Douglas W. Hubbard - The Failure of Risk Management

Now, let us discuss the second half of the phrase risk management . Again, as with risk, I find multiple, wordy definitions for management, but here is one that seems to represent and combine many good sources.

Long definition: The planning, organization, coordination, control, and direction of resources toward defined objective(s)

Shorter, folksier definition: Using what you have to get what you need

There are a couple of qualifications that, although they should be extremely obvious, are worth mentioning when we put risk and management together. Of course, when an executive wants to manage risks, he or she actually wishes to reduce it or at least make sure it is acceptable in pursuit of better opportunities. And because the current amount of risk and its sources are not immediately apparent, an important part of reducing or minimizing risks is figuring out where the risks are. Similar to any other management program, risk management has to make effective use of limited resources. Of course, we must accept that risk is inherent in business and risk reduction is practical only up to a point. Putting all of that together, here is a definition (again, not too different in spirit from the myriad definitions found in other sources).

Long definition: The identification, analysis, and prioritization of risks followed by coordinated and economical application of resources to reduce, monitor, and control the probability and/or impact of unfortunate events

Shorter definition: Being smart about taking chances

Risk management methods come in many forms, but the ultimate goal is to minimize risk in some area of the firm relative to the opportunities being sought, given resource constraints. Some of the names of these efforts have become terms of art in virtually all of business. A popular (and, I think, laudable) trend is to put the word enterprise in front of risk management to indicate that it is a comprehensive approach to risk for the firm. Enterprise risk management (ERM) is one of the headings under which many of the trends in risk management appear. I'll call ERM a type of risk management program, because this is often the banner under which risk management is known. I will also distinguish programs from actual methods because ERM could be implemented with entirely different methods, either soft or quantitative.

The following are just a few examples of various programs related to managing different kinds of risks ( Note: Some of these can be components of others and the same program can contain a variety of different methods):

Enterprise risk management (ERM)

Project portfolio management (PPM) or Project risk management (PRM)

Portfolio management (as in financial investments)

Disaster recovery and business continuity planning (DR/BCP)

Governance risk and compliance (GRC)

Emergency/crisis management processes

The types of risks managed, just to name a few, include physical security, product liability, information security, various forms of insurance, investment volatility, regulatory compliance, actions of competitors, workplace safety, getting vendors or customers to share risks, political risks in foreign governments, business recovery from natural catastrophes, or any other uncertainty that could result in a significant loss.

As the previous definition indicates, risk management activities include the analysis and mitigation of risks as well as establishing the tolerance for risk and managing the resources for doing all of this. All of these components of risk management are important but the reader will notice that this book will spend a lot of time on evaluating methods of risk analysis . So let me offer both a long and short definition of risk analysis at this point.

Long definition: The detailed examination of the components of risk, including the evaluation of the probabilities of various events and their ultimate consequences, with the ultimate goal of informing risk management efforts

Shorter definition: How you figure out what your risks are (so you can do something about it)

Note that some risk managers will make a distinction between risk analysis and risk assessment or may use them synonymously. If they are used separately, it is often because the identification of risk is considered separate from the analysis of those risks and together they comprise risk assessment. Personally, I find the analysis and identification of risks to be an iterative, back-and-forth process without a clear border between them. That is, we start with some identification of risk but on analyzing them, we identify more risks. So I may use the terms analysis and assessment a bit more interchangeably.

Now, obviously, if risk analysis methods were flawed, then the risk management would have to be misguided. If the initial analysis of risk is not based on meaningful measures, the risk mitigation methods are bound to address the wrong problems. If risk analysis is a failure, then the best case is that the risk management effort is simply a waste of time and money because decisions are ultimately unimproved. In the worst case, the erroneous conclusions lead the organization down a more dangerous path that it would probably not have otherwise taken. Just consider how flawed risk management may impact an organization or the public in the following situations.

The approval and prioritization of investments and project portfolios in major US companies

The level of protections needed for major security threats, including cybersecurity threats, for business and government

The approval of government programs worth many billions of dollars

The determination of when additional maintenance is required for old bridges or other infrastructure

The evaluation of patient risks in health care

The identification of supply chain risks due to pandemic viruses

The decision to outsource pharmaceutical production overseas

Risks in any of these areas, and many more, could reveal themselves only after a major disaster in a business, government program, or even your personal life. Clearly, mismeasurement of these risks would lead to major problems—as has already happened in some cases.

The specific method used to assess these risks may have been sold as “formal and structured” and perhaps it was even claimed to be “proven.” Surveys of organizations even show a significant percentage of managers who will say the risk management program was “successful” (more on this to come). Perhaps success was claimed for the reason that it helped to “build consensus,” “communicate risks,” or “change the culture.”

Because the methods used did not actually measure these risks in a mathematically and scientifically sound manner, management doesn't even have the basis for determining whether a method works. Sometimes, management or vendors rely on surveys to assess the effectiveness of risk analysis, but they are almost always self-assessments by the surveyed organizations. They are not independent, objective measures of success in reducing risks.

I'm focusing on the analysis component of risk management because, as stated previously, risk management has to be informed in part by risk analysis. And then, how risks are mitigated is informed by the cost of those mitigations and the expected effect those mitigations will have on risks. In other words, even choosing mitigations involves another layer of risk analysis.

This, in no way, should be interpreted as a conflation of risk analysis with risk management . Yes, I will be addressing issues other than what is strictly the analysis of risk as the problem later in this book. But it should be clear that if this link is weak, then that's where the entire process fails. If risk analysis is broken, it is the first and most fundamental common mode failure of risk management.