Risks do not normally come out of the blue. Most are well within the familiar ground that risk managers tread. They can be hedged, mitigated or offloaded. Sometimes, however, a catastrophic event can appear from nowhere. Should day-to-day risk management processes prepare an organisation for these eventualities?

Some would say no, because the time and effort required to prepare for the unlikely diminishes the resources available to handle more important tasks. Others would say yes because, after all, what is a risk manager’s job if it is not to manage risk?

The world has seen its fair share of high-consequence, low-likelihood events over the past two years. A global pandemic, and now the outbreak of war in Ukraine, are the most obvious examples. Broadly speaking, businesses were prepared for neither – despite the warning signs.

“While preparing against this kind of risk may seem counterintuitive given their rarity, planning against such eventualities can be a matter of survival,” says Matteo Ilardo, a risk researcher at Cambridge Judge Business School’s Centre for Risk Studies. “Identifying such existential risks is the first step towards mitigating them. Still, while such risks are many, risk managers’ budgets are finite. The best way to account for them is to prioritise, assessing which ones create a potential existential threat to a company’s core business.”

Beyond ERM

Standard enterprise risk management (ERM) practices are not typically set up to handle catastrophic risks – even when rigorous and focused. And when they aren’t, they will certainly fall short.

“ERM is a formalised process that many organisations use to show they have something called risk management,” says Professor Torben Juul Andersen of Copenhagen Business School. “It has its advantages but they are sometimes difficult to show. The basic concept is that you can identify and assess risk in advance and monitor exposures as you go along – which is difficult.”

Tim Chadwick, the group chief risk officer at PIB, an insurance intermediary group, makes a similar point. “It’s critically important to have risk as a pillar of the organisation’s culture,” he argues, adding that having “strong emerging risks monitoring and risk communication” that helps executives make decisions fast is important too.

Fair enough – yet it’s clear that effective risk management is easier said than done. For years, after all, a financial crisis was on the risk radar. But the extent of the economic damage after the 2008 crash still caught everyone by surprise. Be it unexpected results in elections, growing tensions between the world’s superpowers, or the more frequent emergence of highly contagious viruses, there have been signs that risk management must expand beyond its usual boundaries.

The World Economic Forum’s annual risk report, for instance, put pandemics on the radar in 2019. Even so, the potential implications were not absorbed by business leaders and the likelihood of a Covid-like disaster was deemed too low for them to make serious plans.

“Then we have a war very close to us in Europe, and though we have been observing Putin’s changing behaviour over time and saw the military build-up, we didn’t react,” says Andersen. “We don’t know how it will play out, but it has repercussions for economies, companies and societies. We are increasingly facing major events that we cannot predict and do not fit the nice framework of risk management. We need something else.”

“While not easy, scenarios can help in assessing the impact such risks may have on a company, which then must decide which mitigating actions could reduce their potential impact to an acceptable level,” adds Ilardo. “The main goal of risk managers with regard to such catastrophic risks is to act so that their impact on the organisation will fall below the existential threshold.”

Scenario planning is a key tool for quantifying risk, and identifying a range of potential mitigating strategies – but it must be applied to specific events. In other words, risk managers still have choices to make.

“I’ve benefitted from past scenario exercises looking at a potential pandemic and its implications, but I think it’s key to recognise the limitations of such exercises,” stresses Chadwick. “You can guarantee that the event in reality, while often sharing some similarities, will be different.”

Tim Chadwick (pictured) says risk should be part of a company’s culture.

The fog of war

Though increasingly likely since Russia annexed the Crimean peninsula in 2014, the invasion of Ukraine in February 2022 seems to have caught businesses and politicians off-guard. Even if a ceasefire were declared tomorrow, the economic implications will be deep and far-reaching.

The humanitarian crisis is the priority, no doubt, but the consequences of economic damage to both Ukraine and Russia are dire. Nor can the fallout of the conflict necessarily be contained. “With rising interest rates, inflation, fuel costs, commodity prices and challenges in relation to staff availability,” says Chadwick, “the global economy and management will continue to see significant challenges in the years ahead.”

That’s particularly true given the deep sanctions against Russia, essentially a form of economic warfare against the Putin regime. Already, some Russian banks have been cut off from the SWIFT international payments system, and the Russian central bank’s foreign assets have been frozen. The rouble has crashed and Russian interest rates doubled to 20%. Sanctions are reducing Russia’s trade volumes, and international businesses – among them Amazon, Apple and Volkswagen – are withdrawing or scaling down local operations.

In the long run, sanctions could lead to the fragmentation of the global financial system. In the short term, gas and oil prices, as well as the price of agricultural commodities and base metals, will rise sharply. So how bad will sanctions be for businesses that must now rework supply chains in Russia and Eastern Europe?

“Very bad,” believes Professor Kevin Dowd of Durham University, whose research focuses on financial risk management. “The big issue here is the ‘law of unintended consequences’. Sanctions are bad, period, and should almost never be used. When they are used, and especially so indiscriminately, they have all sorts of bad effects – boomerang effects – that no-one ever foresaw, at least not in time to duck.”

“Going back historically, sanctions don’t achieve their objectives,” Dowd adds. “Sanctions against Mussolini in the 1930s didn’t stop his effort to conquer Abyssinia. Cutting off oil to Japan in the run up to Pearl Harbor put Japan in the situation where it had either to agree to US demands or go on the attack.”


European share prices in the automotive, banking and utilities sectors have fallen by this much since the invasion of Ukraine.



As of early March 2022, Brent crude was trading above this figure for the first time since 2014.

The Oxford Institute for Energy Studies


Russia and Ukraine account for more than a quarter of the world’s trade in wheat and for more than 60% of global sunflower oil and 30% of global barley exports.


As well as reconsidering their operations in Russia, many businesses are rethinking their supply chains, particularly if they are over-reliant on single sources, principally manufacturing locations in China.

“Even before Russia’s invasion of Ukraine, underlying macrotrends such as technology and resource nationalism, the redrawing of supply chains, concerns over the US and China decoupling, and broader deglobalisation forces were putting into question cost-benefit analyses of investing into China,” says Ilardo. “Now, the many ambiguities of Beijing’s stance with Moscow are building on these pre-existing concerns and increasing investor hesitancy.”

The Covid-19 pandemic re-emphasised the importance of preparing for risk.

“A similar crisis concerning China would not only see Western governments pursuing punitive actions,” he continues. “Companies would feel strong pressures to follow suit, thus accelerating the decoupling that many of them had so far tried to limit. Russia’s invasion of Ukraine may become an important precedent to understanding and anticipating emerging risks in the rapidly shifting geopolitical landscape.”

Nevertheless, Ilardo believes that businesses have, so far, dealt well with the short-term impact of the war.

“Global businesses are showing good resilience capabilities in face of some of the indirect economic implications of Western sanctions against Russia such as supply chain disruptions, commodity shocks, and fragile confidence,” he says. “In part this is due to the experience of the pandemic and its relative proximity to this crisis. This experience broadened risk managers’ strategic perspective beyond more immediate and specific threats.”

Rethinking risk management

The aftermath of Covid and the impact of the war in Ukraine are causing risk managers to reconsider not only the kind of risks they include in their analyses, but also how to create the flexibility to deal with the unforeseen and unexpected.

“They need the agility to respond quickly to change,” says Andersen. “Regulatory requirements come out of a control-based mindset that can’t handle the uncertainties that come upon us. We need other approaches to foster resilient adaptation.”

“Global value chains have been managed to optimise through outsourcing to access lower factor cost, so business leaders have had a tendency to look at short-term economic gains, often at the cost of reduction in flexibility,” he adds. “So, when the systems are rocked they don’t work well.”

The standard approach means outliers are included in the risk profile but, while acknowledged, are not met with a concrete plan.

“Risks are put on the radar but no measures put in place because future events are considered unlikely,” Andersen continues. “So, companies often deal with short-term operational things they can observe, but recording thousands of risks creates a bureaucracy that detracts from the really important things. The most important aspect of risk management is that it should help you to think. It should support and challenge your thinking.”

Scenario planning can bring an organisation’s leaders together to discuss how a business can deal with change and where its weaknesses are. A theoretical stress test of the supply chain, partner relationships and other potential vulnerabilities is good for the whole business, not just for managing catastrophic risk.

“For me,” says Chadwick, “Covid re-emphasised the importance of a flexible and agile approach to risk. It specifically underscored the criticality of actively tracking emerging risks and regularly reviewing and updating your risk assessment; recognising when to expedite preparatory measures; having a high-level plan and framework and capable team to manage high impact events.”

“Covid re-emphasised the importance of a flexible and agile approach to risk. It specifically underscored the criticality of actively tracking emerging risks and regularly reviewing and updating your risk assessment.”

Tim Chadwick

The big stumbling block, however, is that this requires long-term planning.

“Firms can choose to have good managers who are seriously committed to their firms’ long-term survival who are then prepared to hire good people to address these risks seriously,” says Dowd. “But many firms merely pay lip service. All the firms I have worked with claim they want quality, but few are willing to pay for it and I take anything they say as just the usual corporate guff.”

Building resilience, creating a holistic approach to risk, making agility a core characteristic of a business – all these are essential for dealing with the unknown, but they depend on a view of risk and strategy that looks beyond the next quarter’s earnings report.