One major flaw in the risk management industry is that the commonly adhered to standards and practices are built on theories that have no basis in scientific fact. Indeed, risk managers have become bogged down in appetite statements and risk registers which have little or no bearing on improving actual decision-making.
Risk Management 1 is relatively recent, barely 40 years old. It is promoted by risk management associations, institutes, consultants, big four auditors and the Institute of Internal Auditors. Normally the principles are documented in global best practices or risk management standards and many of the books are written by retired risk professionals and auditors.
But when you start digging further, there is absolutely no empirical evidence or scientific research to support that these so-called ‘best practices’ actually improve decision making beyond the expected placebo effect. Instead, it’s a kind of window dressing with artificial concepts that sometimes will even hinder company performance.
However, Risk Management 2 takes a completely different approach. It’s more than 500 years old, and rather than focusing on standards and best practices, it’s a consolidation of different branches of science. It has roots in probability theory, decision science, behavioural economics and neuroscience.
The techniques, approaches and tools aren’t found in international standards, instead they come from scientific textbooks, research papers and so on. Crucially, this means that practices are scientifically evaluated, meaning you can actually measure whether they improve decision making and company performance.
Another main characteristic of Risk Management 1 is that activities are always positioned for the sake of managing risks. We identify and assess risks solely in order to prioritize and better manage them. Risk Management 2 on the other hand does not see managing risks as a standalone profession, industry or practice. Instead, we think about risks as the volatility of assumptions or outcomes and their management is seen as one of many techniques that can be used to improve decision making and organisational performance.
For example, in the Risk Management 1 world, it is common to have a regular risk report which highlights important risks, assesses and prioritises them and then lists mitigations. But in the Risk Management 2 world, you would very rarely, if ever, have a risk report. Instead, you would just show risk information in the normal management reporting as a the volatility of objectives or as probability of achieving goals.
Equally, in Risk Management 1, risk is a thing that you plot on the map – a point in space, which represents a combination of likelihood and consequence. But in risk management 2, you realise that this makes no mathematical sense and therefore it’s pretty silly to do. Instead, you represent risk as a range of uncertainties around some of your key assumptions or performance metrics. The biggest challenge is to stop talking about risks and start talking about how risks affect something else.
Risk Management 1 is essentially the equivalent of horoscopes, tarot cards and astrology. If you want to become a good astronomer, you do not need to become good at astrology first. Equally, Risk Management 1 is not just an immature version of Risk Management 2 – it’s nonsense. And doing a perfect risk register or a perfect risk report will not bring you an inch closer to proper decision making.
Clearly, if we were to implement everything suggested by the so-called ‘best practices’ of consultants, that would be an enormous waste of time. In fact, we can do most of these things so much more easily using the techniques available in the Risk Management 2 world.
Unfortunately, things are not that simple, and Risk Management 1 isn’t going anywhere. The regulators are asking for it, the credit rating agencies are asking for it and the banks are asking for it. Sometimes even shareholders ask for visibility of the risk management report, instead of considering how risks really affect important decisions.
Given that context, as risk managers and senior decision-makers, we need to embrace the fact that we need some sort of window dressing for our risk management activities, but then need to make sure that we spend as little time on it as possible.
My general rule in life is 10 per cent risk management, 90 per cent risk management 2.0. That means you spend a small fraction of your time on risk appetite statements, registers and reports and spend 90% of the time applying proper quantitative risk analysis techniques to decision making.