As the previous definition indicates, risk management activities include the analysis and mitigation of risks as well as establishing the tolerance for risk and managing the resources for doing all of this. All of these components of risk management are important but the reader will notice that this book will spend a lot of time on evaluating methods of risk analysis. So let me offer both a long and short definition of risk analysis at this point.
DEFINITION OF RISK ANALYSIS
Long definition: The detailed examination of the components of risk, including the evaluation of the probabilities of various events and their ultimate consequences, with the ultimate goal of informing risk management efforts.
Shorter definition: How you figure out what your risks are (so you can do something about them).
Note that some risk managers will make a distinction between risk analysis and risk assessment or may use them synonymously. If they are used separately, it is often because the identification of risks is considered separate from the analysis of those risks, and together they comprise risk assessment. Personally, I find the analysis and identification of risks to be an iterative, back-and-forth process without a clear border between them. That is, we start with some identification of risks, but in analyzing them, we identify more risks. So I may use the terms analysis and assessment a bit more interchangeably.
Now, obviously, if risk analysis methods were flawed, then the risk management would have to be misguided. If the initial analysis of risk is not based on meaningful measures, the risk mitigation methods are bound to address the wrong problems. If risk analysis is a failure, then the best case is that the risk management effort is simply a waste of time and money because decisions are ultimately unimproved. In the worst case, the erroneous conclusions lead the organization down a more dangerous path that it would probably not have otherwise taken. Just consider how flawed risk management may impact an organization or the public in the following situations.
The approval and prioritization of investments and project portfolios in major US companies
The level of protections needed for major security threats, including cybersecurity threats, for business and government
The approval of government programs worth many billions of dollars
The determination of when additional maintenance is required for old bridges or other infrastructure
The evaluation of patient risks in health care
The identification of supply chain risks due to pandemic viruses
The decision to outsource pharmaceutical production overseas
Risks in any of these areas, and many more, could reveal themselves only after a major disaster in a business, government program, or even your personal life. Clearly, mismeasurement of these risks would lead to major problems—as has already happened in some cases.
The specific method used to assess these risks may have been sold as “formal and structured” and perhaps it was even claimed to be “proven.” Surveys of organizations even show a significant percentage of managers who will say the risk management program was “successful” (more on this to come). Perhaps success was claimed for the reason that it helped to “build consensus,” “communicate risks,” or “change the culture.”
Because the methods used did not actually measure these risks in a mathematically and scientifically sound manner, management doesn't even have the basis for determining whether a method works. Sometimes, management or vendors rely on surveys to assess the effectiveness of risk analysis, but they are almost always self-assessments by the surveyed organizations. They are not independent, objective measures of success in reducing risks.
I'm focusing on the analysis component of risk management because, as stated previously, risk management has to be informed in part by risk analysis. And then, how risks are mitigated is informed by the cost of those mitigations and the expected effect those mitigations will have on risks. In other words, even choosing mitigations involves another layer of risk analysis.
This should in no way be interpreted as a conflation of risk analysis with risk management. Yes, later in this book I will address problems other than what is strictly the analysis of risk. But it should be clear that if this link is weak, then that is where the entire process fails. If risk analysis is broken, it is the first and most fundamental common-mode failure of risk management.
And just as risk analysis is a subset of risk management, those are subsets of decision analysis in general decision-making. Risks are considered alongside opportunities when making decisions, and decision analysis is a quantitative treatment of that topic. Having risk management without being integrated into decision-making in general is like a store that sells only left-handed gloves.
WHAT FAILURE MEANS
Now that we have defined risk management, we need to discuss what I mean by the failure of risk management. With some exceptions, it may not be very obvious. And that is part of the problem.
First, a couple of points about the anecdotes I just used. I believe the airlines and aircraft manufacturers involved in the crashes described before were probably applying what they believed to be a prudent level of risk management. I also believe that many of the other organizations involved in the other disasters I listed were not simply ignoring risk management practices. When I refer to the “failure of risk management,” I do not just refer to outright negligence. Deliberately failing to employ the accounting controls that would have avoided Enron's demise, for example, is not the kind of failure I examine the most in this book. I will concentrate more on the failure of sincere efforts to manage risks—as I will presume is the case with many organizations—even though we know the possible lawsuits must argue otherwise. I'm focusing on those organizations that believe they have adopted an effective risk management method and are unaware that they haven't improved their situation one iota.
Second, I used these anecdotes in part to make a point about the limits of anecdotes when it comes to showing the failure or success of risk management. No single event necessarily constitutes a failure of risk management. Nor would a lucky streak of zero disasters have indicated that the risk management was working.
I think this is a departure from some approaches to the discussion of risk management. I have heard some entertaining speakers talk about various anecdotal misfortunes of companies as evidence that risk management failed. I have to admit, these stories are often fascinating, especially where the circumstances are engaging and the outcome was particularly disastrous. But I think the details of the mortgage crisis, 9/11, rogue traders, Hurricane Katrina, major cyberattacks, or Fukushima feed a kind of morbid curiosity more than they inform about risk management. Perhaps the stories made managers feel a little better about the fact they hadn't (yet) made such a terrible blunder.
I will continue to use examples like this because that is part of what it takes to help people connect with the concepts. But we need a better measure of the success or failure of risk management than single anecdotes. In most cases regarding risk management, an anecdote should be used only to illustrate a point, not to prove a point.
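To show in numbers why a lucky streak of zero disasters proves little, here is an added illustration that is not from the book: two hypothetical organizations, one whose risk program actually cuts its annual chance of a major loss event and one whose program does nothing, and a Bayesian update of how much an observed track record should shift our belief. The annual probabilities (2% versus 8%) and the 50/50 prior are constructed assumptions chosen only for the arithmetic.

```python
from math import comb

# Constructed assumptions for the illustration (not figures from the book):
# annual probability of a major loss event under an effective and an
# ineffective risk program, and a neutral prior before looking at outcomes.
P_EFFECTIVE = 0.02
P_INEFFECTIVE = 0.08
PRIOR_EFFECTIVE = 0.5


def binom_pmf(k, n, p):
    """Probability of exactly k loss events in n independent years, annual probability p."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def posterior_effective(disasters, years, prior=PRIOR_EFFECTIVE,
                        p_eff=P_EFFECTIVE, p_ineff=P_INEFFECTIVE):
    """Bayes' rule: belief that the program works, given the observed disaster count.

    The same track record is weighed against both hypotheses; the result
    shows how little a short run of zero events separates them.
    """
    like_eff = binom_pmf(disasters, years, p_eff)
    like_ineff = binom_pmf(disasters, years, p_ineff)
    return prior * like_eff / (prior * like_eff + (1 - prior) * like_ineff)


def years_to_confidence(target, prior=PRIOR_EFFECTIVE,
                        p_eff=P_EFFECTIVE, p_ineff=P_INEFFECTIVE, max_years=1000):
    """Smallest number of disaster-free years before belief in the program reaches target."""
    for n in range(1, max_years + 1):
        if posterior_effective(0, n, prior, p_eff, p_ineff) >= target:
            return n
    return None  # target not reachable within max_years


if __name__ == "__main__":
    # Ten clean years only move a coin-flip prior to about 65%; a single
    # disaster in ten years only lowers it to about 31%. Reaching 95%
    # confidence from zero events alone takes decades of history.
    print(f"10 disaster-free years:  P(effective) = {posterior_effective(0, 10):.2f}")
    print(f"1 disaster in 10 years:  P(effective) = {posterior_effective(1, 10):.2f}")
    print(f"Clean years needed for 95% confidence: {years_to_confidence(0.95)}")
```

Ten disaster-free years leave the question nearly open, which is the point: outcomes alone cannot stand in for a sound measurement of the risks themselves.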
So, when I claim that risk management has failed, I'm not necessarily basing that on individual anecdotes of unfortunate things happening. It is possible, after all, that organizations in which a disaster hasn't occurred are just lucky and they may have been doing nothing substantially different from organizations in which disasters have occurred. When I say that risk management has failed, it is for at least one of three reasons, all of which are independent of individual anecdotes:
1 The effectiveness of risk management itself is almost