
Searching for risk in all the wrong places

We cannot manage the complexity of risk today the way we managed risk in the past. Yesterday’s models, methods and ‘best practices’, while minimally useful, do not readily apply to managing risk in the future, say Geary W. Sikich and Sara Robertson. In this article they explain their viewpoint…

Introduction

Much like the song ‘Lookin’ for Love in All the Wrong Places’, sung by Johnny Lee, risk management professionals need to ask the question “Are we searching for risk in all the wrong places?” Are risk professionals being deluded or deluding themselves by seeing risk based on media-driven analysis and applying outmoded tools, models, etc. that no longer reflect the reality of risk?

Currently, COVID-19 is capturing the headlines daily as the pandemic continues to rage worldwide. So, much of risk management seems to be focused on COVID-19 impact, ‘the new normal’ and ‘the great reset’ as touted by high-profile consulting firms. While our attention is focused on the COVID-19 headlines, are risk professionals taking into account the touchpoint relationships to other risks?

Absolutes versus reality

We cannot manage the complexity of risk today the way we managed risk in the past. Yesterday’s models, methods and ‘best practices’, while minimally useful, do not readily apply to managing risk in the future. Risk today is full of uncertainty and complexity, orders of magnitude beyond the readily recognizable. Therefore, we have to create new ways of looking at risk and managing risk. What is risk? Think about it before you leap to answer. Do we really know and understand risk? Some facts to consider:

  • Risk is not static, it is fluid.
  • Risk probes for weaknesses to exploit.
  • Risk, therefore, can only be temporarily mitigated and never really eliminated.
  • Over time risk mitigation degrades and loses effectiveness as risk mutates, creating new risk realities.

Heisenberg and Schrödinger both came up with theories about uncertainty. If we move away from the mathematics of quantum mechanics, we can look at the key points and apply them to risk management.

The most famous realization of Heisenberg’s uncertainty principle states that one cannot measure with absolute certainty the position and momentum of a particle.

Restated in risk management terms: ‘One cannot measure with absolute certainty risk realization (occurrence), velocity and impact’. This is due to inequality; not all risks realized will be felt equally. For example, today there are five generations in the workforce. A single application of a risk model cannot be applied as each generation will experience risk realization differently, even though it is the same risk that we identified.

Schrödinger's famous thought experiment used a cat, a flask of poison, and a radioactive source placed in a sealed box with a radiation monitor. If the monitor detects a single atom decaying, the flask is shattered, the poison is released, and the cat is killed. According to Wikipedia, the Copenhagen interpretation of quantum mechanics implies that after a while, the cat is simultaneously alive and dead. Yet, when one looks in the box, one sees the cat either alive or dead, not both alive and dead. This poses the question of when exactly quantum superposition ends and reality resolves into one possibility or the other.

Restated in risk management terms: risk management requires that you constantly monitor recognized risks and continue to scan for new, as yet to be recognized, risks. This process cannot be accomplished with a ‘one and done’ mindset. Risk needs to be looked at in three dimensions and perhaps even four dimensions to begin to understand the ‘touchpoints’ and aggregation of risk, potential to cascade, conflate and/or come to a confluence. In other words, ‘Keep looking into the box’.

McKinsey has come up with the ‘Uncertainty Cube’ as an enhancement for analyzing scenarios. In a November 2, 2020, article entitled ‘Are scenarios limiting your pandemic recovery strategy?’, McKinsey authors provide examples of the Uncertainty Cube used as an analysis tool. The article highlights include the following:

Building an uncertainty cube allows business leaders to accurately assess the probability that certain outcomes will materialize under various scenarios.

Does the Uncertainty Cube enhance or inhibit analysis?  It may enhance analysis to a point. A cube is a rigid structure, bounded by artificial sides. It therefore limits analysis to the extent that the analyst chooses the cell structure of the cube.

Risk is not bounded by artificial structures, such as a cube shape. No matter how creative you get with the cube shape, it is limited to the artificial boundaries that you set. Perhaps the following examples will visually explain:

Although novelty items, the Amazon X Cube and the Megaminx Shengshou (pictured) appear to be applicable in the context of uncertainty as discussed in the McKinsey article. However, there is still the boundary problem that presents artificial limits to the identification and analysis of risk. As already stated, risk is not static. Perhaps a more logical approach would be to depict the analysis points as floating points that have no boundaries and are in a constant state of flux (change)?

Can we accurately assess the probability that certain outcomes will materialize under various scenarios?  Probability is at best a guess at what may happen in the future. Can we accurately assess, no matter how creative we get, when we place artificial boundaries on the parameters of our analysis?  There will always be forces influencing the analysis that we have not taken into account due to analysis bias, emotional bias, overlooking the obvious, applying outmoded analytical tools, etc.

Ask yourself, “What is my organization’s risk absorption capacity? Where is our risk saturation point? At what point does our risk profile allow for risk deflection? At what point does our risk profile create a risk explosion for our organization?” These four questions, all too often, never get asked when conducting investigations into risk, threat, vulnerability, business impact and/or hazard analyses. How do you begin to answer these questions? First, you need to be open to complexity; second, you have to be able to see beyond the immediate; and third, you have to embrace the dynamic nature of risk as non-static.

Overlooked, understated, lurking in the shadows

Why do we search for Black Swans when we are being slapped in the face daily with risks that are accepted, overlooked, and sloughed off because their impact is considered insignificant or because we are not directly affected by them?  Below are some examples of the overlooked and understated risk issues that tend to become transparent to analysis until they are not.

Overlooked/understated risk issues

  • Senior management does not take risk management seriously
  • Regulatory compliance is not risk management
  • Distracted by current events – failure to see the long scenario and cascade effects
  • Lack of strategic foresight – the failure of risk management
  • Misdiagnosis of risk
  • Human resources treated as a cost rather than as an asset
  • Over-reliance on process optimization
  • Failure to identify risk beyond first order effects (cascade effects)
  • Human capital not considered in contingency planning
  • Single model for managing human capital (multi-generational workforce)
  • Risk created by unhealthy workplaces largely ignored by senior management.

Incomprehensive, inconsistent, over optimistic

As we write this, the world is in the midst of a global pandemic (COVID-19), experiencing unusual weather (wildfires, storms, earthquakes, global warming) and is threatened by geopolitical concerns (trade wars, localized conflicts, state sponsored cyber warfare).

Are we overlooking the obvious? We have seen inconsistent, incomprehensive decision making on the part of global leadership with the efforts to stem the effects of the COVID-19 pandemic. This has led to a lot of emotional finger pointing, loss of trust in our leaders at all levels, and a general apathy toward the seriousness of the situation. Leaders often appear to be wading in concrete, mired in confusion, implementing incomprehensive actions that oftentimes do more harm than good. The inconsistencies of leadership, at all levels, have led to frustration and, in some instances, refusal to comply with mandates that are controversial, ineffective, and so unenforceable (easily circumvented) that they are rendered useless.

Instabilities, nonequilibrium and active analysis in complex systems

Risk, by its very nature, being non-static, creates instabilities and nonequilibrium in complex systems (touchpoints internal and external to an organization). Add to this human intervention in the form of active behavior and you begin to see that the traditional approaches to identifying, quantifying, and protecting against risk realization become less flexible and more rigid when applied, thereby creating a false sense of mitigating risk (often thought of as eliminating risk) when in reality, risk has changed as a result of the mitigation effort. ‘Active analysis’ is necessary to maintain a current perspective on risk mitigation (buffering) efforts.

Think of this much like the current situation with the coronavirus. We are now getting reports of new strains that appear to be easier to transmit from person to person. And this is happening just as vaccine distribution is beginning to roll out. The question arises, “How effective will the current vaccines be against a mutated strain of the virus?”

An analysis of instabilities within complex touchpoints can result in the development of two planes, a plane of possibility and a plane of probability of risk realization. The plane of possibility is infinite, and from it the plane of probabilities emerges. The graphic below depicts a hypothetical plane of probability (Siegel, D. 2018, ‘Aware: The Science and Practice of Presence’).

Three important aspects of creating a plane of probability are:

1) Early detection of risk realization and potential impacts. This allows for analysis where very precise measurements are not available or cannot be obtained due to the fluidity of a situation.
2) Depending on the number of touchpoints and complexity of touchpoint connectivity, a variety of different scenarios can be developed to create a menu of risk buffering options.
3) Even early instabilities can be identified, thus allowing a rather detailed analysis of potentially complicated/connected instability points that can lead to risk cascade effects should the risk be realized.

Below is a simple comparison, contrasting a rigid approach to risk assessment (left) and the reality of the undulating, unstable nature of risk in a dynamic environment (right).

Examples of the reality of risk instability and the cascade effect of risk being realized can be seen in today’s chaotic reaction to the COVID-19 situation. Currently, due to the identification of new strains of the virus, we are seeing border closures, flight cancellations, alterations in trade and apprehension regarding the effectiveness of the currently approved vaccines against emergent strains of the virus. As it is too early to speculate on the implications of vaccine effectiveness or non-effectiveness, the plane of possibility remains open and emerging rather than being buffered and mitigated.

However, are we so narrowly focused on the ‘risk of the day’ that we are not seeing the emerging risks that are present and yet remain unseen?

Conclusions

Risk taking is central to the functioning of any organization. Excessive risk taking and a simultaneous decline in the risk absorption capacity of the organization can lead to catastrophic results. You can never achieve true certainty when assessing risk unless you reduce the probabilities to zero or one. Opacity, that is, constant uncertainty and changing factors, makes getting a clear picture of risk realities nearly impossible. In order to overcome opacity, you need to constantly monitor the risk environment. It’s all about targeted flexibility, the art of being prepared, rather than preparing for specific events.

Being able to respond, rather than being able to forecast, facilitates early warning and proactive response to shifts in your market segment. We live in a world full of consequences. Our decisions need to be made with the most information available, with the recognition that all decisions carry with them flaws due to our inability to know everything. Our focus should be on how our flawed decisions establish a context for flawed risk assessments, leading to flawed plans, resulting in flawed abilities to execute effectively. If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty, we may find that the decisions we are making have more upside than downside.

We're limited not by the amount of risk we can identify, but by how inventive we are about how we think about risk and how much we're willing to do to buffer against risk realization. Here are seven identified needs for today’s risk managers:

  • Techniques for identifying permanent versus cyclical changes in the external operating environment.
  • Techniques for spotting and buffering risks so that the organization has the ability to leverage risk management activities for competitive advantage.
  • Tools for stimulating the creation of options, particularly where change is occurring rapidly and the scope for risk management action is shifting.
  • Tools for stimulating the understanding of opaque risk forces that are truly dynamic, with multiple orders of consequence effects.
  • Proven tools for improving strategy, risk management, business continuity, and competitive intelligence processes, breaking inertia, and jolting conventional risk management thinking.
  • Techniques for generating and harnessing insights from big data about risks that customers, competitors, and suppliers present to the organization.
  • Techniques for identifying and focusing the top team’s attention on new or poorly understood risks—before it is too late and the risk materializes (risk realization).

Here are five factors affecting decision making under uncertainty:

  • Interconnectedness: opportunities for risk contagion (geographic, category, geopolitical).
  • Asymmetry: small events that can create disproportionate and unexpected effects.
  • Time compression: just-in-time processes have little leeway, with effects of risk realization being felt rapidly.
  • Noise: salient facts that are not noticed at the time of event (failure of critical thinking).
  • Information vetting: misinformation or inadequately provided information that has not been properly validated can lead to greater risk exposure and skewed responses.

We will close with a quote from Alexander Hamilton, who was the first Secretary of the Treasury for the United States. Hamilton said: "The nation which can prefer disgrace to danger is prepared for a master and deserves one."

Will a failure to connect the dots and rethink risk and uncertainty lead to the demise of your organization?

About the authors

Geary Sikich – Entrepreneur, consultant, author and business lecturer

Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 30 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet. Contact G.Sikich@att.net or gsikich@logicalmanagement.com

Sara Robertson, MSc (c) MCPM MCADT AMMS

After experiencing severe burnout in her former career in management at one of Canada’s 50 Best Managed Companies, Sara went on a mission to build a new life for herself and found a calling in teaching others that there is a better way to live and work.

In 2015 she founded LimeHorse, a professional education company - with a focus on the legal profession - offering online and in-person training in mindfulness, emotional intelligence, organizational development and peak performance.  She is a Faculty and Advisory Board Member of University of Toronto's AMM-MIND program, Co-Chair of the Ontario Chapter and CLE planning task force member with the Mindfulness in Law Society and Performance Specialist at Mindful Gateway Consulting.  She is a regular contributor on Thrive Global’s special section on Overcoming Lawyer Burnout. Sara is passionate about helping professionals build resilience and cultivate purposeful work.

Sara has worked in diverse environments such as academic, corporate, and professional sports.  Through MGC she has developed and delivered training for the Toronto Maple Leafs development camp and the Toronto Marlies.  She splits her free time between raising her young daughter, her many hobbies and volunteer commitments working with marginalized individuals.

This article is Copyright© Geary W. Sikich, Sara Robertson 2021. World rights reserved. Published with permission of the authors.

References

  • Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
  • Cloke, K., Goldsmith, J. 2000 Resolving Interpersonal and Organizational Conflict. Jossey-Bass
  • Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, (1998).
  • Jones, Milo and Silberzahn, Philippe, Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001, Stanford Security Studies (August 21, 2013) ISBN-10: 0804785805, ISBN-13: 978-0804785808
  • Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3
  • Klein, Gary, “Sources of Power: How People Make Decisions,” 1998, MIT Press, ISBN 13 978-0-262-11227-7
  • Marston, C. 2007 Motivating the What’s In It For Me? Workforce: Manage Across the Generational Divide and Increase Profits. Wiley
  • McKinsey, https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/are-scenarios-limiting-your-pandemic-recovery-strategy
  • Project Management Institute. 2008 A Guide to the Project Management Body of Knowledge (PMBOK Guide) – Fourth Edition – Chapter 9. PMI Publications
  • Siegel, D. 2018, “Aware: The Science and Practice of Presence”. Penguin Random House
  • Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002
  • Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003
  • Sikich, Geary W., “Risk and Compliance: Are you driving the car while looking in the rearview mirror?” 2013
  • Sikich, Geary W., “Transparent Vulnerabilities” – How we overlook the obvious, because it is too clear that it is there, 2008
  • Sikich, Geary W., “Risk and the Limitations of Knowledge” 2014
  • Sikich, Geary W., “Rethinking Risk and Uncertainly” 2015, Continuity Central
  • Tainter, Joseph, “The Collapse of Complex Societies,” Cambridge University Press (March 30, 1990), ISBN-10: 052138673X, ISBN-13: 978-0521386739
  • Taleb, Nicholas Nassim, “The Black Swan: The Impact of the Highly Improbable,” 2007, Random House – ISBN 978-1-4000-6351-2, 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5
  • Taleb, Nicholas Nassim, Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets, 2005, Updated edition (October 14, 2008) Random House – ISBN-13: 978-1400067930
  • Taleb, N.N., “Common Errors in Interpreting the Ideas of The Black Swan and Associated Papers;” NYU Poly Institute October 18, 2009
  • Taleb, Nicholas Nassim, “Antifragile: Things that gain from disorder,” 2012, Random House – ISBN 978-1-4000-6782-4
  • "Lookin' for Love" is a song written by Wanda Mallette, Bob Morrison and Patti Ryan, and recorded by American country music singer Johnny Lee. It was released in June 1980 as part of the soundtrack to the film Urban Cowboy, released that year.

