Over the last several years what is traditionally called risk management has undergone significant criticism from professionals, practitioners and benefactors of its practices and principles.
For the most part these criticisms are justified. Up until now risk management has been practiced across disparate domains each having their own definition of risk, taxonomy, rigor, and practices for amelioration (some do not even have that as an objective).
One risk domain might focus on better decision making informed by quantifying the value at risk usually in financial terms. Another domain might direct its attention to preventing risk from becoming a reality by implementing controls and measures. Some will talk about hazards and obstacles while others will speak of threats and events. Most will focus on negative outcomes and fewer the positive side of risk.
Some will deny that positive outcomes are risks at all and others will espouse that using heat maps is pseudo science, and if you are not using Monte Carlos you are not doing risk management. Some are trying to find the elusive black swan and most are trying to realize the benefits from risk management in a world that is calibrated to measure things that happened rather than things that don’t.
As companies have continued to elevate the role of risk management further up in their organization the lack of consistency and coherency has become more prevalent driving much of the criticisms we now observe and for the conclusion by some that risk management as a whole is broken which is something I agree with.
What the risk profession needs more than ever is a conceptual frame that is comprehensive enough to properly incorporate the way that risk manifests itself in reality as a whole not only in particular categories.
The Game of Snakes and Ladders
Risk as we now understand it is a manifestation of uncertainty which has been described as the fabric of reality found all the way down to quantum level. It should therefore come as no surprise that this reality has been present since the beginning of time and of course in the game of “Snakes and Ladders.”
This is an old game but has important lessons to teach us about how risk manifests itself in reality. “Snakes and Ladders” captures a reality of life that for every path you take there will always be the possibility of snakes waiting to take you down. However there is also the possibility of ladders to rise above them.
The International Standard Organization’s ISO 31000 guidelines defines risk (and rightly so) as the effect of uncertainty on objectives. As an aside, this definition has perhaps had the most impact in recent years to advancing the domain of risk management.
In the game, uncertainty is represented by the roll of the dice which serves to turn possibilities into reality, the effects of which can be both negative or positive. You can be bitten by the snake and sent back down or find yourself climbing a ladder towards your objective. The presence of uncertainty affects everything.
Contending with Snakes (managing threats)
Snakes hinder getting to where you want to go or what you are trying to achieve. They take you down in the game, in business and in life.
However, not all snakes matter. The snakes that matter are the ones in your path. These snakes can sometimes be avoided, or their effects minimized but they can never truly be eliminated.
Snakes can be active as in the case of bad actors who want to take you down. Snakes can also be passive, holes in your defenses that wait to be exploited. All snakes contribute to the uncertainty of winning the game. In business this uncertainty is manifested in the form of institutional or operational risk; the effects of uncertainty on mission objectives.
You can wait for snakes to come or you can take advantage of ladders to stay above them. However, what the game teaches us is there will always be snakes.
Climbing Ladders (exploiting opportunities)
Ladders are the opposite of snakes. Instead of taking you down they take you up. Ladders help to advance your progress towards what you are trying to achieve.
As with snakes, not all ladders matter; some are more useful than others. Ladders can help to avoid snakes which is what traditional risk management focuses on. Ladders can also represent opportunities to get ahead.
Winning strategies not only build defenses against snakes, they also include measures to exploit opportunities to win the game.
Deciding which Game to Play (evaluating value at risk)
The game of snakes and ladders is a game of chance. However, in life and in business winning strategies must also consider the effects of choice which have their own snakes to contend with.
You can choose to avoid as many snakes as possible or decide to build more ladders to improve your chances of winning, or any combination of both. Which option do you pick?
To decide which is best you need a way of determining which strategy among alternatives is most likely to succeed. In many cases you can calculate the probabilities and the cost of one strategy over another. However, even when you can't you still need a way to choose which game to play and what strategy to use to win.
A New Risk Management Framework
Although the game of “Snakes and Ladders” is a simple one created years ago it is based on observing how risk manifests it self in the world over hundreds of years. The following principles derived from the game have pass the test of time:"
Chance (uncertainty) affects everything.
There will always be snakes (threats) to contend with.
Ladders (opportunities) are necessary to overcome snakes and win the game.
You need a way to decide which game to play and how to succeed.
It is disconcerting that many risk managers are not aware of these basic principles and how to use them to advance mission success. All too often only one aspect of risk is considered usually driven by a particular set of analysis tools or definition of risk.
A few years ago I conducted a risk workshop with a group of managers who were considering structural changes to their organization. During this meeting one of the managers commented that there were no risks since there were no hazards. This was coming from an approach to risk that is common in safety; when you eliminate the hazard you eliminate the risk. In other words, no hazard no risk.
This was technically true since of course there were no physical hazards. However, there were organizational hazards, uncertainties, and associated risk. There were options that needed to be evaluated and opportunities to exploit to improve the probability that intended outcomes would be achieved and negative ones might be minimized. Unfortunately, there was no framework that everyone understood for effective discourse to occur. The effects of this problem surface throughout organizations across every sector. When we talk about risk we are seldom talking about the same thing.
Risk management must move beyond individual risk domains, tools and approaches if it is to have the role that it should have in an organization. Of course it will always be necessary for specialized research and practices to support individual risk categories. However, the way we talk about risk should be the same across all of them. Until that happens risk management will not be as effective as it could or needs to be. Confusion rather than certainty will prevail and we all know where that leads.
The current frames to describe risk are overly reductive lacking the scope to properly describe and effectively contend with uncertainty. In other words, how we frame risk has become more important than what is inside the frame.
As we transition into a new year, my hope is that we continue the transition towards a coherent and comprehensive risk framework. The work that ISO has done is a good start. However, we need to continue to build ladders that will help risk management move up in organizations and be effective in the role that it needs to have.