Risk simply means that we are not sure about what will happen in the future. If you know everything about the future, you haven’t got any risk. However, if you are mortal like the rest of us you are constantly wrestling with what might, or might not happen, in the future. That’s risk. Then you think about what you might do to influence or respond to the future event. That’s risk management.

Risk management isn’t about having a risk committee or filling out risk reports. It’s just life. When you lie in bed in the morning and its foggy and frosty, you do a risk analysis in your head. Shall I get up or stay in the warm? Would the boss be upset if I worked from home today? Shall I walk or drive? Can I risk being late for an important meeting…maybe take the car as the train is often late, but then driving in poor weather may be dangerous?

Some risks are bigger than others. We all know that governments were ill-prepared for the COVID pandemic. Here’s what a government source told the Times newspaper;

“The reason we prepared for flu is because we have flu epidemics every year. The idea that you prioritise what’s least likely to happen is for the birds. This was a novel virus. The clue’s in the name…we didn’t know that it was asymptomatic. It’s very difficult to prepare for something that doesn’t exist.”

Why should you prioritise preparing something that’s unlikely to happen? Probably because, although it’s unlikely, it’s still possible and the consequences could be bad. Is it difficult to prepare for something that doesn’t exist? No, you just need to use your imagination.

 Here’s what typically goes wrong with risk management;

  1. We prepare only for events that happened recently. How often have you heard someone dismissing something as a 1-in-100 year event. Say you live for 80 years, the chances are very high that you will live through such an unlikely event. In any case, we tend to underestimate rare events. You’ve already lived through a 1-in-100 year pandemic and a 1-in-100 year financial crisis both in the last 15 years!
  1. We prioritise the most likely risk, not the most deadly. Likely risks may well have already happened, so you have some measure of mitigation and tolerance already in place. People tend to be dismissive of rarer, but deadlier risks because they haven’t yet happened or happened a long time ago. But if they do, and if you are ill prepared, they can be devastating (eg pandemic, credit crun
  2.  We focus on how an event might happen, rather than the event itself. People tend to become distracted by thinking through what might happen and assessing often unknowable probabilities. For example, instead of thinking about the consequences of a pandemic in general, the Government considered flu only. This meant that they focussed on infection by contact instead of imagining ways to handle other forms of infection, such as air-borne. Start by thinking about an event happening (eg closure of your head office) and only then think about how this might happen (eg a pandemic or a terrorist threat), Consider it in the context of trying to avoid that risk, not using it to assess likelihood or to close down the consequences. Focus initially on events that might be triggered, such as closure of offices, social isolation, elevated mortality and economic downturns rather than whether the cause would be flu or a novel virus.
  1. We focus on the risk, not the consequences. Thinking through the consequences is unpleasant but extremely valuable, because you need to be planning to mitigate the worst results. Yet we tend to concentrate on actions to reduce the possibility of the risk materialising. That’s important, but we still need to focus on the mitigations we need to take if the event nevertheless materialises.
  2. We don’t think through all the possibilities. It is frequently the risks that you didn’t think of that really hit you. For example, the financial crisis was made exponentially worse when banks wouldn’t lend to other banks and investors didn’t even want AAA rated paper. Most people thought a credit crunch like this was inconceivable.

 

The traditional corporate way of thinking about risks is inadequate. We specify a risk, eg a food contamination, then we work out how we would avoid it by: USually by forming a committee and then deciding that this mitigates the risk so much it won’t happen.

A good risk process will take an event (eg a contaminated production run) and look at how this might be caused and what the consequences would be. It then puts barriers up to try to stop this happening – to try to stop the contamination and also how to react to minimise the damage if contaminated food is sent out. You can’t just assume the event will never happen. A key action in the contamination risk process, for example, is training executives to talk to the media when you are scrabbling to recall products and might have poisoned a customer.

Avoid, Trap, Mitigate

 Avoid – Envisage the event and then work out how you can put roadblocks in the way to try to stop it happening. This is called ‘mitigation’ in traditional corporate risk management.  For example, the best way to handle theft is to deter it in the first place. The main role of airline security for example is not to spot terrorists, it is to deter them from trying.

Trap – People often forget that you can’t manage an event if you don’t know it is happening. Make sure that you have information systems designed to spot emerging events. For example, one reason that Chernobyl and Three Mile Island nuclear catastrophes happened was because the operators couldn’t interpret the information and didn’t know what was happening. When I worked for Mars, we used to sample the previous day’s production in the office. It wasn’t a perk, it was a deal. You eat and flag any quality problems before that production run left the factory.

Mitigate the consequence – Again, often dismissed because you know it could never happen…until it does. In 2008, Northern Rock, like any UK bank, knew that if it ran out of liquidity, the Bank of England would act as lender of the last resort. This sounds like a good mitigation for the event. However, it hadn’t considered the risk that someone would leak this and the BBC would blaze it across the TV news, causing a run. The mitigation wasn’t strong enough, or at least opened up another reputation risk.

Specific walk throughs

Another time, I was sat in the boardroom of a very large professional company, listening to an executive explaining how they were completely prepared for any IT outage because they had a full back up system. The main computer centre had regular back-ups onto tapes that were then biked to another office 100 miles away. It was very unlikely to be needed anyway, because the datacentre could withstand an earthquake and had sprinkler systems against fire.  I asked what would happen to the datacentre when sprinklers went off and showered the servers with water?  What happens to the backups? Apparently, once a week the tapes are driven to another office and stored. OK then, I said, how would you mount the disks and what hard and software would run the back-ups to restore all the systems. It turned out that they didn’t have any system to run the back-ups and of course had never been able to test it. The back-up mitigation was in practice useless.

Imagine if an aircraft pilot manual just said, “monitor and manage the flight computers and identify abnormalities.” Would you get on that plane?

Walk through a mitigation plan step by step making sure that each stage works.

Summary

  1. Treat every decision as a risk – What’s the best/worst that can happen?
  2. Think how can you avoid that risk happening?
  3. Ask yourself how you can ensure that you know if the risk is happening?
  4. Think what you would do if that risk does happen?
  5. Take yourself through every step of your mitigation plans (so what would happen then? Who would do this?)
  6. Scrap every mitigation plan that uses the following words: ‘manage’, ‘review’, ‘monitor’, ‘ensure’ and ‘committee’. Replace them with sentences that are action-specific, such as “If this happens, we will do that’.

Risk is not something to delegate to a Risk Committee. It’s not a report to fill out for regulators. It is how we live our lives. You can’t talk about strategy on the one hand and risk on the other. They are both the same thing. If you want to invest in new plant or buy something, you need to weigh up the certainties (eg the purchase price) and the upside and downside risks. That is how you make the decision.

Just like how you decided whether to stay in bed this morning and how you would get to a meeting!

 

There is much more on my website and in my book, ‘Behind Closed Doors’ on how to think about and manage risk.