I like to keep things simple but there’s a paradox to simplicity – simple is hard. Sometimes, working out what the essentials are and how to do things efficiently isn’t just hard; it can seem like more work than just sticking with the complicated path in the first place.
“That’s been one of my mantras – focus and simplicity. Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.”
Steve Jobs
That’s certainly the case with risk management where we are working with several areas of complexity and difficulty:
- Organizations are complex
- Risk management is complicated
- We are dealing with multiple unknowns
- Change is hard
These would seem like the kinds of things that aren’t just hard to simplify, but things that actually require complexity. How can something simple be useful in this case?
If you are at NASA or running high-frequency trading models then I agree, it’s going to get complicated. However, most people just need a risk management system that’s fast, efficient, and effective.
- Fast in order to deliver results when they’re needed and time is scarce.
- Efficient to make the best use of the (limited) resources available.
- Effective because it provides the decision-makers with the data they need to help the organization achieve its objectives.
Anything slow and complicated will fail each of these tests. Even if you produce a thorough report, it’s often too late or too confusing to use.
Why not start simple?
Rather than a complicated, cumbersome approach, I think most people just need a stripped-down system that delivers results with speed, efficiency, and effectiveness. At the same time, the system still has to adhere to relevant standards and produce useable results for all but the most special edge cases.
I’ve been calling this KISS risk management: getting back to first principles and the basics while trying to keep it stupid simple.
After all, you can always add more complicated processes later on if you need them.
A system and mindset
However, KISS risk management isn’t just a system. Just as importantly, it’s a mindset. Using a KISS approach won’t work if you judge success on the number of words in the final report.
Taking a KISS approach requires you to accept uncertainty, embrace simplification (even if it feels like over-simplification), and understand that you might not be right the first time.
This might come across as sloppy, but it’s not. Instead, it’s about being realistic.
We don’t have unlimited time and resources, and we certainly don’t have all the information we need. Moreover, even if we did, we are trying to peer into the future so we will still get some things wrong.
So KISS is also about being realistic about what risk management can achieve with limited time, limited resources, and limited data while still giving decision-makers what they need.
The exact process and steps will differ depending on your organization, location, and sector. But a simple, lean approach should be something that should benefit any risk manager.
So no matter what your specialty, industry, or level of expertise, please take some time to think about what you can strip away, cut back and simplify. Start taking a KISS approach to your risk management system and you’ll quickly see the investment pay off.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.
Andrew has distilled these experiences down to first principles to develop the KISS Risk Management framework, a straightforward, effective and robust approach to risk management. This aims to make high-quality risk management tools, resources, and training accessible to as many people as possible, particularly those starting out in the field of risk. He has also developed the dcdr.io risk management software platform and several online assessment tools to complement the KISS framework.
Andrew has an MSc in Risk, Crisis and Disaster Management from Leicester Univerity and has written articles for several publications including the RUSI Journal, ASIS Security Manager Managzine and the International Association of Emergency Managers Bulletin.
Email – andrew@andrewsheves.com
Website – https://andrewsheves.com
Software – https://dcdr.io
Linkedin – https://www.linkedin.com/in/sheves/