One of the central tenets of risk management is the idea that we understand “risk.” Most definitions of risk management include terms such as assessment, evaluation, identification, control, transfer, reduction, retention and so on to describe what should be done to risk to protect the firm, patient or enterprise from bad outcomes. The benefits ascribed to risk management include the achievement of a firm’s business goals, better patient care, improved decision making, risk-adjusted returns on capital and a host of superlatives attributed to the proper risk framework or leading practice.
Very few risk management definitions actually explain how to accomplish these results with any degree of specificity. Instead, the definition includes vague descriptions of activities that lead to risk management. For example, a hospital definition of risk management: “The constellation of activities—planning, organizing, directing, evaluating and implementing—which are involved in reducing the risk of injury to patients and employees, as well as property damage or financial loss in a health care facility.” This definition, like many others of similar ambiguity, are no more than “trial and error” disguised as risk management. What is clear is that we may not truly understand risk as well as we think we do!
With few exceptions, there are two very large and glaring gaps in every definition of risk management. The first gap consists of a lack of recognition that a large body of well-established research and knowledge exists on how to measure risk. Risk has a shape and the shape of risk is derived from the data of events composed of the things we call a risk. For example, hospitals document the number of wrong limbs cut off due to poor communications or an IT department may count the number and type of “denial of service” incidents it has experienced each month. Each of these events take the form of various distribution patterns when plotted on a chart. The shape of risk can be defined by its distribution on a chart such as normal, log-normal, and skewed distributions, to name a few. To truly understand risk, you must understand its shape.
Anyone, without any training, can talk about risk management, but if you can’t explain the shape of your risk, then you have only a cursory understanding of it. This lack of understanding partially explains why risk management programs are perceived to have failed. The shape of risk helps to explain the behavior of the risks you face. What is perceived as a failure of risk management programs is really a failure to understand the limits of the tools used in risk management today. This is not a debate between nerds. We are misled by risks every day because we do not understand the shape of risk.
The second gap in risk definitions deals with what cognitive scientists call “heuristics and biases.” Heuristics include intuition, norms, knowledge and shortcuts we use to understand and navigate the world we live in. Biases are long-held beliefs and preferences we establish over a lifetime. Whenever we are faced with new threats and uncertainty, we oftentimes fall back on the things that worked in the past, only to learn that we were led astray by cognitive dissonance. Said simply: we fail to believe the facts that are counter to our beliefs or expectations until the risk is obvious to all.
Risk management — outside of scientific departments, Quant shops on Wall Street and a few select quantitative fields — does not practice its art with precise tools for measuring risk or take into account the human errors inherent in heuristics and bias. Precision should be measured in degrees. Data scientists understand that all models are flawed, but some models are more useful than others.
Making decisions under uncertainty requires that risk professions understand the shape of their risks. The shape of your risks will tell you how much confidence to place in your data. As risk professionals begin to discuss risk in terms of degrees of confidence and probability of outcomes through the use of more precise tools, the expectations of and value in risk management becomes more evident. These tools will then lead to better decision making and help to overcome the flaws that simple heuristics and bias bring to sloppy thinking. I plan to address heuristics and bias in-depth in upcoming articles as it deserves much more explanation than I have dealt with in this piece.
The good news is that these tools exist today and you can begin to use them in your risk practice without becoming a data scientist or quantitative analyst. In fact, I maintain one of the largest free databases of risk management tools on the internet today. The level of sophistication and functionality of analytical risk tools continues to grow rapidly and will become standard practice in the next five to 10 years. Now you have no excuse for not knowing or understanding the shape of your risk.
James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
