In the book Streetlights and Shadows, Gary Klein describes three sorts of risk management.
- Prioritize and Reduce – the system used by safety and (insurance) risk managers. In this view of risk management, there is a five-step process:
  - Identify risks
  - Assess and prioritize risks
  - Develop plans to mitigate the highest priority risks
  - Implement plans
  - Track effectiveness of mitigations and adapt plans as necessary
- Calculate and Decide – the system used by investors (and insurers) to develop multi-scenario probability trees of potential outcomes and to select the options with the best risk/reward relationship.
- Anticipate and Adapt – the system preferred by CEOs. For each potential course of action, the worst-case scenario is assessed. If the worst case is within acceptable limits, then the action is considered for its benefits. If the worst case is outside acceptable limits, then consideration is given to management actions that reduce or eliminate the adverse outcomes. If those outcomes cannot be brought within acceptable limits, then the option is rejected.
Most ERM systems are set up to support the first two ideas of risk management.
But if it is true that most CEOs favor the Anticipate and Adapt approach, a total mismatch emerges between what the CEO is thinking and what the ERM system is doing.
It would not be difficult to develop an ERM system that matches the Anticipate and Adapt approach, but most risk managers are not even thinking of that possibility.
Under that system of risk management, the task would be to look at a pair of values for every major activity: the planned profit and the worst-case loss. During the planning stage, the risk manager would be tasked with finding reliable ways to reduce the worst-case losses of potential plans. Once plans are chosen, the risk manager would be responsible for making sure that none of the planned actions exceeds its worst-case loss.
Thinking of risk management in this manner allows us to understand that the worst possible outcome for a risk manager would not be a loss from one of the planned activities of the firm; it would be a loss significantly in excess of the maximum loss contemplated at the time of the plan. The excessive loss would be a signal that the risk area is not a reliable provider of risk information for planning, for decision making, for execution of plans, or for all three.
This is an interesting line of reasoning and may be a better explanation for the way that risk managers are treated within organizations and especially why risk managers are sometimes fired after losses. They may be losing their jobs, not because there is a loss, but because they were unable to warn management of the potential size of the loss. It could well be that management would have made different plans if they had known in advance the potential magnitude of losses from one of their choices.
Or at least, that is the story that they believe about themselves after the excessive loss.
This suggests that risk managers need to be particularly careful with risk evaluations. Klein also mentions that executives are usually not particularly impressed with evaluations of frequency. They most often want to focus on severity.
So whatever is believed about frequency, the risk manager needs to be careful with the assessment of worst-case losses.