This major research report, produced by Cass for Airmic (the Association of Insurance and Risk Managers in Industry
and Commerce) investigates the origins and impact of over twenty major
corporate crises of the last decade. The crises examined involved substantial,
well known organisations such as Coca-Cola, Firestone, Shell, BP, Airbus,
Société Générale, Cadbury Schweppes, Northern Rock, AIG, Independent Insurance,
Enron, Arthur Andersen, Railtrack, the UK Passport Agency and also some smaller
firms. Several did not survive and most of the rest suffered severe
The aims of the research were to trace the deeper causes of the crises, to
assess the post-event resilience of the companies involved and to consider the
implications for the risk management of companies in general.
The report is built around eighteen detailed case studies which analyse the
impact of critical events both on the enterprises most directly affected and,
in many cases, on other associated firms. There are references to around forty
organisations in total.
The case studies provide a rich source of lessons about risk, risk analysis and
risk management, in the context of critical events of many different types,
ranging from fires and explosions, product-related and supply chain crises to
fraud and IT failures. The report details over one hundred specific 'lessons
about risk' which emerge from the case studies.
Much broader lessons have also been distilled from the case studies. Several
of the firms studied were destroyed by the crises that struck them. While
others survived, they often did so with their reputations in tatters, and faced
an uphill task in rebuilding their businesses. The research concluded that the
firms most badly affected had underlying weaknesses which made them especially
prone both to crises and to the escalation of a crisis into a disaster.
These weaknesses were found to arise from seven key risk areas that are
potentially inherent in all organisations and which can pose an existential
threat to any firm, however substantial, which fails to recognise and manage
them. These risk areas are beyond the scope of insurance and mainly beyond the
reach of traditional risk analysis and management techniques as they have
evolved so far. In our view, they should be drawn into the risk management
process. They are as follows:
A. Board skill and NED control risks-
limitations on board competence and the ability of the Non-Executive Directors
(NEDs) effectively to monitor and, if necessary, control the Executives.
B. Board risk blindness- the failure of
boards to engage with important risks, including risks to reputation and
'licence to operate', to the same degree that they engage with reward and
C. Poor leadership on ethos and culture
D. Defective communication- risks arising
from the defective flow of important information within the organisation,
including to board-equivalent levels.
E. Risks arising from excessive
F. Risks arising from inappropriate
incentives - whether explicit or implicit.
G. Risk 'Glass Ceilings'- arising from the
inability of risk management and internal audit teams to report on risks
originating from higher levels of their organisation's hierarchy.
The report concludes that a number of developments are necessary to deal with
- The scope, purpose and practicalities of risk management will need to be
re-thought from board level downwards in order to capture these and other risks
that are not identified by current techniques.
- The education of risk professionals will need to be extended so that they
feel competent to identify and analyse risks emerging from their organisation's
ethos, culture and strategy, and from their leaders' activities and
- The role and status of risk professionals will need to change so that they
can confidently report all that they find on these subjects to board
The full article can be downloaded from