Toss out traditional risk management thinking

I live in San Jose, which is in Santa Clara County where a number of coronavirus cases have been identified.

My wife’s church has canceled tomorrow’s services as a precaution.

A local bridge center (I am an avid player) has closed down until further notice. One of my bridge partners placed himself in self-quarantine after his wife returned from a cruise where individuals tested positive for the virus. Another bridge player remains in Colorado, hospitalized and recovering after his cruise.

What has this got to do with my perennial rant that traditional risk management, considering only the potential for harm, doesn’t help organizations succeed?

Consider the decisions that people and businesses now have to make. For example:

  • Should an airline cancel all its flights, not only to places like China but also to Seattle? After all, these are ‘hotspots’, and if you are only managing the possibility of infecting your employees or being involved in the spread of the virus, you can best minimize that risk by not flying where passengers might bring it on board.
  • Should a hotel in Seattle close down for the duration, for similar reasons?
  • Should an organization in New York, which today declared a state of emergency because 75 people there have tested positive, tell all of its employees to work at home?
  • If you have an outstanding purchase order for critical materials with a vendor in China or Korea, which is delayed due to temporary measures imposed by the government there, should you cancel it and buy instead from a US vendor at a far greater cost?
  • As the head of sales, should you cancel a visit to a major customer that would involve a long flight, touring their plant, and meeting many people?
  • As an individual, should you go to church or to a flower arrangement class? Should you even go to work or the grocery store?

These are real life decisions, decisions that have to be made by weighing all the things that might happen, not just the potential for harm.

  • Can you afford not to go to work?
  • Can you afford to move to a US vendor instead of one in Asia, not only at a greater cost but also taking on an unproven partner?
  • If you close down part of your business, what does that do to your cash flow? Will you lose customers or even employees?

It’s time to recognize that managing a list of potential harms is not helping the organization make the informed and intelligent decisions necessary for success.

Informed and intelligent decisions depend on the right people having the information they need about where they are and what might happen, and the ability to weigh all the options and their effect on success.

Why do so many still plug traditional thinking about risk management? I asked a professor, formerly at Harvard and now in Lausanne, this question. I should point out that she has been awarded a prestigious prize for her “research into risk management” and has been called a “pioneer in the field of risk management”. Yet she writes books and lectures on traditional ERM: the management of a list of things that might go wrong.

Her answer, which is what I have heard from consultants and other so-called risk thought leaders, is that traditional risk management is what people are familiar with and they think they need. She writes about what people are doing, not what they need to do (her words).

Consider a February 28th post by my good friend, Jim DeLoach. Risk Realities and Enterprise Risk Management in 2020 focuses on a study by Protiviti and the ERM Initiative at North Carolina State University.

Jim is a smart man, but even his magic cannot save the idea that boards and management need to focus on a list of things that might harm the business.

The study identified these as the so-called ‘top risks’ in 2020:

  1. Impact of regulatory change and scrutiny on operational resilience, products and services
  2. Economic conditions impacting growth
  3. Succession challenges; ability to attract and retain top talent
  4. Ability to compete with “born digital” and other competitors
  5. Resistance to change operations
  6. Cyber threats
  7. Privacy/identity management and information security
  8. Organisation’s culture may not sufficiently encourage timely identification and escalation of risk issues
  9. Sustaining customer loyalty and retention
  10. Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees (new in 2020)

Does this list apply to your organization in 2020? Does it apply to any organization in the world, given the trade and economic shocks we are experiencing?

In his post, Jim has a number of questions board members should ask. Think about them. They include:

  • Is our risk management process well-defined, repeatable and understood by stakeholders?
  • Is there a process for identifying emerging risks? Does it allow sufficient time for management to consider response plans to these risks?
  • Does our management dashboard system include robust key risk indicators that enable our leadership team to monitor shifts in risk trends?

At the same time Jim was publishing his article, Alfred Rodas was asking me a question on LinkedIn:

I’m reaching out to you because I hoped you could offer me some suggestions about something. This year, we wanted to try and limit the number of questions we ask senior management from 5-8 questions to 3-4 key questions. Thank you Norman, regards, Alfred

This was my reply:

OK, that’s a good idea. How about these?

  1. When you make important decisions, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

  2. How do you measure your success? As you go through the year, how do you see whether you are on track? How do you assess the likelihood of being successful, considering all the things that might happen?

  3. How do you know whether everybody is taking the right risks, the ones you need taken if you are to be successful?

  4. Does everybody have your enterprise objectives in mind as they run the business and make decisions? Do they know what they are and how their actions and decisions might affect them?

I think these four questions should be asked by board members and top executives as well.

When it comes to coronavirus, the first question becomes:

  1. When you make decisions about coronavirus, what is your process? How do you make sure you consider all the things that might happen, both good and bad?

Then board members and the CEO can ask specific and more detailed questions to probe management’s decisions.

Isn’t it time to stop managing a list of potential harms and instead focus on how we can make more intelligent and informed decisions – including whether and how we respond to issues like the coronavirus?

I welcome your thoughts.

  1. March 7, 2020 at 12:00 PM

    Traditional risk management thinking (and most other risk, threat, prevention, etc.) ignores and fails to address GSDs (Gaps, Silos, and Disconnects) and these common GSDs have been responsible for failed prevention efforts for years. Research and big data analytics reveal these GSDs again and again after nearly every failed prevention effort.

    The easy way to demonstrate to others (and yourself) is this simple exercise… the next time you are in a room with management (or other decision makers), ask your management to look around the room and look for all of the things they can see that are red… tell them to hurry and look for everything red…

    Then after about 10-15 seconds… ask everyone in the room to close their eyes… and then ask everyone to identify all the things they saw in the room that are yellow. (silence)

    One of the biggest problems will become obvious… everyone is looking for the risks, but not looking for GSDs that allow the “risks and threats and red flags and warning signs” to fall through the gaps, silos, and disconnects and escalate on a pathway to something worse because the right information (red flags, warning signs, indicators, etc.) is not getting to the right people/resources who can do the right things at the right times on an ongoing basis.

    Notice any GSDs involving the coronavirus??

    A quick overview of my research and big data analytics can be seen at http://www.Awareity.com/community-timelines

  2. Ammar Ahmed
    March 7, 2020 at 12:08 PM

    Hi Norman, I agree with your emphasis on making informed decisions by all personnel as they are running the operations and making business decisions, rather than having a list of risks and trying to manage them and calling the exercise ‘Risk Management’. However, when you propagate the idea that having the list of risks and trying to manage them is a primitive and bad idea, I tend to disagree with it. This is because the ‘primitive’ risk register acts as a broad checklist to ensure that the risk manager has evaluated all aspects that he/she must check each time he is taking a business decision. Think about a pilot: as soon as he jumps in the cockpit, he has many lists of tasks to perform; without having such a system he might miss some important aspect which may prove fatal later. So I think having a list of risks, with continuous updating of the same at any given moment of time, and having such ‘risk registers’ at each level of business is what is needed in my opinion for effective risk management.

    In conclusion, both aspects need to be considered and used simultaneously, i.e. the continuously changing risk registers at board level as well as tactical and operational level AND focusing to ensure that decisions have been made with the right processes and following pragmatic approaches to ensure that the best probability is created for business objectives/goals to be achieved.

    I hope I made some sense 🙂

    • Norman Marks
      March 7, 2020 at 3:04 PM

      Ammar, I don’t disagree that a list of the things you worry about happening has value. The trouble is that that is all most do. They also don’t know (there is no guidance) how to weigh the potential for good and the potential for harm. For example, you can say that there is a risk in getting in a car with a stranger. But what if you need to take your child to hospital? Would you take that risk?

  3. March 7, 2020 at 12:17 PM

    Norman, I agree that we should focus on how to make intelligent decisions but ‘traditional’ risk management has a role in the anticipation of events. For example, a government should have carried out a risk analysis:

    Objective: to keep citizens healthy
    Risk: Pandemic occurs (influenza, Ebola)
    Management: Information systems in place to recognise when a pandemic starts and monitor its progress; hospitals have quarantine facilities; emergency services simulate outbreak to familiarise themselves with procedures.

    Such management responses (i.e. controls) need to be constantly monitored and updated, depending on the nature of the risk.

    But I would also define the four questions to the board you have suggested above as ‘risk management’:

    Objective: to improve profitability
    Risk: the board pursues projects which do not maximise profitability
    Controls: there is a process of making decisions which identifies the best projects, taking into account the good and bad; realistic forecasts are set, actual progress is monitored against these, and the likelihood of hitting the target is constantly assessed; etc.

    • Norman Marks
      March 7, 2020 at 3:06 PM

      Yes, you can couch the need to take advantage of opportunities as a risk. I also agree that there are controls about recognizing opportunities. But intelligent decisions require knowledge of all the things that might happen, not just the bad things. You also need to know how much to invest in addressing a risk, because of the opportunity cost of every dollar.

      • March 8, 2020 at 1:00 AM

        Agreed – the ‘process for making decisions’ needs to include balancing all potential benefits against all potential threats and ‘scenario analysis’, as noted in a previous blog.

  4. Anonymous
    March 7, 2020 at 2:35 PM

    Norman, I agree completely with you and, by the way, am getting tired of fighting this battle in Brazil. Everybody seems to be stuck in a function-oriented framework: what is a risk manager supposed to do, instead of how people make decisions in a company.

  5. Grant Purdy
    March 7, 2020 at 4:09 PM

    The way we think about protecting ourselves and our organisations against Coronavirus should also cause us to question the now-outdated and complex practices, and faulty rationale of so-called ‘Business Continuity Management’ (BCM). The focus of BCM was on often elaborate arrangements aimed at returning an organisation to its pre-disruption state.

    What preparing for Coronavirus should teach us is that to suffer from an unexpected event or change in circumstances, a person, community or organisation must be vulnerable to the effects of that event or change. While decision makers seldom have any control over the occurrence or magnitude of external events, it is they who either control or create vulnerability to such events.

    Deriving a better understanding of our vulnerability is quite simple and involves asking the two questions (in relation to an event such as the Coronavirus pandemic) of: “To what are we vulnerable?” and “How are we vulnerable?”.

    The second question should always be answered in the context of our Purpose (highest level objectives, if you must) and as an integral part of decision making. We should consider, as part of all decisions:
    • the way in which we or our organisation are vulnerable to the type of variance under consideration (i.e. the mechanisms involved that result in a different outcome than that intended); and
    • the effect of that vulnerability in relation to the intended outcomes of the decision and, more generally, our or our organisation’s Purpose.

    Once the ‘to what’ and ‘how’ of vulnerability has been appreciated, we can make adjustments to that vulnerability if this is necessary to ensure we have sufficient confidence in decision outcomes.

    While Coronavirus seems to many to be only about loss and harm, the occurrence of such disruptions will always create new opportunities. This can come about in one of two ways:
    • the event can change some aspect of the context that had constrained some previous decisions (for example, that all employees need to travel to work in our office each day); or
    • the event may make a change that had become desirable but hitherto not practicable, now possible (by upgrading our communications software and giving employees laptops, people can work from home efficiently, communicate easily and be highly productive).

    We should learn from disruptive events like Coronavirus that in an increasingly dynamic world, a mindset aimed at returning to things as they were might be the very last thing to aspire to. Instead a carpe diem (seize the day) approach offers a better strategy than the more Maginot Line mentality of antiquated approaches such as BCM.

  6. Mike
    March 9, 2020 at 5:25 PM

    Norman, looking at some of your points from a different perspective. How do we change the thought process? What should we be bringing forward that represents latest thinking instead of for example the traditional old “top risks” of 2020 lists?

    • Norman Marks
      March 9, 2020 at 5:54 PM

      Mike, what I do is have leaders focus on optimizing the likelihood and extent of success, measured by the achievement or exceeding of objectives. It works.

  7. Jane Rollin
    March 10, 2020 at 12:42 PM

    Thanks Grant for your comments – it’s really quite stunning how many organisations have failed to grasp what their business continuity arrangements *should* be capable of. There’s quite a gap between having a piece of paper and having robust critical thinking on what an organisation’s ‘work arounds’ might be to deliver what’s most important. I like your two questions – it very much sharpens the mind!

    • Grant Purdy
      March 10, 2020 at 3:43 PM

      Thanks Jane.

      Keeping the language simple really helps decision makers. Yesterday I used these two questions with the management team of a University College and hall of residence to develop a comprehensive strategy for the prevention of and protection from Coronavirus (COVID-19). The exercise took under 2 hours to produce a succinct action list and a one page description of all the strategies to be deployed.

      In addition to the two questions above, I also asked:
      – How can we change our vulnerability?
      – What should we do now?

      No risk registers, rating matrices, appetite statements, three letter acronyms or other artefacts of the belief systems called ‘risk management’ or ‘business continuity management’ were deployed in this exercise.

      As a consequence, the decision makers were not in any way confused and left the meeting clearly understanding and ‘owning’ the decisions they had made, and a clear appreciation of the assumptions on what these had been based. They had considered options and had made decisions which they were sufficiently certain would lead to the outcomes they desire.

      Yesterday afternoon the management team set to: putting in place the contingent arrangements and obtaining the contingent supplies we had agreed.

      • Norman Marks
        March 10, 2020 at 6:24 PM

        Well done, Grant. Leading by words and example

  8. Peter Dyer
    May 18, 2020 at 8:52 PM

    This is a great discussion. For me it also highlights the imperative that remains… our actions must be driven by data. The current situation clearly makes us assess our vulnerability.
    Our success will be defined by how we address this with measurable actions. Execution at pace.
