“Risk management” is a misnomer. It’s about as dumb as “change management.” It’s nonsense. One doesn’t “manage” risks, risk-taking, thinking about risks, etc. It’s not a chart of things that could go wrong over a period of time, with a “relative weighting” or some quantified list of probabilities. So, let’s call it what it really is: “Risk Intelligence.”
Risk Intelligence is gained or gleaned from the information, experience, inputs from some, feedback from others. These are the things one makes choices from, and decisions on. Secondly, risk can only be taken on by those people or entities which have “skin in the game,” that is, something at risk. For example, talking heads, pundits, academicians and politicians rarely, if ever, have skin in the game. That is, they “talk the talk,” but don’t “walk the walk.” They are, however, considered experts solely because of their position and the authority and power they wield. Real world risk-takers require inputs that come with more rigor. “Rigor” in this sense might be experience from others who have gone thru similar situations or events, or the opinions of those who are in a position to lose (or gain – “risk” can be good, too!) wealth, ownership, time, reputation, etc.
Risk Intelligence also requires clarity of mind and a bit of knowledge of probability and statistics. It is indeed different to make decisions under the cloak of uncertainty than it is for those things that require little risk taking, such as the day-to-day decisions that every business must make. The big push today is to generate and use a “risk model.” Models tend to give humans a “comfort zone” of sorts: a bit of misplaced certainty over what can or could come to pass. One doesn’t “model” reality; one would have reality “model” something. But that’s a little too abstract and obtuse for my taste…
For instance, I would tell you to take risks you understand, and don’t try to understand the risks that aren’t clear, or you don’t understand. How would you quantify THAT? It’s difficult – I think we all agree. Therefore, risk-taking shouldn’t be thought of as quantifiable; it’s more “qualifiable.” Which means it should be thought out, discussed, brainstormed, pro’d and con’d – whatever brings as much comfort and solace as can be gleaned from the issue.
Let me give you an example: We’ve all heard that any given person has a “one in 20 million chance” to be struck by lightning (this is but one probability stat out of dozens I’ve read about). So, let’s think about it for a sec, ok? Does this mean:
…everybody on the planet?
…everybody who is outdoors?
…only those people where lightning is common or prevalent?
…a number based on the present number of people hit by lightning over a specific amount of time, divided by the number of people on the planet?
I don’t know about you, but I WOULD NOT make my decision to go outside if lightning was coming soon, happening now, or the storm just passed. I also WOULD NOT make my decision with regard to lightning based on some probability number, algorithm or model. What would YOU make your decision on?
Here’s another “risk model” scenario: What would be your “red line” limit for if you decided to fly today or not? Would it be a 1% chance of crashing? A 0.1% chance? How about a 0.0001% chance? Do you base your assignment of risk over:
…the number of planes taking off and landing today in the U.S.?
…the number of planes taking off and landing today in the world?
…same questions, but over a longer period of time – say, a year or 5 years?
…how about a different angle – say, the number of people killed in plane crashes over a specific time horizon?
<Again, pick your poison (presumption)>
We tend to talk about “risk” and “risk management” too glibly, for my taste. Risk can’t be boiled down to a number or a stat of some sort. I mean, show the stat about getting stung by a horde of killer bees to the guy in the hospital…stung by a horde of killer bees! I’m sure he’ll appreciate it the time and effort it took.
So, bottom line: educating yourself on risk should not be about throwing around numbers and statistics, or impressing a regulator of some compliance bureaucrat. Educate yourself on risk to make you (and your company) more competent.