Group rethink – understanding ecosystem risk

“No man is an island entire of itself”

 

John Donne, who wrote this in 1624, could well be referring to the FTX Crypto Exchange crash and burn in November 2022. At the time of writing there are thought to be dozens of companies involved with losses of $20-50bn. Perhaps FTX is the definition of an ecosystem gone wrong: poor governance, next to no regulatory oversight, lack of clarity about its objectives, negligible end-to-end risk understanding, eccentric cultures, poor and opaque metrics and a lack of common purpose for the greater good. All this was driven by a cult-like adoration of the main individual and crypto-mythology. Following FTX’s failure, other crypto businesses suffered the consequences of being part of the same ecosystem and filed for insolvency.

Will the FTX debacle change how we manage ecosystems and their risks? That is like asking whether the South Sea Bubble (which happened less than a century after John Donne was writing) would forever change corporate governance: it seems unlikely that regulation will spread across these ecosystems rapidly.

However, for every issue there is a perfect time and place. The early 1990s, when I first wrote about extended enterprise risk management, was not the right time. When I edited and co-wrote the IRM’s booklet “Extended Enterprise: Managing Risk in Complex 21st Century Organisations”, it was still not the right time – everyone thought I was talking about supply chain risk management, which was the issue of the day. There is a substantial difference. Supply chain management is about procurement, generally led by a tier one supplier, whereas ecosystem management is about running the activities of the whole system.

However, there have been significant advances in how ecosystems are managed. When I immersed myself in the world of financial market infrastructures (FMIs), I knew that the time had arrived. Pay.UK, where I chaired the board risk committee, is responsible for the systemic risk that could arise in the UK retail payment systems: BACS, faster payments and cheques. Now, I am working with an international non-governmental organisation reviewing the risk culture in what is essentially a significant extended enterprise operating across multiple organisations.

Are these two isolated examples? Not in my view: I see them everywhere. For example, the NHS, referred to in the singular, is a multitude of organisations that together provide healthcare to the nation. As we have seen throughout 2022, power and gas supplies operate through distributed networks, using central networks of cables and pipes. In the banking arena, open banking is an ecosystem that is currently evolving.

So what have I learnt from dealing with this topic at length in the boardroom as well as in consulting assignments? I have discovered that it is irrationally difficult to define the boundaries of any given ecosystem, and that everyone has their own concept of any ecosystem and no two people are likely to agree on this. I have also discovered that there are very few practical tools for managing risk across ecosystems. However, some positive developments are beginning to emerge.

Defining an ecosystem

Despite having just said that it is difficult to do, it is important to define the extent of the ecosystem. Take UK retail bank payments, for example. There are banks (of various dimensions) as well as FinTechs that handle payments on behalf of their customers. There are infrastructure companies that develop, maintain and operate the systems that send the payment messages from the payer’s account to the payee’s account. There is the FMI that sits at the centre (or the edge?) of the ecosystem establishing the rules of the game. There are end-users (individuals), corporates large and small, governments, charities and an endless set of people and organisations who want to make and receive payments. There are myriad companies providing services to any of the end-users. And there are regulators: FMID (part of the Bank of England that oversees FMIs), the Payment Systems Regulator (PSR), the Treasury and competition authorities.

Where are the boundaries of such an ecosystem? Does it concern where regulators directly regulate? Or where the banks and FinTechs are obliged to follow rules set by the FMI? Given the relative size of some of the banks compared to the FMI, who really sets the rules? Does its reach extend to someone writing a cheque for her grandchild’s birthday?

In my view the key is complexity in that each ecosystem represents a complex multi-stakeholder environment. So, the definition for my purposes is that an ecosystem exists where we are engaging with a complex, multi-stakeholder environment where competing interests come together to make complex processes work for the benefit of individuals, many (or most) of whom have little or no interest in the workings of others in the extended enterprise, but who nevertheless want it to work in its entirety.

In other words, there is a joint endeavour by a wide range of people and organisations coming together for a common purpose, frequently operating in multiple and diverse societies. Where these work well, such as in payments, they can underpin the economies in which they operate, or, as in the case of open banking, they can unlock potential for innovation. Where they work badly, they can cause lasting societal damage.

Every time you think you have defined an ecosystem, the chances are that something will have changed because of the inherent complexity and, in many cases, because the informality of some of the relationships conflicts with black letter regulation.

 

First steps

I can see four principal steps that would help us to get a grip on assessing an ecosystem:

1 Define the common goal that is shared among the parties that have come together in pursuit of this objective. In practice, there are often several goals. For example, in a payment system the goal might be to establish a frictionless system that enables money to move efficiently around the economy. Or it might be to reduce fraud, in which case this could conflict with aims to make the system frictionless.

2 Define the participants in the ecosystem. In our example, creating a frictionless financial system would involve identifying the banks, FinTechs, regulators, tech infrastructure provider and others. However, if the aim is to reduce fraud the participants may be different – much of the fraud in retail payment systems originates on the internet rather than in the banking systems, so perhaps participants would include Meta, Alphabet, Twitter and so on, on whose platforms fraudulent payments originate.

3 Understand the extent of common values among participants, who holds the power, the influence of regulators (especially when there are multiple regulators in the same or different jurisdictions), and who benefits from the ecosystem. Without understanding these components, it is hard to imagine that all participants can work harmoniously towards the same goal. It does not become impossible, but orders of magnitude more complicated.

4 Define the level of coupling. Are the organisations in the ecosystem closely coupled, loosely coupled or entirely detached? In our FMI example, the payment system operator, or PSO (Pay.UK), is closely coupled with its technology provider (through the contractual relationship), loosely coupled with the banks (through the rule book), and entirely detached from end-users (although end-users may be influenced by direct marketing activities). This is important because the PSO (in this example) exercises control over risks to a diminishing extent, although the risks may be just as important to the ecosystem as a whole, irrespective of where they originate. Note, however, that just because a stakeholder is loosely coupled does not mean it can be ignored. On the contrary, payment systems need a clear focus on the needs of those making payments, trying to reduce detriments. The issue is simply that the PSO has relatively little influence over them.

Managing risk across an ecosystem

Once you are clear about the shape and dimensions of the ecosystem, it is time to start managing risks across it. Risks will inevitably pass between organisations, and risk failures in one organisation can have devastating consequences in other parts. Typically, in most ecosystems there is comparatively little exchange of risk information between participants. The dysfunction of having different approaches and risk cultures across the ecosystem means that participants have little visibility of other participants’ risks.

This risk blindness results in sub-optimal performance. A strong central ecosystem manager, or strong regulation, may lead to the establishment of rulebooks, but often separate risk management functions attempt in vain to manage risk just within their own organisations.

There are new tools and techniques to enable ecosystem managers to visualise the risk flow across the ecosystem, and potentially to see the build-up of new and emerging risks across the value chain. One example now emerging rapidly is the concentration of risk emerging from the existence of just three main cloud providers: previously downtime would be a function of individual participants, but if one cloud provider has a dominant position in the industry, then their downtime becomes a risk to multiple members of the ecosystem.

Relationships

Management of ecosystems is much less about hierarchy than about relationships. There are few people (apart from some regulators with effective tools at their disposal) who can make other participants do anything that they do not want to do. Many participants are members of multiple ecosystems, and often the amount of time and effort they invest in any single ecosystem may be small in terms of their business, but disproportionately important in the context of the ecosystem itself.

The most important tool in managing risk across ecosystems is building multi-dimensional relationships where issues can be discussed, plans disseminated and agreed, and future ambitions thrashed out. This will help to reduce the impact of risks that are thought of as Black Swans in some parts of the ecosystem, while being readily identifiable by other parts.

The future

The world is full of ecosystems. Recent events have shown how important many of these are, especially when a key risk was unthinkable in parts of each ecosystem: Covid-19 disrupted whole economies; the war in Ukraine disrupted grain shipments, IT developments and ecosystems such as energy and water in the country; Brexit illustrated the difficulties of extracting a national economy from the huge range of ecosystems across Europe. I believe that we should move from managing risk simply within our own organisations, to managing risk across the various ecosystems on which we are each independently and co-dependently reliant.

Maybe, if we develop greater awareness of how to manage across ecosystems, we might begin to address the greatest issue for all ecosystems right now – climate change.

To complete the quotation from John Donne:

No man is an island entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as any manner of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind. And therefore never send to know for whom the bell tolls; it tolls for thee.

Richard Anderson is a risk management consultant, former chair of the Institute of Risk Management, and a chair or INED on various boards.

 

This article was published in January 2023.