I find myself enjoying the beach more and more in retirement. I enjoy watching the people walking on the beach and of course enjoying the sound of the waves as they come crashing in. All in all, it is a very pleasant experience. And of course, I expect to continue seeing the beach and enjoying the beach experience. This has created a kind of “normalcy bias” …. the beach has always been pleasant and therefore I expect it will continue to be pleasant. Erudite Risk in its recent DRB risk report has discussed normalcy bias in detail. All risk managers and in-house counsel need to pay attention.
Normalcy bias can be seen as a major reason why so many companies as well as some countries were not prepared for Putin’s invasion. After all, Putin hadn’t invaded Ukraine for a number of years so the odds were that he wouldn’t…despite the signals leading up to the invasion. Normalcy bias can be seen affecting everyone’s perception of many kinds of risks. Yes, geopolitical risk is a major risk that is now looked at perhaps with a greater degree of interest. But financial risk, operational risk, and legal risk among others should also be looked at in a new light. Has normalcy bias affected a company’s perception of the risks it faces? If no one actually thinks risks should be taken too seriously as such risks have never led to a major crisis, have they really taken a hard look at the risks facing the company? Does the risk mitigation strategy really work when everyone’s perception is clouded by normalcy bias?
The Black Swan event may be more likely to happen than people think. In today’s business climate, more and more crises are beginning to happen when a few years ago many never thought they would occur. Everyone was lulled to sleep because of “normalcy bias”. So people tend to lump Black Swan events into risk events they thought would never happen. A kind of normalcy bias has set in, people continue to look at potential risk events as they always looked at them. Nothing happens until of course it does.
But risk events you never thought would happen may very well happen. Just because you look at the past or present a certain way doesn’t mean it will be the same in the future. North Korea hasn’t attacked South Korea in more than 70 years. Many look at the potential of a North Korean attack as nil because they don’t even remember the last invasion. Today, South Korea’s younger generations have no recollection of the post-war years and extreme poverty that many went through following the Korean War. Younger politicians think it is absurd that an attack would occur. But there have been warning signs. North Korea has ramped up its ballistic missile program as well as its nuclear testing. But a kind of normalcy bias or complacency has set in. If an attack occurs, it may catch everyone by surprise. Just look at the Russian invasion of Ukraine.
If you or your organization does business in South Korea or anywhere else in Asia, are you prepared in case there is an invasion or attack on South Korea? What about Taiwan? Or anywhere else in Asia? What plans are in place? Have you really spent time analyzing all the details or have you simply paid lip attention to it because everyone believes it won’t happen? After all, nothing has happened in 70 or 80 years (except for bombings, acts of terrorism and kidnappings, threats, nuclear bomb testing, etc). My advice when it comes to risk mitigation is to plan for every eventuality regardless of how you perceive it. Don’t let normalcy bias set in. This includes:
In essence, don’t let normalcy bias set in. It may be too late to act once the unthinkable happens.
I am currently enjoying the view overlooking the beach from the balcony of my condo in Busan. Everyone is coming out now that the weather is getting warmer. People are enjoying the beach. Boats are everywhere and people are flocking to the pubs lining the beach. Everyone appears to be having a good time. Even though I spend time thinking about my retirement and my upcoming trip to the US, I am caught up in the news surrounding the Russian invasion of Ukraine and the current devastation Russia is inflicting on its neighbor.
What has surprised me about the Russian invasion which should have been foreseen by NATO countries and even the Ukraine prior to the actual invasion (the US intelligence services accurately forecast the invasion several weeks prior to the actual invasion) was that it was missed by almost everyone. Most countries and even companies thought Putin would not invade and when it happened were caught flat-footed. Why? When geopolitical risks are potentially catastrophic, why did the world miss it ? The invasion has resulted not only in increased gas and commodity prices (already increasing), the destruction of the Ukrainian and Russian economies, loss of life, and destruction of property, but serious blows to the multinationals and companies doing business in Russia. And of course, countries are scrambling to find alternative sources of food supply as Russia and Ukraine are major exporters of wheat and fertilizer.
Perhaps one reason for the failure to seriously acknowledge the major geo-political risk faced by many….i.e. the Russian invasion is best described by Erudite Risk in its South Korea DRB Risk Report as “normalcy bias”. People and companies tend to view risks as minor when things seem to be normal. What was true yesterday and is true today will be true tomorrow. If things seemed normal yesterday and still seem normal now they will be normal tomorrow. As Russia did not invade Ukraine since taking Crimea, no one thought Putin would go in. Since Europe seemed to be stable in 1938 the West did not think Hitler would invade Poland and start a World War. Multinationals did not seem to pay attention to geopolitical risks after Crimea. Why would Putin invade Ukraine? Things seemed rather normal one month or two months ago even though there were a few disturbing signs that all was not well.
If companies and governments took a closer look at Putin, his beliefs and his military buildup, geo-political risks in Europe should have taken center stage. But it appears that this was not the case. So, when I think about risk issues facing companies, organizations, and even countries, the major question that should be on everyone's mind is whether or not they have adequately addressed all major geopolitical risks facing them. Are supply chain issues adequately addressed? Are logistics issues addressed? What about sources of supply? And of course, from a contractual and insurance standpoint, are those issues addressed?
For companies doing business in South Korea, the threat of war is always a risk they face. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities. Companies doing business in South Korea not only have many risks to think about such as operational risk, market risk, legal risk, and financial risk but geopolitical risk as well. Therefore, a company contemplating a business project in Korea must at least on a tactical level consider the implications of geopolitical risk as well as everyday market risks. However, I think there is a sense of complacency affecting those doing business on the Korean peninsula. Companies may talk about potential risks but I don’t see a sense of urgency.
Considering recent geopolitical events, many companies should review old risk management policies and procedures, in case of updates, are needed. Of course, some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.
Companies face many kinds of risks when engaged in offshore projects; of course, geopolitical risk is one of them. This comes about when a government changes its policy, ideology, or even itself which creates instability, disorder, war, strikes, riots, etc. What must be done to manage such a risk? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital –exporting nations ( such as OPIC, etc.) are subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point- OPIC can only operate in countries that have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country that lacks a bilateral investment treaty with the US- you are out of luck when trying to obtain political risk insurance from OPIC. This is true of outer countries which supply similar political risk insurance through export development programs. For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.
As 2020 comes to a close, it is time for many organizations to analyze its risk management processes and how well the processes managed the risk events that has recently occurred. For many companies, Covid-19 was a catastrophic or near catastrophic event. Those companies that were prepared to handle the pandemic (such as those that had business continuity plans in place, etc.) were able to handle the risks presented by Covid 19. Those that were not prepared had a harder time. What successful companies know is that in order for a company to succeed it not only has to a sustainable business model but it has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? So, maybe it’s time to re-examine your risk management processes. Do they really work?
When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. And of course, some companies have not changed processes during Covid. But why?
I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future.
I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the business continuity plan really work? Maybe it did 5 years ago. But what about today?
What about re-examining the areas of risk management responsibility? The areas should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:
-conducting risk assessments of the organizations’ divisions and departments
-developing solutions for the various risk management issues
-developing business continuity plans
-coordination with various departments to assist with compliance issues
-oversee loss control concerns
-develop training for the organization’s employees covering various risk related areas of concern such as product safety, etc.
Remember, if local or national laws have changed maybe the current processes are out of date. If your organization was not prepared for the Covid 19 pandemic, maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current geo-political environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws? What about business continuity plans?
It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that the way things are done” your company should continue to operate as usual.
So if you haven’t re-examined your risk management processes- now is the time to do so.
Recently, a number of airlines have announced plans to cancel flights to South Korea due to the corona virus outbreak. Korean companies such as Samsung and LG have had to shut down production lines in some of their Korean based plants as well, causing a cascading number of economic issues to impact Korea’s economy as well as the world’s supply chain. Much of the world’s high tech based supply chain is based in Northeast Asia ( China, South Korea, Japan, etc.) and the negative effects of the corona virus can be seen everywhere. As a major supplier of memory chips, cell phones, computers, consumer electronics and home appliances, any disruption in Korea’s economy spells trouble for the rest of the world.
Until recently, for companies doing business in South Korea, the most pressing geo-political risk was the threat of war. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities. However, the impact of the current virus, drives home the fact that for companies doing business in South Korea, not only do they have to think of geo-political risk in terms of war, but as health emergencies and pandemics as well. Therefore, a company contemplating potential business projects in Korea must at least on a tactical level consider the implications of geopolitical risks as well as everyday market risks such as financial, legal and operational risks.
Considering recent geo-political events, many companies should review old risk management policies and procedures, in case updates are needed. Companies are only now beginning to realize they are not prepared to handle the escalating risks caused by the corona virus. Of course, what happens if there really is a true global pandemic? Many companies are not prepared for that. Some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.
Companies face many kinds of risks when engaged in offshore projects; of course geo- political risk is one of them. This comes about when a government changes its policy, ideology or even itself which creates instability, disorder, war, strikes, riots, etc. Or of course health risks that effect the region. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital –exporting nations ( such as OPIC, etc.) is subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point- OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US- you are out of luck when trying to obtain political risk insurance from OPIC. This is true of outer countries which supply similar political risk insurance through export development programs.
For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.
