Risk management is not compliance; however, compliance can serve as a basis for the management of risks. A risk management program that overlooks compliance or underplays the significance of being in compliance puts the enterprise at risk. That said, risks and the managing of risk is not directly related to compliance; rather risk management is related to ensuring that the organization’s strategy, goals and objectives are achieved by buffering risk from being realized.
ARE YOU DRIVING THE CAR WHILE LOOKING IN THE REARVIEW MIRROR?
Many risk management practitioners are not able to recognize risk until it has been realized, hopefully by another organization. Much will be said about this statement I am sure. But let’s face it; we are generally not able to recognize risks until they are responding to an event. Our ability to forecast the probability of occurrence is just as dismal. Hence, the sightings of so many ‘Black Swans’ based on wishful thinking and misinterpretation of information (see my article: Black Swans or Just Wishful Thinking and Misinterpretation? (www.ContinuityCentral.com).
Unfortunately the problem is not that risk managers are simply mediocre at what they do. The problem is that business leaders trust them to manage risks – those that are recognized and those that are yet to be recognized. It is one thing to be wrong; it is quite another to be consistently and confidently wrong.
Risk modeling, determining probabilities (math algorithms), scenario gaming and compliance all have limitations that most fail to understand. Models are dependent on theories as to how risks are supposed to manifest themselves. Probabilities are measurements or estimations of likelihood of occurrence of an event. Scenario gaming is a simulation exercise used to play out a set of events, the evolution of a market, or some situation in advance of the actual events occurring. A fundamental concept behind war gaming is that the dynamic aspect of business is often hard to describe. Compliance is an after-the-fact exercise in reaction to the last catastrophe.
TYPES OF DATA
We tend to focus our attention on compliance, which is essentially like driving a car forward while looking at the rearview mirror. This causes us to focus on the wrong things – i.e.; solving the wrong problem precisely. This is often due to a reliance on incomplete data that is generally subject to revision (sometimes massive revision). If we think about risk and risk data or information we see that it falls into three categories:
- Lagging Data: The road behind, where you have been, etc. Compliance is a classic example of lagging data applied to current situations.
- Concurrent or Coincident Data: Real Time, present situation, where you are right now; a constantly changing mosaic of information and noise that requires active analysis and constant monitoring to buffer risks.
- Leading Data or Indicators: The road ahead, future possibilities; it’s recognizing the potential consequences of an event to the enterprise and its touch points. Think competitive intelligence here.
UNCERTAINTY
Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics and interdependencies. Abundant stochastic variation in risk parameters further exacerbates the ability to clearly assess uncertainties.
Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.
Such uncertainty underpins the arguments both of those exploiting risk, who demand evidence that exploitation causes harm before accepting limitations, and those avoiding risk, who seek to limit risk realization in the absence of clear indications of sustainability.
Events are nonlinear and therefore carry uncertain outcomes. Rare events and the evolution of rare events; their randomness, shapeshifting fluctuations and how reactive response underestimates the true consequences of rare events add opacity to risk management and cannot be overcome by compliance. Opacity is the quality of being difficult to understand or explain; i.e. risk whereas compliance is fairly straightforward and prescriptive; i.e. regulations.
RISK IS IN THE FUTURE NOT THE PAST
During the cold war between the United States of America and the former Soviet Union, there were thousands of nuclear warheads targeted at the antagonists and their allies. T he result, the concept of mutually assured destruction was created. The term was used to convey the idea that neither side could win an all-out war; both sides would destroy each other. The risks were high; there was a constant effort to ensure that ‘Noise’ was not mistaken for ‘Signal’ triggering an escalation of fear that could lead to a reactive response and devastation.
Those tense times have largely subsided, however, we now find ourselves in the midst of global competition and the need to ensure effective resilience in the face of uncertainty.
NEW RISK PARADIGM
We are faced with a new Risk Paradigm: Efficient or Effective? Efficiency is making us rigid in our thinking; we mistake being efficient for being effective. Efficiency can lead to action for the sake of accomplishment with no visible end in mind. We often respond very efficiently to the symptoms rather than the overriding issues that result in our next crisis. Uncertainty in a certainty seeking world offers surprises to many and, to a very select few, confirmation of the need for optionality.
It’s all about targeted flexibility, the art of being prepared, rather than preparing for specific events. Being able to respond rather than being able to forecast, facilitates early warning and proactive response to unknown Uknowns. I think that Jeffrey Cooper offers some perspective: “The problem of the Wrong Puzzle. You rarely find what you are not looking for, and you usually do find what you are looking for.” In many cases the result is irrelevant information.
Horst Rittel and Melvin Webber would define this as a Systemic Operational Design (SOD) problem – a ‘wicked problem’ that is a social problem that is difficult and confusing versus a ‘tame problem’ not trivial, but sufficiently understood that it lends itself to established methods and solutions. I think that we have a ‘wicked problem.’
Gresham’s Law of Advice comes to mind: “Bad advice drives out good advice precisely because it offers certainty where reality holds none.”
The questions that must be asked should form a hypothesis that can direct efforts at analysis. We currently have a ‘threat’ but it is a very ill defined ‘threat’ that leads to potentially flawed threat assessment; leading to the expending of effort (manpower), money and equipment resources that might be better employed elsewhere. It is a complicated problem that requires a lot of knowledge to solve and it also requires a social change regarding acceptability.
Experience is a great teacher it is said. However, experience may date you to the point of insignificance. Experience is static. You need to ask the question, “What is the relevance of the experience to your situation now?”
Bio:
Geary Sikich – Entrepreneur, consultant, author and business lecturer
Contact Information: E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com. Telephone: 1- 219-922-7718.
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary’s focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities.
Geary began his career as an officer in the U.S. Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.
REFERENCES
Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, (1998).
Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3
Klein, Gary, “Sources of Power: How People Make Decisions,” 1998, MIT Press, ISBN 13 978-0-262-11227-7
Mauldin, John and Tepper, Jonathan, “Code Red” John Wiley & Sons, Inc. 2014, ISBN-978-1-118-78372-6
Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
Sikich, Geary W., “Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty,” PennWell Publishing, 2003
Tainter, Joseph, “The Collapse of Complex Societies,” Cambridge University Press (March 30, 1990), ISBN-10: 052138673X, ISBN-13: 978- 0521386739
Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2007, Random House – ISBN 978-1-4000-6351-2
Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5
Taleb, Nicholas Nassim, Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets, 2005, Updated edition (October 14, 2008) Random House – ISBN-13: 978-1400067930
Taleb, N.N., “Common Errors in Interpreting the Ideas of The Black Swan and Associated Papers;” NYU Poly Institute October 18, 2009
Taleb, Nicholas Nassim, “Antifragile: Things that gain from disorder,” 2012, Random House – ISBN 978-1-4000-6782-4