Risk Professional - December 2009

Regarding Obama’s responses to the terrorist threat, Ridge praises the president for his outreach to the Muslim world. “I hope he builds on it,” he says. But he opposes Attorney General Eric Holder’s investigations into alleged torture of terrorism suspects. Ridge, who has been outspoken against such practices as waterboarding, contends that probes or eventual prosecutions could have a chilling effect on future attempts to obtain information that would prevent attacks on Americans at home or abroad.

In the geopolitical/business vein, Ridge sees Iran as a potentially greater threat to international commerce than an unstable Pakistan or erratic North Korea because it could lead to the spread of nuclear weapons in the volatile Middle East.

Climate and Cyber Responsibilities

Though he views climate change as something of a global risk management challenge, Ridge believes it is not directly linked to national security, as Obama has argued. “As we develop alternative energy resources, examine clean coal technology and revisit nuclear energy options, we have to stay ahead of climate change challenges and risks to future environmental initiatives,” Ridge says.

He adds that it will be incumbent on the corporate community to follow the letter of the law on the environment; businesses that go beyond the minimum project a sense of community that could be rewarded financially – and in brand power and goodwill – as they are viewed favorably by consumers.

For similar reasons, cybersecurity flashes prominently on Ridge Global’s radar. The CEO sees it as one of the biggest operational and reputational threats corporations must face.

In a globally interconnected world, consumers, companies and governments are constantly at risk from isolated hacking to large-scale espionage and everything in between. Mobilizing against cyber risks requires, for example, chief financial officers to open their doors and minds to information technology departments’ resource requirements.

At the same time, Ridge underscores the value of, and need to protect, data as a crucial business asset: “There is enormous liability if it falls into the wrong hands and is used improperly.”

Risk management may have been undervalued historically, but Ridge’s business reflects a more enlightened view, and he sees the biggest bang for the risk management buck in infrastructure assessment: “The greatest value is that it identifies potential risks and monitors things that could trigger them.

Excerpted comments from Tom Ridge’s book, The Test of Our Times, and his interview with Risk Professional correspondent Ted Knutson.

On working with corporate directors: “The first thing I do is sit with board members to see if they view risk preparedness as a focus of their fiduciary responsibility. Then I review with them the internal infrastructure they use to identify risk and to determine whether or not they view risk management as an investment or an expense.”

On where companies fall short: “I’ve never run into a company that views risk management and resiliency at the same level as quality and safety.”

On the need for consistent, global standards: “A multinational has to apply the same risk analysis throughout the supply chain . . . . It can’t afford to let anybody in the supply chain, no matter how far removed, view risk less seriously than it does.”

On the economic costs of security: “The challenge in reconfiguring how we provided security along our northern and southern borders was complicated by the need to keep the flow of people and goods at pre-9/11 levels. It was the first and most dramatic lesson for me that some obvious and defensible measures could easily impede commerce and threaten our economic competitiveness.”

It’s a process tool. It’s like embedding quality.”

Conversely, the greatest downside is to underestimate the potential vulnerability of a company’s global network, he maintains.

One of a corporate risk officer’s most difficult jobs is to explain credibly for top managers the difference between threats that require vigilance or awareness and those that call for some form of prompt action. Ridge says it’s not unlike the threat-level assessments – famously disseminated in color codes – undertaken at DHS, when there was a danger of over-reaching and sounding like Chicken Little.

But Ridge subscribes to the theory that it’s far better to be over-prepared. “When it comes to risk management,” he says, “it’s better to manage the risk before it manages you.”