While thinking about driving back from a week of vacation out of Istanbul to our house in the city, I am starting to look at the traffic and the inevitable congestion that will build up in the next hours as a few million people will return from their 9-day Ramadan holiday to their homes. After all, Istanbul is the second most congested city in Europe.
Again, while thinking of the trip ahead, my thoughts return to risk management and “reimagining” the same. (Reimagining old concepts is in high fashion today, not only in my company but also for many consultants.)
And I come again to the point that it’s time to make the step from focusing on “risks” (and the management of the same) to the “achievement of objectives” (and managing the (un)certainty of the same).
The two are not at all the same.
The accepted ISO definition of a “risk” has been for a long time: “the effect of uncertainty on objectives”. Note that it can go both ways, positive and negative. If we keep focusing our risk management frame of thinking narrowly on identifying downside risks (“what can go wrong?”) and working to reduce them (by controls), we run the risk (pun intended) of losing sight of the objectives and ending up in the risk-control (vicious?) cycle: Our old RAM / Self-Assessment approach based on control maturity levels was a prime example of putting the cart in front of the horse by saying: “If the controls are not at the specified target maturity level, then we have a risk.” The objective was to satisfy a list of control requirements (a.k.a. control objectives) out of fear of “the auditors” and a “red report” with all of its consequences (the actual risk!).
What if we put the horse in front of the cart again by asking: “What needs to go right in order to achieve our objectives?” (question 1) instead of just asking “whatever in the world could go wrong?” (question 2a) and then, after going through a list of possible failures we can think of, asking in the second step “what impact would that have on objectives?” (question 2b)?
The first question is one that (business) management can immediately relate to. It is linked to scenario-based thinking; it draws the focus to the critical bottlenecks or assumptions that need to be closely watched/managed; it will easily help create a dashboard of key indicators to watch (and this is true risk management). Heat maps are not required and not helpful here because they fail to show the impact on objectives in the way that a scenario-based dashboard with tornado diagrams etc. can. Note that this frame of thinking includes managing the factors of uncertainty to also exceed objectives, adding quantifiable business value.
The second question is one that puts the risk / compliance practitioner into the “doomsayer” corner, who focuses only on the negative, avoiding harm and damage, including all possible (but not necessarily likely/impactful) downside scenarios. It will in the best case create a sense of security about meeting the objectives but doesn’t contribute to exceeding them, so it falls short of the potential to create true business value. All this will not help, but rather hinder, closing the gap to becoming true business partners; and with this frame of thinking, business will never truly take over ownership of managing risk.
The resulting risk matrices/heat maps/risk registers (lists) will be periodically discussed by / with management (with a 3 month view into the rear view mirror) when the risk professional brings it up because the defined reporting process requires it, but not because they will truly impact management business decision-making. This will remain “Enterprise List Management”, a periodical exercise performed for the sake of mostly formal compliance with internal reporting requirements.
Take Google Maps routing as an example of applied risk management in everyday life: Your objective is to drive from home to the airport and arrive at 13:00 at the latest to catch your 14:30 flight. What needs to go right in order for you to make the flight? I leave the detailed brainstorming to you, but we can think about the car (fuel), roads (there is a big road construction on the main way leading to big congestion around lunchtime), weather (heavy rain) and the increased likelihood of accidents, parking situation at the airport and queues at check-in (it’s Friday and the beginning of a holiday week)…
Now, you can evaluate all these “what can go wrongs” on a heat map ending up in some greens, yellows and reds. But what will that tell you about when you have to depart from home to the airport and which route to take?
Now the second way: What needs to go right? First you need to manage the uncertainty of arriving at the airport in time (with the upside potential of being early and having a coffee); secondly you need to streamline your way at the airport up to the gate.
So, what you will actually do is check the day before that you have enough fuel, enter the airport into Google Maps, select some route options (your “policy”: toll free, fastest/shortest…), do your check-in and seat selection online and restrict yourself to carry-on luggage, consider it as an option to give your car to the valet parking service… and depart 30 minutes early as a safety margin for any unforeseen delay due to weather. En route, Google Maps – your dashboard – will inform you in real time about traffic conditions and alternative routes (in line with your policy) and your estimated time of arrival. Your car dashboard keeps you informed about the normal risks of driving and road traffic (speed, fuel, distance to car in front…). As expected, a major congestion is building up around the construction site; Google Maps has already picked an alternative route; as traffic begins to stop following an accident on the alternative route, the system guides you through a few side streets back to the fastest way. Finally, you arrive at the airport and, seeing the queue at the car park, decide it’s a good idea to drop your car off at the valet parking point. In the end, you are actually 20 minutes earlier than planned and enjoy your favorite hot caffeinated beverage at your preferred coffee chain before walking whistling past the crowded baggage drop-off to the security check.
Did I write “inevitable congestion” above? I kept monitoring the road with Google Maps throughout the afternoon. The expected heavy traffic didn’t build up. We drove home to Istanbul at 7 pm. No serious traffic… at all. In fact, I never had such a smooth return trip on a Sunday evening before. In the news I read that many people had timed their return trips on Friday and Saturday to avoid the huge traffic congestion on Sunday afternoon.
Uncertainty at work. With a twofold upside: I had accepted that we might end up in traffic. So we stayed at the beachside until early evening and could enjoy ourselves throughout the entire afternoon. Plus we had a stress-free, smooth drive home and arrived in daylight with sufficient time to unpack, unwind, and go to bed relaxed at the end of a great holiday.
You may also want to read this post by Tim Leech, who in the early 1990s was one of the inventors of Control Self-Assessment and is now advocating for a shift to Objective Centric Risk and Certainty Management (OCRCM) as the next evolutionary step after ERM.
And these two articles from David Vose: