Douglas W. Hubbard

The Failure of Risk Management


Скачать книгу

A weak risk management approach is effectively the biggest risk in the organization.

      Fortunately, the cost to fix the problem is almost always a fraction of a percent of the size of what is being risked. For example, a more realistic evaluation of risks in a large IT portfolio worth over a hundred million dollars would not have to cost more than a million—probably a lot less. Unfortunately, the adoption of a more rigorous and scientific management of risk is still not widespread. And for major risks, such as those in the previous list, that is a big problem for corporate profits, the economy, public safety, national security, and you.

      A NASA scientist once told me the way that NASA reacts to risk events. If she were driving to work, veered off the road and ran into a tree, NASA management would develop a class to teach everyone how not to run into that specific tree. In a way, that's how most organizations deal with risk events. They may fix that immediate cause but not address whether the original risk analysis allowed that entire category of flaws to happen in the first place.

      There are numerous topics in the broad term of risk management but this term is often used in a much narrower sense than it should be. This is because risk is used too narrowly, management is used too narrowly, or both. And we also need to discuss a few other key terms that will come up a lot and how they fit together with risk management, especially the terms risk assessment, risk analysis, and decision analysis.

      For now, I'll focus on a definition that, although it contradicts some uses of the term, best represents the one used by well-established, mathematical treatments of the term (e.g., actuarial science), as well as any English dictionary or even how the lay public uses the term.

      DEFINITION OF RISK

      Long definition: A potential loss, disaster, or other undesirable event measured with probabilities assigned to losses of various magnitudes

      Shorter (equivalent) definition: The possibility that something bad could happen

      The second definition is more to the point, but the first definition describes a way to quantify a risk. First, we determine a probability that the undesirable event will occur. Then, we need to determine the magnitude of the loss from this event in terms of financial losses, lives lost, and so on.

      Because risk management generally applies to a management process in an organization, I'll focus a bit less on personal risks. Of course, my chance of having a heart attack is an important personal risk to assess and I certainly try to manage that risk. But when I'm talking about the failure of risk management—as the title of this book indicates—I'm not really focusing on whether individuals couldn't do a better job of managing personal risks like losing weight to avoid heart attacks. I'm referring to major organizations that have adopted what is ostensibly some sort of formal risk management approach that they use to make critical business and public policy decisions.

      Now, let us discuss the second half of the phrase risk management. Again, as with risk, I find multiple, wordy definitions for management, but here is one that seems to represent and combine many good sources.

      DEFINITION OF MANAGEMENT

      Long definition: The planning, organization, coordination, control, and direction of resources toward defined objective(s)

      Shorter, folksier definition: Using what you have to get what you need

      DEFINITION OF RISK MANAGEMENT

      Long definition: The identification, analysis, and prioritization of risks followed by coordinated and economical application of resources to reduce, monitor, and control the probability and/or impact of unfortunate events

      Shorter definition: Being smart about taking chances

      Risk management methods come in many forms, but the ultimate goal is to minimize risk in some area of the firm relative to the opportunities being sought, given resource constraints. Some of the names of these efforts have become terms of art in virtually all of business. A popular (and, I think, laudable) trend is to put the word enterprise in front of risk management to indicate that it is a comprehensive approach to risk for the firm. Enterprise risk management (ERM) is one of the headings under which many of the trends in risk management appear. I'll call ERM a type of risk management program, because this is often the banner under which risk management is known. I will also distinguish programs from actual methods because ERM could be implemented with entirely different methods, either soft or quantitative.

      The following are just a few examples of various programs related to managing different kinds of risks (Note: Some of these can be components of others and the same program can contain a variety of different methods):

       Enterprise risk management (ERM)

       Project portfolio management (PPM) or Project risk management (PRM)

       Portfolio management (as in financial investments)

       Disaster recovery and business continuity planning (DR/BCP)

       Governance risk and compliance (GRC)

       Emergency/crisis management processes

      The types of risks managed, just to name a few, include physical security, product liability, information security, various