How CEOs can mitigate compounding risks

| Article

One of a CEO’s most important responsibilities is to create enduring value for shareholders. However, history shows how elusive that ambition is. Only 15 percent of the companies on the Fortune 500 list 50 years ago are still there today. Many once-iconic businesses ended up shutting down or being acquired because their leaders failed to address risks that they deemed insignificant, unlikely, far off in the future—or ones they didn’t see at all.

In today’s complex business environment, corporations face webs of intersecting risks whose combined impact is difficult to predict and manage. When several such hazards materialize simultaneously, the cumulative effect can pose an existential threat to the organization. Such compounding risks are particularly dangerous because management teams tend to underprepare for their combined impact. While corporate risk management processes track and strive to mitigate individual threats to the organization, they rarely assess the repercussions of several shocks occurring at once.

When a company’s compounding risks turn into a full-blown crisis, industry peers, regulators, and commentators inevitably speculate about how the organization’s management could have failed to address the looming threat. How, for example, could photography equipment makers have missed the smartphone revolution that ravaged their business when they created the first digital cameras? In most cases, the cause isn’t willful ignorance or negligence but rather insufficient foresight: failing to ensure that the organization identifies potential compounding risks or delaying adequate actions to mitigate their impact. As complex, far-reaching risks mount, from geopolitical tensions to climate change, CEOs and boards cannot afford to be caught unprepared.

Three types of compounding risks

The threat of compounding risks has grown more severe because of the highly interconnected world that corporations operate in today. Often the causes of compounding risks are viewed as black swans, or “unknown unknowns” that no one could have foreseen, but in most cases the underlying risks can be predicted. To recognize them early on, leaders need to ask which known threats—from cyberattacks to technological disruptions to public health crises—could come together to create a compounding risk that should be considered in their risk mitigation strategies.

Compounding risks share two common features: the characteristics of the compounding risk are distinct from the underlying risks, and the compounding risk often has a different likelihood or impact than the underlying one. Further, compounding risks fall into three distinct categories: connected, cumulative, and novel risks.

Connected risks are threats to the business from multiple sources that leaders perceive as unrelated but that are in fact linked within a broader interconnected system. A single event that disrupts one part of the system can ripple out to other parts. For example, the COVID-19 pandemic caused declines in both regional manufacturing capacity and worldwide container-shipping capacity—two risks few companies anticipated being triggered by the same event. Similarly, during the 2008 financial crisis, organizations found suppliers and customers in disparate geographies going out of business as the crisis’s fallout reverberated across global markets. Most recently, Russia’s invasion of Ukraine created connected compounding risks for some organizations, such as a higher cost of raw materials combining with the sudden loss of international consumer markets.

In each case, a single risk—a pandemic, an economic crisis, a regional war—could have been existential in its own right. Most leaders realize that such significant events would disrupt their businesses, but the way these crises ricocheted across an interconnected business world caught many by surprise.

The second category of compounding risks is cumulative risks, whereby one or more risks build over time to trigger a single major shock. The underlying risks are often known to management teams and may even be rigorously monitored. However, the metrics usually only track individual incidents (for example, how often an IT system goes down) and the thresholds for alerting senior management are set high (such as a certain percentage of accounts being past due). As a result, leaders are often unaware that the frequency or severity of these risks is mounting. Just like compounding interest, they accumulate, exacerbating the threat as years pass in part because the second- and third-order consequences may not be considered. For example, the risk framework may estimate the percentage of transactions lost during a single IT outage but not the potential lifetime revenue of a lost customer or the reputational damage and possible customer exodus caused by repeated outages.

Author Malcolm Gladwell defines this tipping point as “the moment of critical mass, the threshold, the boiling point.”1  Just as a single bump in the road may not cause a loose tire to fall off but a longer rough stretch does, so an individual event may be manageable but a series of them can become an existential threat. One industrial company faced near bankruptcy when bad acquisitions, high debt, and a bloated balance sheet left it deeply exposed to the fallout of the 2008 financial crisis. Or consider catastrophic industrial accidents: thanks to modern safety protocols, a single failure point is unlikely to cause a disaster, but multiple safety failures occurring simultaneously can become a crisis. Social media is a frequent source of this type of compounding risk because a few negative tweets or posts can spread virally, perpetuating a (potentially false) narrative that deeply damages an organization’s reputation.

The final form of compounding risk, which we call novel risk, involves multiple known material risks—be they cyberattacks or threats to the business model or vulnerabilities caused by financial maneuvers—combining to create an unexpected new risk with distinct characteristics. The underlying risks are often long-term in nature, such as the impact of climate change, geopolitical tensions, or technological disruptions. Recent years have provided ample illustration of the dangers that a sudden new risk layered onto existing risks can pose. Companies carrying large debt loads were able to manage that risk—until the pandemic battered their returns. Cryptocurrency miners’ high demand for microchips seemed tangential to many businesses—until pandemic-induced technological acceleration and supply chain problems created a worldwide chip shortage that brought numerous manufacturers to a standstill.

In most cases, the underlying risks are on companies’ radars. The novel challenges these risks could create in combination, however, are not. Neither is the need for risk functions, management, and boards to pressure-test their ability to navigate such compounding risks.

How to address compounding risks

As the individual responsible for balancing the company’s short-term performance with long-term prosperity, the CEO holds ultimate responsibility for addressing compounding risks. To get a handle on such threats, leaders can take four steps: ensure their risk governance program covers compounding risks, validate that their teams are adequately prepared to manage such risks, leverage a horizon approach to investing to ensure long-term vectors of compounding risk are not ignored, and consider compound-risk scenarios when planning big strategic bets.

Strengthen risk management governance. Leaders should instruct their risk management functions to broaden the aperture on the risk scenarios they monitor to include compounding risks. For example, once risk managers have identified the top risks to the business, they often create an enterprise-level risk management map. Instead, the team should consider how and which individual risks could combine to create a new compounding risk, with particular focus on risks that may be minor individually but have high frequency (IT outages, for instance). Looking at the business through the lens of the customer rather than through product offerings can help risk managers see small but recurring friction points that could cause customers to leave.

All risks are best tracked through a formal risk management process. It’s critical to establish accountability, with senior executives’ performance scorecards linked to risk management goals and boards regularly updated on how management is preparing for compounding risks (see sidebar, “The board’s role in addressing compounding risk.”) Establishing early warning signals will allow leaders to see how risks are evolving. For example, what leading indicators are you monitoring to understand how shifting or escalating geopolitical tensions could create compounding risk for your operations in the short or long term?

Run “premortems” on managing risks. The current volatility has led many organizations to embrace scenarios in strategic planning, but most “what if” constructs don’t cover the full range of compounding risks. Analyzing factors that could produce a crisis can help management teams identify compounding risks and their consequences across multiple time horizons. In such premortem sessions, the team assumes a major negative event (for example, a 75 percent sales drop), then works backward to imagine how such a scenario might occur. What products could customers use as substitutes for your offerings? What could cause them to switch? What occurrence could critically harm the company’s reputation?

During workshops or executive retreats, futurists and other experts from inside and outside the organization can help the leadership team recognize compounding risks they may otherwise not consider. The key to a successful premortem is having a “challenger” mindset and reviewing multiple scenarios in which compounding risks can lead to a crisis.

Use a horizon planning approach. Many compounding risks stem from trends with long-term time horizons such as climate change, market or business model innovations, or changing consumer behaviors. These risks tend to build slowly until they hit the tipping point of becoming existential for the organization. A horizon planning approach can help management teams address risks that can emerge at various stages by looking at three horizons: first, maintaining and defending the core business; second, nurturing emerging businesses; and third, creating genuinely new businesses.

Addressing the last horizon is particularly important to mitigating long-term risks. For example, many energy companies are investing in decarbonizing their businesses even as they continue to rely on fossil fuels. Likewise, most car companies are developing electric cars while continuing to sell gasoline-powered vehicles. In essence, the horizon approach prepares companies for the next industry disruption—which often takes the form of a compounding risk, such as a combination of regulatory changes, consumer behavior shifts, and technological advances.

Make big bets that address long-term risks. As part of the horizon approach, the CEO needs to make big strategic bets that can fundamentally change the organization’s trajectory. Such investments enable a company to evolve along with its industry and in the process hedge long-term risks. However, these big bets should not be aimed at neutralizing a single risk but at mitigating numerous threats the organization faces, as industry disruptions are likely to stem from a confluence of risks.

Compounding risks are often missed by risk management functions, CEOs, and boards. Yet when unidentified, unmonitored, and unaddressed, they can threaten organizations’ survival. With mounting geopolitical tensions, rapid technological shifts, and other long-term threats that have wide-ranging implications, CEOs need to ensure that their organizations are tracking the interactions among different risks and are prepared for multiple crises striking simultaneously.

Explore a career with us