Sunday, March 9, 2008

Consequences and Leadership: Addressing Risk Management

I saw an ad recently for a seminar that was going to address risk. Specifics would include such subjects as balancing risks and opportunities, identifying lower risk opportunities, building a risk management environment in your corporation, etc.

This reminds me of an effort that the military services began in the late 1980’s to use ‘Operational Risk Management’ (ORM) in decision-making. Similar subjects, with a military perspective, were taught to officers throughout the services, particularly in the Navy and Air Force.

Unfortunately, in a very real sense, it’s a bad idea.

Managing Risk is about management. It’s about keeping what you have in an uncertain world. But, over the long term, worrying about risk is worrying about the wrong thing. The problem lies both in the words being used and the implications of those words, the mental condition created in any organization when it starts to act in accordance with those words.

The dictionary defines risk as a situation involving exposure to danger. Certainly, exposing yourself to danger without purpose – running into a burning building, for example – isn’t terribly smart. But the language fails to capture the real question at hand. The question is not, or should not be, ‘What is the risk?’ The question should be ‘What are the consequences of not acting?’

I can hear the ORM instructors saying ‘but that’s exactly what we meant.’ Unfortunately, that’s not true. Risk talks about danger during the action (or inaction). Consequence deals with effects. In fact, consequence is defined as the result or effect.

Any organization that is managing risk is, in a strict sense, focused on the wrong thing. Managing risk becomes, in effect, an effort to reduce and regulate the level of danger. While every one who goes through risk management training will respond ‘well, with an end in mind,’ the fact is that the language, and the intellectual effort, is on the initial action. Very quickly, safety figures become the measure of success, whether it is safety in actual operations (number of accidents, losses, etc.) or losses in investments.

This is not to say that there aren’t appropriate uses for ORM tools, particularly in certain fiduciary relationships (banks managing other people’s money) or in non-vital events such as putting on an air show.

But that misses the key point that any organization should be focused on results, on effects, on consequences. And often, when ORM tools are stressed without a greater stress placed on desired results, on goals, organizations lose themselves in ORM and ‘playing it safe.’ And playing it safe soon becomes an effort to manage what you have, to protect it, rather than looking ahead and trying to grow; playing it safe focuses on today, consequences focuses on tomorrow.

Blaise Pascal, in his famous argument on whether to believe in the existence of God (Pascal’s Wager) sums up the situation nicely with a warning that can be shortened to ‘you must never confuse the probability of an event with the consequences of an event.’

Such thinking, implicit or explicit, was behind US development and maintenance of its nuclear forces: the consequences of nuclear war were (and are) so severe, that nearly any cost for preparation can be justified if, in preparing for the war those forces prevent the war from starting, irrespective of whether the actual likelihood of such a war starting is very low.

Many businesses and many other organizations miss the key implication here: what is the desired result should drive your decision-making. Whether that result is a positive – you achieve X, or negative – you avoid Y, you need to be focused on the result.

What does this have to do with leadership? Two things: first leaders provide the vision, the goal, the desired result. If the organization is focused on today, the leadership isn’t leading. Second, ORM, safety under any terms, is seductive and comforting. It can provide an ‘easy’ set of answers to many problems. But it doesn’t move you forward. It requires someone with a real will, with real leadership, to move the organization past the comfort zone and focus on the long term goals. Managing risk, whether you use a formal ORM process or your own, informal process, is important and can be quite valuable. But risk management – under any name – must never be allowed to dominate your operations or your pursuit of your goals.

In short, ORM processes are valuable tools, but leadership is not about managing tools, leadership is about understanding consequences and achieving desired results.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home