness
movement sharp declines
in business
performance

January/February 2019 NACDonline.org 29