One idea that I keep revisiting is how through the course of history, we human beings have always been uncomfortable with the lack of certainty in our lives. We are continually attempting to reduce it. Here is part of what I wrote in my “Brief History of Risk Management” for John Fraser and Betty Simkins’ book entitled Enterprise Risk Management (2010).
- “As the millennia passed, our species developed other mechanisms for coping with each day’s constant surprises. We invented a pantheon of divine creatures to blame for misfortune, praise for good luck, and to whom we offered sacrifices to mitigate the worst. These gods and goddesses, the personification of heavenly bodies, high mountains, and the deepest seas, led to a dependence on human oracles, soothsayers, priests, priestesses, and astrologers, to predict the future. We created a written language (Mesopotamia, Sumeria, Egypt, Phoenicia) in order to pass knowledge to the future. As our species used language, experience, memory, and deduction to explain random uncertainty, we created an alternative and backup explanatory system.”
More recently, the single-most important development in our thinking about how best to respond to uncertainty has
been the rapid expansion in behavioral science, especially behavioral economics. This includes the recognition of the many varied potential outcomes to future events and situations, and that they are constantly changing. Another is the idea that “results” are primarily mental, not only physical. And finally, we are learning to use data more intelligently.
In your career, what obstacles have you seen that impede effective risk management?
The foremost obstacle is our very natural inability to accept big changes, our tendency to lock ourselves into a current and comfortable set of ideas or processes, and failing to acknowledge change and new ideas. Over the course of my career, I have challenged four ideas: first that “risk” is bad; second, that the primary goal of risk management is to benefit shareholders; third, that risk management is the responsibility of specialists; and, fourth, that risk can be transferred. Let me elaborate.
Icon #1: Risk is Bad. Looking at the news today, it’s clear that many in our society feel harried, distrustful, and insecure, all of which leads to feeling extra-cautious and wanting to preserve, hunker down, and take no chances. This inevitably leads to stagnation. All systems require continuing adjustment. Take health care for example: we should view this moment as an opportunity to try and improve our expensive and complicated system and, in doing so, we should learn from other systems around the world (see Taiwan; Scandinavia, and Canada).
Maybe the best way to smash this first icon is rephrasing Rene Descartes’ cognito ergo sum – “I think, therefore I am.” I suggest it should be periclitor ergo sum – “I risk, therefore I am.” Taking risk is the defining element in human existence. We should relish, not avoid it; balance, not eliminate it.
Icon #2: The Goal is to Benefit Shareholders. One of the most pernicious current beliefs of risk management is that its sole purpose is to serve shareholders, and to increase share prices. I believe that risk management’s most important role is becoming the mechanism that corrects erratic steering, bringing the vessel back on a principled course. The proper course is to serve all stakeholders, from employees and customers, to suppliers, investors, lenders, regulators, and the community at large. An over-focus on any one set of stakeholders inevitably cheats others.
Our role is not to “reduce the cost of risk,” the mantra that has consumed the discipline for too long, but to enable the organization to build a higher level of confidence and trust within each stakeholder group and to facilitate intelligent communication with these groups. Risk communication should build and maintain the trust of these groups and their confidence in the future of the organization.
Icon #3: Risk Management is the Responsibility of the Specialists. Over the years, numerous castles of risk management specialization (credit, safety and health, financial derivatives, security, insurance, contingency planning, auditing, contracts, and regulatory management) have been erected on the premise that each specialty is so arcane, so based on long experience, that outsiders cannot appreciate, much less practice, the trade. The recent move to a strategic, integrated, enterprise, or holistic risk management is recognition that the separation of risk functions is counter-productive. Simply allowing the specialists to ply their trades separately does not work.
This is why we see the rise of a new executive, the Chief Risk Officer. This person is a generalist who reports to both the Chief Executive and the Board and coordinates the work of other risk specialists. Implicit in the CRO movement is the assumption that risk management is the responsibility of each person in the organization. The new goal is to build a culture of risk understanding so that better decisions may be made at every level, every day.
Icon #4: Risk can be Transferred. One of the worst fallacies is that insurance solves a risk problem. It does not. It simply provides the possibility of some sharing, some spreading of the risk. In reality, insurance is a pre-funded line of credit.
An insurance company effectively operates as the coordinator of the shared risk by many disparate individuals and organizations. It pools the funds of the many for the losses of the few. The inherent risk remains the responsibility of the organization even when some of its potential financial effects are shared with others. Any risk sharing partnership demands that each party (policyholder and insurer) understand and accept the financial condition of the other. The primary responsibility of any insurer is its ability to meet future commitments. Too many insurance purchasers fail to respect this in their haste to get the best deal.
The obstacles of a silo mentality and compartmentalization appear to pose a formidable obstacle to effective risk management. How problematic is this challenge?
It is entirely natural for human beings to cluster inside protected ideas and processes, fighting to exclude nasty new thoughts! I prefer the analogy of “castles” because they are designed to sequester their inhabitants against the outside world, while silos contain only grain.
As evidence of the growing complex of castles, just look at the innumerable global organizations and associations that purport to represent and sell the “Word” about risk management: Society for Risk Analysis (SRA), Risk & Insurance Management Society (RIMS), International Federation of Risk & Insurance Management Associations (IFRIMA), Nonprofit Risk Management Center (NRMC), Professional Risk Managers International Association (PRMIA), Institute of Risk Management (IRM), Global Association of Risk Professionals (GARP), and the Risk Management Association (the oldest, perhaps, as it was formed as Robert Morris Associates in the early 1900s). Then add all the accounting and auditing groups. A very messy mélange of often-conflicting ideas!
One solution lies in the development of a Chief Risk Officer (CRO) who is independent, patient and a team-player. Within these qualities, one can develop or employ various technical skills for risk analysis (scenario analysis, quantitative and probabilistic analysis, actuarial science, data management, legal knowledge, econometric modeling etc.). Similarly, another set of skills is employed in risk response – the controls adopted to balance upside and downside risk: knowledge of safety and quality systems (e.g., Six Sigma), audit and accounting controls, environmental controls, behavioral economics (financial incentives and penalties), contingency and crisis management (business recovery planning), and financing (credit, derivatives, hedging, pooling and use of capital markets, insurance and claims management).
It is too much to ask any one person to be fully conversant and expert in all these fields. This makes teamwork a mandatory aptitude. If a CRO adopts this basic thesis, then it follows that the three basic objectives of risk management must be:
- Credibility: Communicating the nature of the risks, both favorable and unfavorable, with stakeholders, and their responses, to enhance the support of the specialists for the organization.
- Resilience: Building an internal and external flexibility so that the organization can respond to whatever unexpected event may occur – and in many cases taking advantage of a downside event to improve market position.
- Perspective: Countering the prevailing over-focus on the short-term. Here Peter Schwartz’s The Art of the Long View (Doubleday, 1991) remains one of the best expositions of long-term perspective.
How do you think the evolution of standards (e.g., ISO-31000) has changed the practice of risk management?
We are subject to a very human habit: trying to condense loose ideas into a set of rules, which, of course, can then be “policed” by self-appointed teams. Too often, these “standards” are the result of large teams of international believers trying to push their own views, with an end result being a confusing mish-mash of rules. One of the first was AS/NZS 4360 in 1995, a relative success in its brevity and clarity. One of the worst was the effort of COSO (The Committee of Sponsoring Organizations of the Treadway Commission – auditors and accountants) in 2004, a long-winded and obtuse confusion that seems to imply that only public accountants might be trusted to develop risk management. The Aussies and Kiwis updated their version in 2004 and then the International Organization for Standardization (ISO) produced its ISO-31000 in 2009, one that is currently in process of updating.
While an effort to refine, and condense new ideas makes sense, too often the results are increased confusion. But this is part of our nature!
One final question for this segment – we hear about different types of risk terminology: white swan (certain and predictable events like contracting the flu); grey swan (uncommon, less predictable, and potentially catastrophic events like a hurricane); black swan (unlikely, unexpected and potentially catastrophic events like Captain Sullenberger landing his airplane on the Hudson River because of a bird strike to both engines); and black elephant (visible and potentially catastrophic problem that no one wants to address). How useful are these classifications?
Risk classifications are a tool or filter for interpreting events but we will continue to be surprised by the ever-present problems we are unwilling to address as well as by the unlikely and unexpected things we never considered. Nevertheless, I suspect that our growing understanding of our universe, our galaxy, our earth, and all the flora and fauna thereon will enable us to improve our ability to make predictions about our futures.
Let me offer another useful set of classifications – the challenge of our overwhelming ignorance of historical data and experience even as the Internet opens doors to global information. John Skar, of Massachusetts Mutual in Springfield, gave me a way to think about four levels of historical ignorance that we must combat:
- Unawareness of past events.
- Awareness of events, but a lack of intelligence and perspective to draw comparisons.
- Awareness of events and patterns, but denial about current similarities; and
- Awareness of events, patterns and similarities, but an unwillingness to act.