Knowing and Thinking must be linked to Doing
“One of the things that we’re trying to do is to get people to think more rather than know more,” said Rick Nason, associate professor of finance at Dalhousie University’s School of Business in Halifax, Nova Scotia. “In risk management we’ve gotten into a regulatory mode of knowing more, and unfortunately we’re stuck on techniques and forget how to think about risk. Going beyond knowing is what we’re trying to stress.”
Too few risk managers are actually empowered to actually DO anything. Natural human nature steps in which leads these disempowered risk managers to elevate the importance of the things that they are empowered to do. Knowing and Thinking are two of those things.
It is of course important to KNOW your risks and the possible paths to loss that go with each risk as well the current status of your exposures. Nason rightly points out that regulatory risk management requirements work on the assumption that if a management team KNOWS about their risks that they can necessarily be counted on to react. But that is often an unstated and unrequired assumption. Perhaps regulators shy away from going any further in their prescriptions because of lack of authority.
Risk Management systems, such as ISO31000, build up a massive infrastructure of steps that are required to support the KNOWing objective. A risk manager applying ISO31000 can keep very, very busy for several years building up that infrastructure without getting to the step of actually infringing upon management of the company.
Nason is right to suggest that THINKing is a step further. But by focusing on THINKing, he makes the same sort of assumption, that if someone THINKs about their risks, they surely must eventually DO something about them.
The risk manager who wants to be effective must start with the end in mind (see Covey). DOing must be the purpose of a risk management system. A system that focuses on KNOWing or THINKing is merely a Risk Management Entertainment System.