Embedding Sound Risk Management Practices into an Organization
Core principles for risk management adoption within an organization.
Risk management is a lot easier when risks can be credibly projected, based on historical data. It's hard to argue with math - although, as all risk managers will tell you, some mid-level sales manager is certain to give it a shot.
Protests - often bellicose protests - become a lot more problematic when there is no substantial backlog of data. Without real math to shore up risk projections, the loudest voices can overwhelm your project and steer your company down a needlessly dangerous path.
A post by Justin Fox, the editorial director at Harvard Business Review, addresses this tendency against the backdrop of $3 billion trading losses at financial firm JPMorgan Chase. Based on reporting by the New York Times, Fox concludes that the meltdown may well be due to the illness and absence of a key executive who wrangled contentious meetings about new products or initiatives that JPMorgan Chase simply did not have the experience to model out scientifically.
Fox's observations go well beyond a common-sense warning to watch out for pig-headed loudmouths. He touches on the works of scientific philosopher Karl Popper, who in the formative era of probability studies noted that projecting the likelihood of an exceptional event (say, a massive meteor strike on the Earth) is dicey, at best. There's just not enough data, and you certainly can't replicate it in your lab.
So, Fox concludes, standard risk management disciplines can take you only so far, particularly when your company is heading for entirely new horizons. He writes:
And that's where argument (or discussion, or conversation, if you prefer) comes in. You want diverse, even opposing viewpoints. You want to manage their interactions in a way that allows the quieter, less-senior, less-predictable voices to be heard. You probably do want to accord different weights to the arguments of different people, although deciding how to do so (past track record? clarity of argument?) is hard.
Fox concludes by noting that some scientists, most notably computer scientist Peter McBurney, are trying to apply algorithms to bring at least some quantitative order to this qualitative madness. (If you want to feel really stupid for 30 minutes, check out this video of McBurney at a recent financial conference). But for the time being, it's up to cooler (or hotter, depending on your corporate culture) heads to apply non-scientific validation and weighting to "soft" input. And, as Fox notes, risk managers often are not positioned politically to take on executives who just "know" something is going to work.
As for a spreadsheet that takes a stab at quantifying all that input - we'll think about it, but that sounds like a mission for Prof. McBurney and his peers.