At work I have been given the task of implementing a risk management strategy for an IT department. The problem is that I am not convinced that Risk Management adds much value to organizations. To be clear, I am all for pondering and evaluating risks when making decisions. After all, if you are currently an adult, you are likely an expert on Risk Management having survived your childhood or possibly that first year of college (just saying).
Gun Shy of Risk Management
My point is that I am not a huge fan of the Risk Management process. I have worked for a few organizations in which Risk Management became a bit of a fad and organizational resources were poured into a very comprehensive list of risks. The list was a fascinating read, and many entries could have been the basis for either a cheap thriller or a space-cowboy science fiction book. Generally though, these lists were either a compendium of obvious things already covered by a few good operational plans, or a comprehensive list of things that in all likelihood would never come to pass.
Once these telephone-book-esque lists of risks were compiled, they were dumped on some poor unsuspecting line manager. Called the risk owner, this poor sod now had to develop a treatise on how he or she would react to a cornucopia of risks. The smart manager would generally set the telephone book of risks to one side and get on with their day job… hoping the Risk Management fad had passed before they were asked for their response.
Of course auditors love risk management. If auditors can’t find something juicy in the operations of an organization, they know they can always get an observation or recommendation by criticizing the risk management process. This is because no list of risks is ever complete; there can always be one more entry added. The auditor can also examine the events that affected the organization over the past year. In all likelihood some untoward event that occurred was not precisely described in the telephone book. At this point the auditor shouts with glee: ‘AH-HA, your risk management process is flawed, pour more resources into it so I can make more observations next year! BRUHAHAH… cough, sputter…’
Why is Risk Management so Hard?
Okay, I am being a bit harsh on auditors (some of my best friends are recovering auditors). So why is risk management so hard, and why does it add so little value? I have a few thoughts on why risk lists tend to be enumerations of things that will never occur:
- Identification is Mitigation:
- Simply identifying a risk can help to mitigate it.
- In economics this is known as the efficient information model: the organization has internalized and corrected for the risk. Good Risk Management in action!
- Example: weak cash handling is identified as a risk, internal controls are beefed up, and theft or fraud is no longer a likely risk.
- Easter Egg Effect
- This effect states that if you tell a person there are ‘X’ things to find, they will stop looking once they have found that number.
- In the same way, an organization may look at an ever-growing list of risks and at some point say ‘that is good enough’.
- As a result, an organization may end up with a beefy telephone book of risks that have a low likelihood of occurrence or poor predictive power.
- Post-Diction Focus:
- Nassim Nicholas Taleb [see the further reading section below] introduced the concept of ‘post-diction’, a play on the concept of prediction.
- Our apparent ability to have predicted an event improves markedly after the event has occurred. Post-diction is the retrospective certainty that an individual or organization did in fact PREDICT something.
- This gives the organization the impression that it has better predictive powers than it really does.
- The Past as a Guide to the Future:
- While one does not want to be doomed to repeat past mistakes by ignoring history, the reality is that the past has only limited predictive power.
- Certainly there are themes from the past that are enduring and can be used in the future, for example:
- Given the opportunity, even the most honest person may be tempted to steal if they believe the chances of being caught are nominal.
- If you have an online presence, your organization will eventually be hacked, hit by ransomware, or be the victim of a denial-of-service attack.
- Social Blindness:
- Risk identification can be politically or socially driven or influenced.
- Thus a risk may be ignored because of an organizational desire to align with social norms.
- In early September 2001, an organization renting real estate in the New York World Trade Center would have been disinclined to list a catastrophic attack by Islamic extremists as a potential risk, so as not to be accused of Islamophobia.
- Black Swan Events
- Returning to Taleb, the risks that will have the greatest impact on your organization are by definition unpredictable.
- Called Black Swans, these are significant events, positive or negative, that create enormous upheaval in an ecosystem. Think of a comet striking the earth or the 2008 financial meltdown.
- “Events that are extreme, unknown and very improbable (according to our current knowledge)”; adapted from p. xxvii, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007.
Can Risk Management Be Value Added?
In general, can Risk Management add value? Absolutely. Evaluating risk is an inherent human trait; we are constantly calculating and estimating risk to our advantage, and the fact that we are here at all shows its evolutionary success.
However, for organizations, I am proposing a strategy called ‘Anti-Fragile Risk Management’ or ARM. This concept builds on the ideas in my 2016 article, Anti-fragile Strategic Planning, and on ISO 31000, Risk Management.
Further Reading
- Anti-fragile Strategic Planning, FMI Journal, January 2016; Frank Potter.
- Managing Risks: A New Framework, HBR, June 2012; Robert S. Kaplan, Anette Mikes.
- The Black Swan: The Impact of the Highly Improbable, 2007; Nassim Nicholas Taleb.