A weak risk management approach is effectively the biggest risk in the organization.
The financial crisis occurring while I wrote the first edition of this book was another example of a common mode failure that traces its way back to the failure of risk management at firms such as AIG, Lehman Brothers, and Bear Stearns, and at the federal agencies appointed to oversee them. Previously loose credit practices and overly leveraged positions combined with an economic downturn to create a cascade of loan defaults, tightening credit among institutions, and further economic downturns. Poor risk management methods are used in government and business to make decisions that not only guide risk decisions involving billions—or trillions—of dollars but also affect decisions that bear on human health and safety.
Fortunately, the cost to fix the problem is almost always a fraction of a percent of the size of what is being risked. For example, a more realistic evaluation of risks in a large IT portfolio worth over a hundred million dollars would not have to cost more than a million—probably a lot less. Unfortunately, the adoption of a more rigorous and scientific management of risk is still not widespread. And for major risks, such as those in the previous list, that is a big problem for corporate profits, the economy, public safety, national security, and you.
A NASA scientist once told me the way that NASA reacts to risk events. If she were driving to work, veered off the road and ran into a tree, NASA management would develop a class to teach everyone how not to run into that specific tree. In a way, that's how most organizations deal with risk events. They may fix that immediate cause but not address whether the original risk analysis allowed that entire category of flaws to happen in the first place.
KEY DEFINITIONS: RISK MANAGEMENT AND SOME RELATED TERMS
There are numerous topics under the broad term risk management, but the term is often used in a much narrower sense than it should be. This is because risk is used too narrowly, management is used too narrowly, or both. We also need to discuss a few other key terms that will come up a lot and how they fit together with risk management, especially the terms risk assessment, risk analysis, and decision analysis.
If you start looking for definitions of risk, you will find many wordings that add up to the same thing and a few versions that are fundamentally different. For now, I'll skirt some of the deeper philosophical issues about what risk means (yes, there are some, but that will come later) and I'll avoid some of the definitions that seem to be unique to specialized uses. Chapter 6 is devoted to why the definition I am going to propose is preferable to various mutually exclusive alternatives that each have proponents who assume their definition is the “one true” definition.
For now, I'll focus on a definition that, although it contradicts some uses of the term, best represents the one used by well-established, mathematical treatments of the term (e.g., actuarial science), as well as any English dictionary or even how the lay public uses the term.
DEFINITION OF RISK
Long definition: A potential loss, disaster, or other undesirable event measured with probabilities assigned to losses of various magnitudes
Shorter (equivalent) definition: The possibility that something bad could happen
The second definition is more to the point, but the first definition describes a way to quantify a risk. First, we determine a probability that the undesirable event will occur. Then, we need to determine the magnitude of the loss from this event in terms of financial losses, lives lost, and so on.
The undesirable event could be just about anything, including natural disasters, a major product recall, the default of a major debtor, hackers releasing sensitive customer data, political instability surrounding a foreign office, workplace accidents resulting in injuries, or a pandemic flu virus disrupting supply chains. It could also mean personal misfortunes, such as a car accident on the way to work, loss of a job, a heart attack, and so on. Almost anything that could go wrong is a risk.
Because risk management generally applies to a management process in an organization, I'll focus a bit less on personal risks. Of course, my chance of having a heart attack is an important personal risk to assess and I certainly try to manage that risk. But when I'm talking about the failure of risk management—as the title of this book indicates—I'm not really focusing on whether individuals couldn't do a better job of managing personal risks like losing weight to avoid heart attacks. I'm referring to major organizations that have adopted what is ostensibly some sort of formal risk management approach that they use to make critical business and public policy decisions.
Now, let us discuss the second half of the phrase risk management. Again, as with risk, I find multiple, wordy definitions for management, but here is one that seems to represent and combine many good sources.
DEFINITION OF MANAGEMENT
Long definition: The planning, organization, coordination, control, and direction of resources toward defined objective(s)
Shorter, folksier definition: Using what you have to get what you need
There are a couple of qualifications that, although they should be extremely obvious, are worth mentioning when we put risk and management together. Of course, when an executive wants to manage risks, he or she actually wishes to reduce them, or at least make sure they are acceptable in pursuit of better opportunities. And because the current amount of risk and its sources are not immediately apparent, an important part of reducing or minimizing risks is figuring out where the risks are. Similar to any other management program, risk management has to make effective use of limited resources. Of course, we must accept that risk is inherent in business and that risk reduction is practical only up to a point. Putting all of that together, here is a definition (again, not too different in spirit from the myriad definitions found in other sources).
DEFINITION OF RISK MANAGEMENT
Long definition: The identification, analysis, and prioritization of risks followed by coordinated and economical application of resources to reduce, monitor, and control the probability and/or impact of unfortunate events
Shorter definition: Being smart about taking chances
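The long definition of risk above (a probability of an undesirable event, paired with the magnitude of the resulting loss) and the long definition of risk management (identification, analysis, and prioritization of risks) can both be made concrete in a few lines of code. The following is an added illustration written for this edition of the page, not code from the book or its author. It assumes a common quantitative convention: each risk gets an annual probability of occurring and a 90% confidence interval for the loss if it does occur, the loss given occurrence is modelled as lognormal, and a Monte Carlo simulation turns that into an expected annual loss and a loss exceedance curve. The three risks in the portfolio, their probabilities, and their loss ranges are constructed sample values, not figures from the text.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One undesirable event, described the way the long definition of risk asks for it."""
    name: str
    annual_probability: float  # chance the event occurs at least once in a year
    loss_low: float            # 5th percentile of the loss, given that the event occurs
    loss_high: float           # 95th percentile of the loss, given that the event occurs


Z_90 = 1.6449  # normal quantile bounding a 90% confidence interval


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Convert a 90% CI on the loss into (mu, sigma) of the underlying normal.

    ln(low) = mu - Z_90*sigma and ln(high) = mu + Z_90*sigma, so solve for both.
    """
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z_90)
    return mu, sigma


def expected_loss_given_event(risk: Risk) -> float:
    """Mean of the lognormal loss distribution: exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    return math.exp(mu + sigma * sigma / 2.0)


def expected_annual_loss(risk: Risk) -> float:
    """Probability times magnitude: the two steps the definition of risk calls for."""
    return risk.annual_probability * expected_loss_given_event(risk)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank risks by expected annual loss, largest first (the 'prioritization' step)."""
    return sorted(risks, key=expected_annual_loss, reverse=True)


def simulate_annual_losses(risks: list[Risk], trials: int = 10_000, seed: int = 1) -> list[float]:
    """Monte Carlo: for each simulated year, roll each risk and sum the losses that occur."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    params = {r.name: lognormal_params(r.loss_low, r.loss_high) for r in risks}
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for r in risks:
            if rng.random() < r.annual_probability:
                mu, sigma = params[r.name]
                year_total += rng.lognormvariate(mu, sigma)
        totals.append(year_total)
    return totals


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss reached or exceeded the threshold."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def loss_exceedance_curve(losses: list[float], thresholds: list[float]) -> list[tuple[float, float]]:
    """The curve a decision maker reads: 'what is the chance we lose more than X this year?'"""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def sample_portfolio() -> list[Risk]:
    """Constructed sample risks for illustration only; the numbers are not from the text."""
    return [
        Risk("customer data breach", 0.10, 1_000_000.0, 20_000_000.0),
        Risk("major system outage", 0.25, 100_000.0, 2_000_000.0),
        Risk("key vendor default", 0.05, 500_000.0, 5_000_000.0),
    ]


if __name__ == "__main__":
    portfolio = sample_portfolio()
    for r in prioritize(portfolio):
        print(f"{r.name:22s} expected annual loss ≈ ${expected_annual_loss(r):,.0f}")
    yearly = simulate_annual_losses(portfolio, trials=20_000, seed=42)
    for threshold, p in loss_exceedance_curve(yearly, [1e5, 1e6, 5e6, 1e7]):
        print(f"P(annual loss ≥ ${threshold:>12,.0f}) = {p:.3f}")
```

Two points the code makes that the prose does not: a risk with a low probability but a wide, right-skewed loss range can outrank a frequent, modest one once probability and magnitude are combined, and the exceedance curve shows how much of the total exposure sits in the tail rather than around the expected value.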
Risk management methods come in many forms, but the ultimate goal is to minimize risk in some area of the firm relative to the opportunities being sought, given resource constraints. Some of the names of these efforts have become terms of art in virtually all of business. A popular (and, I think, laudable) trend is to put the word enterprise in front of risk management to indicate that it is a comprehensive approach to risk for the firm. Enterprise risk management (ERM) is one of the headings under which many of the trends in risk management appear. I'll call ERM a type of risk management program, because this is often the banner under which risk management is known. I will also distinguish programs from actual methods because ERM could be implemented with entirely different methods, either soft or quantitative.
The following are just a few examples of various programs related to managing different kinds of risks (Note: Some of these can be components of others and the same program can contain a variety of different methods):
Enterprise risk management (ERM)
Project portfolio management (PPM) or Project risk management (PRM)
Portfolio management (as in financial investments)
Disaster recovery and business continuity planning (DR/BCP)
Governance risk and compliance (GRC)
Emergency/crisis management processes
The types of risks managed, just to name a few, include physical security, product liability, information security, various