
5 risk-management lessons that apply to the public and private sectors

By John Merkovsky | September 28, 2021

Public- and private-sector organizations can learn a lot from Florida’s innovative portfolio approach to risk management.

I recently attended a session on how the State of Florida is taking an innovative, long-term view of risk management at the World Economic Forum’s Sustainable Development Impact Summit. The session focused on actions taken by a state, but Florida’s motivating challenges would be familiar not only to other public entities, but also to private-sector organizations.

Chris Sprowls, Speaker of the Florida House of Representatives, was joined by Carl Hess, President of Willis Towers Watson; Eric Silagy, President and CEO of Florida Power and Light; and Rhea Law, Interim President of the University of South Florida. Speaker Sprowls had extensive knowledge of the 10-year risk prioritization and mitigation plan Willis Towers Watson is developing with Florida. The state is using a data-driven, portfolio view of risk to most effectively and efficiently mitigate the myriad risks Florida faces: vulnerability to climate change, industrial and natural disasters, water contamination and scarcity, to name just a few.

As a long-time advocate of the necessity of a portfolio view of risk, I was unsurprised that Florida is already reaping benefits from this undertaking, but I was struck by the universality of many of the lessons the state and its partners learned in the process. Through the discussion with Hess, Silagy and Law, it was clear that a wide variety of organizations face similar risk challenges and can benefit from Florida’s experience.

The following are my key takeaways from the session:

  1. Risks need to be considered on a longer time horizon for us to break out of “firefighting” mode

    Regardless of whether one operates in the public or private sector, there’s a fundamental tension here: Businesses operate by quarterly earnings periods and governments follow election cycles. Risk planning must go beyond such short time horizons. “It’s particularly important that the time period for risk mitigation can’t just be a quarter or a year. The strategy that you need to employ may go well beyond a one-year period…It’s very difficult but it’s critical to coming up with the right solutions,” explained Carl Hess.

    Taking a long-term view of risk requires a change of culture. You can’t just talk about exposures or make a list; rather, you need to consider risk every single day, according to Eric Silagy. Doing so enables organizations to move beyond simply responding to crises (firefighting mode) to anticipating risk, preparing for the unexpected and being ready to respond effectively when a risk becomes a reality.

    Speaker Sprowls suggested organizations create plans that look 10 years ahead using an intelligence-based approach to appropriately prepare for the unexpected. He likened the change in thinking to the shift from the mostly reactive manner in which law enforcement was conducted before September 11, 2001, to the anticipatory, intelligence-based approach adopted after 9/11.

  2. We need a common language for identifying risks across the enterprise

    Some risks, such as hurricanes, are well understood in terms of their frequency, severity and how they impact us. But the risks that are the best understood and analyzed, the most obvious, shouldn’t necessarily be the highest priority. Within companies, there are a variety of functions, experts and specialists who speak different languages and use different performance indicators to understand the risks in their own areas. Establishing a common language and creating a shared view of risks is key to ensuring the top risks are appropriately identified and managed.

    Hess suggested that the language to understand risks across an enterprise or state should be statistics. “By looking at all risks and mitigating actions at once in a common language (the language of statistics) you reveal the efficient frontier of risk strategies: those for which you cannot reduce damage from risks without increasing cost and you also cannot decrease cost without increasing damages,” Hess said.

    For example, Willis Towers Watson identified the top 80 risks in collaboration with experts within Florida. Through a combination of interviews and surveys of experts from Florida’s government, academia and the corporate world, as well as elected representatives, Willis Towers Watson was able to prioritize the state’s top 20 risks over the next 10 years.

  3. We also need a common framework for measuring the impact of different risks

    To prioritize the numerous risks an organization faces, they need to be measured using a common framework. Rhea Law suggested that data and analytics could play a significant role in helping organizations determine potential impacts to better inform decision making.

    While some risks have direct financial impact, others may have significant consequences that are not easily quantified. For a corporation, we typically measure impact through outlay or lost income, prioritizing risks that could impact a budget or threaten solvency. But those measures don’t fully translate to a public entity like Florida. Financial impact is the most universally measurable, so Willis Towers Watson started with GDP impact. However, Florida is eager to explicitly quantify impact to other state priorities.

    Speaker Sprowls invited collaboration from the World Economic Forum to support valuation of Florida’s natural environment.

  4. To make enterprise-level decisions about risk, you need to move from a siloed view to a portfolio view of risks

    Most big risks do not happen at the same time – they are independent or uncorrelated. Hess compared managing risks to diversification in an investment portfolio. “[Risk mitigation] actions don’t deliver value equally; some cost more than others, but if you put it all on the same page you can allocate limited capital the most efficient way.”

    Such a portfolio approach to risk is only possible if you move beyond siloes and identify and measure risks at the enterprise level.

  5. Good risk management confers benefits beyond mitigating exposures

    For public entities as well as businesses, actively managing risks leads to a more predictable, stable environment, which is necessary to attract capital. Hess pointed out that for a business, risk management can affect debt ratings and help attract investment capital.

    For a state, it can attract more residents or visitors, which has been the case in Florida. Better risk mitigation has helped foster greater economic activity – jobs growth – and the ability to manage even more risk because the state has more resources to do it. So having a solid framework for risk management becomes a virtuous cycle to feed opportunity, Silagy pointed out.

I thoroughly enjoyed the discussion, and left feeling energized about the many ways risk management continues to be a uniquely rewarding field. I look forward to continuing to see risk analytics make corporations, states and the world a more stable place.


Head of Risk & Analytics and Global Large Account Strategy, WTW
