Risk management and crisis management – two different kettles of fish

I recently came upon this article titled “The Psychology of Risk” from the RIMS Risk Management Magazine online and I want to add my comments here.

On the positive side, the author mentions many of the important cognitive biases that affect our decision-making processes and skew the way we assess both the impact and the likelihood of events. The article correctly states that "risk" is a very complex concept that is difficult for the human mind to grasp and truly comprehend. The mere mention of the term "risk" may trigger a reflex-like activation of cognitive biases that are actually detrimental to "good" risk management.

However, what bugged me is that throughout the entire article the author mixes up the terms "risk management" and "crisis management", which are two related but distinct concepts.

Risk Management

Risk management is making well-informed decisions to achieve business objectives while taking into account the ever-present impact of a myriad of uncertainties.

Risk also does not imply negative impact, only uncertainty about outcomes. Variations due to uncertainty can be positive or negative.

Unfortunately, most publications and presentations about risk management start out with a statement that risk can be "both positive and negative impact on objectives" but afterwards, without explicitly saying so, switch back to the narrow view of "downside" risk only.

Crisis Management

Crisis management, on the other hand, is a "management mode" that is activated after a (downside) risk has materialized and the impact has such a scope and magnitude that it cannot be dealt with under the normal operating mode of management. Crisis management aims at containing the impact and bringing an abnormal situation caused by extreme circumstances back under normal control.

Crisis management is needed for Black Swan events: extremely low likelihood but extremely high impact. Examples are 9/11, the Fukushima earthquake and tsunami, a hurricane, or a social media sh**storm. If these are externally caused, there is little to nothing you can do to prevent them; you can only be alert and well prepared. So crisis management comes after a risk has struck and is a reactive control to mitigate the impact, contain the fallout, and eventually return to regular management and operations.

Two different kettles of fish

Most risk management scenarios will not fall into the Black Swan category, so they will not lead to a crisis and we will not enter crisis management mode.

Risk management professional associations should actually know better than to mix these topics up with one another.

It is my opinion that in many cases we might be better off not using the "r-word" at all and instead focusing on improving our decision-making abilities and practices: making principles-based, well-informed decisions to achieve our objectives, taking into account the influence of uncertainty and our limited and biased capability to correctly grasp this uncertainty.

In this way we can also get out of the cul-de-sac of treating risk management as an activity separate from business management, the responsibility of "risk professionals" whose task it is to "manage" entities called "risks". It is because of this way of framing the topic that risk management has become detached from the business: a purpose focused mainly on itself for its own sake, on the administrative tasks of keeping and updating risk registers and, at times even worse, fueled by SOX, an activity focused on controls for controls' sake.

On the other hand, risk management professional organizations may have an interest in keeping their profession distinct and specialized, claiming that management needs to be educated to understand everything better from the risk management perspective and, in addition to managing the business, to properly "manage risks".

Add to the entire conundrum an internal audit profession that keeps promoting a flawed Three Lines of Defense model, which supports the notion of risks as something negative that we need to defend against and keeps responsibility for risk management away from (first-line) management.
