Risk is almost universally managed by the wrong people. It has nothing to do with their title—or their capability. It's all about their responsibility—what they are doing about risk.
From the origin of risk management, the title "risk manager" was assigned to a person who was expected to collect and propagate data on losses—determine the most likely anticipated types of losses, warn everyone about those losses, and hopefully insure sufficiently to cover the losses that do occur.
In other words, there was a silent assumption that losses are inevitable, so someone had to be assigned to account for and hopefully minimize them. Of course, accounting for losses is fairly simple and straightforward. Just note what has happened and then keep good records.
But the second half of that assignment—minimizing losses—was a subtle trap. It was impossible! Why? Because the risk manager had neither authority, budget, nor skill to accomplish it. Were such managers expected to wave a magic wand or declare a secret spell over the organization to keep losses from occurring?
Thereby began creation and distribution of all those slogans, posters, and campaigns aimed at being careful, doing well, and never messing up. Innocuous efforts at best, they were often insulting. Ironically, similar exhortative messages have never been employed in engineering, manufacturing, or marketing.
But, was there really any alternative? Who was really responsible for losses? Certainly not the hapless, defrocked, powerless, misnamed risk manager.
To make matters worse, we all know that such moralistic "preaching" about avoiding losses always falls on deaf ears. Yes, we all know the truth, but what's the answer?
Before attacking the charade of unmanaged risk, we must examine the manageability of risk itself. If risk is "the potential magnitude of a loss combined with its likelihood," can it really be managed? Should it not just be tolerated or subsumed as "the cost of doing business"?
After all, we don't have managers of corporate integrity, goodwill, or advancement. Why risk? The answer is simple. Risk is attempted to be managed primarily because it involves money: three different types of money, as shown in Figure 1.
Figure 1: the Total Cost of Risk
Two of those types—risk financing and risk control—are budgeted and expended voluntarily. However, the third one is always a surprise and is unbudgeted! That sector is responsible for management's high interest in managing risk.
Interestingly, risk extraction is rarely acknowledged or even recognized. It's almost like bad breath or body odor. It's an embarrassment—something that bespeaks "management failure to foresee what should have been foreseen."
Yet, risk extraction is the secret reason why executives believe that risk should be managed somehow. Intuitively, they recognize the need—whether or not they have any idea about how to actually accomplish it. There are three universal measures of managing anything: cost, performance, and schedule. Beyond those three, however, management of risk is unique.
While seldom rationally analyzed, managing risk additionally requires the four types of knowledge in Figure 2, regardless of who is assigned responsibility for possessing them. The first three types are self-explanatory, even though often ignored or overlooked. The fourth type is virtually impossible, apart from utilizing the systems approach to create an all-encompassing, womb-to-tomb methodology to integrate the first three.
Off on the Wrong Foot
Historically, executives have acted as though they expected risk managers to possess and comprehend all four types of risk knowledge when the responsibility for them resides in line management. Worse yet, risk managers went along with the ruse. The result of that two-party subterfuge has crippled every effort to manage risk. It guarantees that loss prevention will be nothing more than a toothless tiger. Furthermore, because of that false assumption, the risk manager has traditionally been charged with the primary responsibility for losses, while the line manager escapes with only secondary obligation.
For example, whenever a major loss occurs, the risk manager—not the line manager—is held accountable should that loss fail to be adequately insured or foreseen. Yet, the loss occurred because line management failed to institute effective countermeasures that would have precluded it from occurring. The incongruity of this hidden but fatal presumption is still seldom recognized today, even by risk management professionals.
Of course, there are two parties to this sham: both line managers and risk managers. Their roles must be reversed! And that radical transformation calls for top management recognition, execution, and oversight. Otherwise, reversal could result in chaos.
Four required steps for successful risk role reversal are listed in Figure 3. They emphasize the obvious wisdom of not only recognizing the need for reversal but also being prepared to make it happen.
It is obvious that reversing long-established risk roles must be more than an informal handshake agreement. We are all creatures of habit. We become so comfortable with a modus operandi that it almost becomes like a straitjacket that binds us, restraining us from making any revision of behavior or approach to anything.
Back on the Right Foot
Role reversal is a two-sided action that demands abandonment of the old and assumption of the new—both of which require a fundamental commitment to change. And because every one of us resists any change in the status quo, role reversal will be a challenge.
But to start, let's consider what line managers must do to reverse their current role. Figure 4 requires that they move from being defenders of the status quo regarding loss to become managers of all risk—which they, perhaps unknowingly, have always been. Recall that they alone control the resources required to preclude or minimize all losses.
This reversal corrects the original and devastating error committed when that very first risk manager was appointed—being charged with an impossible task for which there were neither resources nor authority to control the losses of risk.
Coupled with that essential line manager role reversal, there must be an equally essential one for risk managers. If that does not occur, there will be two types of managers trying to occupy the same chair (managing risk)!
The role reversal for risk managers is also a revolutionary one. They must abandon the role of being an adversary to line managers—constantly confronting them to meet all the demands of moralism (to do better, to quit ignoring rules, to avoid wrong thinking ... always implying inadequacy with "I told you so!" or "If you'd only taken my advice!").
Instead, risk managers must assume a radically different role as a resource to line managers, providing them with creative techniques, methods, and capability to revise the status quo into a less vulnerable posture concerning loss potential. See Figure 5.
When traditional roles for line managers and risk managers are reversed, there are two profound results. First, note that loss reaction disappears! No longer does internal bickering and infighting uselessly consume an organization's resources. Second, both line and risk managers are now preventing loss—albeit from complimentary and affirmative positions.
These two reversals, though challenging to accomplish, are destined to revolutionize risk management!
Reversing the roles of the two managers who alone are capable of truly managing risk is a major step forward for every conceivable type of organization, whether public or private. It will not only greatly increase management effectiveness, but it will also greatly reduce losses due to unmanaged risk.
It also brings out in the open an obvious but hidden conflict that has existed ever since the term "risk management" was coined. No one should be charged with responsibility without being provided with sufficient resources (authority and finances) to execute that responsibility. Historic risk management has always been denied those resources—and will continue to be until the two role reversals occur.
Finally, undergirding the rationale for role reversal is the necessity to implement the systems approach. Why? Because it alone enables the all-encompassing, womb-to-tomb perspective that ensures success of role reversal. It is the only known means to confidently identify, evaluate, rank, and control the full panoply of risks within any system.
Join the ranks of the liberated risk managers who have convinced their organization's top executive to reverse the roles of both line and risk managers!
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.