CHAPTER 9

Is Your Risk Management Too Good?

The current thinking among many pediatricians and child-rearing experts is that we have developed a generation of overmanaged “bubble-wrapped” kids. While keeping our offspring relatively free of broken bones, knee scrapes, and misery-inducing infectious diseases is quite admirable, it may be doing more harm than good in the long run. In 2015,1 a diverse group of child health and safety experts issued a position paper that stated, “Access to active play in nature and outdoors—with its risks—is essential for healthy child development.” The paper went on to warn against “‘Hyper-parenting,’ ‘invasive parenting,’ or ‘intensive parenting,’ in which a climate of ‘inflated risk’ leads parents to micromanage all aspects of their children’s lives in an effort to protect the child from adverse experiences.” In essence, it was a call for parents to stop bubble-wrapping their kids and let them play freely with all of the resultant risks that this might entail.

Is the same happening in corporate management? In other words, are managers becoming so risk-averse and so conscientious in designing and implementing risk management strategies that they are in effect creating “bubble-wrapped” corporations? Furthermore, is this risk-centric management paradigm leaving companies unable to deal with the inevitable risks that are inherent to being in business? Has risk management in effect become “too good”? The phenomenon known as risk homeostasis says that the answer is yes!

Why Is Risk Management So Strong?

There are four reasons why risk management is so prevalent in the current mindset of corporations and the corporate culture in general. The four reasons, which are interrelated, are: (1) a natural dislike of uncertainty, (2) the culture created by the marketing and politics of fear, (3) the legal and regulatory framework of risk, and (4) the almost innate need of managers to believe that they are doing something useful, in part to avoid the onset of the imposter syndrome.

It is quite natural to dislike uncertainty, although admittedly not all do. Some people like uncertainty—they like not knowing what is coming next, to essentially live their life going from surprise to surprise. However, these people are in the minority, and most certainly, the stock market does not like surprises. Even good surprises such as an unexpected jump in earnings can be met with a less than enthusiastic response.

The main reason people dislike uncertainty is that it lays waste to the best designed plans. The old management axiom, “if you want to see God laugh, all you have to do is tell her or him your plans,” holds whenever risk and uncertainty are present. The degree of success of strategic planning, and even tactical planning, is generally inversely related to the amount of uncertainty. The greater the level of uncertainty, the less effective plans tend to be. A high level of uncertainty implies that managers need to think and react in real time, which, in turn, can be a creator of stress and of course mistakes. Uncertainty, of course, also implies that things may turn out better than expected, but the natural pessimism that many managers seem to possess means that upside uncertainty or risk is often discounted. The assumption seems to be that Murphy’s Law—that anything that can go wrong will go wrong—is the dominant mindset.

While it is natural to want to be able to plan, to foresee the future and have a good idea of what is going to happen, it is not reality. The world of business is inherently risky and uncertain. That is also a very good thing, for without uncertainty, there would not be a need for managers and decision makers. Nor would there be a need for experts. Without uncertainty, it would be a relatively straightforward task to calculate the optimal path and execute a plan rather simplistically. For this reason, it is fortunate that the world of business is not as certain as the natural world of physics.

Uncertainty causes stress, frustration, and extra work, and it demands focus, flexibility, and determination to deal with ambiguity. Given this, and the constant demand from investors for predictable returns, it is easy to see why risk management has become a central activity of managers, directors, and regulators.

Building on this natural tendency to want to avoid uncertainty is the marketing of risk. In his book, Risk: The Science and Politics of Fear,2 author Dan Gardner highlights numerous cases where a fear of risk has been exploited for political and marketing means. Gardner highlights how fear of uncertainty has been used to “market” climate change, political campaigns, security systems, antibacterial hand lotion, and a host of other consumer products or political concepts. Fear of change, and more particularly, fear of a loss is a very powerful motivator, and thus provides an extremely effective basis for a marketing message.

All of this, of course, has played into the hands of the burgeoning legal and regulatory framework that managers now find themselves operating within. Sarbanes-Oxley (SOX) regulations, Basel III regulations along with Dodd-Frank rules for the financial industry, as well as the omnipresent tort legal framework, form an increasingly large set of rules and threats that managers need to be cognizant of on a daily basis. While regulations have always been a necessary part of almost any well-functioning economy, their presence seems to be increasing at an unnecessary exponential pace.

While there are many other reasons, some good, some not so good for having a strong culture of risk management, the final major factor is that professional managers have an innate need to believe that they are doing something to justify their position as manager. Just as a parent naturally wants to do everything in their power to protect their child from unnecessary harm in order to consider themselves a good parent, a manager likewise needs to conceptually believe that they are doing everything in their power to protect the assets entrusted to them by the firm’s stakeholders. While the glory of implementing a profitable strategy can accelerate a management career, the reality is often that the glow from such success fades quickly, while the disgrace of a major miscalculation stays with one’s reputation forever.

The economist John Maynard Keynes supposedly once stated that “worldly wisdom teaches that it is better for reputation to fail conventionally than to succeed unconventionally.” The current convention is to have an unassailable set of risk management protocols, no matter what the cost, or what the effect is on the efficiency or growth of the firm, and thus, risk management rules.

The well-documented imposter syndrome plays into this. A manager who does not take every precaution is likely to be accused of being negligent in a career-harming way. To justify their corporate existence and paycheck, managers often believe that they are there first and foremost to protect against losses, and in turn this gets translated into making sure that the firm has a strong risk management culture and system.

Harmful Effects of a Too Good Risk Management System

So, how can something as intuitively and naturally good as wanting to avoid risk become a bad thing? Is it really possible to have too much of a good thing? The answer is an unqualified yes! There are a large number of ways that it is possible to have too much risk management or too strong of a focus on risk.

The first and most counterintuitive effect is what is known as risk homeostasis. Risk homeostasis is a well-documented phenomenon that states that people will react in such a way that they take riskier actions to counteract the risk prevention mechanisms in place until the overall level of risk is the same or even greater.

For example, assume that you are about to go driving in a strong snowstorm and the roads have not yet been plowed and you know they are very icy and slippery. Assume that you need to drive to a location in a small compact budget car that does not have snow tires, nor does it have any snow-based traction control systems. Now suppose that you make the return trip under the same wintry conditions, only now you are driving a large luxury sport utility vehicle with four-wheel drive, that has snow tires as well as advanced traction control systems specifically designed for driving in snowy and icy conditions. Does your driving style change? The statistics say yes, as paradoxically you are more likely to be in an accident driving the luxury sport utility vehicle that has all of the advanced safety systems. With the sport utility vehicle, you will drive more confidently, and thus, less cautiously. This change in driving behavior actually increases your probability of being in an accident, despite the added safety systems. In fact, if you have such a vehicle, you are more likely to make a dangerous trip than you would if you had an econobox car that you knew would be tricky to drive in the hazardous winter conditions. For this simple reason by itself, you are actually increasing rather than decreasing your risk.

As another example, consider crossing a busy street in a large city. You have a choice of crossing at a designated crosswalk with a crossing signal, or you can dodge traffic and jaywalk in the middle of two intersections. When you jaywalk, you are more likely to be careful to look both ways, actually look out for cars and be more careful in your steps in crossing. You also will not be looking at your smartphone while jaywalking. However, when you cross at the crosswalk, you are much more likely to cross without checking to see whether all traffic has stopped, and you are also more likely to cross while checking your handheld device. If in the crosswalk, you are also likely to be oblivious to a vehicle that failed to stop for whatever reason for the traffic signal.

Risk homeostasis is not limited to specific safety mechanisms, such as traction control or crosswalks. It can also extend to a risk culture. Extending the example of crossing a busy city street, take, for instance, the case of crossing the street in my home city of Halifax, Nova Scotia. In this city of approximately 350,000 on the east coast of Canada, there is a strong culture of cars stopping for pedestrians who are waiting at a crosswalk to cross the street. Visitors to Halifax frequently comment on it, and in fact, it is a local joke that cars will stop even if it appears that a pedestrian might be even “thinking” of crossing the street. Despite this respectful and safety-conscious culture, there has been a rash of car–pedestrian accidents in crosswalks, so much so that the government has increased the fines for pedestrians crossing inappropriately to $700—the same fine that exists for cars that fail to stop for pedestrians. The problem is a case of a risk culture causing risk homeostasis. Pedestrians have become so accustomed to cars stopping for them that they no longer bother to “look both ways” before crossing at an intersection.

Contrast the situation in Halifax with that of Drachten in the Netherlands. According to Taleb,3 the town of Drachten had a similar problem with car–pedestrian accidents, and its solution was unique and counterintuitive, but it worked. The town of Drachten simply did away with virtually all crosswalks, and the number of automobile accidents dramatically reduced. Cars became more aware of pedestrians attempting to cross at random places, and pedestrians, in turn, became more cautious when crossing without the benefit of a designated crosswalk. Without a risk system (crosswalks) and without standard rules for street crossing, both cars and pedestrians became more attuned to the risk, and thus, the problem solved itself organically.

With a strong risk system, or a strong risk culture, the individual accountability for risk management is greatly diminished. The onus lands on the systems, or the rules and regulations, to manage the risk, rather than on the individual. Without the individual accountability, risk homeostasis sets in and overall risk often increases.

In a corporate setting, employees can become complacent or worse yet “lazy” in their risk thinking and their risk awareness. In essence, managers and employees can become disengaged from risk management, just as the pedestrians of Halifax through the car–pedestrian culture became disengaged from the dangers of crossing the street. This is particularly true if employees believe that the risk management function is so strong that it is not worth trying to change it, or work against it for the betterment of the company.

Another side effect of being risk-lazy is that employees will not be looking out for good risk, that is, unexpected good outcomes of a risky situation. In many organizations, the risk culture stifles creativity and generates a momentum of its own for the status quo. In essence, employees quickly learn what the risk system allows, and just like Pavlov’s dogs, they react in a way that conforms to the risk system, rather than thinking independently.

Of course, in certain cases, they may take the exact opposite view and work to sabotage or work around the risk system. If the risk system is assumed to be strong and reliable, then a rogue employee with nefarious intents can use the firm’s confidence in risk management for their own purposes. For instance, there are several well-publicized cases of financial traders who learned to “cheat” their firm’s extensive risk systems for their own benefit, but also to the ultimate detriment of the firm. Ironically, believing that the risk system is infallible makes it that much easier to cheat it.

Additionally, if a risk system or culture is too strong, employees and managers will not be consciously or unconsciously thinking about how risk management could be better or how risk technology could make things more efficient and effective from a risk standpoint. This is a very important point that will be discussed in more detail later in this chapter.

An obvious and explicit downside to having too strong of a risk system is the costs, both those that are explicit as well as the often uncalculated implicit costs and opportunity costs. Having a strong risk management system has explicit costs, such as the systems and the personnel required to implement and maintain it. One risk manager told me, about their experience implementing Sarbanes-Oxley (the government regulations imposed on corporations to prevent corruption and financial fraud), that in estimating the costs, one should take their worst estimate in terms of explicit costs, as well as their worst estimate of time required, and then quadruple them in order to get the requirements to being 50 percent implemented. Regulations such as SOX and Basel III regulations for financial institutions are the main drivers behind the vast number of employees being trained and employed as risk managers and the concurrent rise of Masters in Risk Management programs that are proliferating. It is an interesting thought experiment to consider the value added to an organization if this cost and the talent associated with regulation were simply employed in risk management in a manner that the organization felt was most useful, rather than in the manner that regulators require.

However, rarely does an organization calculate these direct costs, and even more rarely do they calculate the return on the risk management investment. In a widely cited case study, John Fraser, the former Chief Risk Officer at Hydro One (the major electrical distributor for the Province of Ontario), gives the example where capital allocation at Hydro One was based on “risk bang for the buck.”4 Risk bang for the buck is a process whereby divisional managers at Hydro One had to quantify the amount of risk their unit had and the return per unit of risk reduction. Capital allocation was based on where the capital would have the greatest return per unit of risk reduction.

Regulators suffer from three drawbacks as adjudicators of risk. The first is that they need an objective set of benchmarks that they can fairly and consistently apply across the organizations that they are responsible for. The second is that they do not have “skin in the game” as coined by author Nassim Taleb.5 The third is that they are often responding more to political pressure than real-time concerns. This, of course, is most evident after a crisis occurs, and thus, we get the often voiced criticism that regulators are always managing the last crisis, not the more critical forthcoming crisis.

Finally, a too strong risk management system or culture creates an atmosphere of paranoia, where employees are afraid to attempt the slightest of innovations and managers manage to the rule rather than to the situation. This creates a stifled workplace and leads to delays in product innovation and general overall efficiency and effectiveness of the work environment. It most definitely is possible to have too strong of a risk management system.

Steps to a Healthier Attitude Toward Risk Management

The purpose of the preceding arguments is not to say that risk management is bad or unnecessary, but rather to illustrate that the tail may be wagging the dog. It has also been to show that excessive risk management is not benign, but rather that it may be having a harmful effect on the efficiency and effectiveness of the organization in a plethora of ways, both explicit and implicit. You really can have too much of a good thing in risk management.

The first step toward more effective risk management is to clearly recognize and communicate what the goal of risk management within the organization is. As discussed previously, frequently risk management is seen as the “Department of No,” when instead it should be seen as the “Department of How to Do Things Better.” This, of course, immediately raises the question of what exactly it means to say “better.”

By rethinking and reframing the role of risk management, an organization can dramatically increase the effectiveness and the value of its risk function. The one difficulty of doing so is that the change in tone by the organization will not by itself change the demands and expectations of other stakeholders, and most significantly, the demands and expectations of regulators. The regulators have an interest in only downside risk, that is, they will only receive publicity when adverse events happen, and not when something goes right in an industry. Thus, convincing regulators that risk has a positive side in addition to a negative side is a very difficult sell. (Ironically, politicians should have an interest in upside risk as if a company or an industry is doing better than expected then the economy will be doing well. However, as discussed previously, fear sells, and thus, negative politics keeps the focus on the negative aspects of risk.)

The asymmetry between the objectives of regulators who want the focus to be on negative risk and that of an organization that wants to manage both the positive as well as the negative types of risk can be reconciled in a fashion akin to accounting. Most for-profit companies in effect have three different sets of accounting statements. They have a set that they use for financial reporting, which is subject to the accounting standards board’s rules. They also have a similar set of financial statements that is used for tax reporting purposes. However, few organizations use these mandated and regulated statements for actually managing the business. Instead, they maintain a third set of statements for managerial purposes, and thus, the term managerial accounting. In a similar fashion, companies could maintain a set of risk records for the regulators, but also maintain a set of risk measures and metrics for managing both the upside and the downside risks that they face.

A second paradigm shift needed in risk management is a return to the reality that all business decisions are inherently risky. It gets back to the central tenet that states “no risk, no return.” This statement seems so obvious as to not merit mention, but in the current culture of excessive risk management, it is too often forgotten or lost in the process. With excessive risk management, the mantra seems to be that all risk is bad. This is pervasive not only from the legal, regulatory, and political realms, but has also entrenched itself within the corporate world itself. It is, perhaps, not a coincidence that entrepreneurship, which is most often based on new paradigms that have yet to attract the attentions of authorities and regulators, is seen as the corner of business in which the risk-takers dwell, while the established corporations are seen as the conservative realm for those more interested in professional management. Risk is inherent in business, and furthermore, it should be inherent in business.

Creating the proper culture around risk is imperative. Risk, and in particular, good risk, or upside risk, needs to be embraced. Even downside risk needs to be embraced as an opportunity or a challenge to create and engineer processes to make the risk of the situation more acceptable, and in doing so, create a competitive advantage.

One method for creating a proper risk culture is to foster an environment where honest and well-thought-out mishaps are encouraged and rewarded. As well-known educational consultant and TED speaker Ken Robinson states, “If you are not prepared to be wrong, you will never come up with anything creative.”6 Part of creating a healthy risk culture is developing a well-thought-out and articulated risk tolerance. The risk tolerance of an organization is stating what level of risk the organization is willing to take, and also clearly stating what levels of risk are not acceptable. Obviously, anything that threatens the viability of the firm, or puts human health or safety at risk should not be tolerated. However, a culture that encourages managers to take prudent business risks within the level of risk tolerance will spur more creativity, more action, and likely a more enjoyable work environment.

Finally, an organization needs to attempt to calculate the cost-effectiveness of its risk management. As mentioned previously, Hydro One successfully did this by introducing the concept of risk bang for the buck, which was, in essence, a return on risk management expenditures.7 By explicitly tracking costs, as well as the value added by risk management, a more efficient and healthy risk management function will be created. Implicitly assuming that risk management is a function that must be implemented to eliminate all downside risk leads to it becoming a bloated and overarching corporate bureaucracy with limited value, but overbearing reach.

Concluding Thoughts

Risk is an inherent part of business, and business management is inherently nothing more than risk management. However, in the current culture of fear and mandatory regulation, organizational risk management has often gone too far. In essence, the demands of regulators, corporate stakeholders, and even managers have created a culture that has created bubble-wrapped organizations. Excessive risk management is not benign. There are both significant explicit and implicit costs of having too strong of a risk management function. Furthermore, the phenomenon of risk homeostasis illustrates in example after example that an excessive focus on risk actually increases the possibility of bad things occurring—the exact opposite of the intended effect.

To be sure, risk management is a necessary part of managing a successful organization. However, good risk management is not excessive; instead it is smart and relevant for the situation. Tearing off the bubble wrap may involve a few more scrapes and the occasional broken bone, but in the long run, it makes the organization both healthier and ultimately safer and better risk-adjusted. If nothing else, it makes being a kid a lot more fun.

 

1 Brussoni, M. et al., “Position Statement on Active Outdoor Play,” International Journal of Environmental Research and Public Health, 2015, 12, 6475–6505, available at http://www.mdpi.com/1660-4601/12/6/6475.

2 Gardner, Dan, Risk: The Science and Politics of Fear, Virgin Books, London, 2008.

3 Taleb, N., Antifragile: Things That Gain From Disorder, Random House, New York, 2012.

4 Aabo, T., Fraser, J., Simkins, B., “The Rise and Transformation of the Chief Risk Officer: A Success Story on Enterprise Risk Management,” Journal of Applied Corporate Finance, Winter 2005.

5 Taleb, N., Antifragile: Things That Gain From Disorder, Random House, New York, 2012.

6 Robinson, K., “Do Schools Kill Creativity?,” http://www.ted.com/talks/ken_robinson_says_schools_kill_creativity.

7 Aabo, T., Fraser, J., Simkins, B., “The Rise and Transformation of the Chief Risk Officer: A Success Story on Enterprise Risk Management,” Journal of Applied Corporate Finance, Winter 2005.
