A couple of months ago I promised Hans Læssøe to respond to his article about the link between risk management and decision making. I finally managed to summarise my thoughts in this short video: https://www.youtube.com/watch?v=AHUW1Tecfac, but basically I believe risk management was hijacked by auditors and consultants approximately 30 years ago and turned into a joke, and all along we had all the answers and tools necessary to add value to organizations. We still do.
Here is what happened (most likely), in a very simplified version:
- the need to make decisions under full or partial uncertainty is as old as time
- in the XVI-XVII centuries mathematicians started to quantify uncertainty to help people make better decisions (attempts to analyze games of chance by Gerolamo Cardano in the sixteenth century, and by Pierre de Fermat and Blaise Pascal in the seventeenth century). Probability theory was born.
- the link between decision making and risk management was solidified in the early XX century when decision science was developed. According to Harvard University, decision science is the collection of quantitative techniques used to inform decision-making at the individual and population levels. It includes decision analysis, risk analysis, cost-benefit and cost-effectiveness analysis, constrained optimization, simulation modeling, and behavioral decision theory, as well as parts of operations research, microeconomics, statistical inference, management control, cognitive and social psychology, and computer science.
- then psychologists jumped on board and the fields of neuroeconomics and risk psychology were born.
- most of the research into how decisions are made and the tools that address uncertainty in decision making are 50-500 years old. Some of the most common and arguably useful: decision trees, scenarios, simulations, scoring models (not heatmaps).
Then something amazing (read sad) happened. Someone with no foundation in probability theory, decision science and risk psychology took risk management and decided to run with it by dumbing it down to the point (supposedly) understandable by a general business audience. It made total commercial sense. The GRC and ERM market is substantial. But just like any other management fad, risk management in the new sense became a corporate governance exercise with little value for actual decision making.
In some sense, modern day risk management is like weather forecasting.
Here is how weather forecasting actually works: https://www.sciencedaily.com/terms/weather_forecasting.htm (a complex, multifactor model simulating a range of possible outcomes). Compare that to what we see on TV, which usually is a single number. No wonder people hate weather forecasters. Yet, when measured, actual weather forecasts are still some of the most accurate when compared to other types of forecasts.
So, what do we call risk management going forward? Should it be objective-centric ERM or decision-focused risk management or risk-based decision making or just decision making? Well, it doesn't matter, as long as we use proper tools to make sense of uncertainty and the outcome of our analysis leads to better decision making.
What are the proper tools? Here: Finally! An alternative to risk matrices