I’ve always had a problem with ‘risk management’. It just seems so self-deluding and so manifestly untrue, judging by what I observe. More commonly, risk is either a problem you failed to anticipate or a lucky escape. It isn’t something I see much evidence of being managed. Risk is the uncertain, unknowable future. When taking risks there is much you can do to prepare for an outcome that goes the wrong way, but that’s just scenario planning. ‘Risk management’ hints at a power to control the future that is simply not there.
Part of the problem is the small industry that has grown up around risk management and the time taken up by Boards reviewing the risk matrices produced. It hasn’t made us any better at preventing things going wrong, or revealed things we didn’t already know, or made us quicker at reacting to unforeseen problems. You therefore have to question the value of risk management as an activity. Ask yourself what would happen if we just stopped it – completely.
Run this thought experiment and quite quickly you realise where the value of risk management lies. Its main purpose is a communications tool. It gives a language for management to use when speaking to investors, regulatory authorities, and internal governance committees such as audit boards. It’s an opportunity to say ‘These are the problems we face in our business at the moment, and this is what we’re doing about it’. This is interesting. It’s interesting what management say as much as what they don’t say. Both pieces of information are valuable but a lot of time could be saved by finding a better way than a risk register to communicate how management are tackling problems in their business.
The most powerful mitigating action available to a Board to manage risk is to employ competent managers. And most scenario plans should envisage sacking managers if they prove incompetent. Instead of agonising over risk registers, a better use of audit boards’ time might be spent reviewing the performance of the executive team.
The other reason I distrust risk management is when it is promoted as a tool of strategy. This sounds a lot like risk managers bigging up their role to me. Yes, a serious discussion of risk management is a serious discussion about strategy. My complaint is that using the language of risks (ie likelihood of outcome and magnitude of impact) is a cumbersome approach to such a discussion. There are better alternatives.
You have to love Donald Rumsfield for giving us the language of ‘known unknowns’ and ‘unknown unknowns’. It manages both to sound incomprehensible and be right. It turns out Donald Rumsfield had a very particular approach to planning and risks which has largely been discredited by the second Gulf War but he put his finger on exactly the problem with risk management. We don’t know what we don’t know. There will always be surprises. How you prepare to be surprised and how you react when surprised, this is a far more valuable management skill than communicating problems. If risk management techniques had something to offer in this field then I’d be a disciple.
Indeed there is a way to be prepared for surprises. It’s called scenario planning. We have to make guesses about the future, but before acting upon them we should know what we would do should our guesses prove hopelessly optimistic or we’re blind-sided by unexpected events or competitor action. We should expect things to go wrong. Having a plan in the top drawer is the best way to manage the risk that they do.