Flying Blind: Boeing Risk Management
The Boeing 737Max plane crash saga is an important risk management story. It is also the story of how financial statements are misleading.
Flying Blind, the 737 Max Tragedy and the Fall of Boeing is the title of a book by Peter Robison published in 2021.
The 737 Max, a new design of an old model, suffered two crashes soon after it went into service, and was grounded. The loss of the plane to compete with a new Airbus model, and the reputational damage, had severe and long lasting financial effects on the company.
Companies that manage risk are safer and more secure, and their financial statements can be relied on. Companies that don’t manage risk are vulnerable and their financials are misleading.
Boeing had long been known as a company that prided itself on engineering prowess. Safety would naturally flow from respect at the top for the expertise of those folks “on the ground” actually doing the day-to-day work. In fact “sensitivity to operations” and “deference to expertise” are two key risk management principles.
(See The Psychology of Risk – Don’t Let It Pervert Your Insurance Choices for more on this.)
From Engineering-centric to cost-obsessed
Over time, correlated with the merger with McDonnell Douglas in 1997, the company culture changed to one focused almost exclusively on financial results. In 2004 CEO Harry Stonecipher said this to the Chicago Tribune:
“When people say I changed the culture of Boeing, that was the intent, so that it’s run like a business rather than a great engineering firm. It is a great engineering firm, but people invest in a company because they want to make money.”
What’s missing in that statement is the answer to the question: short term or long term?
Through the Stonecipher era and beyond, the focus on risk took more and more a back seat in favor of financial results, according to the book, news reports and FAA/government investigations. After the second crash in October, 2018 disturbing reports started coming out. The Wall Street Journal reported that Boeing had “withheld information about potential hazards” after the paper began their review of the company. We now know that a navigation software defect, if activated, put the plane in a nose down position that could not be overridden by the pilot.
Yet, bizarrely (from the risk management viewpoint) even after the first crash, warning enough, Boeing kept stonewalling and hiding information, particularly from the FAA. At the same time, Boeing’s stock price was rising ever-higher.
For an understanding of the way cost-cutting, in this case safety related costs, can contribute to a short term rosy financial outlook (or at the very least how the risk is not reflected in the financials), see this long- term Boeing stock chart:
The chart’s high point represents the date of the second crash on March 10, 2019. After the second one, there was no more talking their way out of the problem. As you can see, as of the date of the chart, 8/21/22, neither the stock nor the company has recovered three and one-half years later.
(For another prominent example of the danger of failing to respect risk: The BP Gulf Oil Spill- A Risk Management Debacle)
The Failure of Risk Management Lurks Undisclosed Until the Ax Falls
CEO’s are your financials misleading?
You’re showing assets on your balance sheet and the silent promise is that those assets will continue to be there. Liabilities are shown and, subject to uncontrollable events, those liabilities should not dramatically, suddenly, increase, or at least that is the assumption of those viewing your financial statements. There is no guarantee of this by the audit process. In fact, companies that do not manage risk may look more profitable in the short run, because they have reduced short run expenses by ignoring risk management.
Here’s a way to quantify what we’re talking about:
A firm needs capital to finance its daily operations — to cover payroll, rent, materials and all the other corporate activities. Call this Operational Capital. This is measured by traditional financial statements.
A firm also needs capital to finance risk — to pay for things that unexpectedly go wrong like fire, flood and lawsuits. This is called Risk Capital, and is not measured by traditional financial statements.
There are three sources of risk capital:
- Cash that the firm has on hand. To be sufficient, it would have to be an awfully significant amount, and it would probably not survive because of competing demands for its use.
- Off-balance sheet capital such as a credit line which would be tapped in the event of a loss which had to be financed. The loan would have to be paid back, however.
- Insurance. With insurance the financial consequences of loss are transferred to an insurer in return for the premium.
Also, risk management is broader than just insurance. Losses can be prevented by safety or quality control efforts, and risk can be transferred to customers, business partners, subcontractors, etc. via contract. This reduces the need for risk capital.
The risks to which the firm are subject are potentially catastrophic. How is management of these risks reflected in financial statements? Not at all!
Financial statements do not consider the need for risk capital. A cursory look at an insurance schedule comprises the due diligence. Whether limits are adequate in relation to actual exposure and whether terms and conditions (the actual policy language — all 1000’s of pages) are adequate is a crap shoot. The other elements of a risk management program — the loss control and contractual transfer — would not be factored in at all either. Bottom line: risk is not even considered on a qualitative basis – not to mention quantitative.
When the convention of risk capital is not used to make comparisons between firms, they all look alike — the financials do not reflect the difference. As the saying goes: “All boats float alike when the weather is calm.” Risk always uses capital. If it is not funded it creates a deficit. Only after a disaster does the deficit finally surface – a metaphoric contrast to the company itself which is under water.
Risk Adjusted Return on Capital
Consider two companies that generate a 15% return on equity. One manages risk completely, while the other is subject to the mercy of the gods. Until something happens they appear to be equal according to the financial statements. Mysteriously, there is an abundance of notes to the financials, but nothing substantive on risk management or the lack thereof.
The true measure is return on “economic capital,” the total of operational capital plus risk capital.
Firm activities will generate risk and a certain amount of capital is required to handle that risk. To the extent risk is prevented or transferred to other parties, less risk capital is required. If risk is financed via insurance, that is utilizing off-balance sheet capital and that reduces the need for on-balance sheet capital. (The premium is reflected as an expense on the income statement).
If both firms generate $.15 for every dollar of capital that is measured by the financials, then the return on equity is 15% (.15/1.00) for each. If Company A manages risk completely via loss control and insurance, then risk capital required is zero. The risk adjusted rate of return for Company A is truly 15%. Company B, though, doesn’t even attempt to manage risk. By default loss will have to be paid out of cash or loans. Assume risk capital of $.75 is required for every dollar of operational capital. The risk adjusted rate of return for Company B, then, is .15/(1+.75) = 8.5%.
So traditional financial statements show the two companies to have the same ROE. The risk adjusted financials, though, show the big difference between the two.
All boats float alike when the weather is calm
The SEC sporadically validates this concept by reacting to crises and advising public companies that they need to disclose how they are managing certain risks – terrorism and cyber risk being two recent examples. The SEC might not realize that just noticing and reacting to the risk of the event that just happened is not actual risk management. Two principles of risk management are that a) historic losses need a very long experience period to be valid predictors, the more severe and remote the loss, the longer it needs to be; and b) recency bias (the tendency to focus on what just happened) is a psychological phenomenon you should not be fooled by. But, again, we thank the SEC for illustrating financials are not complete without incorporating the risk component.
Financials do not stand alone, and if your CFO is not reporting on risk management, you’re not getting the whole story.
We cannot rely on quarterly profits because numbers can be manipulated in such a short time frame. Even years of continuous profit and growth can be unreliable if risk is not managed. A truly robust firm is one that manages risk while at the same time producing the consistent financial numbers the CFO is so proud about.
Thank you Boeing!
We can count on companies such as Boeing to vividly illustrate this principle from time to time!
The largest companies have entire risk management departments reporting to the CFO. You need risk management too.
(c ) Licata Risk & Insurance Advisors, Inc. 2022
mailto:[email protected]; 617.718.5901
Aug 21, 2022