Management challenges in implementing real risk management

Introduction

Here’s an often-heard remark in organizations: we want risk management, but we cannot or will not yet make the full required effort. Well, if that is the starting position, the best thing the person charged with the project of implementing risk management can do is hand the project back to the project owner and state that it cannot be done.

Because it cannot be done. Really. You will not succeed. No matter how hard you try. It is pretty much like sowing acorn seeds and expecting a tree in a couple of minutes. Not possible. Sorry about that.

Why initial risk identification completeness is necessary yet impossible

In any risk management exercise, it’s important to identify as many risks as possible. You want to aim for a full risk identification, although that is impossible. As Rumsfeld stated when talking about Iraq: “… there are unknown unknowns – there are things we do not know we don’t know.” And if you don’t know certain risks are there, you won’t go looking for them. There are ways to increase the probability that you will get as close to completeness as possible, such as using risk models (not risk registers), but I will deal with those in a separate post. Let’s assume for the sake of discussion that the actual means of approximating completeness of risk identification are less relevant here.

Do, or do not

But why do we strive for an as complete as possible overview of possible risks with respect to our stated objectives? Because anything less than aiming for an as complete as possible risk identification will result in a necessarily incomplete risk identification. That in turn leads to either a false sense of security or a more likely feeling of impending doom because you know you are not in control and worse, you don’t know where the next hit could be coming from. In the end, window dressing risk management is lying to yourself. You either manage all of your risks or you do not. Or, as Yoda stated so eloquently when training Luke Skywalker in The Empire Strikes Back: “Do, or do not. There is no try.”

First risks are not top risks

Examine a risk identification exercise where people are asked to identify their top 10 risks. Even with the best of intentions, most participants will stop after listing the first 10 risks that occur to them. Those are not necessarily the most important risks, but the ones closest to their mental surface. Risk parallax, where we focus excessively on risks that are near to us geographically and in time, is a major determining factor in that erroneous identification. So you need to aim to get all of your risks out there, on the table.

Management needs to make choices. Choices expose management.

Now, does managing all of those risks mean that you need to deal with all those risks? Not necessarily, nor even likely. Once as many risks as possible have been identified, management needs to start making choices on which risks will be dealt with, and which will be monitored and the existing exposures accepted.

As each risk is related to an objective, or to a translation of an organizational objective into an operational objective, the decision on which risks to treat and which risks to accept is a combination of the priority of the objectives, the cost/benefit of the risk management options, and the capacities and capabilities available within or to the organization. Bottom line, the management team will need to make choices. Whereas they are likely to want to say yes to managing pretty much every risk that threatens the achievement of objectives, they will need to say no a lot in order to say yes to managing the most relevant ones. And management should and will be held accountable for their choices.

Choices need to be followed by actions

However, it does not end with the choices. Establishing a prioritized list of what needs to be done does not ensure that it gets done. The management team needs to invite its middle management to develop a good plan to put all those actions in place. At the least, that means assigning tasks based on the roles and responsibilities of middle management and their teams. At the most, it means developing an entire project management plan to implement a certain set of risk management measures. Which of the two applies depends on the extent and impact of the risk exposure and the extent of the risk management effort.

An understandable reluctance

Of course, all of this explains a certain reluctance on the part of management teams to start an as-complete-as-possible risk identification and management exercise. As soon as the fullest possible set of risks has been identified, they will be required to make choices. Making the wrong choices can come back to bite you. Hence, it’s easier to ignore the real risks, do window dressing and keep plausible deniability.

Easier, yes, but in the end each manager will be held accountable for his or her contribution to the organizational objectives. A good and complete application of key risk management principles goes a long way towards justifying your due diligence as a manager.