Risk is being "managed" today in a wide variety of ways, but so are baseball teams, political parties, and fast-food outlets. So, variety in managing risk can be expected. Variety carries no stigma of inadequacy, frustration, or failure, either. Nor does it necessarily imply an endless search for the "right" way to manage risk. On the other hand, the popular term risk appetite could easily lead some to believe that managing risk is dependent on whim, fad, or quirk—surely a conclusion abhorrent to successful risk managers.
However, it is no secret that management of risk—as a profession—is far from the maturity of fields like engineering, finance, or production. It can too easily appear subjective, arbitrary, even aligned with buzzwords or slogans. To be kind, it is really disorganized!
How did this situation evolve? Why is risk management so often excluded from the boardroom? What differentiates risk from the traditional functions that are always mandatory parties to executive policymaking?
Perhaps answers can be found in the history of risk management itself. From the outset, the term was capitalized by the insurance industry—primarily because risk was readily linked to financial losses that could be insured.
Yet, wise executives will recognize that risk involves two types of loss—acceptable losses (because control of them is thought to be impossible) and unacceptable losses (because financing them is considered unthinkable). These two contrasting aspects of risk concern are depicted in Figure 1.
Unfortunately, not many risk managers recognize or understand both those risk types—or the bridge connecting them. This ignorance of the totality of risk requiring management readily leads to outsiders concluding that risk management as a profession is fragmented, unhinged, and disorganized.
At a deeper level, a significant issue clouds—and often precludes—universal understanding of risk management. It is the work performed by those who are called "risk managers."
Even though the insurance industry was first to promote and use the term "risk management," it does not manage risk. It only finances it. This means that risk management has become synonymous with insurance for many.
For the insured, its risk is thereby managed by an outside insurance source. The insurer has no management role inside the insured's organization—because it has no understanding or expertise to offer. The primary role, then, of an insured's risk manager is to obtain and manage the correct amount of insurance, not to conceive and implement internal changes that reduce, control, or manage risk.
In stark contrast, a risk manager in an organization where loss is unacceptable is charged with controlling loss, with no thought of insuring it. My personal and extensive involvement in NASA manned spacecraft programs illustrates this difference. Never did NASA consider buying insurance for those programs. Instead, it had to control every risk by creative and effective preventive action. Those who managed spaceflight risks were experts in highly technical issues—not insurance clients.
So, the high contrast between these two types of risk confuses the outsider who can readily view risk management as disorganized regarding risk, since vastly different expertise is required by people using the same job title.
Good news! Risk management can readily be transformed from "disorganized" to "organized" by accomplishing only two objectives:
Both of these objectives can be solved with little pain simply by using the systems approach.
So, what is the systems approach? There may be different definitions, but they all describe the godlike attribute—at least in perspective—of omniscience or totality of knowledge. It is all-encompassing, global, womb to tomb. Of course, it never completely succeeds because of human limitations, but the objective remains.
The systems approach provides that all-embracing, governing characteristic that is essential to joining both uncontrollable and controllable risks together, thus organizing risk as a singularity. Notice that both types of risk are elements of mature, effective risk management.
First, a definition is imperative:
A system is a composite, at any level of complexity, of operational and support equipment, personnel, facilities, and software (intelligence), which are used together as an entity and capable of performing or supporting an operational role that results in changing known inputs into desired outputs.
Note that, by this definition, a system can be either simple or complex, animate or inanimate, expensive or cheap, and natural or artificial. A coffee cup can be a system. So can your home garden, a football team, or a business—or the entire universe!
The most fundamental description of a system is "an entity for transforming inputs into outputs via resource expenditure" as shown in Figure 2.
Note the following facets of the system in Figure 2:
How then can a coffee cup be a system? Quite easily, as it is a simple piece of equipment that, together with the hands and intelligence of an operator and some hot coffee, becomes an entity for changing known inputs (boiling coffee along with room temperature cream, sugar, and stirrer) into desired outputs (chemical mixture of coffee, cream, and sugar, plus a controlled flow rate of hot liquid into the mouth that precludes scalding).
Two more system characteristics need emphasis as we organize the disorganized risk management image.
Not only is a system a simple whole; it is also an ordered whole. Since it transforms inputs into outputs, there are some predictable and ultimately knowable "goings on" within that system that enable the transformation. These ordered "goings on" can be described in various ways.
So, the idea of an ordered wholeness is important to treating anything as a system. Although many systems may initially appear to be chaotic and unmanageable, we approach managing them with the optimism of discovering the order that makes a particular system a system.
Applying the ordered wholeness concept requires a certain type of detachment. When initially applying the systems approach, some people invariably want to focus on too narrow a view. They always have to be encouraged to back away and look at the whole scene. Taking a less-than-whole vista obviously defeats systematic management of risk.
My work with the National Academy of Sciences illustrates this global perspective. The Academy established the Committee for the Prevention of Grain Elevator Explosions on which I served for years. As is common, the committee's initial impulse was to focus exclusively on the technical sector in Figure 3, primarily because it was composed of scientific personnel.
As we investigated many explosions—including one in the world's largest elevator—we learned that grain elevator explosions continue to occur for social, cultural, and economic reasons even though the technical reasons for explosions are well known and publicized.
As admirable as it may be, organizing a disorganized risk management system is not an end to itself. It must become the means to realizing benefit. And, there is a remarkable bonanza! Only via the systems approach is it possible to confidently identify, evaluate, rank, and control the full panoply of risks within any system. Foresight is implicit, negating nasty surprises.
Best of all, it is possible for the very first time to provide executives with their Number 1 risk, Number 2 risk, Number 3 risk, etc. The ranked array of all risks is depicted in Figure 4.
Obviously, there are never sufficient resources to eliminate/control every identified risk. So, decision-makers are enabled to decide where in the stacked array of risks to stop allocating resources for countermeasures—a cutoff. Thereby, cost-effectiveness is ensured when investing those always-limited loss mitigation resources.
We call that a payoff par excellence ... and welcome to the boardroom!
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.