Risky Business

Casino operators, like insurance companies, make their money from the risk business. Statistics, probabilities and the design of games and machines all work to benefit them. Fraud, theft, competition, card counters, damage to reputation, gambling software and disruptors – these are negative risks that casino operators recognise, analyse and treat in various ways, such as through surveillance, rules, market intelligence, acceptance and pricing. But how do they manage the risks associated with their facility being used for a heinous, criminal, public act such as the shootings at Mandalay Bay in Las Vegas on the 1st of October 2017?

This article does not seek to analyse or criticise the preparedness or response of Mandalay Bay, its owner MGM, or any of the local, state and federal authorities involved; however, this terrible incident should serve as a reminder to businesses to comprehensively consider all risks, even those so outrageous as to defy prediction and definition.

Many will be familiar with ISO 31000:2009 Risk management – Principles and guidelines or the COSO Enterprise Risk Management-Integrated Framework or other frameworks. Fundamentally, they are similar in that they contain steps or processes to:

  • consider the context
  • identify the risks
  • analyse the risks
  • evaluate the risks
  • treat the risks
  • monitor and review

All enterprises and industries face comprehensive risks. While there are some risks peculiar to individual enterprises, there is much more in common between similar businesses, industries or activities. So, in the generic framework outlined above, the context is largely shared and the risks to business as usual are common, for a given industry in a particular location.

For Mandalay Bay and its competitors, their shared context is that their revenue is a function of their venue being accessible, visible and well patronised. People go to Las Vegas for positive experiences and businesses thrive on their positive appeal. Of the hazards, the amount of money floating around Las Vegas and the tendency for the visiting public to behave with less caution are a magnet for crime. Gun laws in Nevada are not strict. Mass shootings occur in the US often enough. The terrorist threat level in the US is ‘elevated’ – there is a significant risk of terrorist attacks and symbols of capitalism and indulgence are appealing targets for would-be terrorists. Some parts of the US are more prone to natural disaster than others. But, as noted at the opening of this article, enterprises face other types of risks to their business on a daily basis.

At some point in time, the owners of all similar enterprises in a location have made a decision on a business case to build, own and/or operate them, having considered that the potential risks are manageable given the expected return on their investment. Where one enterprise then becomes distinguishable from another is whether and how risks are analysed and evaluated, the risk appetite of its leadership, its values, how risk is treated, how effectively it monitors risks and reviews and adjusts its response, and its resilience should a risk event occur.

The Las Vegas shootings were the manifestation of a risk to Mandalay Bay that ‘the venue is exploited to perpetrate a mass casualty attack on the public’. Assume that this risk had been expressed sometime previously in a risk management context. Having identified the risk, it should be analysed in terms of its likelihood and impact. The goal is to understand the risk and its components which might make it increase or decrease. In business, the impact is usually measured in financial terms – this may be estimated using analogous situations. For example, MGM Chief Executive Officer Jim Murren has openly reported the impact on its business in Las Vegas and several hundred of Mandalay Bay’s 7,400 employees will be affected. Other similar businesses could use this information for their future risk analysis. Alternatively, the impact may be estimated using some indirect metric, such as consumer confidence or visitor numbers, or something like damage to a brand or reputation. The likelihood is ideally expressed as a probability, but this is not as easy as calculating the payoff for a roulette wheel, nor is it always possible. Often a crude descriptive scale is all that can be applied. The point here is not to be exact, but to be as consistent as possible when analysing each risk.

Evaluating the risk takes into account the severity of the risk, what control a business might have over the risk, the cost of any control, potential losses and potential benefits or opportunities. Regardless of the methods used to analyse and evaluate the risks, the result is a list of risks which can be ranked and a decision made on any treatment of the risks. The goal is to be able to decide whether to do anything about a risk and, if so, what to do. Emerging from this process is a list of risks to be treated.

Risks can be treated by:

  • avoiding the activity that generates the risk
  • mitigating the risk by reducing its impact or likelihood
  • transferring the risk through insurance, outsourcing or sharing, such as in a partnership
  • accepting the risk

Looking again at a hotel/casino operator on the Las Vegas strip where the risk that the venue is exploited to perpetrate a mass casualty attack on the public is evaluated such that the owner decides to do something about it and treat the risk:

Can they avoid the activity?

No, as it would be inconsistent with the business objectives to not operate the facility.

Can they reduce the likelihood?

Yes, as the operator of private premises, they have the right to decide who and what is permitted on the premises. The operator could introduce a policy whereby firearms are not allowed to be brought on their premises by members of the public. This could be backed up by incentives or disincentives, or by a comprehensive security checking regime, surveillance and weapons detection equipment. Unenforced policy is inexpensive, but ineffectual. Strictly enforced security policy is complex and obviously more expensive to implement. Executed thoughtlessly, the policy could generate a new risk that the ‘positive experience’ that the operator wants the guests to have is diminished. There is nothing that a business could do to prevent a disturbed individual or terrorist group from deciding to carry out an attack, but it is feasible that they could reduce the likelihood of them using their venue.

Can they reduce the impact?

Yes. Physical response arrangements and effective training and coordination of staff, as well as cooperation with law enforcement agencies, can reduce the physical impact. Business continuity and contingency plans can reduce the financial and operational impact on the business. It may even be possible to offset the cost of mitigation by attracting patronage due to it being a safer facility.

Can they transfer (some of) the risk?

Yes. Diversification of investment is an obvious strategy. Insurance may be worthwhile. Practiced engagement and cooperation with local law enforcement authorities shares the burden of mitigation, as does the development and adherence to industry codes and standardised policies in cooperation with other venues that make all of them less appealing as a target or attack platform. In Australia, government seeks to transfer to the private sector some of the costs and obligations arising from some terrorist risk through the recently released document Australia’s Strategy for Protecting Crowded Places from Terrorism, which states, “Owners and operators of crowded places have the primary responsibility for protecting their sites, including a duty of care to take steps to protect people that work, use, or visit their site from a range of foreseeable threats, including terrorism”, while encouraging and promoting information sharing, guidance and strong partnerships between the private and public sectors.

Should they accept the risk?

Risks whose severity is low, whose likelihood is remote or where the cost of mitigation or transfer outweighs the impact, are usually accepted. This is different from ignoring the risks altogether, as some degree of monitoring and review should be ongoing. After mitigating a risk, it probably still exists at a reduced level and is then accepted. Sometimes a risk must be accepted when there are no viable treatment options, but where the likelihood or impact are still substantial. It is critical for contingency plans to be in place for such risks and for adequate resources to be available to implement those plans.

Risks are not static and response arrangements may not remain appropriate. Following the Las Vegas attack, one would expect operators of hotels and casinos in Las Vegas, as well as analogous operations elsewhere, to have re-assessed this type of risk and to have reviewed their response arrangements. It is the cost of doing business, whether for profit or otherwise, that such monitoring and reviews be ongoing. So, while the Las Vegas tragedy reminds everyone to comprehensively consider all risks, especially those that do not promise to deliver a tangible, positive business benefit, operators should ensure that risk management is built into business processes rather than bolted on.