3910ed5a-aeac-45d3-8206-12dcef244678

.pdf

School

Waianae High School**We aren't endorsed by this school

Course

MKT 311

Subject

Management

Date

Dec 19, 2024

Pages

Uploaded by PresidentRose11058

9-117-113 R E V : D E C E M B E R 1 5 , 2 0 1 6 This module was prepared by Professor Robert Simons with the assistance of Research Associate Jennifer Packard. Parts of this module are adapted from Robert Simons, Performance Measurement & Control Systems for Implementing Strategy, Prentice Hall, 2000 and Robert Simons, "How Risky is Your Company?"Harvard Business Review 77, no. 3 (May/June 1999), pp. 85-94. Copyright © 2016, 2017 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-545-7685, write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu. This publication may not be digitized, photocopied, or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School. ROBERT SIMONS Strategy Execution Module 13: Identifying Strategic Risk Competing in any industry entails risk. However, the more aggressive and fast-paced the business and its management, the greater the potential for a misstep. In this module, we consider the different types of strategic risks that can imperil the firm. Then, we illustrate how to use the risk exposure calculator—a diagnostic tool to identify organizational pressure points that could cause these risks to rise to dangerous levels. Finally, we discuss the conditions that could cause individual employees to willfully expose the business to risk. After identifying the sources of strategic risk, we study the control tools and techniques that managers employ to manage these risks.Sources of Strategic Risk A dictionary defines risk as “the possibility of suffering harm or loss.”1In a business setting, managers must be sensitive to conditions that can cause specific categories of risk to become dangerous. These conditions are a function of the business strategy chosen by top managers. To effectively manage their business, all managers must assess strategic risk, which is an unexpected event or set of conditions that significantly reduces the ability of managers to implement their intended business strategy. Figure 13-1highlights the focus of our analysis. Business strategy—at the center of the figure—1The American Heritage Dictionary of the English Language, 5th ed., (Boston: Houghton Mifflin Harcourt, 2011). What You Will Learn in this Module: This module begins with a discussion of the three sources of strategic risk—operations risk, asset impairment risk, competitive risk—and considers how these risks can undermine an entire business. Then, the risk calculator is introduced as a diagnostic tool to assess the extent to which growth, culture, and information management create risk pressures. Finally, you will learn about the dangerous triad of pressure, opportunity, and rationalization that can create temptation for employees to engage in misrepresentation and fraud. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 2 is our starting point. Working outward from the center, we consider three basic sources of strategic risk that potentially affect every business: operations risk, asset impairment risk, and competitive risk. If the magnitude of any of these risks becomes sufficiently large, the firm becomes exposed to franchise risk. Figure 13-1Sources of Business Risk Source: Author. Operations Risk Operations riskresults from the consequences of a breakdown in a core operating, manufacturing, or processing capability. All firms that create value through manufacturing or service activities face operations risk to varying degrees. Things can (and do) go wrong in the operating core of the business. Defective products can be shipped, maintenance can be neglected leading to breakdowns, customer packages can be lost, and transactions can be erroneously processed. Any operational error that impedes the flow of high quality products and services has the potential to expose the firm to loss and liability. Operations risk becomes a strategic risk in the event of critical product or process failures. In a food or drug manufacturer, for example, operations risk is encountered if a toxic substance is inadvertently mixed in with a product formulation. For a financial institution, operations risk is encountered if trades are not executed properly or if a transactions clearing system fails. Fidelity Investments Company, for example, processes over one million transactions each day in its mutual funds business. With more BusinessStrategyOperations RiskAsset Impairment RiskCompetitive RiskFranchise RiskCustomersCompetitorsSuppliersRegulatorsFor the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 3 than $2 trillion invested, customers expect their transactions to be processed promptly and accurately.2Any failure of processing technology would be devastating to the business. Basic business strategy affects any firm’s exposure to operations risk. For example, e-commerce marketer Groupon spent huge sums on marketing, Super Bowl ads, and social media to support its aggressive growth strategy. However, Groupon’s transaction processing system was not ready to handle the deluge of new business, leading to irate customers when Groupon was unable to deliver the deals offered on its site. As suppliers and customers shifted their business to competitors or stopped using online coupons altogether, Groupon’s business dwindled and the CEO was fired.3In another example of operations risk, consider fast food chain Chipotle Mexican Grill. The company attempted to differentiate its products through local food sourcing and on-site preparation to maximize freshness. Unfortunately, this strategy led to severe consequences when employees in the Pacific Northwest used ingredients tainted with E. coli and, in the Northeast, food preparation employees who were ill caused two norovirus outbreaks. These quality and food safety failures resulted in criminal investigations and loss of confidence by customers. Earnings plummeted 44%. The company’s survival was placed in jeopardy. Chipotle responded by centralizing some food processing steps, increasing cooking requirements to ensure food safety, and implementing new training processes for all employees and suppliers.4In most industries, there are some competitors who knowingly choose strategies in which the safety and/or quality of their operations are critical to success—thereby assuming significant operations risk. This is true for an electric utility that chooses to generate power using nuclear reactors instead of purchasing bulk power from another provider. The strategy of entering the generation business—backward integrating—coupled with the decision to generate power using nuclear reactors rather than fossil fuels, increases operations risk significantly. In high technology businesses, where certain aspects of operations are “mission critical” to the implementation of strategy, any error or downtime can be sufficiently serious to threaten the viability of the business. We have discussed already the substantial operations risk at large financial institutions like Fidelity Investments. Consider also the operations risk at the John F. Kennedy Space Center. Because managers rely on complex technologies, even a small failure in operations can imperil the safety of the space shuttle and its crew. As a result, NASA has assumed significant operations risk. The consequences of operations risk are often triggered by employee error. Most of these errors are unintended and/or accidental. Occasionally, however, employees may consciously decide to cut corners in quality or safety to meet performance targets or receive bonuses. For example, the horrific nuclear accident at Chernobyl was caused by operators and managers who intentionally falsified performance indicators to ensure that they would achieve production targets and earn desired bonuses. Errors also arise from lapses in cybersecurity. As electronic data systems expand to touch every aspect of modern life, intentional errors and breakdowns can be caused when unauthorized individuals actively seek to compromise computer-based information systems. Such invaders—who can be motivated by thrill-seeking or financial gain—may attempt to obtain backdoor access to a 2Fidelity, “Fidelity by the Numbers: Corporate Statistics,” https://www.fidelity.com/about-fidelity/fidelity-by-numbers/ corporate-statistics, accessed June 13, 2016. 3Doug Gross, “Why the Online ‘Daily Deals’ Craze Fizzled,” CNN, March 4, 2013, http://www.cnn.com/2013/03/01/tech/ web/daily-deals-decline/, accessed June 1, 2016. 4”Chipotle Works to Regain Customer Trust After Disease Outbreak,” CBS News/AP, February 8, 2016, http://www.cbsnews.com/news/chipotle-works-to-regain-customer-trust-after-disease-outbreak/, accessed June 1, 2016. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 4 computer system to steal critical information such as passwords and credit card numbers or openly attack a system to harm the company and/or demand a ransom. Applying the Inputs → Process→Outputs Model Applying the inputs→process→outputs model (see Module 3: Using Information for Performance Measurement and Control) is critical for identifying and controlling operations risk, especially when technology failures can lead to inefficiencies and breakdowns. Analyzing operations according to the inputs →process → outputs model provides guidance about what key processes should be standardized and controlled tightly to assure safety, quality, and security. This is a first step in the assessment of operations risk. As discussed in Module 4: Organizing for Performance, standardization and scalability are appropriate for critical internal processes that lie at the core of a business’s operations. The inputs → process→ outputs model should be used in all critical parts of the value chain to identify points where system errors could damage key operations or impair important assets. Standardization, good cybersecurity, and practices such as Total Quality Management (TQM) based on best practices, benchmarking, and engineering studies can then be used to ensure that inefficiencies and breakdowns do not create significant operating risks for the business. Asset Impairment Risk Moving outward from the core of Figure 13-1, the second source of strategic risk is asset impairment risk. An asset is a resource owned by the firm to generate future cash flows. An asset becomes impairedwhen it loses a significant portion of its current value because of a reduction in the likelihood of receiving those future cash flows. Like other risks, asset impairment risk is largely a function of the way that managers have chosen to compete. Asset impairment can become a strategic risk if there is deterioration in financial value, intellectual property rights, or physical condition of assets that are important for the implementation of strategy. Financial Impairment Financial impairment results from a decline in the market value of a significant balance sheet asset held for resale or as collateral. An asset becomes impaired when the future cash flows accruing to the firm are no longer sufficient to support the asset’s balance sheet valuation (computed as the net present value of those future cash flows). For example, firms holding significant Venezuelan assets found these assets impaired when the government devalued the bolívar in early 2016. Argentine assets became impaired in the same way in 2002 and again in 2014. In each of these cases, currency devaluation decreased the expected value of future cash flows. Similarly, the value of a long-term bond portfolio may sink dramatically with a rise in market interest rates (which increases the discount rate used in the NPV calculation).All firms that sell goods or services on credit face the possibility that accounts receivable—a financial asset on the balance sheet—will prove uncollectable. Credit riskoccurs when a creditor becomes bankrupt or insolvent and is unable to pay contractual obligations as they become due. All businesses that extend payment terms are exposed to credit risk, although some strategies expose the business to more credit risk than others. Managers must balance risk and reward as they choose the conditions and terms under which they are willing to grant credit. Most businesses can increase sales and revenues if managers are willing to offer more liberal credit terms to customers who are poor credit risks. Long pay-back periods coupled with low levels of collateral increase the risk and cost of default. Alternatively, managers can minimize credit losses by turning away sales on account, but at the cost of foregone revenue. Similarly, they can insist on marketable collateral to secure loans or withhold the legal transfer of title until payment is made in full. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 5 Depending on the strategy of the firm, creditors may be individuals, businesses, or even governments. At the extreme, a business may be exposed to risk at the national level (called sovereign risk) when a foreign government becomes unable or unwilling to repay its debts. Sovereign risk is greatest, of course, when a business follows a strategy that results in significant cross-border financial exposure in politically unstable countries. Recent economic instability in Greece and political instability in Ukraine increased sovereign risk for many firms. Financial trading firms—those that routinely buy and sell financial securities—often enter into agreements to buy or sell assets on specified dates in the future. These agreements are called forward contracts. Such firms are exposed to a special type of credit risk known as counterparty risk—the risk that the other party to the agreement may be unable to honor its contractual obligation due to insolvency or inability to deliver what was promised. This risk can become substantial if a large number of transactions and forward contracts are concentrated with a small number of counterparties or if failures of specific financial institutions can lead to a general market insolvency. For financial trading businesses such as banks, retail stockbrokers, and mutual funds, specific business strategies determine how much financial impairment risk the business is exposed to. Firms following high-risk strategies often hold unhedged assets such as global derivatives and other highly leveraged securities whose value can change rapidly and erratically. More conservative competitors may choose strategies that limit their financial impairment risk: they eschew highly-leveraged instruments in favor of more easily controlled investments. Financial impairment is often due to unpredictable changes in financial market variables. However, like operations risk, assets may sometimes become impaired by the willful actions of employees. Consider these examples: •A bank vice president wished to improve the asset position of her balance sheet at year-end. Accordingly, she sold a portfolio of mortgage loans to a friendly bank. She did not inform anyone of the agreement to repurchase the mortgage portfolio in six months. •A bond trader lost $1 million on currency market trades. He instructed accounting personnel to post the loss to a suspense account. He explained that he would offset the loss against an open position that was guaranteed to generate a sizable profit. Bank Lending Risks Employees sometimes decide to step out of bounds to take advantage of certain situations. The manager of a bank’s branch did precisely this. One of his customers was a construction company that was having problems obtaining a loan from other banks. The bank officer agreed to give the company a loan if, in exchange, the construction company did some work at his house for free. Apparently, the bank officer thought that this was a mutually satisfactory arrangement: the company received the credit that it was looking for, and he was able to have his house remodeled. The bank officer then decided to use the same approach with two other customers, also in the construction sector, who approached the bank for loans. In due course, the regional manager noticed the increased credit risk that the branch was taking with these customers and decided to investigate. He quickly discovered the reasons for their credit approvals and fired the branch manager. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 6 In cases such as these, employees expose a business to asset impairment risk in their attempts to hit performance targets and/or cover-up previous losses. Manufacturing and service firms are not immune from financial impairment risk. When excess cash is invested in short-term financial assets, any business may be exposed to financial impairment risk. For example, managers of industrial or consumer-products companies may be tempted to bolster their short-term profitability by taking unhedged financial positions that pay off if financial markets move in predicted directions. As a result of this type of gamble, Procter & Gamble lost millions of dollars in highly leveraged derivative positions. Such financial speculation, undertaken in the hope of generating high returns, also caused the bankruptcy of several U.S. municipalities such as that of Jefferson County, Alabama, in 2008. Impairment of Intellectual Property RightsFor many companies today, intangible resources such as intellectual property and proprietary customer information are far more valuable than the tangible assets on the firm’s balance sheet. Many software and internet firms are good examples. The market value of Google, Amazon, and Apple is not a function of their balance sheets, but rather reflects the estimated value of future cash flows related to their intangible intellectual resources. Similarly, the value of ethical drug manufacturers such as Merck and Pfizer resides primarily in their research capabilities, patents, and trade secrets.For these firms, the potential for loss or impairment of these intellectual property rights creates significant strategic risk. Impairment may be due to unauthorized use of intellectual property by competitors (e.g., patent infringement), unauthorized disclosure of trade secrets to a competitor or third party (such as leaking of proprietary computer code, manufacturing procedures, or formulas), and failure to reinvest in intellectual capital as asset quality deteriorates over time (e.g., failure to upgrade information-based assets or invest in employee training). Physical ImpairmentAssets can also become impaired by the physical destruction of key processing or production facilities. This impairment may be due to fire, flood, terrorist action, or other catastrophe. Managers whose business depends on large-scale data centers must ensure that processing can be switched to backup facilities without significant loss of operating capacity. Risk managers are typically responsible for ensuring adequate coverage for insurable physical destruction risks and the implementation of fail-safe backup plans to protect against mission-critical processing failures. Competitive Risk So far, we have considered strategic risks due to defective transaction flows (operations risk) and impaired value of balance sheet assets and intangible resources (asset impairment risk). The third source of strategic risk has to do with the risks inherent in market competition. Competitive riskresults from changes in the competitive environment that could impair the business’s ability to successfully create value and differentiate its products or services. Examples of competitive risks include the actions of competitorsin developing superior products and services (for example, vinyl records were replaced by compact discs, which, in turn, were displaced by downloadable audio and online music streaming), changes in regulationand public policy (e.g., regulators requiring electric utilities to sell off their fossil fuel generation facilities), shifts in customertastes or desires (such as fashion fads), and changes in supplierpricing and policies (e.g., preferential pricing for “super” retailers) (Figure 13-1). Competitive risk, by definition, is faced by all businesses that compete in dynamic markets. Regardless of the industry in which a business competes, so long as it has active competitors and demanding customers, it is exposed to competitive risk. The five-forces analysis, covered in Module 2: For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 7 Building a Successful Strategy, provides a starting point to consider the direction from which these risks can emanate: •Intense rivalry from existing competitors can change the basis of value creation •Demanding customers may choose to switch suppliers •Suppliers may choose to limit availability or increase the cost of critical inputs •New competitors may enter the industry with new technologies and products •Substitute products or services may become available with superior costs or attributes5Managers must be constantly alert to the risk that they will fail to anticipate and react to these competitive risks quickly, thereby allowing the rules of the competitive game to turn against them. However, competitive risk can also be created by the actions of employees. Employees can inadvertently damage the franchise in their attempts to maximize short-term profit. These kinds of risk are created when employees act inappropriately in dealing with customers, suppliers, and competitors. For any given strategy, a series of questions can reveal those employee behaviors that could imperil the strategy. Customers: What employee actions could drive customers away?•A small consulting firm competed by offering specialized services to an elite group of demanding clients. Employees in a branch office provided consulting services to the competitor of a large and important client. As a result of a perceived conflict of interest, the large client severed relationships with the firm. Suppliers:What employee actions could cause important suppliers to stop supplying the firm? •A beer distributor relied on a national brewer for the majority of its business. Employees became complacent and allowed relationships with the supplier to deteriorate. Because of poor service, the brewer awarded distribution rights to a competing wholesaler. Substitute Products:What employee actions could cause customers to switch to competing products or services? •To obtain commission bonuses in an electronic-instrumentation business, salespeople pushed obsolete products that were stockpiled in inventory. Customers wishing to purchase the latest technology placed orders with new suppliers who were trying to build market share. New Entrants:What employee actions could cause new competitors to enter the industry? •In a cable television business, abuses in customer service caused regulators to increase competition by licensing new competitors. Interactive controls systems (Module 11: Using Diagnostic and Interactive Control Systems) are essential to monitor competitive risks in a culture that could potentially create barriers to impede the free flow of information about emerging threats and opportunities. 5Michael E. Porter, Competitive Strategy(New York: The Free Press, 1980). For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 8 Franchise Risk Unlike the three sources of risk enumerated above (operations, asset impairment, and competitive risk), franchise risk is not in itself a sourceof risk. Instead, it is a consequenceof excessive risk in any one of these three basic risk dimensions. Franchise risk occurs when the value of the entire business erodes due to a loss in confidence by critical constituents. Franchise risk occurs when a problem or set of problems threatens the viability of the entire enterprise. In the worst case, customers stop buying a business’s products or services because they lose confidence in the company’s ability to deliver what it has promised. However, loss of confidence by other constituents—suppliers, regulators, or business partners—can be equally devastating (Figure 13-1). Loss of confidence in either a brand or the entire corporation—the hallmark of franchise risk—can result from any of the risks previously enumerated. Consider the following examples: •Operations risk—following the well-publicized explosion of its oil rig “Deepwater Horizon” in 2010, British Petroleum managers fought to restore public confidence that safety procedures and environmental controls were adequate. This was not an easy task: the public was outraged, consumers boycotted BP stations, employees left the company, and government agencies began in-depth investigations. Huge investments were required to clean up the oil spill, pay legal costs, and to begin to rebuild the company’s reputation, costing BP over $50 billion.6•Asset impairment risk—during the financial crises of 2008, the public lost confidence that besieged banks, reeling from losses in real estate collateral, had sufficient resources to repay depositors. The “run-on-the-banks” that occurred at several institutions required federal agencies to step in and guarantee deposits as a means of restoring confidence. One casualty was securities and banking firm Bear Stearns. Rumors arose that the bank could not meet its obligations to bond-holders. As a result, the bank was unable to obtain sufficient liquidity to remain in business. Bear Stearns was forced to file for bankruptcy. A loan from the U.S. federal government helped support the company until its assets were acquired by J.P. Morgan. •Competitive risk—the disastrous slide in market share at BlackBerry, reflecting quick-moving competitive forces and eroding technical leadership, caused many in the industry to lose confidence in the company’s ability to support its products. As a result, software developers declined to invest in BlackBerry applications, and customers abandoned BlackBerry handheld devices in favor of competitors’ products. Franchise risk—sometimes known as reputation risk—occurs when business problems or actions negatively affect customer perceptions of value in using the business’s goods or services. The intrinsic value of a business (i.e., its value proposition) is based on customers’ willingness to pay for a known set of attributes and quality. Any significant breakdown in operations, impairment of assets, or erosion of competitive strength can negatively influence public perception and drive away customers. For any firm operating in a competitive market, reputation is critical to the ongoing ability to create value. When customers have a choice about which firms’ products to buy, reputation risk must be a major concern for managers. Franchise risk is acute, however, for any firm that depends on its reputation for integrity as a critical competitive resource in attracting and maintaining customers. For example, public accounting firms, defense contractors, airlines, and pharmaceutical firms (among many others) hold a public franchise that depends on the public’s faith in the integrity and 6“A Costly Mistake,” The Economist, July 2, 2015, http://www.economist.com/news/business-and-finance/21656847-costly-mistake, accessed July 6, 2016. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 9 trustworthiness of their business. What are the effects of a story that appears in the morning newspaper describing how managers of a specific mutual fund have been manipulating published figures to deceive investors? How long will the franchise of that business last? A damaged reputation can destroy the franchise—and ultimately the business—literally overnight. Many of the pitfalls of risk management can be avoided if early warning systems are in place to warn managers of impending problems. Diagnostic exception reports that focus on key indicators can alert managers if risk levels are unacceptable. Examples of some common risk indicators are: Operations Risk •system downtime •number of errors •unexplained variances •unreconciled accounts •defect rates/quality standards •customer complaints Asset Impairment Risk •unhedged derivatives on balance sheet •unrealized holding gains/losses •concentration of credit or counterparty exposure (e.g., total debt due from specific financial institutions) •default history Competitive Risk •recent product introductions by competitors •recent regulatory changes •changes in consumer buying habits reported in trade journals •changes in distribution systems •drop off in product sales Franchise Risk •customers/bids lost to competitors •unfavorable news coverage •pending lawsuits/legal actions •system downtime •competitor business failure For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 10 Source: Author. The risk exposure calculator is a diagnostic tool to estimate the magnitude and type of “pressures” that might lead to a substantial failure or breakdown. As suggested by Figure 13-2, the nine pressure points that we discuss are additive. One pressure feeds upon the other. If the pressure builds too high, operations risk, asset impairment risk, and competitive risk can cause irreparable damage. Let’s look at each of the pressure points in turn. Assessing Internal Risk PressuresWe have now outlined the types of strategic risk that all firms potentially face. Managers must assess their exposure to these risks based on their specific business strategy. Now we move to the second step of the analysis by attempting to understand how strategic risks may be exacerbated by the context within which the organization operates. Based on a variety of factors, firms competing in the same product markets may be exposed to very different levels of risk. The risk exposure calculator(illustrated in Figure 13-2) analyzes the pressure points inside a business that can cause strategic risks to “blow-up” into a crisis. Some of these pressures are due to growth, some are due to management culture, and some are due to information management. Collectively, these forces can “surprise” management in the form of operating errors, impairment of assets, and crises of customer confidence. Figure 13-2The Risk Exposure Calculator For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 11 Risks Pressures due to Growth Growth is a fundamental goal of most high-performing businesses. Yet, success in achieving market-driven growth can bring risk for three reasons. The first reason relates to the unrelenting pressure for performance that is a hallmark of high-growth companies. High-growth companies typically have very high performance expectations for their managers and employees. Goals are set at demanding levels. Employees are informed that they are expected to deliver results (or else risk punishment or possible replacement). Incentive rewards and bonuses are linked directly and explicitly to performance. Under these circumstances, some people may feel intense pressure to succeed at all costs and may, therefore, take unacceptable credit risks. They may, for example, take unacceptable credit risks by selling goods and services to customers with poor credit ratings; they may cut corners to speed operations; or, they may be tempted bend revenue-recognition rules to book profits before full completion of a sale. If pushed hard enough, some employees may even consider misrepresenting their true performance to cover up any temporary shortfalls. Rapidly expanding scale of operationsis another sign of successful growth. Successful companies grow bigger. However, rapidly increasing scale can also bring undesirable levels of risk. Resources become strained to the limit as people and systems work beyond their normal capacity. Infrastructures designed for a small operation quickly become inadequate. New production, distribution, and service facilities must be brought on line and integrated into overall operations. As a result of rapidly expanding operations, mistakes and breakdowns may occur. Operations errors are likely to creep into the system. New customer accounts may increase credit risk. Product or service quality may suffer, increasing franchise risk. Sony’s Cadmium Crises Failing to recognize potential operations risks left video game maker Sony with a nightmare scenario. Just as the company was revving up shipments for the Christmas season, the Dutch government put a hold on 1.3 million boxes of PlayStation game systems. Government agents discovered that the cables in one of the PlayStation’s game controls contained an illegally high amount of cadmium, a toxic substance that can be leeched into the air and water after disposal. Sony rushed to replace the cables, but resulting shipping delays over the important holiday season cost the company $130 million in lost sales. The retailers who were Sony’s customers were angry and could not allow their shelves to remain empty, so they increased orders from Sony’s competitors leading to increased competitive risk. Concerned about their reputation, Sony managers hurried to ensure consumers and concerned environmentalists that there were no health risks from products that had been previously purchased. Sony performed an 18-month review of over 6,000 factories before finding the source of the problem. Sony executives vowed that they would never be surprised by quality-related operations risks again. To prevent future problems, they implemented a new inspection process and built a new supplier management system to ensure that all parts from suppliers met quality and regulatory standards. ____________________ Source: Daniel C. Esty, “Riding the Green Wave,” The Washington Post Online, http://www.washingtonpost.com/wp-adv/specialsales/environment/articlenew3.html, accessed June 6, 2016.For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 12 Growth also means hiring large numbers of new people to staff operations. Competitive advantage cannot be achieved by waiting until all the right people are in place before launching new products and services. Sometimes, in the rush to staff new positions, background checks may be waived and minimum performance standards and educational qualifications may be lowered.Newly-hired employees may lack adequate training and experience and, as a result, not fully understand their jobs. Decreasing experiencecan, therefore, result in increased possibility for inadvertent error. Bad business decisions may expose the firm to asset impairment risk and franchise risk. These risks are significantly increased when a business lacks consistent values. Consistent and strong core values are an essential foundation in any highly competitive business. In new, start-up businesses that have not had time to allow consistent values to emerge and take hold, managers and employees may make very different assumptions about organizational purpose and acceptable behaviors. In larger, more-diversified businesses, different business units within the same firm may have very different core values. This occurred, for example, when General Electric—an industrial company—purchased and attempted to manage Kidder Peabody, a financial brokerage firm. The core values in these businesses were so different that it was difficult to communicate a consistent set of corporate-wide beliefs about the acceptable risks and behaviors. What was seen as an acceptable credit or operations risk in one business was completely unacceptable in another business, and vice versa. Confusion about values and beliefs invites individuals to engage in behaviors that increase risk—especially impairment risk and franchise risk. These three pressure points—unrelenting drive for performance, expanding scale of operations, and decreasing experience and shared values—operate together in an additive fashion to increase the possibility of errors of omission and commission. Quite simply, people under pressure make mistakes. An error of omissionoccurs when an employee inadvertently omits to perform an action that is necessary to protect the franchise and/or assets of the business. An error of commissionoccurs when an employee purposefully follows a course of action that increases risk, impairs assets, or otherwise endangers the business. Paradoxically, it is success and growth that creates the potential for errors of omission and commission. Performance pressure, increasing size, and the hiring of new people generally indicate a healthy, vibrant company. Yet, these same forces can easily become catalysts for risk and error. Managers at Boston Retail faced these risks as the business rapidly grew from one store to many, and then began expanding beyond the Boston area to the New York market. To minimize out-of-stock and customer service risks, the company opened an additional warehouse to service the New York market. Aggressive revenue growth targets were set for each new store. New store managers and employees were hired. At the same time, managers were aware of the risks that could arise from expansion and the hiring of these new employees. To protect against these risks, staff from Boston were brought to New York to train new employees and to communicate Boston Retail’s values throughout the new stores. Sales results, inventory levels, and customer service scores were monitored carefully so that potential problems could be identified early. Risks Pressures due to Culture The culture of any organization—determined by its history and top-management leadership style—is the second major cause of risk in businesses. For example, many organizational cultures encourage entrepreneurial risk taking. Individuals are motivated to be as creative as possible in finding and creating market opportunities. Although this is usually healthy, there is always the danger that individuals may pursue or create opportunities that significantly increase strategic risk. In a culture of entrepreneurial risk taking, investments may be made in risky assets, deals may be struck with counterparties who For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 13 have a limited ability to honor their contracts, commitments may be made that are difficult to fulfill, or employees may engage in behaviors that damage the reputation of the business. Culture also influences the willingness of subordinates to inform superiors about potential risks in the business. Early warning signs about impending problems are often evident to employees who are in day-to-day contact with operations, customers, suppliers, and competitive markets. Too often, however, this critically important early warning information is not communicated upward to senior managers. In some organizations, this reluctance arises from a well-foundedfear in bearing bad news. In businesses where senior managers have a low tolerance for dissent, or are known for “shooting the messenger,” information barriers are inevitable. People become afraid to voice their concerns for fear Boston Retail Company Throughout the fifteen modules that comprise the Strategy Execution series, Boston Retail Company is used as an example to illustrate key concepts. Boston Retail, introduced in Module 1: Managing Organizational Tensions,is a clothing chain based in a suburb of Boston. The founders began with one store and a novel idea: to offer cheap but fashionable clothing to students who attend Boston’s many colleges and universities. Their customers are young, enjoy wearing the latest fashions, but have limited income. With early success, Boston Retail began expanding, quickly increasing the number of stores and employees. Boston Retail examples can be found in the following modules of the Strategy Execution series. These modules are available from HBP Publishing at www.hbsp.harvard.edu. Product # 117-101Module 1: Managing Organizational Tensions117-102Module 2: Building a Successful Strategy 117-103Module 3: Using Information for Performance Measurement and Control 117-104Module 4: Organizing for Performance 117-105Module 5: Building a Profit Plan 117-106Module 6: Evaluating Strategic Profit Performance 117-107Module 7: Designing Asset Allocation Systems 117-108Module 8: Linking Performance to Markets 117-109Module 9: Building a Balanced Scorecard 117-110Module 10: Using the Job Design Optimization Tool to Build Effective Organizations117-111Module 11: Using Diagnostic and Interactive Control Systems 117-112Module 12: Aligning Performance Goals and Incentives 117-113 Module 13: Identifying Strategic Risk 117-114Module 14: Managing Strategic Risk 117-115Module 15: Using the Levers of Control to Implement Strategy For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 14 of sanction or other personal repercussions. As a result, the communication of early warning information breaks down, and top managers can be caught off-guard when problems surface unexpectedly. Additionally, some cultures foster a spirit of internal competition, which brings a unique set of issues relating to risk. In these cultures, top managers often knowingly foster a sense of competition among subordinates vying for bonuses and/or promotion. Private information often brings power and rewards to the holder, so individuals jealously guard information. This tendency is exacerbated in a culture where advancement is perceived as a zero-sum game. To advance their own careers, employees may increase business risk by gambling with business assets, credit exposure, and firm reputation in attempts to enhance short-term performance. Unfortunately, the pay-offs and costs from these behaviors are asymmetric. If the gamble pays off, the individual is rewarded with large bonuses and promotions. If the gamble results in a substantial loss for the firm, however, the worst that can happen to the employees is losing his or her job. The business is forced to absorb the financial or reputation loss. These three cultural factors—entrepreneurial risk taking, fear of bearing bad news, and internal competition—feed off each other to create forces that lead to incomplete management information. In organizations where these pressures are intense, managers may, as a result, be uninformed about dangers that lurk in their businesses. Employees take unwarranted risks, hold back bad news, and resist sharing information. Accordingly, managers may unknowingly increase performance pressures and ramp up the scale of the business with little understanding of the potential risks. Executives at Boston Retail minimize risks due to cultural factors in several ways. Store managers are given freedom to hire and manage associates, oversee product sales in their stores, and provide excellent customer service. To control entrepreneurial risk taking, major decisions such as determining which product lines to carry, product ordering, pricing decisions, and the opening of new stores are all handled at the headquarter level. Boston Retail executives minimize fear of bearing bad news by explaining to managers and employees that they expect all bad news to be communicated immediately so that issues may be dealt with. They have adopted the internal motto of "Bad News Can't Wait." Any employee who knowingly delays communicating bad news to his or her manager is reprimanded. Finally, Boston Retail minimizes risk from internal competition by setting both individual and company-wide goals. Internal competition is fostered through monthly contests which provide rewards such as a pizza party to the store with the most sales per customer. While the employees enjoy the pizza party and the recognition that comes with being the winning store, managers believe it is not enough of an incentive to tempt an employee to take inappropriate risks. At the same time, employees know that they will all receive a cash bonus for each quarter that the company as a whole meets sales targets. This encourages employees from all stores to work together to meet the business goals. Risks Pressures due to Information Management The final category of risk is due to information management, which can create risk in several ways. First, transaction velocity—created by high transaction volume and increased processing speed—can increase the possibility of operations risk. In 1991, for example, Fidelity Investments processed 250,000 transactions per day; by 2015, the business processed over 1.3 million transactions per day.7If information technology had failed to keep pace with this increase in processing demand, operational errors would have been inevitable. Accordingly, Fidelity has made massive investments in technology 7Fidelity, “Fidelity by the Numbers: Corporate Statistics,” https://www.fidelity.com/about-fidelity/fidelity-by-numbers /corporate-statistics, accessed June 1, 2016. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 15 to ensure that support is adequate as the business grows. Target suffered the consequences of information processing risk related to increased transaction velocity when its processing infrastructure was unable to keep pace with increased demand. When Target offered deep discounts and free shipping for their 2015 “Cyber-Monday” event, online orders were twice what was expected. Target’s servers could not keep up. Customers attempting to order products were often met with a message saying “please hold tight.” The inability of Target’s infrastructure to keep up with demand resulted in angry customers and an estimated $3 billion of lost sales.8Transaction complexityalso increases risk. As transactions become more complex, fewer people may fully understand the nature of these transactions and how to control them. Cross-border agreements in international operations, creative financing of customer purchases, and elaborate consortium arrangements can all produce highly complex contracts. Without full understanding of contractual obligations and the nature of contingent cash flows, asset impairment risk increases substantially. The increase in complexity in highly leveraged derivative financial products (i.e., financial instruments whose value fluctuates based on changes in the values of other underlying assets) has caused more than one well-managed firm to sustain substantial losses. 8John Ewoldt, “Record Traffic on Cyber Monday Led to Site Troubles for Target, Others,” MinneapolisStar-Tribune, November 30, 2015, http://www.startribune.com/target-com-crashed-for-about-an-hour-on-cyber-monday-shoppers/358880861/, accessed June 13, 2016. Ransomware: New Risks through Technology As new technologies emerge, so do new strategic risks. Businesses increasingly must protect against criminal hacking, phishing attacks, and cyber-crimes that include threats to customer and employee personal information or exposure of potentially sensitive company data. One of the fastest growing threats to information management systems is called ransomware. In these cases, criminals hijack a computer or server, encrypting the data until a ransom is paid, resulting in impairment of assets. Ransoms range from hundreds of dollars to hundreds of thousands of dollars. While individuals and businesses have both been targeted, big businesses are increasingly being victimized because of their deep pockets. Recent attacks have included hospitals, police stations, and schools. In 2016, Hollywood Presbyterian Hospital paid $17,000 for the release of their data while the Horry County School District in South Carolina paid $8,500. CEOs and CFOs are often targeted because criminals assume they will have important sensitive information on their devices. In the first quarter of 2016, costs related to ransomware attacks (including ransoms, downtime, and recovery) were estimated at $209 million, up from $24 million for the full year of 2015. While government authorities such as the FBI fight to stop these attacks, criminals continually design new software and domains, making them difficult to catch. The best defense is to maintain frequent, clean back-ups of all data, keep software up-to-date, and train employees on best practices for avoiding computer infections. ____________________Source:Fahmida Y. Rashid, “Ransomware Demands are Working, Fueling an Increase in Attacks,” InfoWorld, June 1, 2016, http://www.infoworld.com/article/3077859/security/ransomware-demands-are-working-fueling-an-increase-in-attacks.html, accessed June 2, 2016.For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 16 Gaps in diagnostic performance measuresalso increase risk. If managers are unaware of potential problems, they cannot take remedial action to contain the risk. All types of risk need appropriate diagnostic systems to track current risk levels and serve as warning indicators. Operations risk indicators, financial and credit risk indicators, and systems that provide early warning about changes in competitive risk and franchise risk should be in place (we discuss these indicators in Module 14: Managing Strategic Risk). These diagnostic indicators often require specialized information processing systems that can consolidate information across dispersed operations; if these systems are fragmented or inadequate to supply information about problems, the consequences of risks are magnified. Finally, highly decentralized decision makingcan increase risk. In decentralized businesses, individuals are encouraged to make decisions autonomously and create opportunities without constant monitoring and oversight by superiors. As we discussed in Module 4: Organizing for Performance, a local value configuration is appropriate when top managers wish to focus resources and decision making in local markets. Because of the freedom created by such decentralized structures, fewer operating rules and constraints are imposed on operating managers. Consequently, they may be able to engage in activities that increase risk without requiring approval from corporate-level managers. Moreover, when several separate businesses within the same firm are acting independently, understanding the aggregation of risk across business units becomes important. For example, aggregating credit risk over several businesses in the same firm may be important if those businesses are all making risky loans to the same customer. By decentralizing credit approval, the concentration of credit risk is greatly increased. These three pressure points—transaction complexity and velocity, gaps in diagnostic performance measures, and decentralized decision making—can lead to lapses in diagnostic information and inefficiencies and breakdownsin transaction processing. Such inefficiencies and breakdowns can, in turn, significantly increase operations risk, asset impairment risk, and franchise risk. Boston Retail executives were aware of these risks. As Boston Retail's business grew, so did the number of transactions that were processed, increasing the possibilities for errors. Boston Retail responded by implementing a new information management system, both in the front and the back-end of the stores. The new front-end system allowed customer transactions to be handled more quickly. The new system included a chip card reader to better protect customer data. If an employee tried to override pricing errors in the system, or when there were returns, the transaction needed to be approved by the store manager with access to the system through a password that was changed monthly. The new system also communicated with the back-end system that tracked inventory levels, purchase data, and created sales reports for management. These sales reports, along with key data such as customer service ratings and labor costs, were reviewed by the management team on a monthly basis so that emerging risks could be quickly identified. The nine pressure points listed in Figure 13-2 provide a window into a business to calibrate the potential for significant risk and loss due to employee or management error, systems breakdown, and bad information. Once identified, managers can estimate the magnitude of the strategic risk exposure and ensure that organizational attention is devoted to controlling significant risks. Using the Risk Exposure Calculator To use the risk exposure calculator, managers must apply their best judgement. They must consider each type of internal pressure carefully and then rate each key from 1 (if the risk is deemed low) to 5 (if the risk is considered high). For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 17 For example, as managers consider the risk pressures associated with the first key—pressures for performance—they should ask themselves several questions: •Are aggressive stretch goals set from the top with little input from subordinates? •Does performance-based pay represent a large portion of total compensation? •Are star players given special attention and recognition? •Do financial markets expect particularly high returns in the near future? If several of these questions are answered with a "yes," pressures for performance are likely to be high. After each key is rated, the scores are added together as shown in Figure 13-2. The total score will indicate whether an organization's risk exposure falls into the safety zone, the caution zone, or the danger zone. The Safety ZoneA total score between 9 and 20 puts an organization in the safety zone, indicating a low level of risk from errors or events that could threaten the health of the business. However, this score may also indicate that the company is playing it too safe. Companies that are innovative and growing must occasionally take calculated gambles to succeed. The Caution ZoneA total score between 21 and 34 indicates that the organization is in the caution zone. While this score indicates that overall risks are not excessive, managers must still watch for high scores in any particular dimension. For example, if scores are low for growth and culture but are high for information management, there is reason for concern: information management risks should be addressed. The Danger ZoneIf the total score is between 35 and 45, alarm bells should be ringing. Organizational leaders must take fast action to mitigate risks and protect the business from disaster. To do this, executives should use the internal controls described in Module 14: Managing Strategic Riskand the levers of control detailed in Module 15: Using the Levers of Control to Implement Strategy. The risk exposure calculator can, and should, be used at various levels within an organization. As scores are compared, executives will likely find that subordinates are aware of risks unseen by those at the top of the organization. This process may reveal that one division has higher risks than others, prompting the need for a discussion about how to address those risks. The risk exposure calculator can also be used to track changes in risk levels over time. One executive who calculated risk exposure annually discovered that risks at her company had slipped from the safety zone to the danger zone. She quickly alerted the senior management team who took swift action to bring risks back down to an acceptable level. Misrepresentation and Fraud So far in this chapter, we have discussed strategic risks and the pressures that heighten these risks. But there is one special case—misrepresentation and fraud—that must be considered separately. Sometimes, because of the pressures identified previously, managers and/or employees may knowingly subject the firm to unacceptable levels of risk. Employees may misrepresent their performance (or that of their business) or misappropriate company assets. Bad decisions can be covered up and expose the firm to loss of valuable assets. In most instances, the amounts involved are small. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 18 Sometimes, however, these actions have severely damaged—or even destroyed—the businesses in which these people worked. In Module 1: Managing Organizational Tensions, we made some heroic assumptions about the inherent nature of people in high-performing organizations: we assumed that they want to contribute, achieve, innovate, do competent work, and will choose to do what is right based on socialized personal values (learned through family and religious teaching, laws, organizational norms, and so on). However, we also identified organizational blocks that can overturn these tendencies and lead to dysfunctional behaviors: confusion about how to contribute, temptation and pressures, conflicting demands with too few resources, and fear of failure. We must now confront the consequences of these organizational blocks. In all too many of these cases, senior managers were unaware of the risks to which employees had exposed the business. Employees had either covered up their actions (to the extent they had contravened stated policies) or failed to report information to superiors that would have given early warning about potential problems. The 2011 scandal at Swiss bank UBS, in which rogue trader Kweku Adoboli generated over $2 billion in losses, was a chilling reminder to all managers of the types of risks that they must guard against. Accordingly, we must analyze the forces that can cause individuals to willfully misrepresent or alter data, engage in fraud, or otherwise expose the business to unacceptable levels of risk. A Dangerous Triad Generally, people employed by business and nonprofit organizations do not start out to do bad things. Most often—even in blatant cases of misrepresentation and fraud—the individual started down a “slippery slope,” starting with a small misdeed that, over time, gains momentum and grows in magnitude. Soon, the subterfuge becomes too large for the employee to control. Employees are most likely to engage in wrongful acts—including misrepresentation and fraud—that expose the business to risk when three conditions exist simultaneously. These three conditions—pressure, opportunity, and rationalization—are illustrated in Figure 13-3. As we shall discuss, all three conditions are necessary before most individuals would start down the slippery slope. 1. PressureThe pressures to achieve profit goals and strategies are intense in any high-performing organization. The risk calculator highlights many of these pressures. Sometimes, the combination of extrinsic and intrinsic forces will create pressure to manipulate accounting records and/or misuse company assets for personal gain. Extrinsic pressures are due largely to the performance goals and incentivesthat were the subject of Module 12: Aligning Performance Goals and Incentives. As we discussed there, high performing organizations are typically high pressure organizations. Employees are often under significant pressure to meet difficult performance goals. Success in meeting these performance goals can bring substantial financial rewards, including salary increases, bonuses, and possible promotion. Pressure to meet goals may be enhanced by the desire for recognition of success—by superiors, subordinates, and peers. Correspondingly, failure to meet performance goals can result in loss of prestige, reduction in compensation, and, sometimes, dismissal. Together, the potential for rewards and the fear of failure can create a high level of pressure to succeed, sometimes at all costs. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 19 Figure 13-3A Dangerous Triad Source: Author. Pressures to bend the rules or otherwise misuse company assets or resources for personal gain can also be due to personal problemsthat originate outside the work place. Debts, addictions, or other personal crises may create severe pressures to engage in fraud or misrepresentation to take advantage of an employer or misappropriate company assets. 2. OpportunityThe second necessary condition for willful error and fraud is opportunity. Even if someone is under great pressure to bend the rules to achieve performance goals and/or misappropriate assets, they can only engage in wrongful acts if the opportunity to do so exists. In other words, they must have access to valuable assets and/or be able to manipulate accounting and performance measurement systems to their advantage so that their actions are undetected. Thus, control systems must be sufficiently flawed that any misdeeds will not be detected. As noted in Module 1: Managing Organizational Tensions, however, one of the fundamental tensions of management: there is too much opportunity and too little management attention. Employees are surrounded with opportunity, especially in high-innovation organizations that rely on the creativity of empowered employees. Yet management attention is limited; there is simply not enough time or attention to monitor all the activities of every employee. When performance pressure is coupled with opportunity to use company assets for personal gain or inflate performance measures, a dangerous situation is created. Any individual in these circumstances will feel temptation—temptation to secure rewards and/or use weaknesses in control systems to their advantage. Notwithstanding this great temptation, however, there is one additional prerequisite that must occur before most people will engage in wrongful acts or misdeeds that put the company at risk. They must believe that what they are doing is not really creating risk for themselves or the business. Strong internal controls (discussed in detail in Module 14: Managing Strategic Risk) help to reduce the opportunity for misdeeds. At Boston Retail, like all retail stores, managers are aware of the risk that employees may be tempted to appropriate cash or merchandise for their own use. To combat the potential risk for cash theft, cash is counted each morning, undeposited cash is stored in a vault, and sales records and cash are reconciled and recorded at the end of each day. To avoid theft of inventory, the inventory is counted and compared with accounting records on a monthly basis, anti-theft tags are attached to all stock, and deliveries are counted and compared against purchase orders. PressureTemptationOpportunityRationalizationFor the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 20 3. RationalizationEmployees—even those experiencing great temptation and pressure—are unlikely to succumb and engage in wrongful actions unless they can find rationalizations for their aberrant behavior. Employees know the difference between right and wrong and typically will not engage in actions that contravene generally accepted moral codes of our society. A variety of studies has shown that when employees engage in damaging or unethical behaviors, they will do so only if they can justify their actions with one or more of the following excuses:•The action is not “really” wrong—Employees may convince themselves that many other people do similar things, and/or the action is not serious enough to warrant concern. For example, an auditor may routinely underreport the hours worked by subordinates in an attempt to meet client budget targets. •The likelihood of being caught is small—Because people often have the opportunity to manipulate company records to cover up their acts, they often believe that they will never be found out. Thus, they may have little fear that their behavior will ever be discovered. •The action is in the organization’s best interest—Employees may convince themselves that misrepresenting performance or manipulating data can advance the firm’s interest. For example, an employee may lie to a government investigator because she believes that the investigator is an “enemy” of the business and is trying to hurt it. •If exposed, senior management would condone the behavior and protect the individuals involved—To the extent that employees believe they are working to protect or further the company’s interests, then their rationalization often takes the next logical step. They convince The Postman Rings Twice, but Opportunity KnocksU.S. Postal employee Gregory Giordani was given ample opportunity for misappropriation. He took advantage of it to open his own illicit side business. In his position as an information technology coordinator, he was given broad authority to order any parts or tools needed for computers or printers. Costs for these parts were charged directly to the U.S. Postal Service with little oversight. Over seven years, Giordani ordered thousands of items not needed by the Postal Service including ink toner cartridges and motorcycle parts which he resold on eBay, making an extra $500,000 for his own pocket. Suspicions were raised when Giordani was noticed driving around town in a new BMW, sporting a new diamond watch, and giving out expensive Knicks tickets. After an investigation, Giordani was sentenced to 37 months in prison for embezzlement and tax evasion and was ordered to repay $489,000. While there is no way to know what pressures Giordani felt or what rationalization he may have used, he was certainly given the opportunity, one of the legs of the dangerous triad, to act inappropriately. Removing the opportunity by providing more oversight and controls over purchasing practices could have removed the temptation and prevented Giordani’s misdeeds. ____________________ Source:John Marzulli, “Wotta Shiphead. Postal Worker Grabbed for Ripping Off Gov’t in eBay Con,” New York Daily News, July 14, 2010, p.11; Deon J. Hampton, “Postal Worker Sentenced for Theft, Tax Evasion,” Newsday, December 12, 2012, http://www.newsday.com/long-island/nassau/postal-worker-sentenced-for-theft-tax-evasion-1.4326249, accessed June 2, 2016.For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 21 themselves that if they are caught and forced to explain what they did and why they did it, their superiors would understand, support them, and stand by them.9Managers of all high performing businesses—where there is typically a great deal of both performance pressure and freedom—must ensure that employees cannot easily fall back on these rationalizations. All three of these conditions—pressure, opportunity, and rationalization—must be present before employees or managers can be expected to abuse their access to information or assets for personal gain. If only two of the three prerequisites are present, there is unlikely to be significant risk. For example, opportunity and pressure without rationalization will cause most employees to avoid actions that they know to be wrong, even in the face of temptation. Their conscience will intervene. Similarly, rationalization and opportunity by themselves are unlikely to lead to problems if there is no external or internal inducements to bend the rules. Why take any risks if there are no pressing reasons? Finally, pressure and rationalization—a potentially dangerous combination—can be contained effectively if employees are denied the opportunity to engage in actions that could put the business at risk. Control systems and safeguards must be sufficient to deny unauthorized access to accounting records and/or valuable assets. Thus, to control the risks that employees may engage in willful misrepresentation or fraud, managers must remove at least oneof the three prerequisites. We discuss how effective managers do this in the Module 14: Managing Strategic Risk. Learning What Risks to Avoid Unfortunately, the most common, but painful, way of learning about risk is to suffer the consequences firsthand. For example, the manipulation of revenue numbers to hit performance targets can cause acute embarrassment and even lawsuits. The reputation damage can be substantial. If misstatements are material, financial statements must be restated and the indiscretion must be reported to regulatory authorities (and will likely be picked up by the business press). In these cases, two results are almost certain. First, the managers involved in the indiscretion will be disciplined—probably fired along with their superiors, who will be held accountable for poor leadership and oversight. Second, top managers will install new controls—clearly specifying the consequences to those who are tempted to cross the line—to ensure that this damaging behavior will never happen again. Vicarious learningoccurs when managers witness a failure or mishap in another business and realize that the same thing could easily happen in their own business (“There, but for the grace of God, go I”). For example, when a massive data breach at Target in 2013 resulted in potential criminal hacker access to 40 million customer credit cards, other retailers rushed to install new control systems, such as card-chip readers, in an attempt to avoid the customer outrage and lawsuits Target faced as a result of the breach. To determine strategic risk, a look at failures can be revealing. One technique is to annually review all projects that have failed—that is, those that were significantly over budget or failed to meet client expectations. A series of intense meetings is then devoted to discussing the causes for these failures and attempting to learn from them to ensure that they will not recur. Thus, over time, managers learn that there are certain types of projects that do not fit their core competencies and should be subject to special controls and management attention. For example, after reviewing failed projects, a successful 9S.W. Gellerman, “Why ‘Good’ Managers Make Bad Ethical Choices,” Harvard Business Review, 64 (1986), pp. 85-90. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 22 U.S. construction company has learned that they have a poor track record at successfully building sewage treatment plants and have, accordingly, declared these types of projects out-of-bounds. Module Summary Strategic risk comes in many different forms. Managers must assess the nature of the risks facing their business based on the ways that they have chosen to compete in the market. The primary forms of risk are operations risk, asset impairment risk, and competitive risk. If any of these risks become severe, the franchise of the entire business may be at stake. There are nine pressure points that mangers should analyze in determining the potential level of risk inside their businesses. These pressures are due to growth, culture, and information management. In combination, these pressure points can lead to errors, incomplete management information, and inefficiencies and breakdowns. Risk often leads to adverse consequences because of the actions or inactions of employees. Most often, these actions are inadvertent. But, sometimes, they may be willful. Whatever the cause, employee actions are more likely to cause risk when pressure is high inside the organization. Individual employees may sometimes create risk by engaging in wrongful acts—either misrepresentation or fraud. This is most likely if three conditions exist: (1) pressure to bend the rules, (2) opportunity to access valuable assets and/or manipulate accounting records, and (3) rationalization that these actions are “not really wrong.” In Module 14: Managing Strategic Risk, we discuss how to control strategic risks. Managing risk effectively means utilizing specialized control tools and techniques. All managers must understand how to control these risks, because nothing less than the survival of the business may be at stake. For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 23 Terms Defined in Previous ModulesAsseta resource owned or controlled by the entity that will yield future economic benefits. Examples include plant, equipment, cash on hand, and inventory. (Module 2: Building a Successful Strategy) Benchmarkinga technique used to calibrate an organization’s efforts against a “best of class” yardstick. (Module 6: Evaluating Strategic Performance)Bonusadditional reward or payment for successful achievement of a task. (Module 12: Aligning Performance Goals and Incentives) Budgetresource plans of any organizational unit that either generates or consumes resources. (Module 5: Building a Profit Plan) Business strategyhow a company creates value for customers and differentiates itself from competitors in a defined product market.(Module 1: Managing Organizational Tensions) Controlthe process of using information to ensure that inputs, processes, and outputs are aligned to achieve organizational goals. (Module 3: Using Information for Performance Measurement and Control) Core competenciesspecial resources and know-how possessed by a firm that give it competitive advantage in the marketplace. (Module 2: Building a Successful Strategy) Five forcessystematic analysis of competitive dynamics to determine the nature and intensity of competition. The five forces are customers, suppliers, substitute products, new markets, and competitive rivalry. (Module 2: Building a Successful Strategy) Franchisea business’s distinctive ability to attract customers who are willing to purchase the business’s products and services based on market wide perceptions of value. (Module 2: Building a Successful Strategy)Goala formal aspiration that defines purpose or expected levels of achievement in implementing the business strategy. (Module 2: Building a Successful Strategy)Incentivea reward or payment that is used to motivate performance. (Module 12: Aligning Performance Goals and Incentives) Informationthe communication or reception of intelligence or knowledge. It is the critical vehicle for profit planning, performance measurement, and management control. (Module 3: Using Information for Performance Measurement and Control) Intended strategyplanned strategy that managers attempt to implement in a specific product market based on analysis of competitive dynamics and current capabilities. (Module 2: Building a Successful Strategy)Market valuethe total value of ownership claims in the business as priced by financial markets. Represents the highest, most aggregate, measure of value creation. (Module 8: Linking Performance to Markets) Measurequantitative value that can be scaled and used for purposes of comparison. Measures are necessary to ensure that performance goals are achieved. (Module 12: Aligning Performance Goals and Incentives) For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

117-113 Strategy Execution Module 13: Identifying Strategic Risk 24 Organizational blocksobstacles that organizations create that inhibit employees from working to their true potential. (Module 1: Managing Organizational Tensions)Performance goala desired level of accomplishment against which actual results can be measured. (Module 12: Aligning Performance Goals and Incentives) Performance measurement systemsinformation systems that managers use to track the implementation of business strategy by comparing actual results against strategic goals and objectives. A performance measurement system typically comprises systematic methods of setting business goals together with periodic feedback reports. (Module 1: Managing Organizational Tensions) Planningthe process of preparing an economic and strategic roadmap for a business. Planning provides a framework for setting aspirations through performance goals and ensuring an adequate level and mix of resources to achieve these goals. (Module 3: Using Information for Performance Measurement and Control) Product marketa defined competitive market for a specific product or category of products. (Module 2: Building a Successful Strategy) Profitthe residual economic value after interest expense and income taxes (both of which are nondiscretionary payments). Based on accounting assumptions, profit is the economic value that is available for distribution to the residual claimants—equity holders—or for reinvestment in the business. (Module 5: Building a Profit Plan) Profitabilitythe ratio of net income to sales. Profitability indicates how much profit was generated for each dollar of sales. (Module 5: Building a Profit Plan) Resourcea strength of the business embodied in the tangible or intangible assets that are tied semi-permanently to the firm. (Module 2: Building a Successful Strategy) Standarda formal representation of performance expectations.(Module 3: Using Information for Performance Measurement and Control) Total Quality Management (TQM)a management approach that standardizes and streamlines key operating processes to ensure high levels of quality and/or low defect rates. (Module 3: Using Information for Performance Measurement and Control) Value propositionthe mix of product and service attributes that a firm offers to customers in terms of price, product features, quality, availability, image, buying experience and after-sales warranty and service. (Module 8: Linking Performance to Markets)For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.

Strategy Execution Module 13: Identifying Strategic Risk 117-113 25 Suggested Study Cases To enhance your understanding of the ideas covered in this module, we recommend that you study one or more of the following Harvard Business School Cases. These cases are available from Harvard Business School Publishing at www.hbsp.harvard.edu.•A Letter from Prison (HBS No. 110-045) •Kidder, Peabody & Co.: Creating Elusive Profits (HBS No. 197-038) •Atlanta Schools: Measures to Improve Performance (HBS No. 114-001) •First Solar: CFRA’s Accounting Quality Concerns (HBS No. 113-044) •Choice Point oCase A (HBS No. 306-001) oCase B (HBS No. 306-082) •Enterprise Risk Management at Hydro One oCase A (HBS No. 109-001) oCase B: How Risky are Smart Meters (HBS No. 112-073) •Société Générale: The Jérôme Kerviel Affair oCase A (HBS No: 110-029) For the exclusive use of Z. Terao, 2024.This document is authorized for use only by Zen Terao in Strategic Management 02 (Dunn, UH Manoa) taught by Sheldon Dunn, University of Hawaii from Aug 2024 to Feb 2025.