Douglas W. Hubbard

The Failure of Risk Management


Скачать книгу

regulatory compliance, actions of competitors, workplace safety, getting vendors or customers to share risks, political risks in foreign governments, business recovery from natural catastrophes, or any other uncertainty that could result in a significant loss.

      As the previous definition indicates, risk management activities include the analysis and mitigation of risks as well as establishing the tolerance for risk and managing the resources for doing all of this. All of these components of risk management are important but the reader will notice that this book will spend a lot of time on evaluating methods of risk analysis. So let me offer both a long and short definition of risk analysis at this point.

      DEFINITION OF RISK ANALYSIS

      Long definition: The detailed examination of the components of risk, including the evaluation of the probabilities of various events and their ultimate consequences, with the ultimate goal of informing risk management efforts

      Shorter definition: How you figure out what your risks are (so you can do something about it)

      Now, obviously, if risk analysis methods were flawed, then the risk management would have to be misguided. If the initial analysis of risk is not based on meaningful measures, the risk mitigation methods are bound to address the wrong problems. If risk analysis is a failure, then the best case is that the risk management effort is simply a waste of time and money because decisions are ultimately unimproved. In the worst case, the erroneous conclusions lead the organization down a more dangerous path that it would probably not have otherwise taken. Just consider how flawed risk management may impact an organization or the public in the following situations.

       The approval and prioritization of investments and project portfolios in major US companies

       The level of protections needed for major security threats, including cybersecurity threats, for business and government

       The approval of government programs worth many billions of dollars

       The determination of when additional maintenance is required for old bridges or other infrastructure

       The evaluation of patient risks in health care

       The identification of supply chain risks due to pandemic viruses

       The decision to outsource pharmaceutical production overseas

      Risks in any of these areas, and many more, could reveal themselves only after a major disaster in a business, government program, or even your personal life. Clearly, mismeasurement of these risks would lead to major problems—as has already happened in some cases.

      Because the methods used did not actually measure these risks in a mathematically and scientifically sound manner, management doesn't even have the basis for determining whether a method works. Sometimes, management or vendors rely on surveys to assess the effectiveness of risk analysis, but they are almost always self-assessments by the surveyed organizations. They are not independent, objective measures of success in reducing risks.

      I'm focusing on the analysis component of risk management because, as stated previously, risk management has to be informed in part by risk analysis. And then, how risks are mitigated is informed by the cost of those mitigations and the expected effect those mitigations will have on risks. In other words, even choosing mitigations involves another layer of risk analysis.

      This, in no way, should be interpreted as a conflation of risk analysis with risk management. Yes, I will be addressing issues other than what is strictly the analysis of risk as the problem later in this book. But it should be clear that if this link is weak, then that's where the entire process fails. If risk analysis is broken, it is the first and most fundamental common mode failure of risk management.

      And just as risk analysis is a subset of risk management, those are subsets of decision analysis in general decision-making. Risks are considered alongside opportunities when making decisions, and decision analysis is a quantitative treatment of that topic. Having risk management without being integrated into decision-making in general is like a store that sells only left-handed gloves.

      Now that we have defined risk management, we need to discuss what I mean by the failure of risk management. With some exceptions, it may not be very obvious. And that is part of the problem.

      Second, I used these anecdotes in part to make a point about the limits of anecdotes when it comes to showing the failure or success of risk management. No single event necessarily constitutes a failure of risk management. Nor would a lucky streak of zero disasters have indicated that the risk management was working.

      I think this is a departure from some approaches to the discussion of risk management. I have heard some entertaining speakers talk about various anecdotal misfortunes of companies as evidence that risk management failed. I have to admit, these stories are often fascinating, especially where the circumstances are engaging and the outcome was particularly disastrous. But I think the details of the mortgage crisis, 9/11, rogue traders, Hurricane Katrina, major cyberattacks, or Fukushima feed a kind of morbid curiosity more than they inform about risk management. Perhaps the stories made managers feel a little better about the fact they hadn't (yet) made such a terrible blunder.

      I will continue to use examples like this because that is part of what it takes to help people connect with the concepts. But we need a better measure of the success or failure of risk management than single anecdotes. In most cases regarding risk management, an anecdote should be used only to illustrate a point, not to prove a point.

      1 The effectiveness of risk management itself is almost