Exploring the Black Box

A brief history

The relevance of using risk models as the basis for risk management was disputed in the beginning of this century. It actually remains disputed as an approach by a number of authors. In the early ‘00’s, leading risk management advisory companies did not see the reason to use models. They felt it impeded organizations from assessing the entirety of their risks. In the late 1990’s, Arthur Andersen was the first company to start structuring risk models as a basis for the structural implementation of enterprise risk management. Some of their risk models remain as risk models you can for example find in Protiviti’s Knowledge Leader.

The wider adoption of risk models

Risk models really came to the fore towards the end of the ’00s, when experiments in implementing enterprise risk management or ERM systems showed a significant flaw in the prior reasoning: people did not share a mutual understanding of the term ‘risk’ and even failed to agree on a common definition for the most traditional of risks.

A solution wasthe development of risk models: industry specific structured overviews of potential risks which could occur in companies active in a certain industry, with a clear definition of what the risk means in agreed upon terms. Agreed upon terms would be adapted to company specific terms, in order to limit the risk of misunderstanding and thus mistreatment of a specific risk.

The challenge of today’s risk models

In our quest to increase the transparency and the unified interpretation of risk models, I fear we may have overcomplicated them. Overcomplicating a risk model – or any model for that matter – lowers the adoption rates by users. Therefore, while the move towards a more complex set of risk models was necessary to develop enough detail in the risk models, we now need to make the reverse move. This move should not be towards no risk models, but towards a list, an overview of possible risks.

The added value of risk management

Because what is the actual added value of risk management? It is the optimization of our response to priority, identifiable risks if and when they occur. Risk management should NOT be a central pillar of a management system. It adds to better risk response, and can be added to ways in which an organization is run, but should not be the central element.

In essence, even if no management exists, this would not preclude risk management systems to exist across an entity or a group of entities.

Let me explain: we see the demise of certain (types of) corporations, especially, but not only in the services sector. These are being replaced by decentral, distributed networks of independent contractors which come together on a project-by-project basis. Perhaps more than ever, these decentralized networks need risk management, but they inherently do not have a management structure to, well, structure their risk management.

The trigger list in Getting Things Done

So, how do you manage risk in a distributed, decentralized environment, or in any type of environment for that matter, in an as cost-effective way as possible? You develop a risk trigger list.

Actually, this idea is not new. I borrow the central idea from David Allen, who in his excellent book called Getting Things Done refers to an incompletion trigger list as an essential tool for the brain dump, in essence a way of clearing any issues in your head and getting them on paper, for further processing.

The trigger list is a very powerful tool: it is small enough (David Allen’s trigger list covers at most 2 modest pages) to be used on a regular basis and yet complete enough so all elements you may have forgotten can be dealt with.

The Risk trigger list

In order to enhance adoption of risk management as a tool, in order to make it usable on a regular basis and complete enough to deal with most risks one could forget, I would suggest to develop a risk trigger list per project, process, organization or even industry. This trigger list, which should not be more than 2 pages long, contains trigger words, words that will result in a comprehensive listing of most of the relevant risks which can occur in that process, project, organization or industry.

You may be surprised. At least per industry, I believe at least 50% of the risks will be the same across organizations. The list will partly be generic, and partly specific to the organization, the process or the project. Developing a risk trigger list should be one of the first responsibilities in any new process or project.

The relevance

By simplifying the comprehensive risk models we’ve developed in the past 10 years and condensing them into risk trigger lists, we may reach the critical threshold to wider adoption of risk management principles, which will in turn lead to better managed processes, projects, organizations and industries.

Red tape increases risks

Red tape is likely to lead to increases in residual risk profiles of organizations. These organizations are overburdening their external and internal customers with these increases in rules and regulations they need to comply with. Contrary to their expectations, this will not lead to more care. The more rules exist, the more this will lead to less care. Less care will reduce the risk awareness of the customer facing employees because they too are jumping through the hoops. The reduction in risk awareness will result in a higher residual risk profile because the assumptions are not checked nor questioned and may turn out to be false.

Past relevance of red tape

Introducing red tape in organizations was initially done to ensure that operations ran smoothly. A lot of the operations in larger organizations in the industrial era were 'standardized' to reduce costs. This approach was copied in service organizations and public sector entities as well. This led to productivity increases, which were a good thing from a cost side. However, the more you standardize a process, the more difficult it will be to provide deviations to the standard product. As Ford (presumably) has said: "You can have any color of car, as long as it's black." The choice in the Model T was limited. You had the choice of black, black or black. In addition, people on the work floor were discouraged of showing initiative and thus did not take ownership of the process. This part was also mirrored in different organizations.

Assymetrical information availability influences risk

A risk profile of an organization is a view on the risks to which an organization is exposed. A risk profile is specific to a company but heavily influenced by the industry in which is operates as well as the overall business environment in which the organization lives. A lot of different elements can influence a risk profile. First, there are risks external to the company. These risks in the organizations environment will influence its risk profile. The organization can do little about these risks, which can include the business environment, demographical evolutions, weather, disasters such as the Deep Water Horizon ... but they will impact it, and may impact it severely. A risk profile also consists of operational risks. These risks occur in everyday operations of the organization. One of the possible risks which can influence or worsen other risks is the red tape. More on that later. Finally, we see decision making risks. Information out of the external and operational environment is reported to the decision making levels which are not necessarily intimately aware of the situation on the ground. They base themselves on decision information. Any errors in the assembly and presentation of this information can lead to faulty decisions. Therefore, these risks influence the risk profile as well. These risks in turn can be significantly influenced by the red tape risks.

What happens if you leave red tape unchecked?

Imagine a situation in which an organization continues to develop red tape procedures beyond the point of marginal returns, i.e. the point where the procedure stops making sense. Compliance, if reached at all, will be reached with minimal care as the users do not see the relevance or the benefit of the additional requirements. More rules lead to less care.

Now, imagine a situation in which an organization is run based on rules and only rules, with any remarks or dissenting opinion ignored or punished, because its deviant behavior. New hires will very quickly stop caring. This is exactly what is witnessed in this type or organization, often hierarchical organizations. Now, if your collaborators no longer care, they will not be aware of will not mention elements influencing risk profiles. In essence, their risk awareness will be significantly reduced.

And when the risk awareness in an organization reduces, the likelihood that risk exposures are identified, flagged, assessed and managed reduces. What happens is that the real residual risk profile of the organization will become higher. Now, every increase in risk has an associated cost, all other elements remaining equal. So, either the organization accepts the higher cost of the risk management, therefore losing the assumed benefits of red tape increases, or the organization will be exposed to more risk.

The simpler the process, the lesser the risk

Introducing simplification projects which aim to reduce red tape will likely bring terror to the corporate identity. They are not used to these exercises, and they are counter-intuitive to much of what they have learned. However, think about the following: you will introduce more care in the execution of the activities of your organization, which will be appreciated by your customers. The increase in care will lead to an increase in risk awareness, which should lead to a reduction in the residual risk profile of the organization.