Another Book on Risk Management!
Did you just groan at the thought of opening another book on risk management? Like election cycles, media talk about celebrity hairdos and cute cat videos trending on social media; perhaps, the least interesting thing might be another book on risk management. However, you got past the first two sentences, so possibly you believe there is something still needed in risk management thinking that is keeping you going.
Risk management has always been a part of business, as it should be. However, it appears that the limelight on risk management seems to go in cycles—and always at the most inappropriate times. By this, I mean that the attention on risk management always occurs after an assumed failure of risk management. In other words, the attention on risk management is always ramped up after there has been some sort of crisis. A financial crisis occurs—risk management (and associated regulation) comes into the news cycle as soon as the dust has settled. A natural disaster occurs—risk management (and associated regulation) comes into the news cycle as soon as the dust has settled. A terrorist attack at a public facility—risk management (and associated regulation) comes into the news cycle as soon as the dust has settled. An industrial accident—well you get the picture.
The unfortunate aspect of risk management is that it predictably comes to the fore after some form of bad thing has happened. In some sense, risk management has kind of become the undertaker of business. If a death has occurred, the undertaker appears; if a crisis has appeared, the risk manager appears, (and their sidekick a regulator with a new process to prevent a reoccurrence). Although surveys show that dentists tend to be the professionals who commit suicide with the greatest frequency, I suspect that risk managers must not be too far behind. After all, who wants to be known only as the person who both cleans up after a mess and takes the blame for allowing the mess to occur in the first place? Not a cheery perspective to take.
To me, this seems the wrong way to think about risk management, and thus, the reason for writing this book. I believe that risk management is a very valuable and necessary task that every business needs to focus on in some way, but the focus has, for the most part, been all wrong, and frequently counterproductive, or at least inefficient.
In all value-creating tasks, there is a need to periodically revaluate assumptions—those that are both implicit as well as explicit—and ask questions about whether there is a better way forward, or perhaps even a paradigm shifting way to do things differently and better. I believe that this is a good time to do so for risk management. Risk management (and its associated regulation) is choking business and nonprofits with little discernible benefit. Few companies or organizations are calculating the cost to benefit analysis, both because they do not know how to do the calculation, and because they subconsciously realize that they do not want to know the answer. Perhaps more worryingly, most companies and risk managers are following “best risk practices” without ever questioning why. The risk management profession in many instances is making the mythical conforming lemmings look like a herd of feral cats. (Perhaps, the phrase “best practice” is the most evil phrase in business or at least in risk management.)
This book is centered on a series of questions whose purpose is to re-examine some of the underlying assumptions behind much of modern risk management. Furthermore, these questions form the basis of examining other ways forward for risk management. Even if one accepts the dubious assumption that risk management is not broken, there will still be value gained from such an examination, if it sparks ideas for improvement.
Chapter 1 begins with a very simple, very fundamental, but also a very critical question—what is risk? Perhaps, the question is trivial, but in workshops I have conducted, I get a wide variety of responses, and often, a passionate debate will break out among the participants. Apparently, the answer to the simple question of “what is risk?” is not so simple. Of course, this leads to a follow-up question of what is risk management? Another simple question that proves to have a not-so-simple answer—or at least not simple when you hear managers try to explain what risk management is. The physicist Richard Feynman supposedly once claimed that if you cannot explain what you do to someone in grade six, then you do not know what you are talking about. How much of risk management can be explained to a preteenager in grade six much less the managers or even the board of directors of an organization?
It is often only by going back to first principles, or a clean sheet of paper, that one can again make things simple again, and provide the clarity that is needed to develop more productive and effective paths forward. Asking two simple questions of what risk is and what risk management is helps to start us off on that process.
How often does someone in your organization question the reasoning behind a certain process? I suspect it is quite often, but they keep their questions to themselves without taking the risk of openly questioning and potentially exposing their lack of knowledge. Perhaps, you are one of those doing the silent questioning. Generally, if someone actually does verbalize the question, rather than leaving it unspoken, there is frequently no response other than “We’ve always done it this way.” Not a very satisfying response! Progress is not based on always and unquestioningly doing things the way they have always been done. Sometimes, processes are based on assumptions that turn out to be false upon close examination. However, without questioning these assumptions or axioms, the situation will never improve, unless by some fortuitous accident, which is not a high-probability strategy. It becomes very easy to lose the plot of what the main objective is without an occasional pause to ask what the end goal is, and what the best path to get there is. Chapter 2 openly questions whether or not we have lost the plot for risk management and the role of making assumptions about false risk axioms has in this.
Chapter 3 starts a discussion about the emerging (no pun intended) science of complexity. In common language we often commingle the words complex and complicated, but to a systems scientist, the two words and their associated systems have very different meanings. Along with a difference in meaning is a difference in how each comes about. Furthermore, there are dramatic and often counterintuitive methods for dealing with each. Things that are complex are most definitely not complicated, and more so, they must be managed in a very different manner. I believe that complicated thinking, when complexity thinking is called for, is the biggest mistake, the most common mistake, and the most serious flaw in most of risk management as it is currently practiced. The problem is that almost all conventional responses in risk management are based on flawed complicated thinking. Chapter 3 challenges this line of thinking and presents a radically different way of thinking about most risk management situations.
I am assuming that seeing as you were intelligent and conscientious enough to buy this book that you are never a source of risk in your organization or even in your personal life. You are not the source of risk, but something is—and what is that something? In other words, where does risk come from? Is risk just random, does risk come from the Gods, does risk only occur when processes are not followed? If you do not know where something comes from, how are you going to stop it or change its path or even exploit it? Chapter 4 has the nerve to ask the question of where risk comes from. The answer to the question (which of course will be different for different organizations) then guides the development of an appropriate response to risk, rather than developing a response and hoping it is suitable for the issue at hand. (By the way, hope is neither a very prudent nor a very mature risk strategy.)
Are risk frameworks evil? Chapter 5 critically examines the role that risk frameworks play in preventing risk management from achieving its potential. Risk frameworks seem to be the rage among risk consultants, those who engage risk consultants, and those consultants who are actively engaged in risk management societies. However, are risk frameworks useful for anyone besides consultants? Frameworks definitely have their place, but that place needs to be well defined and constrained. Utilizing a framework without thinking about the consequences—both positive and negative—is simply not smart risk management.
Is your risk management function a cost center or a profit center? Does your risk management function add value to your organization? If so, how much value? Is risk management part of the strategy or a series of processes to ensure that the strategy stays on track? Do risk managers get compensated on value added or on the prevention of losses? After covering the various definitions of risk presented in Chapter 1, it will be seen that the answers to this question come directly from how the risk management function is viewed. In most organizations that I work with, risk management is most frequently seen as the “Department of No!”; the high-profile function with the support of the board that puts the brakes on good ideas. Changing the focus to a value-creation center; the “Center of How to Do Things Better” makes a huge difference. How to bring about this change is the topic of Chapter 6—Does Risk Management Add Value.
Chapter 7 starts with the story of Tomas Lopez, a young lifeguard who had the audacity to willfully flaunt and ignore the rules of his position and actually save someone who was swimming outside of the designated swimming area. The question for Chapter 7 is whether risk management should be process-based or judgment-based. As risk management becomes more of a specialty, the prevalent thinking is that it is too complicated for the unwashed nonspecialist to manage, and thus, it must be made as idiot-proof as possible; thus, the rise of regulations and processes and the demise of allowing the people who actually do the work to use judgment. While processes certainly have their role, just like a Shakespearean actor, their role has a specific place and a specific time to appear on stage.
Risk management, along with every other important organizational function, does not exist in isolation. All the functions of an organization exist within the context of an organizational culture. Chapter 8 examines the question of how one goes about creating an effective risk culture. Culture is something like the weather; something that a lot of people spend a lot of time talking about, but alas, something that they seem to be helpless to affect. While I do not know if there are any magic steps to creating an optimal culture, there are certainly some steps to take that help avoid a poisonous environment.
Risk homeostasis is not a term that rolls off the tongue of many risk managers (nor their associated regulators), but it is an important phenomenon that keeps rearing its insidious head time and time again. Risk homeostasis is the answer to the question of Chapter 9—Can Your Risk System Be Too Good. In a nutshell, risk homeostasis is when risk management actually creates more risk due to the presence of a strong risk management infrastructure. In essence, in the act of being so careful about avoiding risk, you actually create a set of riskier outcomes. A bit of irony that is not at all funny.
This book concludes with a look at some future scenarios for risk management. Predicting the future is fun to do, although not all that useful as Orgel’s law teaches us that “evolution is smarter than we are.” Creatively thinking about the future does, however, allow us to profit from what I like to think of as the first law of risk management; the mere fact that you acknowledge that a risk exists allows one to automatically increasing the probability and the magnitude of it occurring if it is a good risk while simultaneously decreasing the probability and severity of it if it is a bad risk.
As I write this, I am listening to a news report of an assumed shooting with LAX airport. The reports of a shooter fortunately turned out to be false, but that did not mean that there wasn’t a scene of chaos as passengers ran for their lives and authorities tried to clear the airport. What was interesting, however, was one of the many terrified passengers who were interviewed by the media. One such passenger was asked, “Did you hear gunshots?,” and his response was “No?” The natural follow-up question that was asked was “Then, why were you running?,” and the response was “Because everyone else was!” Now I am not suggesting that if you see a pack of people running for their lives that you should refrain from following suit, but it appears that a mass panic ensued for no apparent reason. In a similar fashion, that seems to be the situation in risk management as well. We calculate the same risk metrics and employ the same risk tactics as everyone else, solely in large part because that is what everyone else is doing.
The follow-the-crowd strategy for risk management has several obvious flaws. The first is that one-size-for-all risk management is not likely to be optimal. Different companies have different types of operations and different tolerances and preferences for risk. They also have different abilities to deal with and manage risk. It is like going into a clothing store and simply buying the most popular outfit in the most popular size. While this might be a suitable tactic to allow one to “fit-in” when they are in junior high school, it is obviously a foolish and childish thing to do once one has reached a certain age of maturity and emotional intelligence.
A second and more serious issue with the follow-the-crowd strategy is that it is a brain-dead tactic that does not encourage thinking, learning, or intelligent analysis. How is one to discover new paths if one simply follows the crowd? How is one to learn and develop additional skills if letting the crowd carry you away is the main operational method?
Into this atmosphere, the academic and the training industry are producing more highly and rigorously trained risk managers than ever before. The number of professionals with a risk management certification has risen significantly over the last decade, while the number of academic programs with risk management in their title is also growing rapidly. Clearly, there is a demand (and a supply) for participating in some form of formal risk management training. Managers (and prospective managers) obviously want a roadmap so as to know how to follow the crowd.
The demand for risk management training raises an interesting question of whether risk managers can be developed. In other words, is risk management an innate skill or is risk management a well-defined process that can be trained?
With all of this attention on risk management, it behooves one to ask the question of organizational leaders if they believe that their organizations are getting better at risk management. To paraphrase Ronald Regan’s election-winning phrase from 1980, “Are you better off than you were 10 years ago in terms of your risk management?” What would you answer for your organization? Hopefully, that was not too sobering of a thought.
If your current risk management paradigms are not doing it for you, what do you have to lose by trying something different? After all, there is the well-known and prudent rule of if you find yourself in a hole, the first thing you should do is to stop digging.
This book is based on three fundamental tenets: (1) that risk management is a vital task for developing competitive advantage, (2) having knowledge, but more importantly skill and intuition in risk management is key for advancing one’s career, particularly in light on the onslaught of the robots and computers that are replacing both blue-collar and white-collar jobs, and (3) there is a need to take a fresh look at risk management by questioning some old assumed axioms and asking some fresh questions.
I hope you have as much fun in reading this book as I had writing it.