Risk is being "managed" today in a wide variety of ways, but so are baseball teams, political parties, and fast-food outlets. So, variety in managing risk can be expected. Variety carries no stigma of inadequacy, frustration, or failure, either. Nor does it necessarily imply an endless search for the "right" way to manage risk. On the other hand, the popular term risk appetite could easily lead some to believe that managing risk is dependent on whim, fad, or quirk—surely a conclusion abhorrent to successful risk managers.
However, it is no secret that management of risk—as a profession—is far from the maturity of fields like engineering, finance, or production. It can too easily appear subjective, arbitrary, even aligned with buzzwords or slogans. To be kind, it is really disorganized!
How did this situation evolve? Why is risk management so often excluded from the boardroom? What differentiates risk from the traditional functions that are always mandatory parties to executive policymaking?
Perhaps answers can be found in the history of risk management itself. From the outset, the term was capitalized by the insurance industry—primarily because risk was readily linked to financial losses that could be insured.
Yet, wise executives will recognize that risk involves two types of loss—acceptable losses (because control of them is thought to be impossible) and unacceptable losses (because financing them is considered unthinkable). These two contrasting aspects of risk concern are depicted in Figure 1.
Unfortunately, not many risk managers recognize or understand both those risk types—or the bridge connecting them. This ignorance of the totality of risk requiring management readily leads to outsiders concluding that risk management as a profession is fragmented, unhinged, and disorganized.
At a deeper level, a significant issue clouds—and often precludes—universal understanding of risk management. It is the work performed by those who are called "risk managers."
Even though the insurance industry was first to promote and use the term "risk management," it does not manage risk. It only finances it. This means that risk management has become synonymous with insurance for many.
For the insured, its risk is thereby managed by an outside insurance source. The insurer has no management role inside the insured's organization—because it has no understanding or expertise to offer. The primary role, then, of an insured's risk manager is to obtain and manage the correct amount of insurance, not to conceive and implement internal changes that reduce, control, or manage risk.
In stark contrast, a risk manager in an organization where loss is unacceptable is charged with controlling loss, with no thought of insuring it. My personal and extensive involvement in NASA manned spacecraft programs illustrates this difference. Never did NASA consider buying insurance for those programs. Instead, it had to control every risk by creative and effective preventive action. Those who managed spaceflight risks were experts in highly technical issues—not insurance clients.
So, the high contrast between these two types of risk confuses the outsider who can readily view risk management as disorganized regarding risk, since vastly different expertise is required by people using the same job title.
Good news! Risk management can readily be transformed from "disorganized" to "organized" by accomplishing only two objectives:
- Integrate risk and risk control into a singularity.
- Manage the integrated entity as a whole.
Both of these objectives can be solved with little pain simply by using the systems approach.
So, what is the systems approach? There may be different definitions, but they all describe the godlike attribute—at least in perspective—of omniscience or totality of knowledge. It is all-encompassing, global, womb to tomb. Of course, it never completely succeeds because of human limitations, but the objective remains.
The systems approach provides that all-embracing, governing characteristic that is essential to joining both uncontrollable and controllable risks together, thus organizing risk as a singularity. Notice that both types of risk are elements of mature, effective risk management.
First, a definition is imperative:
A system is a composite, at any level of complexity, of operational and support equipment, personnel, facilities, and software (intelligence), which are used together as an entity and capable of performing or supporting an operational role that results in changing known inputs into desired outputs.
Note that, by this definition, a system can be either simple or complex, animate or inanimate, expensive or cheap, and natural or artificial. A coffee cup can be a system. So can your home garden, a football team, or a business—or the entire universe!
The most fundamental description of a system is "an entity for transforming inputs into outputs via resource expenditure" as shown in Figure 2.
Note the following facets of the system in Figure 2:
- A system is well bounded or defined—not fuzzy. Figure 2 depicts this important fact.
- Transformation (conversion of known inputs into desired outputs) occurs within the bounded system.
- Resources (e.g., materials, money, manpower) are expended to accomplish the transformation.
- The units or dimensions of the transformation are cost, performance, and schedule.
- There is generally feedback from outputs back to inputs (learning) that tunes or modifies the inputs over a period of time.
How then can a coffee cup be a system? Quite easily, as it is a simple piece of equipment that, together with the hands and intelligence of an operator and some hot coffee, becomes an entity for changing known inputs (boiling coffee along with room temperature cream, sugar, and stirrer) into desired outputs (chemical mixture of coffee, cream, and sugar, plus a controlled flow rate of hot liquid into the mouth that precludes scalding).
Two more system characteristics need emphasis as we organize the disorganized risk management image.
An Ordered Wholeness
Not only is a system a simple whole; it is also an ordered whole. Since it transforms inputs into outputs, there are some predictable and ultimately knowable "goings on" within that system that enable the transformation. These ordered "goings on" can be described in various ways.
- They may be thought of as processes whose results enable the achievement of the system's desired outputs. Examples might be design techniques, material selection, building maintenance, production lines, or personnel recruiting.
- They could also be called controls, which direct and coordinate activity within the system. Laws, budgets, quality inspections, schedules, and even employee time accounting illustrate such controls.
- Information that is organized, processed, and distributed within the system is a third type of "goings on." Staff meetings, data processing, public relations, marketing strategies, and management policy are typical of these.
- Logistics—those activities or characteristics that sustain the operation of the system, such as shipping and receiving, cash flow, personnel management, spare parts, and electrical power supply, exemplify this class.
So, the idea of an ordered wholeness is important to treating anything as a system. Although many systems may initially appear to be chaotic and unmanageable, we approach managing them with the optimism of discovering the order that makes a particular system a system.
A Global Perspective
Applying the ordered wholeness concept requires a certain type of detachment. When initially applying the systems approach, some people invariably want to focus on too narrow a view. They always have to be encouraged to back away and look at the whole scene. Taking a less-than-whole vista obviously defeats systematic management of risk.
My work with the National Academy of Sciences illustrates this global perspective. The Academy established the Committee for the Prevention of Grain Elevator Explosions on which I served for years. As is common, the committee's initial impulse was to focus exclusively on the technical sector in Figure 3, primarily because it was composed of scientific personnel.
As we investigated many explosions—including one in the world's largest elevator—we learned that grain elevator explosions continue to occur for social, cultural, and economic reasons even though the technical reasons for explosions are well known and publicized.
Figure 3: System Perspective Sector of Grain Dust Explosions
As admirable as it may be, organizing a disorganized risk management system is not an end to itself. It must become the means to realizing benefit. And, there is a remarkable bonanza! Only via the systems approach is it possible to confidently identify, evaluate, rank, and control the full panoply of risks within any system. Foresight is implicit, negating nasty surprises.
Best of all, it is possible for the very first time to provide executives with their Number 1 risk, Number 2 risk, Number 3 risk, etc. The ranked array of all risks is depicted in Figure 4.
Obviously, there are never sufficient resources to eliminate/control every identified risk. So, decision-makers are enabled to decide where in the stacked array of risks to stop allocating resources for countermeasures—a cutoff. Thereby, cost-effectiveness is ensured when investing those always-limited loss mitigation resources.
We call that a payoff par excellence ... and welcome to the boardroom!