Review of "The Failure of Risk Management: Why It's Broken and How to Fix It" Part 2

In Chapter two of his book, Douglas Hubbard's discusses where the risk management industry has been and where it currently thinks it is.

The chapter starts out with a very brief history of risk management ('800 words' according to the author), tracing the route from the discovery of mathematical probabilities, to its initial commercial application in insurance, and finally down to the modern day emerging 'new character' or risk management, incarnated in regulations like Basel II, and in applications like Enterprise Risk Management. His history is not very complimentary, comparing today's state of risk management as similar to the Old West gold rush towns, where things look brightly painted and pretty, but built on shaky foundations and filled with snake oil peddlers.

His history aligns quite well with Peter Bernstein's own summary, although at a very very high level and, I suspect, very much framed to support his thesis (which I suppose is what the rest of the book is about).

Hubbard then makes a brief discussion of the common risk assessment approaches (expert intuition, weighted scoring, probabilistic models, etc) and suggests that some of these are not up to par for the role risk management is playing (corporate growth survival, after all) and will probably need to be dispensed with.

The next section covers risk mitigation approaches. He has a brief treatment of the common approaches (what risk management book doesn't?): avoid, reduce, transfer, retain. The most interesting part of this section is his list of examples of concrete manifestations of risk mitigation approaches (in contrast to the abstract approaches of
avoid, reduce, etc. His list includes selection processes, contractual risk transfer, insurance, liquid asset position, etc.).

In the final section, Hubbard discusses 3 major surveys of enterprise risk management, conducted by Aon, The Economist, and Protiviti. The surveys show what the executives in these companies thought about what their top risks are (reputation, market, human capital, and regulatory environment figure very high). The surveys indicate that risk management is present in those companies primarily because they are being required to have it (a necessary evil). It also shows that risk
management is well represented and increasingly so at the board level.  The executives seem pretty confident that they are doing risk management well.

Hubbard suggests that that is not the case at all.

The Duck Hunters

Duck hunters shoot ideas as soon as they hear of them.  This is a recipe to become a mediocre team.

Imagine yourself in one of your project meetings.  This particular meeting proceeds just like any other meeting.  You look around checking everyone’s faces. You can plainly see on everyone that unmistakable look that they’d rather be elsewhere.  Everyone knows this meeting is a waste of time.  The meeting conveys nothing that can’t be broadcasted by more efficiently and effectively by email.  But it is a long held ritual and apparently must be perpetuated.

All the ingredients that make up dull meetings are here: meaningless status updates,  the obligatory round-the-table ‘what are you working' on’ exercise, and finally, the question: ‘Is there anything else?’

The more experienced members of the team keep silent.  However, Jack, a new and young member of the team, nervously, tentatively, makes a suggestion:  “Uhm… I was just thinking… uhm… you know how we are implementing the database for this system… I was just thinking, have we determined all the end users who will be using this system?  I was just thinking, they might have different needs and I’m not sure the database as currently designed will be able to handle all their needs. I was just thinking we should maybe make a list of the different kinds of stakeholders and what their needs are”

Jim, the project manager replies dismissively:  “We’ll just be making extra work for us that way. I think you’ll find that even the stakeholders don’t know what they want.”

Bang! A Duck Just Got Shot Down

The project manager’s dismissal of Jack’s suggestion, apparently without even giving it its deserved consideration, is equivalent to shooting down ducks as soon they get spotted. 

Duck? An idea duck.  People who shoot down ideas as soon as they get raised are what I call duck hunters. The moment they hear an idea, they take aim and fire: Bang! Another idea shot down.

Some people are so good at shooting down ducks, almost as soon as they take flight, they are the equivalent of professional duck hunters.  Maybe they find pleasure in shooting down ideas – maybe an ego boost.  Maybe they’re trying to act decisively, but what’s the broader impact to the project?

Let’s take a broader view.

How would Jack feel?  He has put forward what he obviously thought was a good idea, something that he thinks will benefit the team.  But his idea just got shot down, almost not taken seriously.  You can be sure he is anything but more motivated. Next time, he might try again, and when his duck get shot down again, his attempts will come less and less often, until it finally stops.  When people notice their ducks being shot, soon they will stop introducing new ducks. 

How would other project team members feel?  Maybe some of them agree with the project manager.  Maybe some of them agree with Jack?  All of them will notice – at different degrees – how Jack’s idea was shot down.  They will think twice about raising their own ideas.

An environment not conducive to inviting ideas has just been established.  Whether this negative environment continues and reinforces itself to the detriment of the team, or gets weaker allowing more ideas to come up, depends on the next meetings.  If the same thing happens, it will reinforce the negative dynamics. 

When the Ducks Go, the Team Goes

A project team that raises no new ideas, soon becomes a mediocre team, unable to produce anything but the dullest, plainest possible product.

High quality people don’t want to be part of mediocre teams.  A mediocre team will soon experience an exodus of its brightest and most passionate members.  First the exodus will happen intellectually and emotionally.  People will start to tune out.  The team members will still be physically part of the project, but their minds and their passions have long gone.  It is only a matter of time when they also leave physically.

Avoiding Duck Hunting

How does one avoid this problem?  The solution comes from the top.  It must establish a management system where ideas a actively solicited, and rigorously considered. 

I would suggest putting up an idea log, where ideas can be put forward, and discussed and considered, and then rejected, accepted, put on hold, modified, or otherwise acted upon is.  Having a history of ideas generated is a terrific tool for documenting lessons learned.  (Of course, depending on the organisation’s culture, this could be a terrible witch-hunting tool as well).

Save the Ducks

Next time you’re in a meeting, watch for ducks, and for one day -- just one day --  make a note to leave your gun behind and don’t bring it to the meeting.

Risk Versus Risk

One of the most critical processes in managing projects are those addressing project risks.  Some writers go so far as to call risk managent 'project management for adults'.  The implication being that if you’re not doing risk management in your project, then you’re just a kid, you haven’t grown up yet, and have no place among grown-ups (I agree with this view, by the way).

When asked what risk is, quite a few will give an answer that goes something like: 'a risk anything that can go wrong.'  In this view, a risk is something that can go wrong, and therefore risk management is about addressing those things that can go wrong.

But there is another, less commonly known, view of risk.   In this view, risk is something uncertain that may affect the project.  Not something necessarily bad, but something uncertain. 

Let's suppose you are planning a picnic for tomorrow.  Being an adult, you have prepared a risk management plan (your picnics may be boring, but they are predictable).  You have an entry for weather in your risk plan.  In the first view of risk, you look at the weather and look for something that could 'go wrong' that could negatively affect your picnic.  Is it going to rain tomorrow?  If there's a chance of rain, what can we do to mitigate the effects of this rain on the picnic? Perhaps bring an umbrella.  Perhaps plan to hold the picnic nearby an accessible shelter, to make escaping from the rain easier.

In the second view, we look at the weather not as something that is the harbinger of something that can go wrong, but simply something uncertain.  So there's a 50% chance of rain.  Let's prepare for that eventuality.  But there's also a 50% chance of no rain. Let's also prepare for that happy eventuality as well -- perhaps plan to go to a place with a nicer view if the weather clears up.

With this second view, risk is not simply viewed as about bad circumstances that can happen, but simply about all uncertain circumstances. Circumstances which can indeed turn out bad (and whose effects we should be ready to address), but which can also turn out good (which we should be ready to take advantage of).

In the first view, we simply prepared ourselves for the worst.  But in the second view, we also prepared ourselves for the best.

Assumptions

Until we develop the ability to see the future, projects and programmes will have to be run in the face of uncertainty.

In the absence of complete information, assumptions will have to be made. Otherwise decisions cannot be made and activities will stall. At least some of these assumptions are documented in the projects. In the more badly run projects, the assumptions are there uncritically reviewed. Because a project is proceeding as if these assumptions are valid, it is critically important to review the assumptions.

You are trying to cross a bridge and making the assumption that the floor is sound. You have several choices: make the assumption, and proceed to walk normally as if the assumption is correct. You can also make the assumption, keeping in mind that you could be wrong, and proceed with caution, testing every step to see if the assumption holds. You can also, before, proceeding, inspect the bridge, and gather more information about the assumption. How likely is the assumption to be correct? How likely is it wrong? Apart from
physical inspection you can observe the environment. Are locals crossing the bridge? Are there local experts who know if the bridge is sound?

Because the assumptions are the 'floor' on which the programme will be proceeding, it is critical to review these assumptions to see how sound they are. These assumptions should be looked at with the following filters:

• Are they complete? Are these the only critical assumptions?
• Are they valid? Are we making assumptions about things that are not already known to be false?
• Do we have a plan for reviewing the assumptions at a later date, when we may have more information and able to verify or reject the assumptions.
• Have we identified the risks that will arise if the assumptions on which we are proceeding are proven false?

ERM is an Integrative Approach to Risk Management

Risk management as traditionally practiced in organisations, tended to be silo-based.  Risks originating from one area is expected to be managed in that area which is assigned the responsibility for managing, while risks originating from another area is managed by that area. 

One reason Chapman gives as to why this approach developed is our tendency to compartmentalise. Our analytical mindset approach to problem solving leads us to split things into their basic components, to make them easier to manage. 

Over the years, there have been growing recognition that the silo-based approach is flawed.  The impact of risks span across silos -- a breakdown in manufacturing leads to impacts well beyond the manufacturing department.  Mismanagement of risk in one silo affects other silos, which may not be prepared for that risk because they had assumed that other area was managing that risk.  

ERM is a new approach to managing risk.  The thrust is of ERM is the integrative management of risks, understanding the interdependencies, their impacts, and areas where they can be leveraged so that addressing a single cause can prevent multiple risks.

Reference: Chapman, Robert. Simple Tools and Techniques for Enterprise Risk Management 2006.

Tools and Techniques of Enterprise Risk Management, Part 1

I’m going to go through Robert Chapman’s ERM book.  Based on the table of contents, the first part of the book what ERM is. Part II is about ‘The Appointment’ or what I think is a discussion of the engagement process.  The table of contents covers topics about interviewing the client, preparing the proposal, and implementation (of what, I am not sure yet).

Part II covers the Risk Management Process.  It seems to be about a fairly standard process: Analysis of the Business, Risk Identification, Risk Assessment, Risk Planning, and Risk Management.

Part IV covers ‘Internal Influences’ which I think is about internally generated risks.  The table of contents says it covers Financial Risk Management, Operational Risk Management, and Technological Risk.

The final part covers ‘External Influences’ which seems like about risks generated externally.  It discusses Economic, Environmental, Legal, Political, Market, and Social risks.

Finally there are 14 short Appendixes which discuss techniques like SWOT, PEST, VRIO analysis, Change Management, among other topics.

Ten Rules of Effective Language

One of the challenges risk professionals wrestle with is how to convince stakeholders to take specific actions,  such as proactively identifying risks. These stakeholders can be individuals, or they can be organisations.  While these stakeholders are not necessarily reluctant to comply with the requirements of proper risk management, they do have to deal with their own realities, including other demands on their energy,  or simply a perception that risk management is a waste of time.

Perception is reality, as the saying goes.  If you want to change reality, you have to change perception.  And one way to change perception is through communication.  A risk professional often needs to organisational action through reports and recommendations and also through interpersonal communication.

Dr. Frank Luntz, who apparently is a highly sought political speech writer, provides ten rules for effective language in his book, “Words that Work”.   I think when he came up with these rules, he was thinking in the in the context of public speeches, political messages,  and media relations.  But his rules seem a useful guide for a launching  a coordinated approach to getting your message across. 

In summary his rules are:

1. Use Small Words.  Use only words that you are certain your audience understands.  Don’t risk getting your message misunderstood. 
2. Use Short Sentences. If you can deliver the same message using a dozen words, do not do so with a thousand.  Not only are fewer words easier to remember, you stand a better chance at having your writing  read.
3. Credibility is as Important as Philosophy. Make sure you are telling the truth.  Very catchy marketing of something false will fool some people for a little while, but not for long, and not again. 
4. Consistency Matters. This is a nice way of saying: repeat the message over and over, using the same words if possible.  Drill the message in. Repeat until it becomes the truth.  And don’t change your message. Don’t change what you are trying to say.
5. Novelty: Offer Something New. Add a new twist on the language or coin a new phrase that capture the message vividly and clearly and memorably.  Definitely avoid clichés. Avoid it like the plague ;-).
6. Sound and Texture Matter. A slogan that makes sound (like ‘Snap, Crackle, Pop!’) helps make the slogan memorable.  Alternatively, come up with combinations of words that make a distinctive sound (‘Melts in your mouth…’)
7. Speak Aspirationally. Show the way to an ideal place. He gives the example of Crest toothpaste’s “Look ma, no cavities”. Tap into the audience’s aspirations and ideals.
8. Visualize.  Paint a picture with your words.
9. Ask a Question. Engage the listener by asking a relevant and memorable question.  Note that it is a single question, not several.
10. Provide Context and Explain Relevance. Make it very clear ‘why’ you are telling them what you are going to tell them. Give context to your message.

Luntz summarises these ten rules with ten words: simplicity, brevity, credibility, consistency, novelty, sound, aspiration, visualisation, questioning, and context.

You don’t have to follow all his rules for every message you want to get across.  I don’t think that’s possible, nor is it Luntz’s intention.  However, the list is useful as a guide for formulating a memorable message.