CHAPTER 4

What Causes Risk?

It is generally assumed that if you can get to the root causes of something, then you are well on your way to mastering it. So, that begs the question of “what causes risk?” It is ironic, however, that this is rarely if ever asked proactively. Instead it is almost always asked after the fact, as in “what caused this mess?,” or “what caused this screw-up?” Notice as well that it is almost never asked after something good happens. Rarely does someone seriously ask, “How were we able to sign this customer to such a large deal, or why did our advertising go viral?” However, we must also remember that there is upside risk as well, and in analyzing the root causes of risk, we must not shortchange it.

What causes risk is a more profound question than it may appear to be on the surface. A quick response would likely, and reasonably, be that there are many causes of risk. I, however, believe that for the situations that we care about most, that is, for the risk situations that have the biggest positive or the biggest negative impact, there are two main causes that are almost always present—people and complexity. Furthermore, it might be argued from a close reading between the lines of the previous chapter that it is people that cause complexity, and thus all risk, good or bad, is caused by people. Yes, there are other risks that exist—material breakage, acts of God, and randomness along with many others—but most of the time when something unexpectedly bad or good happens, there is a person at the root cause of it.

This chapter explores the idea that people and complexity are the root causes of risks. Buying into this somewhat novel thesis requires one to rethink many risk management activities. Risk management policies that are not grounded in managing root causes are likely to be both misguided and ineffective. Currently, most risk policies are seemingly designed for random events or acts of God or for complicated processes that we believe we have the mathematical tools to deal with. Understanding that people and complexity are the roots of almost all of the risks that matter requires a significant change in thinking and in risk management practices.

Problems with the Question “What Causes Risk?”

What causes risk in your organization? It is a great question and an obvious starting place for developing a great risk management function. Knowing the root causes allows one to work from first principles. It allows risk to be mitigated or exploited at its core. Although asking what causes risk is a simple question, there are a few problems inherent in the question. To start with, there is an inherent bias in the question for the past tense. Risk is a future-looking event. However if I ask that question at your organization I will likely get a laundry list of all of the bad things that have happened in the past.

There is a better set of questions to ask. The first, and less valuable, is what has repeatedly caused risk in your company, and the second, and more interesting, question is what will cause risk in your company? The question about the past is interesting, but it is incomplete and not always that useful. The question about the future is much harder to answer, but much more interesting and potentially much more valuable to have the answer to. Risk is something that happens in the future. There is no uncertainty associated with the past. Thus asking what happened is a bit of a fruitless exercise, with the exception of those cases where the adage that those who ignore history tend to repeat it applies.

Thus the first problem of asking about what causes risk is to get past the historical analysis of risk to the future analysis of risk. What caused risk is only valuable for how it will help manage risk going forward. However this leads to the oft-cited and frequently correct criticism of risk management that it is always working to fix the last crisis without enough focus on the next problem or opportunity.

The second inherent bias in the question of what causes risk is the normal risk bias of assuming that risk is the possibility of something bad happening. Now in an organizational context, if something unexpectedly good happens then there is generally a person, or more likely persons, who are more than willing to take responsibility for the unexpected good that happened. Saying that people are the root cause of good risks is a trivial thing to do as it is trivial to find management and staff at any organization that are more than willing to take credit for almost anything positive that happens. Thus something unexpectedly good is not seen as a surprise, or something unexpected, or as a risk, but as the product of conscious and “brilliant” foresight of a member or members of an organization. While it might very well be true that it was indeed the brilliant actions of a person or a group that caused the unexpected upside, simply saying it was brilliance and not a risk worth analyzing is not helpful. It certainly does not help the organization increase the odds of a good risk happening to them again.

This leads us to a third problem with the question of what causes risk in that it starts to assign responsibility for the risk. Now as stated in the previous paragraph, it does not take much effort in getting people to accept responsibility for a good risk event. However assigning responsibility for a bad risk event is quite different. Assigning responsibility for a bad risk is akin to assigning blame. No one wants to take blame. Very little positive comes from assigning blame in a risk context. It is important to realize that no one gets up in the morning thinking they are going to be in an accident that day. Likewise, rational people do not get up thinking they are going to win the lottery. Assigning blame only serves to make someone feel worse, who very likely already feels awful about the mishap they caused. (By the way, if people are actively trying to create bad risk events, or do not care about good risk, then the company does not have a risk management problem, but a very serious problem of a very different organizational cultural basis.)

The role of responsibility, blame, and risk management will be discussed at more length in Chapter 8 when risk culture is discussed, but at this point it will suffice to say that the purpose of asking the question “What causes risk?” is most definitely not to assign blame.

Five-by-Five “Whys?”

If you are at a progressive risk management company, you likely have a regular report on risk events in the past. Depending on how seriously your company takes risk, your company may have even followed up and looked at the causes of those risks. However did they look at those causes superficially or deeply? Furthermore did they just look at negative surprises or did they also examine the upside surprises?

Some companies are excellent at following up on the root causes of risk, while others just categorize and assume that someone did not follow the stipulated process properly or took a shortcut. That may very well be true, but then one should ask the follow-up question of why they did not follow the appropriate process. That is a much more valuable piece of information to have. The first and easy answer is generally not very helpful nor valuable. It is also lazy thinking, and risk management cannot afford lazy thinking.

Therefore assuming that people are consistently skirting the rules is not really constructive analysis. Likewise assuming that employees do not care about risk is also incredibly lazy and cynical thinking.

Using a technique I call a “Five by Five Why” analysis is one way to get to root causes that prevents a superficial conclusion. In a five-by-five “Why” analysis, at least five reasons for the risk event are listed. Note that it may take some creativity to get to five possible reasons, but there is value in forcing one to come up with five different possibilities. Then, for each of those five “Whys,” there are five questions or five “Whys?” asked that follow from each other.

The power of this method was clearly shown to me when I was talking to a student who came to me to discuss their career. I asked the student what they wanted to do with their career, and they mentioned that they wanted to have a career like a well-known money manager. With that response I started the whys. I asked the student for five reasons why they wanted a career like this certain money manager. They gave me five “whys,” the first of which was that the money manager was rich. With this, I started down the path of asking five whys on this first response. I asked the student why they wanted to be rich. They responded “so I can buy the same fancy car that they bought.” I then asked why they needed to have such a fancy car, and they responded “so I can take lots of friends for drives in it.” I then asked the question “Why do you want to take lots of friends for drives in this dream car?,” and they responded “because I am lonely.”

This story is more than a little sad, but it illustrates that the first response you get to the question “why” is generally very far from the real truth, and very far from one of the root causes. I never would have guessed that the reason why this student wanted to go work for a major money manager was solely to get rich in the false belief that they might be able to buy friends. Furthermore I suspect that the student themselves did not understand their true motivation. When the student said that they wanted to work in money management in order to get rich, it would have been trivial to jump to the conclusion that this student is just a stereotypical greedy MBA student and be done with the conversation. Asking the five-by-five whys however led to a much more profound conversation. It turned out that the student did not like finance or money management in the least. Going to work in money management would likely have been a terrible career choice, but not getting to the root causes of the actions, decisions, or motivations makes it hard for anyone to understand what is really the motivating factor.1

In risk analysis I have seen too many cases where the analysis ends with the first obvious, yet incomplete answer. The first answer, which is generally the superficially obvious cause, generally has many more layers to it. The first answer is almost never the root cause. Consider for instance the loans to NINJAs (no-income, no jobs, no assets) that bankers were widely criticized for making in the build-up to the 2008 financial crisis. It is widely assumed that the bankers were just greedy in making those loans. However it has been my experience that bankers are very loath to lend to those they think may not pay them back. So did anyone ask why the bankers all of a sudden became so greedy as to make those questionable loans? (Could it have been the regulatory lending requirements of the Fair Housing Act, or could it have been that they knew they could sell those loans forward? If so, then you need to ask what factors were in place to force the Fair Housing Act, or that allowed them to sell those loans to others and so on.)

Utilizing the five-by-five whys greatly helps to move beyond the superficial into a much more productive analysis and understanding. Even if the first and obvious answer does turn out to be the root cause, going through the five-by-five analysis is valuable in that it exposes other potential causes which in turn will lead to a greater likelihood of them being mitigated or exploited in the future.

It is also important to note why you need to come up with five reasons. There is a very real temptation to go with the first cause that comes to mind. Often the first cause is a true cause, but almost as often it is not a cause but more of a symptom. Even if the first blush cause is a cause, there are likely to be at least one or two more enabling causes. Risks, both good and bad, tend to happen because of a confluence of events, not a singular cause. Additionally, forcing oneself to come up with (at least) five causes forces one to be creative and to think beyond the usual suspects. There is a tremendous side value in doing this as it helps to build the risk intelligence and the risk awareness of the firm. Recall my first law of risk management: the mere fact that you acknowledge that a risk exists automatically increases both the probability and the magnitude of it occurring if it is a good risk, while simultaneously decreasing the probability and severity of it occurring if it is a bad risk. There is real value in forcing oneself to be creative when it comes to risk.

In an engineering context, we think of materials failure. Materials failure is relatively easy to diagnose. You see the broken pipe, or you see the stress fracture. People failure is much more difficult to assess. You see that someone did not follow protocol, or you see that they made a mistake. What you don’t understand though is what caused them to not follow protocol, or what caused them to make the mistake. Again, only the psychotic go to work each day intending or believing that they will be the cause of a screwup. They might be afraid of doing something incorrectly or of causing a mishap, but that is not their intention. Given that, it is thus very superficial to say that the problem is that someone did not follow protocol or someone made a mistake. That is simply lazy analysis.

People People People

In real estate the old adage goes that the three things that matter are 1. location, 2. location, and 3. location. In risk management the three things that matter are 1. people, 2. people, and 3. people. Organizations are run by people, for people, and are all about people. I have yet to see an advertising campaign aimed at selling to computers. Robots have needs, such as batteries or new gears, but they do not have wants or desires, and thus consumerism is out for them. Inanimate objects do not browse catalogs wondering if they are going to be in style for next season. Computers do not have hopes and fears and thus emotional appeals to them are nonsensical.

People on the other hand do have wants, desires, needs, hopes, fears, and emotions. Risk management would be a lot easier without people. In fact, risk management could be, and should be, run by computers if it were not for people. One of the curious things about the debate of driverless cars is how people are afraid of them, yet many of us realize that we would be collectively far safer if all cars were being driven by computers—particularly in this age when it seems like every second person on the highway is updating their social media status while trying to pass a truck. Have you ever considered that the major task of a pilot on a commercial airliner is to greet you when you deplane to reassure you that there was a live human body in control—even though the plane was likely on autopilot for the vast majority of the trip? (Ever notice how frequently the pilot does not greet you as you disembark after a particularly rough landing in calm weather—landing being the one time that the pilot is in control?)

Risk is about people. However risk is not necessarily about people behaving badly, or stupidly or for that matter even consistently brilliantly. People are people and we all do things that make us wince with hindsight. We all have regrets, and we all have moments of triumph. The problem is that we cannot control those moments as much as we would like to. We get tired, or lazy or perhaps brilliantly inspired. We know some things, we don’t know other things, and we guess at things way more than we would honestly estimate that we do. We also have very different world views and experiences that color our world views and how we interpret things.

Risk and people arise in two forms that are very different and which pose different challenges and different management tasks for the risk manager. People acting individually or in a small group create risk, and people acting as part of a larger group or a sociological system create risks. Risk management of the individual or the small group is very different from risk management of the larger sociological group. Risk management of the individual involves idiosyncratic risks that are likely to appear to be more random in nature. Group risks on the contrary are likely to demonstrate some form of complex emergence. In other words, a risk evolving from the interactions of a group of people is likely to show patterns (at least with hindsight), but those patterns will be random, unpredictable, and not amenable to management in the conventional sense. To understand and manage the risk of individual actions, you need empathy. To understand and manage the risks of the sociological group, the risk manager needs to develop a sociological imagination.

Empathy and Sociological Imagination

Empathy and sociological imagination are the two necessary abilities needed for the risk management of people. Unfortunately empathy and having a sociological imagination are things that we as humans suck at. This presents a real risk problem, as empathy and a sociological imagination are two vital keys to successful risk management. Another difficulty is that although we, as humans, suck at empathy and having a sociological imagination, a computer sucks at it even more, and additionally, a rule-based series of risk management processes sucks even more!

Empathy is understanding the emotions and opinions of another person or group of persons. It is not necessarily agreeing with those emotions or opinions, nor is it necessarily having sympathy for those emotions or opinions. Empathy and sympathy are two different things. While it is nice to have sympathy, sympathy does not help that much in decision making; empathy does in that it allows you to understand how to frame an effective solution in the context of how it will be interpreted by the person(s) it is geared toward.

Harvard Business School professor Rita McGrath says that business is now entering a new era of empathy.2 In a Harvard Business Review article, Professor McGrath states that the first era of management was the era of simply figuring out how to do things. This was the case during the industrial revolution when how to harness the power of the steam engine, how to engineer things, and how to efficiently manufacture products were key. This led to the era of Scientific Management that brought forth Taylorism and the assembly line and led to the creation of MBA programs and business as a field of academic study. However, McGrath argues that we are entering into a third age: the Age of Empathy. The Age of Empathy involves not knowledge but instead requires an innate understanding of how individuals, and perhaps more importantly a collection of individuals, behave and change in their behaviors depending on context.

What many risk managers and technocrats often fail to understand is that the actions of individuals and collections of individuals cannot be reduced to a set of consistent and rational principles. Humans are unique and their thoughts, dreams, and actions cannot be reduced to a formula or a set of principles. Referring back to Systems Theory from Chapter 3, the Age of Empathy requires a complexity mindset rather than complicated knowledge. It is an important point when remembering that people and their actions need to be at the core of risk management.

Related to empathy is having a sociological imagination. If empathy could be described as understanding the emotions of an individual, then a sociological imagination is the group equivalent. Sociological imagination is thinking outside of your own worldview of things and seeing them as a broader swath of society might imagine them or interpret them. The sociologist C. Wright Mills coined the term sociological imagination to point out the importance of not only understanding how we as individuals think and act, but how we as part of a society think and act. Complexity, and its associated phenomenon of emergence, demonstrates that the collective outcome of a social group is not the simple summation of the actions of the individuals that comprise the group.

Organizations are part of a sociological group. Industries are also a sociological group, and in fact the entire economy can be properly thought of as a sociological group. If managing with empathy requires a complexity mindset, managing with a sociological imagination demands it. Managing with a sociological mindset means that the risk manager is considering the possible set of connections and adaptive behaviors that the people in the group may form and the emergent patterns and outcomes that may come from the group.

If one was to typecast risk managers, they would generally not be considered to be too high on the scale for either empathy or for having sociological imaginations. Risk managers as a group would more typically be typecast as being technocrats, as individuals tied to careful rational thought. Basically risk managers and the risk strategies they promote and implement would probably be most accurately typecast as the antithesis of empathy and a sociological imagination. This fact may be the root cause of a significant amount of risk in organizations—namely the disconnect between risk management systems and the people who are the source of the risk.

The Importance of Design

How important is design in your risk management system? How many designers or ergonomic engineers are in your organization’s risk management group? If you accept that risk management is largely caused by people, shouldn’t the risk management function and processes be designed for people? Shouldn’t the risk management functions be designed with the psychological needs, the sociological needs, and the ergonomics needs of the implementers and the users and the beneficiaries of the risk management in mind?

Design is thought of as a nice to have, not a must have. Design is too often thought of in terms of aesthetics, rather than functionality and efficiency. Good design can help people not only conduct actions that are more effective but also follow the rules more than they would without good design.

The principles of good design are beyond the scope of this book (and beyond my area of knowledge), but it should be obvious that good design is central to good risk management.

Delphi Method

A very powerful method for uncovering potential risks and designing effective risk management is the Delphi Method. The Delphi Method is a discussion technique that allows cognitive diversity to bring innovative ideas to the fore without the concerns of groupthink and bureaucracy preventing progress.

In the Delphi Method, a diverse group of individuals is given the task of risk identification as well as risk ranking. The better the diversity, the better the results are likely to be. The group need not (in fact should not) be composed of risk experts, but instead it should be composed of a sample of individuals associated with the organization from different divisions of the organization, from different stakeholder groups, such as suppliers or customers, and from different levels ranging from frontline employees through to senior managers. The group is then given a question such as what are the major risks associated with a given task or a given unit of the organization. (It should be pointed out to the assembled group that the definition of risk is that of the possibility that bad or good things may happen.) Individuals in the group are asked to anonymously list what they believe are the primary risks. A facilitator will then list the risks and facilitate a discussion about the listed risks. Then the group is asked to rank the risks anonymously. The results of the ranking (done by anonymous voting) are then presented to the group and another facilitated discussion takes place. The process of discussion and anonymous voting is continued until a consensus ranking is achieved.

The diverse individuals (again, they are not risk experts and come from a wide range of functions and levels of experience and seniority) and anonymous voting are the two keys to a successful outcome for the Delphi Method. The diversity of individuals brings out unique ideas that would likely not be thought of if a group of experts well acquainted with the situation had been assembled. Admittedly many of the risks or ideas put forward will not be valid or appropriate, but they will be quickly dismissed by the process. The anonymous voting prevents groupthink and it also prevents a dominant member of the group from being able to sway the group. Finally it avoids the Asch effect that is so prevalent when groups or town halls are convened to assess a situation or suggest solutions.

The Asch effect comes from the research of Solomon Asch. In a brilliantly designed experiment, Asch had groups of experimental subjects tell him which of a group of drawn lines was the longest. Everyone in each group observing the lines was in on the experiment except for a single individual. In other words, each group was composed of actors, while there was only one true experimental subject who was responding with their own non-prearranged answer. The group would be shown a set of lines labeled A, B, C, and D. One of the lines would be obviously much longer than the others—say for instance line C might be drawn much longer than lines A, B, and D. Each of the experimental subjects who were actors would, however, respond that line B was the longest line. This was obviously not true, but when the true experimental subject was asked to state in front of the others what line they thought was the longest they would also respond with line B. The purpose of the experiment was to show that our desire to conform to the thoughts of a group, even though the group was obviously wrong, was greater than our desire to state what we truly believed to be true.

The Delphi Method can also be used as a way to identify a way to manage risk. Once the risks have been identified and ranked, the group (or even a different group) can then be asked the question of how to manage the most important risks. The Delphi Method can then be repeated to rank the most effective risk management strategies. This naturally provides buy-in to the risk management response as it provides solutions that are coming from a diverse group rather than from a specific unit of the organization or solely from the senior management team. If you are part of the group that develops a suggestion, you will be much more vested in seeing that suggestion be successful.

In sum, the Delphi Method provides a very effective way for the organization to learn about its risks in a way that avoids relying on “the usual suspects.” It does so in a way that provides unique ideas, avoids groupthink, and allows for the measurement (or at least a ranking) of nonquantitative risks. Additionally, the Delphi Method creates buy-in as it is a risk identification that involves the individuals who have to implement the risk management plan and have a vested role in seeing their plan be successful.

Concluding Thoughts

All too often, risk is thought to be caused by something outside of our control. Risk is credited to freak occurrences, failure of materials, failure of processes, random acts of God, and so on. All of these explanations are random or have their basis in complicated systems. Admittedly these things do cause risk events, but these explanations are rarely the root causes. People, either individually or as a group, are much more frequently the root cause. Additionally, as people are complex, we can also add complexity as a frequent root cause of risk. This creates a disconnect between how we think about risk and what causes risk. Risk is generally not totally random, and likewise risk is generally not complicated. Risk is people and complexity.

Dealing with people and complexity requires a different way of thinking, a different mindset from the complicated calculation of risk metrics. It requires thinking in terms of complexity, empathy, and having a sociological imagination. Admittedly easier said than done, but some risk managers have the ability to think that way. Training risk managers does not solely require mastering mathematics, or learning engineering principles, but also requires mastering people and why people act the way they do in given situations.

There is one final principle to remember about people. You can’t fix stupid, and people (including me, and perhaps especially me) sometimes act stupidly. This is where design kicks in to make the risk system as robust to failure as possible. But it is also why the old risk adage that “the only perfect hedge is in a Japanese Garden” is so true.

 

1 Needless perhaps to say, but a continuation of the five-by-five whys ceased at this point and the discussion went in a different direction. The student is now successfully working in marketing and has a wealth of friends.

2 McGrath, R., Management’s Three Eras: A Brief History, Harvard Business Review, July 2014.
