Future Business Leaders Need a Firmer Grasp on Risk
Photo by Sean Benesh via Unsplash.
March 23, 2021
New risk vectors and increasing demands for transparency will place a premium on the ability for leaders to effectively assess, address, and communicate risk. Business schools need to restructure how they teach risk to account for this reality.
From the “largest and most sophisticated [cyber] attack” the world’s yet seen, in the words of Microsoft President Brad Smith, to the January 6th insurrection attempt at the U.S. Capitol, the most serious challenge to the U.S.’s constitutional order in a century, 2021 has been characterized by historic risk and uncertainty. This volatile trendline, continued from the preceding year, offers no sign of abatement. Organizations are facing a fast-moving landscape of shifting customer expectations and unremitting public scrutiny, sweeping regulatory challenges, and technology-driven change that is certain to expose firms to new risk.
This new reality, however, has not penetrated the halls of business schools, charged with educating the next generation of analysts and leaders. While the pace and contour of risk will increasingly affect work across every role and industry, business students are graduating unequipped to manage risk. In most curricula today, risk is treated as an incidental component of a business activity—think corporate fraud as part of an accounting course. What is needed, however, is a more systematic treatment that provides students the tools and mindset to think like the risk managers they will need to be. Enterprise risk management (ERM) must join internal rate of return (IRR) and Porter’s Five Forces as recognized mainstays in the curriculum of business education.
Overlapping trends that organizations are facing today underscore the urgency of getting this right: accelerated global trends and dispersion of risk; increasing demands on organizations to behave with transparency and accountability; and the expectation that individual leaders will be agile in addressing uncertainty and change. Affording the subject of risk management little attention can have material consequences not only on a student's future career, but also on the long-term fortunes of organizations.
Consider, first, the big picture facing organizations today as it relates to the profile of risk they face. Short of past periods of global war, businesses today face a more diverse array of risks than at any time in modern history: cyber incidents of every form, intellectual property theft, insider threats, employee misconduct, regulatory uncertainty, climate change, physical and digital supply chain risks, and many more. Even if an organization does not put itself in the crosshairs by offending the sensibilities of a rogue dictator with considerable cyber capabilities, no enterprise is exempt from today’s macro risks. Even organizations considered “out of bounds” to mischief—think water treatment plants, or hospitals—are not immune to risks as diverse as ransomware and sabotage. Incidents that would have led the evening news two decades ago—such as a flaw in Microsoft email software unlocking the inboxes of at least 30,000 organizations, including small businesses and governments—are now considered part and parcel of the cost of doing business.
This comes at a time when organizations are increasingly expected or obligated to be far more transparent. New and anticipated disclosure requirements—on items ranging from more “actionable” cyber vulnerabilities to sustainability and human capital—will place the onus on businesses to become more transparent. Pressure from investors, unorthodox competitors, and investigative sleuths will also raise the cost of poor governance and planning. What might have been once ignored or hidden—a messy personnel situation, a hack of customers’ data—today demands accountability. With non-market challenges no longer so easily obscured to customers, employees, stakeholders, or the public, demonstrating competent risk management is an important barometer for successful stewardship. Stung by the deficit of trust that impacts all organizations today, an enterprise’s value will be increasingly influenced by the ability to effectively and openly assess, address, and communicate its risks.
All this will require business leaders who can anticipate and evaluate risk, understand its varied impact across a business, and provide solutions on how to address or mitigate it. Risk is no longer a consideration that can be shoved off wholly on one business group; instead, it is a constant factor that must be understood across business and functional verticals. Technology risk is not the sole remit of a CIO, any more than regulatory uncertainty is the sole responsibility of a general counsel. Business students, particularly MBAs jostling for management roles in their near future, must arrive with a foundational understanding of these issues and frameworks.
Unfortunately, in evaluating the top-tier MBA programs, it is not clear that most students are receiving even a survey-level view of risk management. A review of core curricula among the U.S. News & World Report’s top 15 MBA programs found that only one university has a required class focused on risk and uncertainty: University of Virginia’s Darden School of Business. This class, Decision Analysis, focuses on “framing, analyzing, and proactively managing decisions involving uncertainty, whether the uncertainty results from general conditions or the actions of competitors.”
At most programs today, key principles may be covered on a disjointed basis in different classes. Decision theory—calculating and evaluating trade-offs—may be covered in statistics and econometrics, whereas responding to external stakeholders would be central to a strategic communications elective. More specialized courses might unearth topics that would be salient in a survey-level view of risk, such as due diligence (mergers and acquisitions) or cognitive biases (marketing psychology). Even economics has much to offer in understanding the role of incentives, as underscored by security technologist Bruce Schneier in a recent essay on why maximal and short-term profit-seeking inherently leads to vulnerabilities such as those that wracked SolarWinds.
Modern business education needs a more coherent effort to fuse these threads together. This can be achieved with different approaches, such as a stand-alone foundations class, a series of distinct modules within existing courses, or action-based simulations. The "Crisis Challenge" exercise at the University of Michigan's Ross School of Business is one example of just such a hands-on experience. Other schools, such as Paris-based HEC, are now adopting this as a worthwhile model (full disclosure: the author is a Michigan MBA graduate).
While specific approaches may vary by pedagogical philosophy, what is needed is a survey of core enterprise risk management principles, an understanding of the diverse threat vectors facing business today, and the mindset to tackle head-on the myriad strategic and operational risks they are likely to face in their career.