What Is the Future of Risk Management?
The great Yankees catcher Yogi Berra famously said, “It’s tough to make predictions, especially about the future.” In this chapter, I am not so much going to make predictions, but present my own view of where we are trending and put forward some hopes that I have about the future of risk management.
As a field of study and as a management discipline, risk management is paradoxically one of the oldest disciplines and simultaneously still in its infancy. It is one of the oldest management disciplines, in that risk-taking has been acknowledged as core to organizational success since the earliest cavemen determined how best to gang hunt a woolly mammoth. It is also still in its infancy as the data-driven approach to risk management that is so prevalent has only recently become possible due to advances in computing techniques.
As an academic field, risk management has strong roots in engineering. In business academia, risk has traditionally been rooted in finance and operations, with little in the way of serious study in areas such as organizational behavior and marketing or strategy. The finance and operations components have almost completely ignored the sociology of risk management, preferring to focus on the quantitative studies, which are much easier to get concrete results for. As such, it has ignored the real issues surrounding risk culture and complexity.
As an illustration of the bias against risk management in academia, I was once asked to develop a university course in enterprise risk management (ERM). However, even before drafting an outline, the course was rejected as a regular course because ERM as a subject was considered to be nothing but “blah, blah, blah.” I understand, and even appreciate the criticism, but simply because one does not (yet) have concrete answers for a question does not mean it is not worthy of study—perhaps, it makes it even more worthy of study! Of course, the most current trend is for advanced courses and programs in risk management to be very popular.
Trends in Risk Management
To begin examining the future, perhaps, it is useful to look at some current trends. The first trend is that of greater expectations (hopes) for what risk management can do. One need is to only examine the statements of politicians and regulators to see that there is an expectation that risk as an issue can be “solved.” Risks, however, evolve, and Orgel’s law teaches us that “evolution is smarter than we are.”
The greater expectations set up risk management to be a field of disappointment. “Solving risk” is a term that does not make any sense whatsoever if one thinks about it. True, we can solve, or at least diagnose the complicated risks, such as an engine running out of fuel, but complex risks, such as how to create a winning product, or how to prevent or exploit market bubbles are by definition unsolvable. Additionally, risk and uncertainty are an inherent part of any organization. If risk and uncertainty are “solved,” then will there even be a need for organizations?
Risk and risk tolerances are emotional in nature for the individual and sociological in nature at the organizational and societal levels. You cannot “solve” emotions or sociological issues. I do not even know how to define what such a solution would look like.
The trend, however, in popular belief and among those that do not know better is that risks are solvable. This, in part, leads to the bias and trend in thinking that risk is a bad thing. Without risk-takers, however, we would not have social media, technological developments, medical advances, or even the wheel and controllable fire for that matter. The scientists, engineers, organizers, entrepreneurs, and so on who have developed the modern conveniences that we take for granted were all risktakers. They defied convention, and they certainly never took the path of lowest risk, or thought that risk was something to be avoided. Risk is not solvable, and it is those who get comfortable with that fact that we have to thank for our highly developed (and comfortable) lives.
Related to the trend of solving risk is the quantification of risk. Data and quantification are great things—for those risks that can be measured and that can be measured correctly. Unfortunately, many important risks cannot be measured, and many risks are inappropriately measured as discussed in Chapter 2. Despite my saying this, I believe that there are still many more risks that can be measured and should be measured. One area for growth in measurement is using Big Data techniques and social media to study the evolving trends and patterns. Data can give us clues to complexity, and that can be helpful, even though we cannot use that data directly to solve complexity. Social media data, however, can help us understand and build our intuition toward data, but will never replace the human who has their finger on the imperceptible pulses of society.
The trend is also for greater regulation of risk. Regulation definitely has its place, but I, and many others fear, that regulation is becoming too rigid. Rigidity in regulation prevents judgment to take its rightful place. Regulation also implicitly and explicitly assumes that risks are complicated. Regulation and complicated thinking has little place in the presence of complexity.
Regulation also builds rigidity into the economic system, which increases both the probability of a systemic risk occurring as well as the severity of a systemic risk, such as the 2008 financial crisis. Several years ago, my family moved into a new house on a heavily wooded lot. Shortly thereafter, a rare hurricane came through the area. I lost over a 100 trees on my property, as of course did my neighbors. The interesting thing is that the trees that got knocked down were the old trees with the deepest roots and the thickest trunks. The trees that were younger or not as solid had a much greater survival rate. The thick-trunk trees did not have the flexibility to adjust with the wind, while the less sturdy trees had the ability to bend, but not break. Despite their thick trunks and deep roots, the older, more established trees were no match for the wind. Regulation acts like a thick-trunked tree with deep roots. When a hurricane comes (and hurricanes will always come along), these are the trees that get uprooted and cause the most property damage.
These are some of the trends that I see in risk management. While it is a positive that risk management is now getting serious attention for its role in an organization’s success, it is important to not get carried away. However, one of the things I have learned about trends in business is that just when you think it is a trend, you find out it is a cycle.
Some Potential Developments
One trend that is currently faddish is that of the trend of the entrepreneur. Business incubators, courses, and workshops on entrepreneurship are all the rage. It is almost as if we are revisiting the age at the turn of the 1900s when the railroad magnate and the industrialist were the masters of the universe.
Much of the current focus on entrepreneurship is on the millennial generation. Many of them (not all of them) bring a new approach to risk. Like entrepreneurs before them, they tend to be skeptical of accepted wisdom, and instead, they are intent on creating new ways of developing ideas and organizations. With this new spirit of entrepreneurship come new ideas about risk management. This can only be a good thing, as new ideas, even those that turn out to be wanting or incorrect, are necessary for developing and enhancing a discipline.
Many of these new entrepreneurial ventures are focused on exploiting the power of social media. This may seem to be unrelated to risk management, but I believe adaptation of social media techniques can dramatically improve risk management. By definition, social media is exploiting how societies and groups of individuals behave, interact, and adapt. Social media is complexity in action. Social media is giving us clues and ideas on how to harness or at least adapt to complexity. If nothing else, social media is exploiting complexity, and exploiting complexity, I believe, is a major area of potential development for risk management.
Social media is also demonstrating the importance of trying to understand social systems. In Chapter 4, the importance of “people, people, people” for risk management was highlighted. The role of people in risk management is key, and it is likely that risk management, catalyzed by social media entrepreneurs, will wake up to this fact. Perhaps, organizational risk management as a respected field of academic study will arise within sociology departments.
It is also quite possible that risk management as a discipline will go the other way. Instead of the focus on getting a risk management certification, there will be a realization that risk management is central with management. In other words, just like breathing is central to life, risk management is central to the success of an organization. You do not take courses in breathing (except maybe for some health conscious zealots), and likewise, risk management reverts to being simply management.
Despite my earlier comments about risk in academia, the rise of risk management certification programs and advanced courses in risk management does indeed demonstrate that there is a thirst for risk management knowledge. With that knowledge, however, comes a need to not forget about “thinking.” Risk management is not necessarily about knowing things. Knowing about risk is complicated thinking. Computers are increasingly taking over the business of knowing things and managing complicated systems. Instead, it is incumbent on the modern risk management to understand things, rather than just know them. Creativity is more important in risk than knowledge. Being able to connect the dots is key. The ability to think about things is more important than the ability to know things.
One criticism I have about the current new wave of highly trained risk engineers is that they understand the mathematics, but they do not understand how businesses work and how markets and industries work. The more experienced risk managers may not understand the mathematics, and have as sophisticated toolbox, but they do have an intuitive feel for how organizations evolve, businesses evolve, industries evolve, and economies evolve. I fear that the emphasis on knowing about risk management will “crowd out” the understanding of risk management.
The emphasis on knowing things is also highly correlated with having a complicated mindset. However, I believe that having a complexity mindset is key. In our information age, knowledge is becoming a commodity. Any piece of knowledge can be found almost instantaneously using an Internet search engine. IBM’s Watson computer can beat chess masters and of course win at the TV show Jeopardy. Increasingly, computers beat humans when it comes to all matters that are complicated. However, risk is rarely complicated; it is almost always complex, and it is in managing complexity that humans beat computers almost every time. Learning to acknowledge, understand, and become comfortable with dealing with complexity will give the manager of the future, and especially the risk manager of the future, a key competitive advantage.
The final expectation I have for risk management is that risk management will become a part of every manager’s path to success. Traditionally, in order to become a senior executive, or even the CEO of an organization, one had to show competency in marketing, finance, and in operations. I expect, and hope, that risk management will be added to that list of must-have competencies for one to be considered suitable for leadership.
Concluding Thoughts
In this book, I have intentionally stayed away from many of the typical specifics about managing risks and instead stayed at a high-level conceptual view. That approach was very intentional. Risk management techniques and tactics are specific to each individual field and to each individual organization. Hopefully, however, you, the reader, have come away with a few high-level conceptual ideas about managing risk that you can apply to your specific situation and issues. Hopefully, you will be inspired to ask your own questions about conventional risk wisdom and will attempt to try new ideas and be willing to take new risks when it comes to designing and implementing risk management. Hopefully, you have advanced your own ideas about the future of risk management.
I began by stating in the introduction that “This book is based on three fundamental tenets: (1) that risk management is a vital task for developing competitive advantage, (2) having knowledge, but more importantly skill and intuition in risk management is key for advancing one’s career, particularly in light on the onslaught of the robots and computers that are replacing both blue-collar and white-collar jobs, and (3) there is a need to take a fresh look at risk management by questioning some old assumed axioms and asking some fresh questions.” I hope that these themes have come across even though I did not explicitly dwell on them.
My wish is that in some small way that this book has added a grain of sand to the mountain of knowledge on risk and risk management. Risk management is a fascinating field. It is fun, it is important, and it is exciting to think of how the field will continue to develop and evolve.
Finally, I would like to thank you the reader for taking the time to read this book. Again, repeating myself from the introduction, I hope you had as much fun reading this book as I had writing it.