I've recently suffered a bout of the flu, with 3 days of fever over 38℃ (that's over 100℉). It got me thinking.
When you get sick with the flu, people say things like:
Guess you didn't get the flu shot.
Looks like the flu shot isn't working.
...and it's intelligent, knowledgeable, people who say this.
Replace references to the flu with risk management and they're the same comments that get thrown around when many companies assess the value of risk management or when it fails.
Looks like risk management isn't working.
So... How much has Process X really saved us from losing?
It struck me that the same smart people who don't understand how the flu shot works are not that different from the people who don't understand how risk management works. Understand is definitely an emotive word here - what I'm talking about is the difference between knowledge and understanding. A smart person can know something, without understanding it – without being able to generalise their knowledge.
How does the flu shot/risk management work?
It's about managing and accepting risk. The cost – time, money, effort, etc. – of removing all risk (if it is even possible) is usually too high. It is, in some sense, the 80-20 rule. So we accept the risk of catching some (bloody annoying!) strain of the flu, with the confidence that we will avoid the majority of other strains that are likely to be around - all at a nominal cost.
It's the same with risk management – even the name gives a hint: management not removal or avoidance.
To avoid the flu or a loss, the flu shot, or risk management, needs to be right every single event. If it isn't, just one single time, then you catch the flu or make a loss.
How do you measure success?
It is ... difficult ... to quantify how much money you haven't lost because of good risk management practices. It is a lot easier to measure how much money you made by avoiding managing your risks. However, that's the (in-)famous strategy of
picking up pennies in front of a steamroller.
To measure success, firstly, don't trust your instincts. Virtually no-one can do statistics by instinct. Take the famous Monty Hall problem:
Suppose you're on a game show, and you're given the choice of three doors: Behind one door is a car; behind the others, goats. You pick a door, say No. 1, and the host, who knows what's behind the doors, opens another door, say No. 3, which has a goat. He then says to you, "Do you want to pick door No. 2?" Is it to your advantage to switch your choice?
You probably know this problem and learned the answer, but as a test, try to come up with a solution and a justification (that you really believe). Research shows most people still do the wrong thing - even after being told the answer - knowledge vs. understanding again...
So, how do you measure the success of your risk management approach? Ask someone who understands risk management.
A flippant answer, that is isn't too far from the truth is — If you have someone in your organisation who is a contrarian, who disagrees with approaches and seems to always say "No, because ...", that's who you start with. If, in your organisation, you have a risk management expert who doesn't let their team speak, who doesn't have strong opinions or really stand up and fight for them, well, you're in the majority and at risk.
The best people in this area, don't think of risk management as an add-on, or as a separate entity. It is, and should be, part of the risk taking decision process. One of the best experts in risk I know is an ex-trader.
In the end
Coming full circle — remember to understand the risks you are taking, when something goes wrong (and you catch the flu) ask questions about the efficacy of your risk management, but remember, sometimes c'est la vie.